DSB (Austria) - 2020-0.191.240

From GDPRhub
Revision as of 08:38, 18 August 2020 by MB (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=Austria |DPA-BG-Color= |DPAlogo=LogoAT.png |DPA_Abbrevation=DSB |DPA_With_Country=DSB (Austria) |Case_Number_Name=2020-0.191.240 |ECLI=ECLI:A...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
DSB - 2020-0.191.240
LogoAT.png
Authority: DSB (Austria)
Jurisdiction: Austria
Relevant Law: Article 4(1) GDPR
Article 9(1) GDPR
Article 9(1) GDPR
Article 16(2) TFEU
Article 53 CFR
Article 8 CFR
§ 1 DSG
§ 4 DSG
§ 24 DSG
Type: Complaint
Outcome: Rejected
Started:
Decided: 25.05.2020
Published: 14.08.2020
Fine: None
Parties: Bundesamt für Sicherheit im Gesundheitswesen (BASG)
unnkown GmbH (limited company), pharma trade
National Case Number/Name: 2020-0.191.240
European Case Law Identifier: ECLI:AT:DSB:2020:2020.0.191.240
Appeal: Not appealed
Original Language(s): German
Original Source: Rechtsinformationssystem des Bundes (RIS) (in DE)
Initial Contributor: Marco Blocher

Lorem ipsum.

English Summary

Facts

Lorem ipsum.

Dispute

Lorem ipsum.

Holding

Lorem ipsum.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

GZ: 2020-0.191.240 of 25.5.2020 (number of proceedings: DSB-D124.1182)
Note Processor: Names and companies, legal forms and product names, addresses (including URLs, IP and e-mail addresses), file numbers (and similar), etc., as well as their initials and abbreviations may be abbreviated and/or changed for reasons of pseudonymisation.
Obvious spelling, grammar and punctuation errors have been corrected].
B E S C H E I D S P R U C H
The data protection authority decides on the data protection complaint of A***pharma GmbH (complainant) from **** U***, represented by L*** B*** Rechtsanwälte GmbH & Co KG in **** H***, of 1 August 2019 against the Federal Office for Safety in Health Care (respondent, hereinafter also BASG) for violation of the right to secrecy (Section 1 (1) DSG) as follows    The appeal is dismissed as unfounded.
Legal basis: Article 51(1), Article 57(1)(f) and Article 77(1) of Regulation (EU) 2016/679 (the basic data protection regulation, hereafter: DSGVO), OJ L 119, 4.5.2016
p. 1; Article 16 of the Treaty on the Functioning of the European Union (TFEU), OJ No C 202, 7.6.2016, p. 1; Article 8 of the Charter of Fundamental Rights of the European Union (EU-GRC), OJ No C 202, 7.6.2016, p. 389; Sections 1, 18(1) and 24(1) and (5) of the Data Protection Act (Datenschutzgesetz, DSG), BGBl. I No. 165/1999 as amended; §§ 62 et seq. of the German Medicines Act (AMG), Federal Law Gazette No. 185/1983 as amended; §§ 1 et seq. of the 2009 Medicines Operating Regulations (AMBO 2009), Federal Law Gazette II No. 324/2008 as amended; § 6a of the Health and Food Safety Act (GESG), Federal Law Gazette I No. 63/2002 as amended.
R E G R O U N D U N G
A. Arguments of the parties and procedure Arguments of the appellant:
     In her complaint, dated 1 August 2019 and received by the data protection authority by e-mail on the same day, the complainant, who is represented in a friendly manner, submitted the following (by submitting the documents enclosures ./A to ./C): She considered that her right to confidentiality of personal data pursuant to Article 1 (1) DSG had been violated since 14 March 2019 due to the unlawful collection, processing and disclosure as well as the failure of the defendant to delete her personal data through official channels.
