BVwG - W137 2248575-1

From GDPRhub
Revision as of 14:16, 24 September 2024 by Stella
Court: BVwG (Austria)
Jurisdiction: Austria
Relevant Law: Article 5 GDPR
Article 12(1) GDPR
Article 12(2) GDPR
Article 83 GDPR
Article 83(5)(b) GDPR
§30 DSG
Decided: 18.04.2024
Published: 03.07.2024
Parties: XXXX
DSB
National Case Number/Name: W137 2248575-1
European Case Law Identifier: ECLI:AT:BVWG:2024:W137.2248575.1.01
Appeal from: DSB
D550.289 2021-0.538.938
Appeal to:
Original Language(s): German
Original Source: RIS (in German)
Initial Contributor: stella

A court upheld the DPA's decision that the controller infringed data subjects' right to exercise their GDPR rights by limiting its contact form to "the three most used" rights (right of access, right to erasure, right to object) and by requiring a copy of ID.

English Summary

Facts

The Austrian Data Protection Authority (DSB) fined a controller €500,000 for failing to fulfil its obligations under Articles 12 and 15-22 GDPR.

The controller collected information and marketing classifications on the party affiliations of the entire Austrian population. Data subjects submitted more than 30,000 requests. In response, the controller created a web contact form for the three most frequently used data subject rights and limited other contact options.

The controller did not adequately facilitate the exercise of data subject rights by limiting them to "the three most used". The three most used data subject rights were the right of access, the right to erasure and the right to object. Other data subject rights were not included in the contact form.

Data subjects requested to exercise their rights under the GDPR. The controller failed to provide appropriate mechanisms or responses to these requests, leading to complaints from the data subjects. The DSB initiated an investigation into the controller's practices following these complaints. The investigation revealed that the controller had not sufficiently complied with the GDPR, particularly regarding the facilitation of data subject rights.

The controller appealed.

Holding

The Federal Administrative Court dismissed the controller's appeal as unfounded. It upheld the DSB's decision that the controller violated Article 12(2) GDPR by failing to facilitate the exercise of data subject rights in a transparent and accessible manner, as it restricted requests to three data subject rights through a mandatory contact form: the right of access, the right to erasure and the right to object.

The Federal Administrative Court held that requiring a copy of an ID as a prerequisite for exercising these rights violated Article 12(6) GDPR, as it imposed an unnecessary burden on data subjects.

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

Decision date

April 18, 2024

Standard

B-VG Art133 Para. 4
DSG §30
DSGVO Art12 Para. 1
DSGVO Art12 Para. 2
DSGVO Art5
DSGVO Art83
DSGVO Art83 Para. 5 litb
VStG 1950 §10
VStG 1950 §19
VStG 1950 §33a
VStG 1950 §5
VStG 1950 §64
VwGVG §28 Para. 2

Ruling

W137 2248575-1/31E

IN THE NAME OF THE REPUBLIC!

Written copy of the decision announced orally on February 23, 2024

The Federal Administrative Court, through the judge Mag. Peter HAMMER as chairman and the expert lay judges Mag. Ursula ILLIBAUER and Mag. Martina CHLESTIL as assessors, recognizes the complaint of XXXX against the penal decision of the data protection authority dated September 28, 2021, GZ: D550.289 2021-0.538.938, after conducting an oral hearing:

A)

I. The complaint is dismissed as unfounded pursuant to Section 28 Paragraph 2 VwGVG in conjunction with Article 12 Paragraph 2 in conjunction with Article 83 Paragraph 5 Letter b GDPR with the proviso that the fine is set at € 500,000 (in words: five hundred thousand euros) pursuant to Section 30 DSG.

II. The total amount to be paid (taking into account Section 64 of the Administrative Offenses Act) is therefore € 550,000 (in words: five hundred and fifty thousand euros).

B)

The appeal is admissible pursuant to Article 133, Paragraph 4 of the Federal Constitutional Court Act.

Text

Reasons for the decision:

I. Course of proceedings:

1. XXXX (= complainant before the Federal Administrative Court and accused in the administrative penal proceedings before the Data Protection Authority) acted as an address dealer with the aim of enabling its advertising customers to send targeted advertising and reducing advertising wastage. As part of this activity, it has - among other things - collected information and marketing classifications on the "party affinities" of the entire Austrian population, and also due to the media response, received more than 30,000 data protection inquiries from data subjects within a few months. In order to cope with the flood of inquiries, the complainant's responsible representative has implemented a web contact form to assert the most frequently used rights of data subjects in accordance with Art. 15, 17 and 21 GDPR and limited other contact options in this context.

2. With a measure initiating proceedings dated June 26, 2020, the data protection authority (also referred to as the authority or DPO) sent a request for justification based on official observations concerning the accused, as there is a suspicion that she has systematically violated data subjects' rights within the meaning of Art. 12 ff GDPR from January 7, 2019 to date, at least until May 26, 2020. This is particularly due to the fact that the exercise of data subject rights was restricted by the mandatory use of a "data protection form" for data subjects, requests for information pursuant to Art. 15 GDPR were sometimes not answered on time, sometimes inadequately, sometimes not answered at all, no information was provided about the use of the extension of time within the meaning of Art. 12 Para. 3 GDPR and the request to data subjects to prove their identity within the meaning of Art. 12 Para. 6 GDPR by submitting further documents and/or information was not initiated within the legally stipulated time limit.

3. In a justification dated September 4, 2020, the accused summarized that the proceedings should be discontinued because the authority had not made a specific description of the offense. There was no systematic violation of data subjects' rights and the accused had introduced an effective control system to comply with the requirements of the GDPR. This was ensured by the expertise of professionally qualified consultants in the field of data protection. In addition, it responded to all requests from data subjects in a lawful manner as quickly and efficiently as possible, a copy of ID was absolutely necessary due to the volume of data processed, the contact form set up was the best way (within the meaning of Art. 12 Para. 2 GDPR) to be able to deal with a high number of requests, and a data subject who sent an email to the accused's email addresses that were no longer in use immediately received a reference to the new contact form. It was not a mandatory contact option, as it was still possible to submit requests by post or fax. Requests that could not be processed via the contact form would still be accepted by email, as was pointed out in the data protection information and on the contact form itself. Furthermore, the authority refused to provide advice to the accused. No information was ever provided late and, with regard to the alleged incompleteness of the information, reference can only be made to the diverging legal views between the complainants and the accused, which must be clarified in the context of administrative or judicial proceedings. There was also no systematic "non-response" to requests from those affected. In the event of criminal conduct on the part of the accused, the integrity, use of means, use of resources, the continuous improvement process, mere negligence, lack of damage, cooperation with the authority and the effects of the pandemic should be taken into account as mitigating factors. A bundle of documents relevant to the proceedings was attached to the submission.

4. With a request for justification dated December 21, 2020 to the accused, the board members and the responsible representative, the data protection authority expanded the circle of accused and specified the alleged acts with the presentation of 18 (not exhaustively detailed) data protection complaints and summarized:

There is a suspicion that the representatives of the accused - who were listed in the commercial register for the period of the offense - and the responsible representative within the meaning of Section 9 Para. 2 of the Administrative Offenses Act had committed the alleged administrative offenses in connection with the planning, development and introduction as well as implementation and monitoring of a "data protection management concept" with regard to the treatment of data subjects' rights within the meaning of Art. 12 to 22 GDPR, at least by disregarding the required care and due to a lack of control and monitoring. In any case, when implementing the GDPR, they had not introduced an effective internal control system to avoid violations of data subjects' rights due to the expected increase in inquiries or applications. This ultimately leads to a systematic violation of the rights of those affected.

5. In their justification of February 15, 2021, the accused jointly and in addition to the justification of September 4, 2020, argued that the authority was making identical allegations and was now also listing the board members and the responsible representative as accused. This inadmissible conduct created apparent competition with the proceedings initiated in June 2020. To the extent that the latter assumed that a continuing offense was present, it should be pointed out that Art. 12 GDPR and Art. 15 GDPR are offenses that end when illegality occurs. The allegations do not describe any sanctionable act that the natural persons mentioned can be accused of. Contrary to the case law of the highest court, the authority had initiated administrative penal proceedings against the board members and the responsible representative "to be on the safe side", although this was not necessary for the liability of a legal person. This procedure makes it impossible for the accused to defend their legal positions, since all allegations are undifferentiated. It was precisely the ongoing risk of a data protection violation through the manual processing of all incoming requests from data subjects that made it necessary to partially automate the process using a contact form. The contact form has been implemented since July 17, 2019, and the majority of requests from data subjects are processed via this channel. This was never mandatory and those affected also had an email address available for detailed information. After switching to the GDPR contact form, it happened that those affected continued to use the accused's old email address. In such cases, they automatically received feedback from the XXXX mailbox that they had to use the GDPR contact form, even if their request was already being processed. On April 22, 2020, the mailbox was finally shut down and those affected who contacted this mailbox were sent a non-delivery notification. Finally, it should be pointed out that the statute of limitations has already expired for the majority of the cases brought by the authority. Moreover, any violation of the facilitation requirement is not directly punishable, because according to Art. 83 Para. 5 lit. b GDPR, a fine may only be imposed in the event of violations of the rights of those affected.

6. By simple summons dated May 17, 2021, the authority summoned XXXX (data protection officer of XXXX until June 2020) to appear as a witness and conducted the interview on June 1, 2021. In summary, the authority stated that it was never intended to restrict the rights of those affected and that the flood of inquiries had made a change absolutely necessary. The responsible officer declared the contact form to be permissible, which had been used from June/July 2019. She did not know whether board members were involved in the process. Since 2018, contact options had been postal delivery, fax, the customer service center and an email address. When the email address was deactivated, reference was automatically made to the contact form; there were no other changes to the contact options. The restriction to three rights of those affected in the contact form only occurred because the majority of those affected requested them; other requests were always permissible by post, fax or via the customer service center. This information was explained in the data protection information. Concerns that had already been raised were also affected by the change.

7. On June 2nd, 2021, the authority granted all parties involved the right to be heard with regard to the witness interview that took place on June 1st, 2021.