    The complainant is authorised under trade law to engage in the wholesale trade in medicinal products and poisons under Paragraph 116(1)(5) of the GewO 1994 and has a licence under Paragraph 63 of the AMG to engage in the activity of a wholesaler in medicinal products. On 14 March 2019, the respondent had officially initiated an extraordinary - and therefore unannounced - tax audit procedure on the basis of § 68 of the German Medicines Act. The tax audit had taken place on the complainant's premises. The definition of the purpose of the official act by the authorities had been "review of supplier and customer qualification, as well as of the current list of traded pharmaceuticals". However, the defendant's inspectors also carried out an inspection of the complainant's premises, took photographs of packages of the medicinal product "P***" and threatened, without reason, to close the complainant's warehouse. Mr Alfred O***, MSc, the complainant's authorised signatory who was present, had been questioned and, with reference to the purpose of "customer and supplier qualification", had been asked to submit supplier lists, customer lists and, in particular, various invoice documents and to make copies of them to BASG. This affected a total of five files full of documents, most of which consisted of invoices. In view of the existing "printing situation", these documents had also been handed over to the defendant. These documents had been recorded in the minutes of the official act as Annexes 1 to 12.
 However,    the relevant information was partly incorrect, as invoice documents on the E*** pharmacy were also taken along, which did not originate from the year 2019 but from December 2018. Even a superficial examination, which had not been carried out, had shown the defendant's inspectors that these business documents (a) were not kept in connection with an obligation under pharmaceutical law and (b) had not been taken along in the context of an audit of the operation of a Section 68 AMG and that their data content should not have been processed for this purpose. Legally, there was a violation of the complainant's rights as a party. The taking of business documents and the taking of photographs was not covered by § 68 of the AMG. The actual purpose of the official act was still unknown to the complainant; the respondent had not answered a written inquiry to this effect.
    The defendant also failed to examine immediately after the taking of the business documents whether they were covered by the purpose of the official act and, if so, to delete those business documents to which this was not the case. This obligation arises from the fundamental right to data protection itself, which would be ineffective in its vertical effect if there were an official obligation to delete personal data which are not required and which have been processed unlawfully.
     According to the complainant's knowledge, the business documents had also been disclosed or transmitted to third parties without legal grounds. Specifically, the documents had been transmitted by means of automated data traffic to, inter alia, the Austrian Chamber of Pharmacists. In the complainant's view, the respondent had also violated her rights with regard to this data transfer, since data which the authority was not allowed to process could not be transferred to third parties.
    Since the tax audit of 14 March 2019, inspectors of the respondent would further contact existing and potential business partners of the complainant (three concrete cases were described) and, referring to the "informal" nature of the conversation, warn of "problems" that could arise from business relations with the complainant. In the course of these talks, personal data of the complainant had also been unlawfully transmitted.
    The complainant's fundamental right to data protection under Section 1(1) of the DSG was infringed (i) by the taking and subsequent processing of the photographs; (ii) by the processing (taking and storing or (ii) by the processing (taking along and storing or entering into the file system of the authority) of the business documents; (iii) by the unlawful disclosure of the business documents to the Austrian Chamber of Pharmacists (and any other entities); (iv) by the unlawful disclosure of the business documents to existing and potential future business partners of the complainant; 3.2019, which turned out to be unlawfully processed.
    The complainant was actively legitimised as a legal person to enforce her subjective right to data protection under Article 1 of the Data Protection Act. The business documents processed by the respondent were personal data of the complainant. The complainant was, on the one hand, individually determined directly by her company and, on the other hand, characteristics that were indirectly characteristic of her (e.g. invoice number, abbreviations) could be determined by her. By assigning them to a file or a unique electronic number, photographs also become personal data of the complainant. Whether a natural person or the complainant's company is recognisable on a photograph is irrelevant in this context.
     In the case of an undertaking such as the complainant, there is a legitimate interest in keeping business secrets secret, and even business documents which two other (legal) persons have issued to each other are already legitimate on the basis of the complainant's obligation to keep such business documents secret.
 The Data Protection Deregulation Act 2018 had not limited the simple-law part of the DPA to the protection of natural persons. Even if this were the case, there would be a loophole that was contrary to planning, which would have to be closed by analogy, since a provision that protects the subjective rights of a person affected at constitutional level must never remain without the possibility of enforcement.