8. By summons dated June 2nd, 2021, the authority summoned the responsible representative to be interviewed on June 30th, 2021, where she stated in summary and as far as relevant:

The board had been informed of the high number of inquiries and had given the order to process them properly, the budget for the required workforce had been approved and she had been given the necessary authority to issue orders. There were time limits for implementation and the responsible representative informed the board quarterly about the progress of processing the enquiries. The expertise of XXXX and XXXX was used to implement the form (verbal consultations only); moreover, the responsible representative was familiar with the data protection regulations. She approved the form for use on her own responsibility; the board was not involved. After the form was implemented, an automatic reply referred to it before the previously used email address was finally deactivated. For the exercise of data subject rights other than those stated in the contact form, there was always a contact option by post, fax and customer service center.

9. With a supplementary justification dated June 30, 2021, the other accused commented on the witness interview of June 1, 2021 and specified it.

10. On July 1, 2021, the authority granted all parties involved the opportunity to be heard with regard to the interview of the accused on June 30, 2021.

11. In a supplementary request dated July 15, 2021 to the accused, the data protection authority requested the submission of the signed appointment of the responsible representative for the period in question, if this was not available or invalid, the resolution of the general board on the appointment of the responsible representative or other relevant documents and information on the scope of the responsibility assumed.

12. In a submission dated July 26, 2021, all other accused commented on the questioning of the accused on June 30, 2021, specified the information provided and complied with the requests of the data protection authority.

13. On September 28, 2021, the authority issued the contested penal decision against the accused XXXX for violating her duty to facilitate the exercise of rights of those affected, dropped all further charges against the accused and the other (individual) accused and essentially stated the following reasons:

By using the mandatory contact form, the accused had violated the principle of facilitation and made it more difficult for those affected to exercise their rights. This is particularly the case because it did not accept inquiries via other channels (deactivated email address or customer service center), referred to the contact form or only processed requests after the data subjects refused to use it. To the extent that the accused claims to also allow other channels, it did not adequately inform the data subjects about these options and instead gave the impression that contact was only possible via the form provided, since even trained employees of the accused had only referred to the contact form. This is therefore de facto a mandatory use of the contact form. The associated restriction to three specific data subject rights (by the accused) is also inadmissible. A data subject had to assert a data subject right not provided for in the contact form via the general contact form "Service offer - Other services", by letter/fax or by 13.12.2020 by email. Information to this effect was only provided in a non-transparent manner and the impression was created that only three data subject rights could be asserted electronically. The contact form also provided for identification exclusively by means of a valid photo ID; other identification methods were not possible. Due to the complete deactivation of the email inbox XXXX on December 15, 2020, such contact was prevented. The negligence arose from the attributable actions of the board members, as they did not implement an effective internal control system, and of the responsible representative, who should at least have recognized that the approved measures did not comply with the facilitation requirement of Art. 12 Para. 2 GDPR. There was no error of prohibition. According to Section 30 Para. 3 DSG, the imposition of an administrative penalty on natural persons is inadmissible if one has already been imposed on the legal person.

14. A complaint was filed against the above-mentioned penal decision on October 25, 2021, in which it was stated in summary that the complainant had not committed the alleged offense. She had not hindered the exercise of the rights of those affected. Rather, the provision of a contact form was a relief. Art. 12 GDPR is also not a penal norm and this article is too vague for this purpose. In addition, attribution to the board members cannot be made; moreover, the verdict of the penal decision is highly vague and the authority grossly misjudged the objective and subjective aspects of the offense in the sentencing. The complainant therefore requests that point I of the authority's verdict be removed without replacement and that the proceedings be discontinued; in the alternative, that the proceedings be discontinued with a warning; and in the further alternative, that the sentence be reduced.

15. In a letter dated November 22, 2021, the authority submitted the complaint, including the administrative act, to the Federal Administrative Court, requested that the complaint be dismissed, referred in full to the contested penal decision, and essentially stated with regard to the appeal against the decision that the authority had never claimed that a contact form did not constitute a relief. It was about the mandatory channeling of entries for those affected via the contact form provided; Art. 12(2) in conjunction with Art. 83(5) GDPR was a sufficiently specific criminal provision, and the complainant's further statements were also incomprehensible.

16. In a supplementary statement dated January 4, 2022, the authority suggested that the complaint procedure in question be suspended, as a request for a preliminary ruling is pending before the ECJ on whether a legal person can be directly affected in the administrative fine procedure for a violation of Art. 83 GDPR.

17. In a supplementary statement dated July 20, 2022, the authority summarized the complainant's fault by stating that an error of prohibition was ruled out in every respect. Contrary to the clear recommendation of the data protection training experts consulted, the complainant had restricted the exercise of data subject rights. Training materials from the complainant were attached to the submission.

18. By order of the Federal Administrative Court of October 12, 2022, the proceedings relating to the case C-807/21 pending before the ECJ were suspended.

By order of the Business Allocation Committee of the Federal Administrative Court of August 30, 2023, the proceedings in question were reassigned to Court Division W137.

19. By judgment of December 5, 2023, the ECJ issued its decision in case C-807/21. The latter stated, as far as relevant to the proceedings, that Article 58 (2) (i) and Article 83 (1) to (6) GDPR were to be interpreted as precluding a national provision according to which a fine for an infringement referred to in Article 83 (4) to (6) GDPR against a legal person in its capacity as controller could only be imposed if that infringement had previously been attributed to an identified natural person. Article 83 GDPR was to be interpreted as meaning that, under this provision, a fine could only be imposed if it was proven that the controller, who was a legal person and at the same time a company, had intentionally or negligently committed an infringement referred to in Article 83 (4) to (6) GDPR.

20. In its opinion of January 12, 2024, the data protection authority essentially stated that the complainant's argument - as far as it related to the attribution of a person acting at fault - was ineffective. In order to determine the penalty range, the concept of an economic unit under competition law should be taken into account; in the case of a systematic violation of the rights of those affected, a high degree of severity should be assumed and culpability in the form of negligence should be assumed. In this context, Section 5 of the Criminal Code is not relevant, since Art. 83 GDPR conclusively regulates the criminal offense according to the case law of the ECJ.

21. In statements dated January 12, 2024 and January 15, 2024, the complainant essentially stated that the verdict of the penal decision did not contain a clear statement on the degree of culpability, that there was an excusable error of law, that Article 12, Paragraph 2 of the GDPR was an indeterminate norm, and that the authority made an indiscriminate assessment of the relevant online tools (contact form).

22. On January 26, 2024, February 2, 2024 and February 23, 2024, an oral appeal hearing took place at the Federal Administrative Court, in which the parties had the opportunity to present their position, witnesses were questioned and the legal issues at issue in the proceedings were discussed. In a statement dated January 30, 2024, the complainant replied to the authority's submissions at the oral hearing on January 26, 2024, submitted an IT report on the contact form and, as far as relevant to the proceedings, stated that the facilitation requirement could not constitute a criminal norm and that the imposition of a cost contribution in the millions would not comply with the principle of proportionality. Procedural decisions rejected applications for further witness interviews and for obtaining an expert opinion. Following the last hearing, the deciding Senate announced the decision along with the main reasons for the decision.

23. In a (not merely procedural) decision dated February 26, 2024, the Federal Administrative Court corrected a typo in the recording of the decision announced orally in the minutes of the hearing dated February 23, 2024; this correction was not contested by the parties.

II. The Federal Administrative Court considered:

1. Findings:

1.1. The background to the present proceedings is the activity of the complainant (a legal entity) as an address publisher and the associated allocation of personal/address data to specific Sinus Geo milieus. In this context, several thousand data protection inquiries arrived in the mailbox XXXX within a few days from January 7, 2019. A total of 33,290 inquiries from data subjects were received between January 7, 2019 and June 30, 2019, of which 32,590 were submitted electronically. In July 2019, only 18 data protection inquiries were received.

1.2. As of January 7, 2019, the complainant offered the following contact options (also for data protection matters) on its homepage:

- Correspondence

- Email box XXXX

- Customer service contact form (online) with free text field

1.3. A specific contact option for data protection matters was not provided - despite the additional activity as an address publisher (with comprehensive customer categorization) and thus a matter that makes data protection inquiries much more likely than the core activity of the complainant.

1.4. The mailbox XXXX (in the MS Outlook system) was available as of January 7, 2019, but was only intended for relevant contacts, for example with the authorities or (only) for further contact with those affected in the case of data protection inquiries. However, this mailbox was explicitly communicated in the media by third parties immediately before and after January 7, 2019 in connection with inquiries regarding the Sinus Geo-Milieus, while at the same time calling for corresponding inquiries to be made. Systemically, the mailbox XXXX was not intended for such a volume of communication or for the structured processing of the relevant applications, and was effectively not suitable for this (while maintaining structured and secure processing). By June 30, 2019, more than 30,000 inquiries had been received via this channel.

1.5. On July 17, 2019, the XXXX mailbox was provided with an auto-reply that referred to the use of the data protection contact form, which was also installed on July 17, 2019. This initially only provided for three specific rights of the data subject (and also a free text field). The data protection contact form was implemented with the basic intention of making it easier for data subjects to exercise their rights under the GDPR and to facilitate the structured processing of enquiries.

1.6. The contact form set up from July 17, 2019 enabled electronic applications for three specific rights of data subjects (information, objection and deletion of data for third-party marketing purposes). At the end of the contact form there was a reference to the complainant's data protection information at XXXX (home page or "landing page" and information on contact options).

If a data subject asserted one of these three data subject rights ("information, objection, deletion of data for third-party marketing purposes") via the email address of the postal customer service ( XXXX - hereinafter) instead of using the contact form provided for this purpose, they were expressly referred to the exclusive use of the contact form.

1.7. As of July 17, 2019, new incoming requests from affected persons that arrived at the email inbox XXXX were no longer processed. Requests that had already been received (before July 17, 2019) from affected persons who had already identified themselves sufficiently were also processed after the contact form had been implemented and the mailbox had been converted. All remaining open requests that were incomplete or not sufficiently identified were not processed further.

The proposal to use the contact form in question was discussed with both internal and external consultants. There is no evidence that the legal advice obtained from the external consultants (lawyers) was given on the basis of complete factual information and what specific information was given to them. The advice was given orally and no legal opinion was obtained on the use of the contact form.

1.8. The mailbox XXXX was not used or made available exclusively for data protection matters, but for all (general) concerns of the complainant.

1.9. On January 31, 2020, the mailbox XXXX was removed from the data protection information (point 8. Contact), so that only the link to the data protection form and the complainant's postal address appeared there. Due to the shutdown on December 14, 2020, the mailbox XXXX was deactivated. From this point on, the data subjects only had the option of using the data protection contact form (for the three specific data subject rights) or the general customer service contact form (for the remaining data subject rights) for electronic communication.

1.10. The data protection contact form for data subjects has been updated several times. The first change was made in mid-July 2020 and was initiated by the request for justification dated June 26, 2020. The complainant added detailed information on the exercise of the data subject's rights at the end of the form, thereby replacing the general reference to the data protection information. From this point on, reference was also made to the contact form for data protection and that for other inquiries.

1.11. As proof of identity, the complainant initially officially only accepted a copy of a photo ID, or only this form of identification was made public. Due to numerous other means of identification put forward by those affected, these were actually also permitted and the responsible clerks were given instructions in a guideline on which means of identification were accepted or approved as such regardless of the public announcement. Identification by means of a digital signature was already permitted or accepted before the implementation of the data protection contact form on July 17, 2019, if the data subject also provided their date of birth. In order to query the databases of the accused for clear identification, the following data had to be disclosed: name, address and date of birth.

In September 2020, the official option for those affected to identify themselves using a digital signature (mobile phone signature) was implemented (in addition to the option of identifying themselves using a photo ID). However, throughout the entire period of the offense and even before the implementation of the contact form, it was common (internal) practice of the accused that those affected could identify themselves using a digital signature. Since January 2021, the data protection contact form has covered all data subject rights, the two active contact forms having been merged.

1.12. The complainant has generally processed all of the more than 30,000 relevant inquiries within a few months, with complications or errors only occurring in a low double-digit number of procedures.

1.13. The complainant's consolidated sales revenue for 2020 amounts to EUR 2.1892 billion.

2. Assessment of evidence:

2.1. The findings under 1.1. arise from the complainant's justifications of September 4, 2020 and February 15, 2021, the minutes of the questioning of the responsible officer by the data protection authority and the complainant's statements in the oral hearing before the Federal Administrative Court on January 26, 2024 and February 2, 2024. The figures relating to the requests received from those affected arise from the graphic submitted by the complainant in the course of the justification of September 4, 2020 and its confirmation in the oral hearing of February 2, 2024.

2.2. The findings under 1.2. arise from the complainant's submissions in the course of the administrative penal proceedings before the authority (in particular in the context of her justification of September 4, 2020), the complaint of October 25, 2021 and its confirmation by the submissions in the oral hearing before the Federal Administrative Court on January 26, 2024 and February 2, 2024.

2.3. The finding regarding the lack of a channel explicitly intended for data protection matters (1.3.), despite the additional activity as an address publisher, is based on the complainant's own submissions in the course of the proceedings and the subsequent implementation of a data protection contact form. This arises in particular from the justifications during the administrative penal proceedings, the complainant's submissions in the oral hearing before the Federal Administrative Court on February 2, 2024 and the complaint of October 25, 2021.

2.4. The findings regarding 1.4. arise from the justifications and statements made by the complainant during the proceedings before the authority, the complaint of October 25, 2021, the complainant's submissions in the oral hearing before the Federal Administrative Court on February 2, 2024, and the graphic submitted by the complainant in the course of the justification of September 4, 2020. The complainant also expressly stated that MS Outlook is simply not suitable for the secure and structured processing of such an incoming message.

2.5. The findings under 1.5. arise from the complainant's submissions during the administrative penal proceedings before the authority (in particular the minutes of the witness interview of June 1, 2021 and June 30, 2021 and the data protection notices of October 30, 2019 submitted in the course of the statement of July 26, 2021), the complaint of October 25, 2021 and the complainant's identical submissions in the oral hearing of February 2, 2024.

2.6. The findings made on the data protection contact form (1.6.) are based on the complainant's statements of July 26, 2021 and June 30, 2021, the minutes of the witness interview/accused interview of August 12, 2021 and June 30, 2021, the PDF printout of the data protection contact form included in the administrative act, the complaint of October 25, 2021 and the complainant's submissions in the oral hearing before the Federal Administrative Court on February 2, 2024.

The findings made regarding the handling of inquiries via the email address XXXX after implementation of the data protection contact form arise from the minutes of the witness/accused interview on August 12, 2021 and June 30, 2021 as well as the confirmation of this practice by the complainant in the oral hearing before the Federal Administrative Court on February 2, 2024.

2.7. The findings made are essentially based on the minutes of the questioning of the accused on June 30, 2021 and the minutes of the witness questioning on August 12, 2021, the complaint of October 25, 2021 and the complainant's submissions in the oral hearing before the Federal Administrative Court on February 2, 2024.

The findings made regarding an alleged error of law arise from the minutes of the questioning of the accused on June 30, 2021, the complaint of October 25, 2021 and the submissions in the oral hearing before the Federal Administrative Court on January 26, 2024, February 2, 2024 and February 23, 2024.

2.8. The findings made regarding the handling of inquiries via the email address XXXX after the implementation of the data protection contact form arise again from the minutes of the witness/accused interview on August 12, 2021 and June 30, 2021 as well as the confirmation of this practice by the complainant in the oral hearing before the Federal Administrative Court on February 2, 2024.

2.9. The findings on 1.9. arise from the administrative act of the authority (in particular the complainant's statement of July 26, 2021 and June 30, 2021, the minutes of the witness interview of August 12, 2021 and June 30, 2021), the complaint of October 25, 2021 and the complainant's submissions in the oral hearing before the Federal Administrative Court on February 2, 2024 and February 23, 2024.

2.10. The findings regarding the changes to the contact forms made by the complainant in the course of the proceedings arise from the minutes of the witness interview of August 12, 2021, the minutes of the accused interview of June 30, 2021 and the (revised/updated) contact form submitted by the complainant in the course of the written justification of September 4, 2020. The finding that the digital signature was already considered a permissible means of identification by the complainant when dealing with data subject enquiries before the implementation of the contact form if a date of birth was known is based on the record of the witness interview of August 12, 2021, the complaint of October 25, 2021 and the complainant's credible submissions at the oral hearing on February 2, 2024.

2.11. The findings on 1.11. arise from the administrative act of the authority (in particular the internal guidelines on proof of identification when processing inquiries regarding the rights of those affected, the minutes of the witness interviews/accused interviews of June 1, 2021, June 30, 2021 and August 12, 2021), the complaint of October 25, 2021 and the complainant's submissions at the oral hearing on February 2, 2024.

2.12. The finding that all requests from those affected have been (almost completely) processed results from the administrative act, in particular the authority's request for justification of December 21, 2020, whereby the authority had already noted in this request that the requests had ultimately already been answered at that time (in the course of the proceedings), the complaint of October 25, 2021 and the complainant's submissions in the oral hearing before the Federal Administrative Court on February 2, 2024 and February 23, 2024.

2.13. The finding regarding group turnover results from the complainant's group annual report for the 2020 financial year, which was attached to the authority's statement of January 12, 2024.

3. Legal assessment:

3.1. According to Art. 130 Para. 1 Z 1 B-VG, the administrative courts decide on complaints against the decision of an administrative authority on the grounds of illegality.

According to Section 6 BVwGG, the Federal Administrative Court decides by a single judge, unless federal or state laws provide for decisions by senates.

According to Section 27 paragraph 1 DSG, the Federal Administrative Court decides by a senate on complaints against decisions due to violation of the duty to inform pursuant to Section 24 paragraph 7 leg.cit. and the duty of the data protection authority to decide. According to Section 27 paragraph 2 first sentence DSG, the senate consists of a chairperson and one expert lay judge each from the circle of employers and from the circle of employees. In this case, the senate is therefore responsible.

The procedure of the administrative courts, with the exception of the Federal Finance Court, is regulated by the VwGVG, BGBl. I No. 33/2013 (§ 1 leg.cit.). According to Section 59, Paragraph 2 of the Administrative Court Act (VwGVG), conflicting provisions that were already published at the time this federal law comes into force remain in force.

According to Section 17 VwGVG, unless otherwise provided for in this federal law, the provisions of the General Administrative Procedure Act (AVG), with the exception of Sections 1 to 5 and Part IV, the provisions of the Federal Fiscal Code - BAO, Federal Law Gazette No. 194/1961, the Agricultural Procedure Act - AgrVG, Federal Law Gazette No. 173/1950, and the Civil Service Procedure Act 1984 - DVG, Federal Law Gazette No. 29/1984, and, in addition, those procedural provisions in federal or state laws that the authority applied or should have applied in the proceedings preceding the proceedings before the administrative court, shall apply mutatis mutandis to the proceedings on complaints pursuant to Art. 130 Para. 1 B-VG.

Regarding A) I.

3.1.1. The relevant provisions of the GDPR read in part:

Article 5 - Principles for the processing of personal data:

(1) Personal data must

(a) be processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);

(b) be collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered incompatible with the original purposes in accordance with Article 89(1) (‘purpose limitation’);

(c) be adequate, relevant and limited to what is necessary for the purposes of the processing (‘data minimisation’);

(d) be accurate and, where necessary, kept up to date; all reasonable measures shall be taken to ensure that personal data which are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which they are processed; personal data may be stored for longer provided that the personal data are processed solely for archiving purposes in the public interest or for scientific and historical research purposes or statistical purposes in accordance with Article 89(1), subject to the implementation of appropriate technical and organisational measures required by this Regulation to protect the rights and freedoms of the data subject (‘storage limitation’);

(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, by means of appropriate technical and organisational measures (‘integrity and confidentiality’);

(2) The controller shall be responsible for compliance with paragraph 1 and shall be able to demonstrate compliance ('accountability').

Article 12 - Transparent information, communication and modalities for exercising the data subject's rights:

(1) The controller shall take appropriate measures to provide the data subject with all information referred to in Articles 13 and 14 and all communications referred to in Articles 15 to 22 and Article 34 relating to processing in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for information specifically addressed to children. The information shall be provided in writing or in another form, including, where appropriate, electronically. If requested by the data subject, the information may be provided orally, provided that the identity of the data subject has been proven in another form.