    The defendant's official act of 14 March 2019 was unlawful, since an extraordinary audit is primarily aimed at inspecting facilities and means of transport, the manner of storage and transport, such as compliance with the cold chain for medicinal products. The proceedings pursuant to § 68 of the German Medicines Act were not administrative criminal proceedings and did not have the purpose of enabling additional - otherwise unattainable - investigative evidence while circumventing party rights of an administrative criminal proceeding. Inspection and copying is only permitted by law with regard to documents that must be kept in accordance with the provisions of the German Medicines Act. The latter are to be understood as Section VII (§§ 62 to 71a) of the AMG and the AMBO 2009. In the case of a tax audit pursuant to AMBO 2009, the quality assurance in the storage and distribution of pharmaceuticals is particularly important. The guidelines of the European Commission of 5 November 2013 on good distribution practice for medicinal products for human use, which are based on Articles 84 and 85b(3) of Directive 2001/83/EC (GDP guidelines), are not a directly applicable legal basis. Furthermore, with regard to photography and other gathering of evidence, a necessity test was required and the principle of the least invasive means would have had to be applied under data protection law.
 On the basis of the provisions of pharmaceutical law, with regard to customer qualifications as well as supplier qualifications and the purpose of the defendant's "list of traded medicinal products", only documents can be inspected which record (i) the identity of business partners and (ii) the traded medicinal products with them (but no quantity information). Under no circumstances is there any entitlement beyond this. Therefore, turnover, the specific business model and other internal company information, even within the proceedings pursuant to Section 68 of the German Medicines Act, were covered and protected by the fundamental right to data protection and their processing by the respondent thus constituted an unlawful interference.
    In any event, this concerned the following data, which were not necessary for a review of the complainant's operations under Section 68 AMG (earmarking: "review of the qualification of suppliers and customers and of the current list of traded medicinal products"):
 Appendix 2: Complete inventory list A***pharma Deadline 14.3.2019;
 Appendix 4: Example for the supply from the F***pharmacy (wholesale) to the A***pharma
 Annex 5: Transport order letter for collection from pharmacies on behalf of the E*** pharmacy (wholesale), 24 pieces *R.1*848*47.1 1*;
 Appendix 6: List of the sources of supply of E*** and F*** as well as A***pharma direct supply;
 Annex 7: Copy of logistics contract with F*** Apotheke KG; Annex 8: Copy of logistics contract with E*** Apotheke KG;
 Appendix 9: Copy of business agreements with E*** Apotheke KG;
    Appendix 11: Copy of the documents of all the medicinal products related to wholesale trade from the E*** pharmacy (January to March 2019);
 Annex 12: Copies of the documents of all drugs purchased from F*** Apotheke Großhandel (January to March from 2019).
    As has already been stated, the defendant unlawfully failed to carry out the official deletion of data required at the latest after the examination of these documents.
    Since Section 80(1) of the German Medicines Act requires the transmission of personal data of the complainant to the authorities referred to in Paragraph 3 of the German Law on the Protection of Human Drugs and Drug Safety only for the purpose of ensuring the safety of medicinal products, it is not necessary for the complainant to provide such data. Since § 80.1 AMG only permits the transfer of personal data of the complainant to the recipients mentioned in Subsection 3 of the Law, this provision does not apply to the transfer of internal business information of the complainant to the Chamber of Pharmacists.
 The right to secrecy pursuant to Article 1.1 of the Data Protection Act would also protect the complainant against oral transmission of her data. For this reason, conversations between inspectors of the respondent with various third parties, irrespective of the question of the correctness or incorrectness of the content, would also be data transfers that would require a legal basis that the respondent would have to explain.