(2) The controller shall facilitate the exercise of the data subject's rights under Articles 15 to 22. In the cases referred to in Article 11(2), the controller may refuse to act on the data subject's request to exercise his or her rights under Articles 15 to 22 only if the controller demonstrates that it is not in a position to identify the data subject.

(…)

Article 83 - General conditions for imposing administrative fines:

(1) Each supervisory authority shall ensure that the imposition of administrative fines under this Article for infringements of this Regulation as referred to in paragraphs 5 and 6 is effective, proportionate and dissuasive in each individual case.

(2) Administrative fines shall be imposed in addition to or instead of measures under points (a) to (h) and (i) of Article 58(2), depending on the circumstances of the individual case. In deciding on the imposition of a fine and on the amount thereof, due account shall be taken in each individual case of:

(a) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected by the processing and the extent of the damage suffered by them;

(b) the intentional or negligent nature of the infringement;

(c) any measures taken by the controller or processor to mitigate the damage caused to data subjects;

(d) the degree of responsibility of the controller or processor, taking into account the technical and organisational measures implemented by them in accordance with Articles 25 and 32;

(e) any relevant previous infringements by the controller or processor;

(f) the level of cooperation with the supervisory authority to remedy the infringement and mitigate its possible adverse effects;

(g) the categories of personal data affected by the infringement;

(h) how the infringement came to the knowledge of the supervisory authority, in particular whether and, if so, to what extent the controller or processor communicated the infringement;

(i) compliance with measures previously ordered pursuant to Article 58(2) against the controller or processor concerned in relation to the same subject matter, where such measures have been ordered;

(j) compliance with approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and

(k) any other aggravating or mitigating circumstances specific to the case, such as financial advantages gained or losses avoided directly or indirectly as a result of the infringement.

(3) Where a controller or processor intentionally or negligently infringes several provisions of this Regulation in the case of the same or related processing operations, the total amount of the fine shall not exceed the amount for the most serious infringement.

(…)

(5) Infringements of the following provisions shall be punishable, in accordance with paragraph 2, by fines of up to EUR 20 000 000 or, in the case of an undertaking, up to 4% of its total worldwide annual turnover of the preceding financial year, whichever is higher:

(a) the principles for processing, including the conditions for consent, set out in Articles 5, 6, 7 and 9;

(b) the rights of the data subject set out in Articles 12 to 22;

(…)

3.1.2. The relevant provisions of the Administrative Penal Code read in extracts:

§ 5. - Guilt:

(1) Unless an administrative regulation on culpability provides otherwise, negligent conduct is sufficient to constitute a criminal offence. Negligence is to be assumed without further ado in the case of contravention of a prohibition or non-compliance with an order if the occurrence of damage or danger is not part of the administrative offence and the offender does not credibly demonstrate that he is not at fault for violating the administrative regulation.

(1a) Paragraph 1, second sentence does not apply if the administrative offence is punishable by a fine of more than EUR 50,000.

(2) Ignorance of the administrative regulation that the offender has contravened only excuses if it can be proven that it was not his fault and the offender could not have seen that his conduct was unlawful without knowledge of the administrative regulation.

§ 10. - Penalties:

(1) The type of penalty and the penalty rate are governed by the administrative regulations, unless otherwise provided in this federal law.

(2) If no special penalty is set for administrative offenses, in particular for violations of local police regulations, they are punished with a fine of up to 218 euros or with imprisonment of up to two weeks.

§ 19. - Sentencing:

(1) The basis for determining the penalty is the importance of the legal interest protected by criminal law and the intensity of its impairment by the offense.

(2) In ordinary proceedings (sections 40 to 46), the aggravating and mitigating circumstances that are relevant to the purpose of the threat of punishment must also be weighed against each other, insofar as they do not already determine the threat of punishment. Particular consideration must be given to the extent of the fault. Taking into account the nature of administrative criminal law, sections 32 to 35 of the Criminal Code must be applied accordingly. The accused's income and assets and any duty of care must be taken into account when determining fines.

§ 33a. - Advice:

(1) If the authority determines an infringement and the importance of the legal interest protected by criminal law and the intensity of its impairment by the act and the fault of the accused are minor, the authority must, unless the administrative regulations stipulate otherwise, advise him with the aim of ending the criminal conduct or activities as effectively as possible and request him in writing, stating the facts established, to restore the situation in accordance with the administrative regulations and official orders within a reasonable period of time.

(2) If the written request is complied with within the time limit set or extended by the authority, then further prosecution of a person for those violations for which the situation has been brought into line with the law and official orders is inadmissible.

(3) The intensity of the impairment of the legal interest protected by criminal law is not insignificant in any case if the violation has had adverse effects on persons or property or if the occurrence of such effects is to be expected if the criminal conduct or activities continue for even a short period of time.

(4) The intensity of the impairment of the legal interest protected by criminal law is considered to be insignificant if minor deviations from technical dimensions have been identified and none of the circumstances mentioned in paragraph 3 apply.

(5) Paragraphs 1 and 2 do not apply in any case to

1. Violations of administrative regulations that require intentional conduct in order to be punishable;

2. Violations that were already the subject of advice and written notice from the authority within the last three years before the violation was determined or for which relevant administrative penalties that have not yet been paid off are recorded by the authority;

3. Violations that give rise to temporary coercive and security measures provided for in the administrative regulations;

4. Violations for which the administrative regulations provide for the measure of withdrawal of authorizations.

§ 64. - Costs of criminal proceedings:

(1) In every penal decision, it must be stated that the person punished must make a contribution to the costs of the criminal proceedings.

(2) This contribution is to be calculated for the first instance proceedings at 10% of the penalty imposed, but at least at 10 euros; in the case of prison sentences, one day of imprisonment is to be taken into account for the calculation of the costs, equal to 100 euros. The contribution to the costs is paid to the local authority, which must bear the authority's costs.

(3) If cash expenses are incurred in the course of the administrative penal proceedings (Section 76 AVG), the person punished is to be ordered to reimburse these expenses, unless they are caused by the fault of another person; the amount to be reimbursed is to be set out in figures, if possible, in the judgment (of the penalty order), otherwise by special notice. This does not apply to fees due to the interpreter and translator who was assigned to the accused.

(4) The collection of the cost contributions (Section 1 and Section 54d) and the cash expenses is to be waived if it can be reasonably assumed that this would be unsuccessful.

(5) Sections 14 and 54b (1), (1a) and (1b) shall apply mutatis mutandis.

(6) If an application by the person convicted to reopen criminal proceedings is not granted, the preceding provisions shall apply mutatis mutandis with regard to the obligation to bear the costs of the proceedings.

3.2. Application of the legal basis to the specific case:

3.2.1. Criminal liability of a legal person and limitation period for prosecution:

The ECJ stated the following regarding the criminal liability of legal persons in Case C-807/21:

“In particular, it is clear from the tenth recital of the GDPR that its provisions have, inter alia, the objectives of ensuring a uniform and high level of data protection for natural persons when personal data are processed throughout the Union and, to that end, of ensuring that the rules protecting the fundamental rights and freedoms of such persons are applied uniformly and consistently throughout the Union when such data is processed. However, it would be contrary to that purpose of the GDPR to allow Member States to require unilaterally and as a necessary condition for the imposition of a fine pursuant to Article 83 of the GDPR on a controller which is a legal person that the infringement in question has previously been attributed to or can be attributed to an identified natural person. Moreover, such an additional requirement could ultimately weaken the effectiveness and deterrent effect of fines imposed on legal persons as controllers, in breach of Article 83(1) of the GDPR. In view of the questions referred by the referring court, it must be stated that the concept of ‘undertaking’ within the meaning of Articles 101 and 102 TFEU is irrelevant to the question whether and under what conditions a fine under Article 83 of the GDPR can be imposed on a controller which is a legal person, since that question is exhaustively regulated in Article 58(2) and Article 83(1) to (6) of the GDPR. In the light of the foregoing, the answer to the first question is that Article 58(2)(i) and Article 83(1) to (6) of the GDPR must be interpreted as precluding national legislation under which a fine for an infringement referred to in Article 83(4) to (6) of the GDPR can be imposed on a legal person in its capacity as controller only if that infringement has previously been attributed to an identified natural person.

In this regard, with regard to the question of whether an infringement was committed intentionally or negligently and can therefore be punished with a fine under Art. 83 GDPR, it should be made clear that a controller can be sanctioned for conduct that falls within the scope of the GDPR if he could not have been unaware of the illegality of his conduct, regardless of whether he was aware that it violated the provisions of the GDPR. If the controller is a legal person, it should also be made clear that the application of Art. 83 GDPR does not require any action or even knowledge on the part of the management body of that legal person. In view of all of the foregoing, the answer to the second question is that Article 83 of the GDPR is to be interpreted as meaning that, under that provision, a fine may only be imposed if it is proven that the controller, who is a legal person and at the same time an undertaking, committed an infringement referred to in Article 83(4) to (6) of the GDPR intentionally or negligently.” (ECJ 5 December 2023, (Deutsche Wohnen SE) C-807/21)

It follows that a legal person can be the accused in administrative penal proceedings without the data protection violation having previously been attributable to a natural person from the circle of the undertaking (Section 9 VStG, Section 30 DSG). The VwGH confirmed the transferability of the decision on the German legal situation to the Austrian legal situation with its ruling of February 1, 2024, Ra 2020/04/0187. It thereby departed from its established case law on the criminal liability of legal persons in administrative penal proceedings: criminal liability is to be established and the penalty assessed on the basis of the exhaustive catalogue of Art. 83 GDPR alone, whereby fault in the form of intent or negligence is mandatory. However, this does not mean that an action or knowledge on the part of the management body of the legal person is required. The national regulations in Section 9 VStG and Section 30 DSG, which contradict these statements, must remain unapplied when assessing the case at hand. The treatment of the complainant's further submissions on this topic (including two requests for justification addressed to the BF, the management board and the responsible representative) could therefore be omitted. For this reason, the complainant's argument made in the course of the proceedings regarding the statute of limitations that has already expired (in several cases) is also irrelevant.

3.2.2. On data processing, the requirement to facilitate and the claim that there is no penalty/blank-filling norm:

The principle of transparency was not explicitly mentioned in the Data Protection Directive and the Data Protection Act 2000, but was implicitly included in the form of the provisions on the obligation to provide information. In the GDPR, the principle of transparency is specified in Articles 13 and 14 on the obligation to provide information and Article 12 on the relevant modalities. The content of the principle of transparency can therefore be derived from these provisions and from Recitals 39 and 58: data subjects must be able to see that personal data is being processed, what data is being processed, for what purposes it is being processed, by whom it is being processed (identity of the controller) and to whom it may be transmitted. In addition, data subjects should be informed of the risks, rules, guarantees and rights associated with the processing and of how to assert these rights. This information must be precise, easily accessible and understandable, and written in clear and simple language. The importance of the transparency of processing and thus of the obligation to provide information lies in particular in its function as a necessary prerequisite for the exercise of the rights of data subjects. (Hötzendorfer/Tschohl/Kastelitz in Knyrim, DatKomm Art 5 GDPR Rz 18, 19 (as of 7.5.2020, rdb.at))

The fact that the processing of data on party affiliation and other data, such as name or address, is a processing (cf. Art. 4 Z 2 GDPR) of personal data within the scope of Art. 2 Para. 1 GDPR has not been disputed and is also not in question for the deciding Senate. In addition, the complainant is undisputedly the controller within the meaning of Art. 4 Z 7 GDPR. In this context, the data subjects have the right in particular to have the processing concerning them subject to a legality check, and the exercise of the data subject's rights in accordance with Articles 15-22 of the GDPR must be guaranteed.

Art. 12 GDPR provides as a principle for the manner in which information is to be exchanged for any processing of personal data that all communications in connection with Art. 13, 14, 15-22 and 34 must be communicated in a precise, transparent, intelligible and easily accessible form, in clear and plain language, in writing, electronically or orally (see paragraph 1). The controller is obliged to facilitate the exercise of the data subject's rights in accordance with Articles 15 to 22, and refusal is only permissible if the controller is unable to identify the data subject (see paragraph 2). Paragraphs 3 and 4 contain the deadlines to be observed in this context. The information must in principle be provided free of charge (see paragraph 5) and the request for proof of identity is only permissible in the event of reasonable doubt (see paragraph 6). Paragraphs 7 and 8 regulate the use of standardised icons and the Commission's power to adopt more specific provisions.

Article 12 paragraph 2 first sentence of the GDPR requires the exercise of the rights of the data subject to be made easier in accordance with Articles 15 to 22 of the GDPR (relevant to the complaint). Article 12 paragraph 2 of the GDPR represents part of the principle of transparency stipulated in Article 5 paragraph 1 lit a of the GDPR. The appeal proceedings are based on the allegation that the complainant made it more difficult for the data subject to exercise their rights in accordance with Articles 15 to 22 of the GDPR by switching the electronic accessibility to a contact form with mandatory identification by photo ID and a limitation to three specific rights of the data subject (with a free text field), while at the same time discontinuing the communication channel of the email address XXXX (and later another email address XXXX ). The receipt of a large number of requests for information in accordance with Article 15 of the GDPR and the exercise of a large number of other rights of the data subject are on record. Art. 83 (5)(b) GDPR can be considered as a criminal provision, which punishes violations of the rights of the data subjects in accordance with Art. 12 to 22 GDPR with a fine. This includes Art. 12 (2) first sentence GDPR. For this reason alone, there are no concerns about the criminal liability of conduct in accordance with Art. 83 (5)(b) GDPR in conjunction with Art. 12 (2) GDPR.

In addition, in light of the relatively new situation of the applicability of the penal provisions of the GDPR, the criticized requirement of sufficient specificity of the penal provisions must be addressed at this point:

In the context of a blanket penal provision in the Goods Transport Act, the Constitutional Court stated that “[t]he Constitutional Court has consistently ruled (cf. VfSlg. 12.947/1991 with numerous references to case law) that the legal process of externally separating the offence from the threat of punishment, as is characteristic of blanket penal provisions, is constitutionally unobjectionable. However, it has also considered it essential in the case of blanket criminal provisions that the offence is clearly identified by the law as a prohibition and thus as a punishable offence; that, furthermore, if the punishable offence consists in contravening a mandatory norm, the unlawfulness of an omission is clearly recognizable; and, finally, that the offence of a blanket criminal provision must be clearly identified so that everyone is able to understand it as such (VfSlg. 12.947/1991 mwN). Therefore, unlawful and therefore punishable conduct may only be assumed on the basis of blanket criminal provisions if and to the extent that the person addressed by the provision can clearly see the distinction between permissible and unlawful conduct so that any justified doubt on the part of the person subject to the provision about the content of his or her duty-bound conduct is excluded (VfSlg. 14.319/1995).” (VfGH, VfSlg. 17479, 04.03.2005).

In this regard, the Senate is assuming that Art. 12 para. 2 first sentence of the GDPR satisfies the requirement of sufficient specificity in that the requirement to facilitate the exercise of the rights of the data subject (Recital 59) is regulated sufficiently clearly in direct relation to the accessibility (communication channels) of the controller for the purpose of asserting these rights.

While it is acknowledged that Article 12, paragraph 2, first sentence of the GDPR does not explicitly contain any concrete measures to facilitate the exercise of data subject rights, it can be deduced from this that no further hurdles may be set up for the provision of information under Articles 13 and 14 and that notifications under Articles 15–22 and 34 must be carried out in accordance with the statutory requirements (cf. Articles 15–22) (e.g. lack of or limited accessibility, costly communication, imprecise contact addresses, content or linguistic requirements are not taken into account). (Illibauer in Knyrim, DatKomm Art 12 DSGVO Rz 71 (as of 1.12.2021, rdb.at))

In connection with the question of the sufficient specificity of the penal provisions, the Constitutional Court pointed out in the above-cited decision with regard to the Goods Transport Act that the applicable provisions were provisions of primary law or directly applicable regulatory provisions, and that the penal provisions were addressed to the "drivers", who as such are in any case obliged to familiarize themselves with the national and Community law provisions applicable to their professional practice (cf. VfSlg. 17479/2005).

In this sense, it therefore seems unobjectionable to point out to the complainant, who is subject to the norm here, that she is called upon to deal with the specific design of Art. 12 Para. 2 first sentence of the GDPR in the light of her additional and voluntary activity (as an address publisher), which is not part of her core activity and which is expected to result in a higher number of people who actually exercise their rights as data subjects. This also includes the examination of the regulations that have been in force to date (cf. Art. 12 lit. a DS-RL), the case law, and the evaluation and assessment of the established communication channels for the exercise of data subject rights. The complainant must implement any necessary and supplementary measures in an appropriate form.

Article 12, paragraph 2 of the GDPR is therefore sufficiently specific to form the basis for a penal provision. In the present case, the first sentence of Article 12, paragraph 2 of the GDPR is to be read in conjunction with the relevant rights of the data subject in the subsequent provisions and is also subject to a proportionality test.

3.3. On the guilty verdict pursuant to Article 83, paragraph 5, letter b, GDPR in conjunction with Article 12, paragraph 2 of the GDPR:

3.3.1. On the existence of criminal liability (objective elements):

The provision of Article 12, Paragraph 2 of the GDPR stipulates, among other things, that the controller makes it easier for the data subject to exercise their rights. Recital 59 states: "Methods should be laid down to facilitate the exercise of the rights conferred on a data subject by this Regulation, including mechanisms to ensure that he or she can request and, where appropriate, obtain access to personal data, rectification or erasure, or exercise his or her right to object free of charge. In particular, the controller should ensure that requests can be made electronically, in particular where the personal data are processed electronically. The controller should be obliged to respond to the data subject's request without undue delay and at the latest within one month, giving reasons for refusing the request, where appropriate."

The controller must make it easier for data subjects to exercise their rights of access, rectification, erasure, restriction, data portability and objection (also known as the ‘facilitation principle’). This means that no further hurdles may be put in place for the provision of information in accordance with Articles 13 and 14, and that notifications in accordance with Articles 15–22 and 34 must be made in accordance with the statutory requirements (cf. Articles 15–22) (e.g. lack of or limited accessibility, costly communication, imprecise contact addresses, content-related or linguistic requirements are not taken into account). If the controller can no longer identify the data subject because identification is no longer necessary for the purpose of processing, the controller can refuse to take action. In this case, the rights of the data subject can naturally no longer be exercised unless the data subject provides additional information that enables their identification. In these cases, the controller must itself provide credible evidence that it is not in a position to identify the data subject (Article 12 paragraph 2). (Illibauer in Knyrim, DatKomm Art 12 GDPR Rz 71, 72 (as of December 1, 2021, rdb.at))

This obligation, which goes beyond a mere prohibition of obstruction, underlines the importance of the rights of those affected as an essential prerequisite for informational autonomy and obliges those responsible to take this into account by advising the persons concerned, providing simple information options and channels, and by facilitating the exercise of rights themselves (cf. Dix in Simitis/Hornung/Spiecker, Data Protection Law, Art. 12 Rz 23).

The controller must organize its communication with the data subjects in such a way that their rights can actually be fulfilled without excessive effort (see Bäcker in Kühling/Buchner, General Data Protection Regulation Commentary, Article 12, paragraph 25 ff). "It is therefore not permissible to refer the data subjects to certain communication channels in order to exercise their rights, especially if the controller offers personalized services" (see Leiter in Gantschacher/Jelinek/Schmidl/Spanberger, Commentary on the General Data Protection Regulation, Article 12, paragraph 4, p. 159).

The authority's classification of the facts established under the provisions of Article 12, paragraph 2 of the GDPR proves to be correct in the end.

On July 17, 2019, the complainant set up a data protection contact form on its website for the processing of electronic data subject enquiries, but limited it to three specific (the most important at the time) data subject rights. From this point onwards, those affected who submitted or wanted to submit an application by email to the (still active) electronic mailbox XXXX were referred to the exclusive use of the data protection contact form. From July 17, 2019, even those affected who, for example, responded to the accused's last request to submit a copy of their ID were systematically advised by the accused via an automated response to use the data protection contact form.