    The complainant submitted the applications that the data protection authority should be granted "by analogy pursuant to Section 24 of the DSG" on the grounds of a violation of the right to data protection pursuant to Section 1 of the DSG,
 conduct an appeal procedure,
    declare the unlawfulness of the processing of the personal data referred to above, in particular the unlawfulness of
 Collection of the business documents and their further processing in the course of the defendant's official act on 14 March 2019 (listed in point 5.1.7 of the appeal)
 Collection in the course of the defendant's official act on 14.3.2019 of the photos mentioned in point 2.1 and their further processing; and
 Disclosure of personal data from or in connection with the official act of 14.3.2019, such as in particular by verbal notification or retention of business documents or the insinuation of administrative criminal and/or criminal facts in connection with the threat of "trouble" and with the naming of the complainant's company or its authorised representative body to third data recipients such as in particular existing business partners of the complainant;
 Disclosure of personal data from or in connection with the official act of 14.3.2019, such as in particular by allegation or insinuation of administrative criminal and/or criminal law facts, naming the name of the complainant's company or its authorised representative body, to third data recipients such as in particular the complainant's existing business partners.
    Furthermore, the complainant has suggested that the respondent should be prohibited from the "conduct" complained of, in particular the transmission of business documents, photographs and the oral data transmissions covered by point b. of her applications, "by analogy pursuant to Article 25.1 in conjunction with Article 22.4 of the first case DSG".
Arguments of the defendant:
    The respondent, requested by the Data Protection Authority by a procedural order of 2 August 2019, ref. DSB-D124.1182/0001-DSB/2019, replied to this in his opinion of 30 August 2019:
    The defendant first contested the admissibility of the appeal. The simple-law provisions of the DPA, in particular those which would regulate the complaints procedure, were, like the DPA itself, limited to the legal protection of natural persons. The complainant's request to apply the provisions of the DSG, in particular §§ 24 f of the DSG, "by analogy" was not capable of changing this.
    The defendant is the authority responsible under Paragraph 6a of the GESG for implementing the AMG, responsible for licensing, improving the safety of medicinal products, recording and assessing their risks and monitoring their circulation. In order to achieve the objectives of drug safety, the defendant is not only permitted, but also obliged, to process personal data and to check whether undertakings which place drugs on the market comply with the legal provisions applicable to them.
 Counterfeit medicines currently on the market would pose    a particular problem of drug safety in the European Union and worldwide. They would contain inferior or counterfeit ingredients or none at all, or ingredients, including active ingredients, that are wrongly dosed, so that they would pose a significant threat to public health. Experience to date shows that such counterfeit medicines would reach patients not only through illegal channels but also through the legal supply chain.
    The processing of personal data by the respondent is lawful pursuant to Article 9(7) of the CESCR, provided that the processing is carried out in the course of the performance of legal tasks pursuant to Article 6a of the CESCR. Data processing for the purpose of tax audits was lawful under Section 9.7 in conjunction with Section 6a.1(1)(1) of the CESG in conjunction with Section 67 et seq. in conjunction with Section 80.1 of the AMG. With regard to such processing, the rights and obligations under Articles 13, 14, 18 and 21 DSGVO were excluded under Article 9(8) CESTA. Pursuant to Article 9.2(i) of the DSGVO, the defendant was entitled to lawfully process personal data of (special categories of) natural persons, since the processing was necessary for reasons of public interest in the field of public health, in particular to ensure high standards of quality and safety of medicinal products, on the basis of Union law or the law of a Member State. This must also apply to the data of a legal person, for reasons of equality and also "by analogy". Furthermore, applying the same considerations, there was an exception to the obligation to delete data pursuant to Article 17 (3) lit. c in conjunction with Article 9 (2) lit. i DSGVO, if this was necessary for the reasons mentioned above.
 According to Paragraph 67 of the AMG, the defendant has the right and the duty to periodically inspect establishments pursuant to Paragraph 62(1) of the AMG, before granting a licence pursuant to Paragraph 63(1) of the AMG or, if necessary, before granting a licence pursuant to Paragraph 65(1) of the AMG, and subsequently, on the basis of a risk assessment, in order to ascertain whether the provisions of Section VII of the AMG or the regulations issued on the basis of that section are complied with and whether the quality of the medicinal products or active substances required for human or animal health and life is guaranteed. All the data processed by the defendant were necessary to assess whether the high standards of quality and safety of medicinal products were met and whether the safety of medicinal products was guaranteed, and were therefore lawfully processed in the light of the public interest in those objectives.