In addition, the complainant did not inform those affected (externally) about the possibilities of alternative submission, either in this response or in the contact form (data protection information updated several times). Ultimately, all available electronic communication channels referred to the newly introduced contact form. Only when the person concerned refused to use the contact form was his request processed/forwarded. The complainant thus gave those affected the impression that they only had to use the data protection contact form for electronic inquiries. However, submission by fax or post was always possible in parallel.

Within the scope of the contact form in question, the data subjects only had the choice between three specific data subject rights ("Information", "Objection", "Deletion of data for third-party marketing purposes"). The data subjects had to assert the remaining data subject rights either via the "Service offer - Other services" at XXXX (the contact form for all - including non-data protection - concerns concerning the complainant) or - at least until December 14, 2020 - by email to XXXX. In addition, as stated in the contact form, there was the alternative option of submitting the other rights by letter/fax. Only the most frequently claimed data subject rights were listed in the data protection contact form. The use of the contact form in question could therefore also give the data subjects the - misleading - impression that they could only exercise the three data subject rights specified by the complainant within the electronic channel by using the data protection contact form.

In addition, until July 2020, those affected were only referred to the data protection information at the end of the form. Although the customer service email address was listed as a contact option in the data protection information (until January 30, 2020), those affected were not informed in a transparent manner in the contact form or in the data protection information that they were entitled to further rights beyond those mentioned in the form and which input channels they should use to submit them. Although the data protection information contained a general description of all the rights of those affected, those affected were subsequently referred to the contact form to exercise their rights electronically.

As part of the data protection contact form, those affected were systematically asked in advance to attach a legible copy of a valid photo ID to their application by implementing an "upload field" as a mandatory field in the contact form. In addition, the person concerned was required to provide their date of birth and address. However, even before the implementation of the contact form, the accused accepted a number of other means of identification in the context of dealing with the rights of the data subject: in particular the digital signature (if the date of birth was also known), a registration form or if the data subject provided at least the following: name, address and date of birth. Thus, before the implementation of the data protection contact form, a large number of identification variants were permitted, which were initially massively restricted with the use of the form on July 17, 2019 and then expanded again, initially unofficially and step by step.

The complainant finally redesigned the electronic input channel for the rights of the data subject by no longer making the email inbox for any email inquiries available to the data subject from December 14, 2020. From this point on, the data subject only had the choice between the data protection contact form (for exercising the three specifically specified rights of the data subject) or the general contact form (for exercising other rights of the data subject) within the electronic channel.

Overall, the information in the data protection notice (including the multiple amendments) and the options for electronic contact in data protection matters through these measures in the relevant period prove to be confusing for those affected and restrictive compared to the previous period (before January 2019). It is therefore correct for the authority to state that the procedure just described and established at the time of the data protection breach violated the facilitation requirement and consequently constitutes an offence under Art. 83 (5) (b) GDPR. The ECJ's case law on C-807/21 does not fundamentally change this assessment.

3.3.2. On the degree of fault (subjective elements of the offense):

Since the authority imposed the fault on the attributable natural persons (board members and the responsible representative), this had to be reassessed. Strict liability is out of the question and intent or negligence is always a mandatory requirement for fulfilling the criminal offense under Art. 83 Paragraph 5 Letter b GDPR.

It should also be pointed out that according to the new case law, the application of Article 83 GDPR does not require any action or even knowledge on the part of a management body of a legal person. Rather, it must be objectively assessed whether the legal person is to blame for the data protection violation that occurred.

It is undisputed that the procedure described under 3.3.1. was carried out on the basis of direct instructions from the responsible representative in her autonomous area of responsibility and decision-making, which was granted to her by the complainant's board of directors. Despite the consultations carried out and the unrestricted access to three communication channels (contact form, fax and post) throughout the relevant period, the complainant has since restricted the electronic communication options in its external presence (website) so rigorously that this constitutes a fault in the sense of slight negligence. This particularly applies to the period from January 31, 2020 and more so from December 14, 2020, as well as the (official) restriction to identification by photo ID.

The trigger for these measures was the complainant's lack of provision for increased data protection inquiries in connection with a relevant sensitive business area outside of the core activity.

The Federal Administrative Court agrees with the data protection authority insofar as the allegation in the present case represents the restriction of the exercise of data subjects' rights over a longer period of time - triggered by the wave of inquiries from January 7, 2019 - starting with the restriction of electronic communication options from July 17, 2019. Since the complainant - also through the responsible representative - also allowed other identification options internally and continued communication by email was also able to be enforced through the insistence of customers, the complainant's actions as a whole cannot be viewed as "extremely careless" in this context.

The measures taken by the complainant - specifically the responsible representative - were not intentionally driven by the aim of impairing/restricting data subjects' rights, but focused on the structured and secure processing of inquiries within the framework of the company structure. In this context, an excessive restriction of electronic communication options was made - slightly negligently.

The establishment of an electronic contact form in itself and its particularly prominent placement on the website is in any case not to be seen as problematic.

It should also be noted that the more than 32,000 inquiries received by email in the mailbox XXXX before July 17, 2019 were processed by the complainant.

The authority cannot therefore be contradicted when it affirms that the subjective elements of the offence exist. However, the actions of the complainant are only minor negligence based on the above.

3.3.3. On the error of law:

Insofar as the complainant denies fault and argues in particular that there is an excusable error of law, the following must be stated:

The accused can be blamed for ignorance of the law if he has not informed himself about the content of the relevant norms - despite having reason to do so. There is therefore a duty to investigate. The Administrative Court practically always affirms such an obligation to investigate if the existence of relevant rules for the respective activity is evident. If the accused fails to make such inquiries when there is a required duty to inform, a relevant error of law can be blamed (established case law, e.g. Administrative Court 10.2.1999, 98/09/0298). (Lewisch/Fister/Weilguni, VStG3, § 5, Rz 18).

In the present situation, the complainant must have been aware that there are relevant data protection regulations, all the more so as the GDPR was widely reported and discussed in public when it came into effect in 2018, a large number of media articles appeared on this topic and the complainant voluntarily decided to pursue the activity of an address publisher in addition to her core activity. This would have required an intensive examination of the questions surrounding the rights of those affected and their processing or enforcement, due to the sensitivity of the matter.

If the perpetrator receives incorrect information during his inquiries and follows this, his error is excusable if he proceeded with due care in obtaining this information (legal advice). According to the case law of the VwGH (VwSlg 14.020 A/1994), reliance on the consistent case law of the highest court, the (notified) administrative practice of the competent authority and other reliable information from knowledgeable persons or institutions based on complete information on the facts of the case is an excuse (see most recently VwGH 02.09.2015, Ra 2015/08/0073 and /0075; 10.01.2023, Ra 2022/06/0314). (Lewisch in Lewisch/Fister/Weilguni, VStG3 § 5 Rz 19-20 (as of 1.7.2023, rdb.at))

On the legal advice provided by professional party representatives (e.g. lawyers or chartered accountants): The exculpatory effect of such information is (often only) recognized in principle (already VwGH 12.05.1931, 0740/29). The case law is ultimately very restrictive. The case law requires - with good reason - that such legal advice must also be based on the relevant case law of the highest courts and, if applicable, on the legal opinion of the competent authority (VwSlg 11.744 A/1985). However, it does not do justice to the fact that an error in this regard is that of the party's representative and not of the accused, who is himself not sufficiently knowledgeable and is only just seeking expert advice; the incorrectness of the information does not give rise to blame towards the accused. Reliance on the legal advice is only blameworthy if the accused is aware of the conflict with an opposing opinion of the authorities (or a different opinion: VwGH 15. 9. 2022, Ra 2022/02/0141) or if doubts arise directly from the content of the information that are obvious even to the non-expert (VwGH 22.02.2006, 2005/17/0195; 12.08.2014, 2013/10/0203); however, the requirements in this regard must not be exaggerated. As far as can be seen, there is no case law on the assessment of legal advice by a legal department employee (in-house counsel). Under the aforementioned requirements - complete information on the facts, orientation towards the relevant supreme court case law - reliance on his assessment would also be considered exculpatory. In concreto, however, with regard to the assessment of a newly hired legal employee without previous experience in the matter, fault is affirmed. (Lewisch in Lewisch/Fister/Weilguni, VStG3 § 5 Rz 21 (as of July 1, 2023, rdb.at))

From the complainant's submissions in the course of the administrative proceedings, it can be seen that she received only oral advice from internal and external consultants or lawyers, who consistently affirmed the legal admissibility of the complainant's actions. As can be seen from the legal statements, the existence of an error of prohibition must be assessed very restrictively. The authority is to be confirmed if it assumes that a blanket statement regarding internal and external advice without appropriate documentation or verifiability does not meet the strict requirements of the VwGH case law. On this basis, an exculpatory error of prohibition cannot be based on either the "in-house counsel" or the external consultations. Rather, in its supplementary statement of July 20, 2022, the authority presented training documents that contradicted the complainant's statements (see also the testimony of witnesses before the Federal Administrative Court on February 2, 2024). These were prepared by an external consultant on behalf of the complainant for the rights of those affected in accordance with Art. 15 GDPR and suggest that requests from those affected should be redirected exclusively for requests made orally. These also included the note that requests from those affected should in principle be made in any way and answered in this way. The complainant must therefore have had doubts about the legal opinions previously obtained orally, as she acted contrary to this (actually documented) advice.

It is also evident that the relevant literature (e.g. Gantschacher/Jelinek/Schmidl/Spanberger, Commentary on the General Data Protection Regulation Article 12, para. 4) argues otherwise. It can therefore be assumed that the process of obtaining legal advice was not carried out with the necessary care, although the complainant did not intend to weaken the rights of the data subjects.

The excusability cannot be justified by the fact that the complainant did not have enough time to carefully research and obtain legal advice due to the high number of requests from data subjects. Simply because of the activity outside the core area - and in a matter that is sensitive in terms of data protection law - this question should have been given much greater attention.

3.3.4. On the assessment of the penalty:

The ECJ stated the following in margin numbers 56 to 59 regarding the assessment of the penalty to be imposed on a legal person for an infringement that can be subsumed under Article 83 GDPR:

"56 For the purposes of applying the competition rules laid down in Articles 101 and 102 TFEU, this concept of an undertaking includes any entity carrying out an economic activity, regardless of its legal form and the way in which it is financed. It therefore refers to an economic unit, even if from a legal point of view this unit consists of several natural or legal persons. That economic unit consists of a single organisation of personal, tangible and intangible resources which pursues a specific economic purpose on a permanent basis (judgment of 6 October 2021, Sumal, C‑882/19, EU:C:2021:800, paragraph 41 and the case-law cited).