    For the most part, the complainant did not assert any alleged violations of data protection law, but complained about (alleged) violations of procedural rules and duties of care of the respondent (according to the AVG, GESG and AMG, as well as the applicable ordinances).
    While the facts described by the complainant in her complaint under 1. are confirmed as correct from the point of view of the defendant, the following argument must be expressly disputed:
    The complainant's allegation that she had been unfoundedly threatened with the closure of her camp before the inspection started on 14 March 2019 was explicitly disputed. It was correct that organs of the public security service had been informed by the complainant. This was because the clarification of the question whether there was a counterfeiting of medicinal products within the meaning of § 1.25 of the German Medicines Act fell within the competence of the security authority because of the criminal liability of this act. However, no relevance of this involvement in terms of data protection law was apparent.
 The claim that the defendant had put the complainant's staff in a "printing situation" and thereby caused the publication of business documents was expressly disputed. As is customary and permissible in the case of a works inspection (see §§ 62 et seq. of the German Medicines Act, §§ 15, 22, 29 and 30 of the German Medicines Code), documents - but only those which the complainant was required to keep by virtue of statutory obligations arising from the defendant's sphere of enforcement - were requested as evidence of compliance with the statutory requirements. The fact that the handing over of documents was admissible was confirmed by telephone by the complainant's managing director to the staff member who was present on the spot. Subsequently, the handover had been voluntary and without any intervention whatsoever on the part of the defendant's bodies.
    Furthermore, it is not correct that business documents and the data contained therein were copied, taken away and processed without any examination with regard to the purpose of the proceedings and in large numbers ('five files'). The complainant claimed that processing obligations in the sense of obligations to keep records had been imposed on her. The complainant's list of suppliers (Annex 1 to the minutes) consisted of data which were to be processed pursuant to §§ 3.8 and 9, 15.3, 22, 29 and 30 of the AMBO. The complainant's inventory list (Annex 2 to the minutes) was data which were to be processed pursuant to §§ 15, 22 and 30 AMBO. The supplier qualification (Annex 3 to the minutes) was data to be processed pursuant to §§ 3, 15, 22, 29 and 30 AMBO. The invoice concerning a delivery of pharmaceuticals to the complainant (Annex 4 to the minutes) was data which were to be processed pursuant to §§ 3, 15, 22, 29, 30 AMBO. The transport order letter (Annex 5 to the minutes) was data which were to be processed in accordance with §§ 3, 15, 22, 30 AMBO. The list of suppliers (Annex 6 to the minutes) is data which are to be processed in accordance with §§ 3 paras. 8 and 9, 15
Paragraphs 3, 22, 29 and 30 of the AMBO. The Logistics Agreement (Annexes 7 and 8 to the minutes) was data which were to be processed in accordance with §§ 3, 15, 22, 29 and 30 AMBO. The business agreement (Annex 9 to the minutes) is data which are to be processed in accordance with §§ 3, 15, 22, 29 and 30 AMBO. In the case of incoming pharmaceuticals (Annex 10 to the minutes), the data in question are data which are to be processed in accordance with §§ 3, 15, 22, 29 and 30 AMBO. In the case of invoices relating to purchased pharmaceuticals (Annexes 11 and 12 to the minutes), this was data which were to be processed in accordance with §§ 3, 15, 22, 29 and 30 AMBO. The investigation and further processing by the respondent had initially been carried out with the consent of the complainant, but in any event covered by statutory authorisations and public interests (supervision of medicinal products, safety of medicinal products) and in the lawful exercise of official authority conferred on the respondent under §§ 63 et seq.
    A quick review of the December folder shortly before the end of the inspection and after inquiring whether the drugs in December originated from pharmacies other than those in 2019 did not provide a concrete answer to this question. It was correct that this further data collection had not been included in the minutes.
    However, in (analogous) application of the DSGVO, it must be stated that the respondent may lawfully process personal data (special categories) pursuant to Article 9(2)(i) DSGVO and, if necessary for the specific purpose (public interest in the field of public health), is not subject to an obligation to delete them (cf. Article 17(3)(c) in conjunction with Article 9(2)(i) DSGVO). The assertion that the respondent had failed to examine ex post whether the taking along and processing of the copied business documents was covered by the purpose of the official act was contested. An examination in this respect had been carried out without delay.
 The result of this examination was, as the defendant had explained in more detail (opinion of 30 August 2019, pages 11 to 15), that the majority of the data and documents identified were needed for the purpose of the current official act. With regard to the others (Annexes 2, 11 and 12 to the minutes and the photographs), the deletion had been ordered and carried out.
 The appellant's assertion that the business documents were also disclosed or transmitted to third parties, including the Österreichische Apothekerkammer (Austrian Chamber of Pharmacists), without justification, is contested in its entirety. The complainant's submissions in this respect were neither sufficiently substantiated, since in particular it was not stated which data had been transmitted in concrete terms, when and to whom, nor was any evidence submitted, which meant that it was not possible to comment on the content of the submissions.
    The allegation that the defendant's bodies had been in contact with potential business partners of the complainant was not only incorrect, but also logically impossible. In the absence of knowledge of "potential" business partners, no contact could or could be made with them in any way. It was correct that organs of the respondent had been informed by the complainant in the course of the inspection of the
14 March 2019 or business partners resulting from the business documents. These contacts in the form of
Inspections would be carried out at the level within the defendant's legal jurisdiction
(further) obligation to check whether the complainant or possibly her
contractual partners, possibly also by incitement or aiding and abetting according to § 7 VStG, have violated provisions of the AMBO or the AMG and thus committed administrative offences. With regard to the allegation that in the course of the interviews the complainant and her organs had been named and that this "disclosure" violated her (alleged) right to secrecy, it was stated that this disclosure had actually been made.
    On the one hand, the relevant disclosure had only concerned data that were publicly accessible (e.g., the complainant's company name or the name of its managing director) and, on the other hand, the disclosure had been necessary to investigate the truth and to safeguard the rights of the persons involved in the relevant official acts. The processing of the complainant's data was thus necessary for the fulfilment of the legal obligations to which the respondent was subject and was carried out in the exercise of official authority vested in the respondent. It had thus been lawful.
    Proceedings under Section 68 of the German Medicines Act were still being conducted against the complainant. There was a suspicion of the unlawful sale of medicinal products from a pharmacy to a wholesaler of medicinal products, in breach of the provisions of the German Medicines Law. It had therefore been necessary to determine the extent to which there was an offence under Paragraph 7 of the VStG in order to report to the competent administrative penal authority if necessary. The submission of a complaint naturally presupposed the description of a concrete set of facts.
    The complainants' eligibility to file an application as a legal person was disputed, since the DSGVO did not protect legal persons and an analogous application of Union law to legal persons was ruled out. However, it was not disputed that business documents and photographs could constitute personal data, but their processing had been lawful.
    An inspection under Paragraph 68 of the AMG serves to check compliance with all the provisions of the AMG and is not limited to compliance with the AMBO. § Paragraph 3(9) of the AMBO 2009 requires that, where a pharmaceutical product is procured from another pharmaceutical wholesaler, each pharmaceutical wholesaler must check whether the latter complies with good distribution practice. This also included checking whether the supplying pharmaceutical wholesaler had a corresponding authorisation under Section 63(1) of the German Medicines Act or a corresponding authorisation from a competent authority of another EEA State. Accordingly, the AMBO 2009 already provides that it is not only necessary to check whether the supplying wholesaler has a corresponding authorisation, but that it is also necessary to check whether good distribution practice is observed. Therefore, the obligation to check goes beyond a mere inspection of registers. In order to verify compliance with the AMBO 2009, it was also permissible to inspect all documents which provided information as to whether in particular Sections 15, 22, 29 and 30 AMBO 2009 were complied with.
 The transfer of data to the Chamber of Pharmacists or to pharmacists is covered by Paragraph 80(3)(4) or (4)(1) of the AMG. Since the complainant had, however, only expressed an assumption that such a data transfer would take place, it was not possible to comment on it.