57 Thus, it follows from Article 83(4) to (6) of the GDPR, which concerns the calculation of fines for the infringements listed in those paragraphs, that where the addressee of the fine is an undertaking within the meaning of Articles 101 and 102 TFEU or belongs to such an undertaking, the maximum amount of the fine is to be calculated on the basis of a percentage of the total worldwide annual turnover of the preceding financial year of the undertaking concerned.

58 Ultimately, as the Advocate General observed in point 47 of his Opinion, only a fine the amount of which is set by the supervisory authority on the basis of the actual or material capacity of the addressee, on the basis of the concept of an economic unit within the meaning of the case-law cited in paragraph 56 of the present judgment, can satisfy the three conditions laid down in Article 83(1) of the GDPR, namely to be effective, proportionate and dissuasive.

59 Therefore, where a supervisory authority decides, on the basis of its powers under Article 58(2) of the GDPR, to impose a fine pursuant to Article 83 of the GDPR on a controller which is or belongs to an undertaking within the meaning of Articles 101 and 102 TFEU, it is obliged, pursuant to Article 83, read in the light of recital 150 of the GDPR, to use the term ‘undertaking’ within the meaning of Articles 101 and 102 TFEU when calculating the fines for the infringements referred to in Article 83(4) to (6) of the GDPR.”

The basis for calculating the fine is EUR 2.1892 billion (corresponding to the group's sales revenue in 2020) and is fundamentally undisputed. In a letter dated January 12, 2024, the authority pointed out that it had "mistaken" the specific figure in the first-instance penal proceedings and had used sales revenue of just under EUR 1.9 billion instead of just under EUR 2.2 billion. However, given the penalty calculation set out below, there is no conflict with the prohibition of reformatio in peius (Verschlechterungsverbot), which also applies in administrative criminal law.

As already explained above, in the case of an infringement covered by Article 83(4) to (6) GDPR, which concern the fines for the infringements listed in those paragraphs, EU law requires the maximum amount of the fine to be determined on the basis of a percentage of the total worldwide annual turnover of the preceding financial year (EUR 2.1892 billion) of the legal person concerned. In particular, when assessing the amount of the penalty to be imposed, the actual or material capacity of the addressee must be taken into account; at the same time, the penalty must be effective, proportionate and dissuasive.

In the present case of Art. 12 Para. 2 GDPR, this is determined according to Art. 83 Para. 5 lit. b GDPR. The penalty range therefore extends according to Art. 83 Para. 5 GDPR up to an amount of EUR 20,000,000 or, in the case of a company, up to 4% of the worldwide annual turnover of the previous financial year, whichever is higher.

Article 83, Paragraph 2, GDPR provides for the following criteria (to be used in the present case) when determining the penalty:

(a) the nature, severity and duration of the infringement, taking into account the nature, scope or purpose of the processing in question, as well as the number of persons affected by the processing and the extent of the damage suffered by them;

(b) the intentional or negligent nature of the infringement;

(c) any measures taken by the controller to mitigate the damage caused to the persons concerned;

(d) the degree of responsibility of the controller, taking into account the technical and organisational measures taken by the controller in accordance with Articles 25 and 32;

(e) any relevant previous infringements by the controller;

(f) the level of cooperation with the supervisory authority to remedy the infringement and mitigate its possible adverse effects;

(g) the categories of personal data concerned by the infringement;

(h) the manner in which the infringement became known to the supervisory authority, in particular whether and, if so, to what extent the controller communicated the infringement;

(…)

(k) any other aggravating or mitigating circumstances specific to the case, such as financial benefits gained or losses avoided directly or indirectly as a result of the infringement.

The determination of the sentence within a statutory penalty range is a discretionary decision that must be made according to the criteria set out by the legislator in § 19 VStG (VwGH 05.09.2013, 2013/09/0106).

The basis for determining the sentence is the importance of the legal interest protected by criminal law and the intensity of its impairment by the act (§ 19(1) VStG). In addition, the aggravating and mitigating factors that come into consideration must be weighed against each other. Particular attention must be paid to the extent of the guilt. Taking into account the nature of administrative criminal law, §§ 32 to 35 of the Criminal Code (StGB) are to be applied accordingly. The accused's income and assets and any care obligations must be taken into account when determining fines (§ 19(2) VStG).

The penalty is determined on the basis of the Guidelines 04/2022 on the calculation of administrative fines under the GDPR of the European Data Protection Board, version 2.1, adopted on May 24, 2023 (also the "Guidelines" of the EDPB), and on the basis of the degree of seriousness "low". On this basis, the amount of the fine had to be set well in the lower part of the penalty range as part of a balancing exercise. According to the Guidelines, for turnovers over EUR 500 million a dynamic range is to be used, which in respect of Art. 83 Para. 5 GDPR is 0% to 0.4%. The appeal proceedings provided no indications to deviate from this calculation method, and the Guidelines used were brought to the attention of the parties at the oral hearing before the Federal Administrative Court.

According to Art. 83 (2) (a) GDPR, the amount of damage incurred as well as the number of people affected by the violation and the impact or risk on their rights and freedoms must be assessed. The time component also plays a role. According to the Article 29 Data Protection Working Party, it also plays a role whether any damage has occurred at all. (Illibauer in Knyrim, DatKomm Art 83 GDPR Rz 68-69 (as of December 1st, 2021, rdb.at))

Due to the underlying facts, only the number of people affected could be considered an aggravating factor. Through the violation of Article 12 paragraph 2 GDPR, the accused prevented a large number of data subjects from exercising their rights under Articles 15 to 22 GDPR. In particular, those data subjects who had already submitted an incomplete request by email to the accused before the implementation of this contact form were asked to submit a new application. The fact that the complainant nevertheless dealt with the matter despite the data subject's refusal does not change the basic procedure and its problematic nature, but must be assessed in the context of culpability and thus also the sentencing. The same applies to the official requirement of exclusive identification by means of photo ID, which was handled internally in a different way - more friendly to those affected. There is no evidence of particular severity, as no significant damage was caused. In this context, it has been proven that with a short-term volume of over 30,000 requests in accordance with Art. 15-22 GDPR, problems arose or errors occurred in only a few cases (low double-digit range). The processing was carried out as part of a specially set up "task force" by the complainant in order to avert any negative consequences for those affected. This is also related to the serious crisis management and the rapid action of the complainant in the context of the data protection violation that occurred, which meant that the duration of the violation could be limited to an actual period of a few months. The complainant began to correct the alleged data protection violation immediately after the first request for justification.

As already discussed above, the complainant, as the person responsible for the data processing in question, can only be proven to have been "slightly negligent" with regard to the violation of the facilitation of the rights of the data subject in accordance with Art. 12 Para. 2 GDPR. There is no evidence of grossly negligent violations by the person responsible, nor of any behavior on the part of the complainant or measures taken by the person responsible within the relevant time frame that would be considered "extremely careless". The complainant was able to credibly demonstrate that her actions were intentionally motivated by the desire to ensure that the data subjects' requests were processed, and corrective measures were also repeatedly taken (during the first-instance administrative penal proceedings).

In addition, it must be taken into account as a mitigating factor that no relevant previous infringements of the GDPR provisions at issue are apparent. For the sake of completeness, it should be noted at this point that although the complainant has already been confronted with other administrative penal proceedings in the context of the GDPR, these are not relevant to the violations in question here.

In addition, the complainant cooperated in the investigation before the data protection authority and the Federal Administrative Court and made a significant contribution to finding the truth (particularly through the responsible representative). It should also be emphasized that the mitigating factors cited in the contested criminal judgment (page 51f) again clearly emerged in the appeal hearing.

Regardless of this, due to the economic size of the complainant and the inadequate preparation in connection with a business area that is particularly sensitive in terms of data protection law (outside its core activity), general preventive considerations must in any case be taken into account when determining the sentence. For these reasons alone, refraining from imposing a sentence was out of the question.

In summary, the level of punishment imposed by the decision in question, in the lowest range of the penalty range, is on the one hand appropriate to the guilt but also sufficiently deterrent for the complainant, who has already made improvements during the ongoing appeal proceedings and intensified consultations with the authorities.

3.4. On the other complaints:

3.4.1. First request for justification and certainty of the verdict of the penal decision:

§ 42(1)(1) VStG requires a clear description of the offence the accused is charged with and of the relevant administrative regulation.

The description of the offence must be so clear that the accused is in a position to offer evidence related to the specific charge (Walter/​Thienel II2 § 42 Note 2). The mere notification of the receipt of certain documents, combined with the granting of the opportunity to comment, is not a (sufficient) request (VwGH 27.5.1988, 88/18/0015). The subject of the administrative penal proceedings can only be the offence specified in the request (Walter/​Thienel II2 § 42 Note 2). (Fister in Lewisch/Fister/Weilguni, VStG3 § 42 Rz 4 (as of 1.7.2023, rdb.at))

The authority fulfilled its obligation (in the first request for justification) by describing the offence the complainant was accused of in sufficient detail and naming the corresponding legal bases; in any case, it was not a matter of the mere submission of documents combined with a request for justification. The authority's explicit choice of words: "...the exercise of data subject rights was restricted by the mandatory use of a data protection request form" was also an umbrella term that also covers the partial restriction within the electronic channel.

The act assumed to be proven is the fact that constitutes the criminal offense. The accused has a subjective right to have the act assumed to be proven correctly and completely presented to him (VwGH 8.8.2008, 2008/09/0042; 17.9.2014, 2011/17/0210; 24.4.2015, 2013/17/0400; 6.9.2016, Ra 2016/09/0049). A penalty may only be imposed for the offence to which the first prosecution act (cf. § 32) – which initiated the criminal proceedings – referred (Mannlicher/​Quell II8 § 44a Note 3; Walter/​Thienel II2 § 44a Note 4; Schulev-Steindl6 Rz 624).