Arguments of the appellant:
 In her opinion of 18 November 2019, the complainant replied as follows:
 The scope of the data collected is not covered by Section 68 of the AMG. The respondent was not competent to conduct administrative criminal proceedings under the AMG, but had himself admitted to having collected data for the purposes of administrative criminal proceedings. This constituted an infringement of the law because data had been inadmissibly determined.
    The defendant claimed that it had deleted several documents through official channels, thus acknowledging that there was no legal basis for the processing of these data.
 It is incorrect that an open procedure under Paragraph 68 of the AMG is pending. § Paragraph 68(5) of the AMG provides that the defendant issues a certificate after completion of an examination. Such a certificate had not been issued to date, so that the proceedings were to be regarded as terminated.
B. Subject matter of the complaint
    The object of the complaint is the question of whether the respondent infringed the complainant's right to confidentiality by inspecting and copying documents during an on-site audit on 14 March 2019 without any legal basis for doing so and by continuing to process parts of these documents.
Another subject of the complaint is the question of whether the complainant's right to confidentiality was infringed by the defendant's disclosure of the complainant's data to third parties.
However, it must first be examined whether the complainant is at all legitimate to file an application as a legal person. C. Findings of the facts
    The complainant [Editor's note: in the original due to an obvious editorial error "Respondent"] is a limited liability company, registered in the Commercial Register under FN *3*8*14 h, with its registered office in **** U***, K***straße *6. It holds a trade licence for the manufacture of pharmaceuticals and poisons and wholesale trade in pharmaceuticals and poisons, limited to wholesale trade in pharmaceuticals and poisons pursuant to Section 116 (1) 5 GewO 1994 (registered under GISA number *7*4*22*5) and has a licence pursuant to Section 63 AMG for the activity of a pharmaceutical wholesaler.
Evaluation of evidence: These findings result on the one hand from the undisputed
Arguments of the complainant and, on the other hand, from an official inspection of the commercial register (carried out on 25 May 2020) and the GISA (also carried out on 25 May 2020).
    On 14 March 2019, between 11:30 and 18:45 hrs, a tax audit pursuant to Section 68 of the German Medicines Act (AMG) took place at the complainant's seat, which was carried out by organs of the respondent, in part with the involvement of organs of the public security service. The subject of the official act was the "examination of the supplier and customer qualification, as well as the current list of medicinal products" with emphasis on inputs of the medicinal product "P***". In the course of the official act, the respondent, after reviewing documents, pointed out that there was a suspicion that medicines were being supplied to wholesalers by unauthorised suppliers (pharmacies without a wholesale licence). Furthermore, that medicinal products which were intended for supply to private individuals on the basis of a medical prescription were not supplied to them, but were directly or indirectly supplied to pharmacies and/or the wholesale trade. It was pointed out that further marketing of drugs contrary to the legal provisions constitutes an administrative offence and the liability as a contributory offender according to § 7 VStG was pointed out.
The complainant was given the opportunity to comment on this in the course of the official act, but she declined to do so.
The complainant was instructed to refrain from any contact with the E*** Pharmacy and the F*** Pharmacy and their wholesalers until 10 a.m. on 15 March with regard to the ongoing surveys.
Several photographs were taken both in the warehouse and in the office.
The following documents of the complainant were taken by the defendant:
 Annex 1: List of suppliers of A***pharma (19 suppliers)
 Appendix 2: Complete inventory list A***pharma, cut-off date 14 March 2019
 Appendix 3: E*** Pharmacy GDP Certificate (supplier qualification)
 Annex 4: Example for the supply of the F***-pharmacy (wholesale) to A***pharma
    Annex 5: Transport order letter for collection from pharmacies on behalf of the E*** pharmacy (wholesale), 24 pieces
 Appendix 6: List of the sources of supply of E*** and F*** as well as A***pharma direct supply
 Annex 7: Copy of logistics contract with F*** Apotheke KG    Annex 8: Copy of logistics contract with E*** Apotheke KG Annex 10: Inputs P*** from 1 January 2019
    Annex 11: Copies of the documents of all medicines purchased from E*** Pharmacy Wholesale (January to March 2019)
    Appendix 12: Copies of the documents of all products purchased from F*** Apotheke Großhandel
Pharmaceuticals (January to March 2019)
Furthermore, photographs of invoices from a pharmacy to the E*** pharmacy were taken.