The conduct of the offence must be described in the verdict itself (and not only in the reasons for the decision). The description of the offence assumed to be proven must be based on the offence picture under consideration in each case; the question of its conformity with the requirements of Section 44a Z 1 VStG must therefore be assessed individually in each specific case (VwGH 17.9.2009, 2008/07/0067; 5.9.2013, 2013/09/0065; 18.5.2016, Ra 2015/17/0029) and is therefore generally not revisable (VwGH 4.7.2016, Ra 2016/04/0053). However, sufficient specification will generally require the location of the crime, the time of the crime and the essential content of the crime (VwGH 27.4.2011, 2010/08/0091; 20.11.2018, Ra 2017/02/0242; 26.6.2019, Ro 2018/03/0047), but in principle not the results of the evidence or all of the circumstances relevant to the sentencing (VwGH 16.2.2023, Ra 2021/02/0170). (Fister in Lewisch/Fister/Weilguni, VStG3 § 44a Rz 3 (as of 1.7.2023, rdb.at))

Contrary to the complainant's submission in her complaint, the ruling of the penal decision of September 28, 2021 does not concern the complainant's administrative criminal conduct in relation to the introduction or implementation of a contact form for three specific rights of those affected (with a free text field). The subject of the authority's penal decision is the simultaneous, gradual restrictions of the electronic communication channel to the aforementioned contact form and the creation of further obstacles for those affected (see objective elements of the offense). In addition, the authority determined the place of the offense, the time period and the events of the offense with sufficient precision.

3.4.2. Acts of prosecution:

A similar assessment applies to the submission that the authority undertook several acts of prosecution, in particular several requests for justification: the first request listed only the complainant as accused, while the second also listed the board members and the responsible representative. According to the complainant, this approach is inadmissible and violates the fundamental right to a fair trial and § 25 VStG.

Insofar as the argument concerns acts of prosecution against persons whose conduct was attributed to the complainant (to establish guilt), reference is made to the ECJ decision in Case C-807/21; this argument requires no further consideration.

Prosecution acts include in particular the penal order (e.g. VwGH 18.3.1998, 96/09/0246), the summons (e.g. VwGH 21.9.1988, 88/03/0042), a request for legal assistance processed on time (e.g. VwGH 29.4.2011, 2008/09/0286), a formal presentation of the results of the investigation (e.g. VwGH 29.2.2012, 2008/10/0191), the notification of the content of the report with the request to submit a statement on justification if the report contains all the essential elements of the offence (e.g. VwGH 18.10.2011, 2011/02/0281; 24.2.2014, 2012/17/0462), bringing the administrative criminal act to the attention of the accused when granting the right to be heard (e.g. VwGH 19.7.2011, 2011/02/0097) and the request of the first instance authority to bring the entire evidence procedure to the attention of the accused and to record a counter-statement (e.g. VwGH 26.5.1993, 93/03/0037). (Weilguni in Lewisch/Fister/Weilguni, VStG3 § 32 Rz 22 (as of 1.7.2023, rdb.at))

The authority therefore carried out numerous acts of prosecution, including witness interviews, hearings of the parties, requests for justification and orders to submit documents, to which it is entitled and indeed legally obliged in order to establish the facts relevant to the decision and to protect the parties' rights within the framework of the principle of material truth.

3.4.3. Advice instead of punishment - Section 33a VStG - Refusal by the data protection authority:

None of the exceptions listed in § 33a(5) VStG, which exclude the applicability of paragraphs 1 and 2, apply. The applicability of § 33a VStG requires, according to paragraph 1, that the authority establishes an infringement and that the importance of the legal interest protected by criminal law, the intensity of its impairment and the culpability of the accused are minor. According to paragraph 3, the intensity of the impairment of the legal interest protected by criminal law is not minor if the infringement has had a detrimental effect on persons or property, or if the occurrence of such effects is to be expected where the criminal conduct or activities last even a short time.

In the present case, advice in accordance with Section 33a VStG was ruled out because the importance of the legal interest protected under criminal law cannot be considered to be insignificant. In its decision of June 19, 2018, Ra 2017/02/0102, with regard to the legal interest of maintaining public safety in road traffic under the StVO, the VwGH stated that the importance of this legal interest was not insignificant because Section 99 Paragraph 3 Letter a StVO provides for a penalty range for fines of up to EUR 750 and the value of the legal interest protected by the violated norm is also reflected in the amount of the statutory penalty range. This must therefore be the case with the penalty range of Section 83 Paragraph 5 Letter b GDPR of up to EUR 20,000,000. For this reason alone, the authority should not proceed with advice but rather initiate administrative penal proceedings.

3.4.4. No applicable case law of the Federal Administrative Court on reference to online tools:

The authority's legal assessment is correct if it assumes that referring the data subjects to the contact form is not covered by the case law of the Federal Administrative Court (e.g. W101 2132039-1). The decision cited by the complainant in her complaint deals with secure remote access to user data, which guarantees registered customers access to all of their personal data at any time and enables them to delete or correct it immediately. In addition, Recital 63 is not relevant in the current complaint procedure (if possible, the controller should be able to provide remote access to a secure system that would allow the data subject direct access to their personal data).

It is undisputed that the complainant did not set up such an area (or a user account) for the data subjects, as she argued throughout the entire procedure that data subjects must exercise their rights via the data protection contact form. All answers and actions were carried out by the complainant herself, without any data subject having direct access to their personal data.

3.5. Costs of the criminal proceedings:

After the level of the penalty was reassessed, the contribution to the costs of the criminal proceedings to be awarded in accordance with Section 64, Paragraphs 1 and 2 of the Administrative Penalty Act had to be reassessed. This amounts to 10% of the penalty imposed, but at least EUR 10, and was therefore determined to be EUR 50,000 in accordance with the ruling. A contribution to the costs of the administrative court proceedings did not have to be awarded because the complaint (with regard to the level of the penalty) was upheld in accordance with Section 52, Paragraph 8 of the Administrative Court Act.

The admissibility of the flat-rate cost contribution under EU and constitutional law, which the complainant disputes, is based on the ECJ decision of October 14, 2021, C-231/20. However, a national regulation is not in conflict with Article 56 TFEU (paragraph 58 of the ECJ decision mentioned above) if a contribution to the costs of the proceedings in the amount of 10% of the fines imposed is to be made, provided that this contribution is neither excessive in view of the actual costs of such proceedings nor violates the right of access to the courts enshrined in Article 47 of the Charter. For the Federal Administrative Court, there is no indication that even one of the two requirements is not met. The cost contribution of EUR 50,000 is not disproportionate to an administrative criminal proceeding that has been ongoing since June 26, 2020 and does not therefore result in any (in particular economic) obstacle for the complainant to access a court. In its ruling of June 26, 2018, G44/2018, the Constitutional Court also already held that there are no such concerns in connection with the rights guaranteed by the constitution, in particular with regard to Art. 6 ECHR.

3.6. On the suspension of the appeal proceedings:

According to the established case law of the Administrative Court, the question of how Union law is to be interpreted (cf. VwGH 20.2.2003, 2001/16/0518; 26.6.2003, 98/18/0334; 26.4.2011, 2011/03/0015), including the question of whether it is directly applicable (VwGH 29.1.2003, 99/03/0151) and supersedes domestic law (VwGH 4.3.1999, 98/16/0166; 31.1.2003, 2002/02/0158; 3.7.2003, 2000/15/0137), is a (such) preliminary question because, according to the ECJ's monopoly on interpretation in matters of primary and secondary Union law, it is to be decided by that (this) court (see also VwSlg 15.560 A/2001 and VwGH 28.10.2008, 2008/05/0129). The VwGH therefore considers both the (administrative) authorities and the VwG (cf. VwGH 20.11.2018, Ra 2017/12/0072; 14.1.2020, Fr 2019/12/0042) and - in countless decisions - itself to be entitled to suspend the proceedings pursuant to (Section 17 VwGVG or Section 62 Para. 1 VwGG in conjunction with) Section 38 last sentence AVG if the relevant (not yet decided) question is already pending before the ECJ in a similar case, in particular on the basis of a request for a preliminary ruling - for example from the VwGH itself, an ordinary court or a court within the meaning of Art. 267 TFEU of another Member State (cf. VwGH 20.2.2003, 2001/16/0518; 17.11.2004, 2002/14/0056; 10.4.2020, Ra 2017/09/0005) - (see also VwGH 19.12.2000, 99/12/0286 mwN; 16.11.2016, Ra 2016/18/0172; 18.12.2020, Ra 2020/15/0059). (Hengstschläger/Leeb, AVG § 38 Rz 17, 18 (as of 1.4.2021, rdb.at))

In this context, it should be noted that the deadlines to be observed in the context of the administrative penal proceedings (including Section 34 Para. 1 VwGVG, Section 43 Para. 1 VwGVG) were suspended during the suspended appeal proceedings until the decision of the European Court of Justice in Case C-807/21. The appeal proceedings therefore did not have to be discontinued and the authority's penal decision did not become invalid. Since the complainant filed the complaint in question on time on October 25, 2021, and the Federal Administrative Court, by order of October 12, 2022, suspended the proceedings pursuant to Section 17 VwGVG in conjunction with Section 38 AVG until the ECJ's decision in case C-807/21 on the request of the Berlin Higher Regional Court of December 6, 2021, (exclusively) concerning the question of the issuance of a penal order in relation to a legal person, and the European Court of Justice ruled on the submitted proceedings by judgment on December 5, 2023, whereupon the suspension was terminated ex lege, the decision-making period for the Federal Administrative Court was still open at the time of the decision.

B) Admissibility of the appeal:

According to Section 25a, Paragraph 1 of the Administrative Court Act, the administrative court must state in its ruling or decision whether the appeal is admissible in accordance with Article 133, Paragraph 4 of the Federal Constitutional Act (B-VG). The ruling must be briefly justified.

The appeal is admissible in accordance with Article 133, Paragraph 4 of the Federal Constitutional Act (B-VG) because the decision depends on the solution of a legal question that is of fundamental importance and because there is no case law from the Administrative Court on it. This concerns the questions of using the principle of facilitation (Article 12 GDPR) as the basis for criminal proceedings and the admissibility of a structured - in this sense "limited" - electronic input channel for data protection enquiries for the more efficient administration of the same.