Invoice documents for the E*** Pharmacy Wholesale, which date from December 2018, were also taken along.
Evaluation of evidence: These findings result from the minutes of the official act of 14 March 2019 submitted by the complainant to the data protection authority.
The finding that invoice documents relating to the E*** Apotheke Großhandel of December 2018 - and not only, as stated in the minutes, of the period from January to March 2019 - were also taken along, results, on the one hand, from the submissions in the appeal and, on the other hand, from the defendant's statement of 30 August 2019, in which the defendant admitted that this data collection was not included in the minutes.
    The data according to Appendix 10, Appendix 9, Appendix 2, Appendix 11 and Appendix 12 as well as the photographs taken were examined in detail by the
Respondent considered unnecessary for the purpose of the examination and deleted.
Evaluation of evidence: These findings result from the defendant's undisputed statement of 30 August 2019.
    After the official act on 14 March 2019, personal data of the complainant - namely at least the company name, the fact that the investigation is taking place and the indication that the complainant is acting unlawfully - were disclosed by the respondent to at least the following third parties:
 Elsa V***, E*** pharmacy    Mag. W***, F*** pharmacy
 Roberta G***, L*** Pharmacy T***
The E*** Pharmacy, the F*** Pharmacy and the L*** Pharmacy T*** are public pharmacies.
Furthermore, these data were disclosed to other business partners of the complainant, but not known by name, which were collected in the course of the official act on 14 March 2019.
It cannot be established that data of the appellant were transmitted by the respondent to other third parties, in particular the Chamber of Pharmacists.
Evaluation of evidence: On the one hand, the data protection authority follows the comprehensible explanations in the complaint. The comprehensibility results from the fact that the information provided by
The complainant subsequently substantially reduced the business relationship with the complainant or at least announced that it would reconsider the business relationship. It is therefore evident to the data protection authority that these steps are directly related to the official act on 14 March 2019, in which at least two of the recipients mentioned (E*** and F*** pharmacy) played a role.
Furthermore, these findings result from the defendant's statement of 30 August 2019, in which the defendant admitted to having contacted those of the complainant's business partners that could be identified from the complainant's business documents, without, however, mentioning them by name.
The statement regarding the E***, F*** and L*** pharmacy T*** is based on an official review on the website of the Austrian Chamber of Pharmacists.
The negative finding is based on the fact that, although the complaint also mentions recipients other than those mentioned globally (potentially future business partners), as does the Chamber of Pharmacists, the complainant has failed to provide any evidence that such data transfers took place. Nor can anything of the kind be inferred from the defendant's statement of 30 August 2019. D. From a legal point of view, it follows that
D.1 The relationship between Article 1 of the DSG and Article 8 EU-GRC and the complainant's eligibility to file an application
 The complainant affirms her right to file a complaint as a legal person and refers in this regard to Paragraph 1 of the DSG, which continues to protect legal persons.
    The respondent contests the legitimacy of the complaint and refers to the DSGVO, which expressly protects only natural persons.
 In its decision of 13 September 2018, ref. no.: DSBD216.713/0006-DSB/2018, the data protection authority has already affirmed the eligibility of a legal person to make a request in the event of an alleged breach of confidentiality. Due to the fact that the eligibility to file an application is now - in contrast to the facts on which the cited decision was based - expressly disputed, the data protection authority feels obliged to present its legal view in more detail:
 The question of whether legal persons can invoke and enforce rights under the DSG and DSGVO is controversial in the literature (negative Anderl/Hörlsberger /Müller, Kein einfachgesetzlicher Schutz für Daten juristische Personen, in ÖJZ 3/2018, p 7 ff; Kriegner, Anmerkung zu § 1 DSG nach Inkrafttreten der Datenschutz-Grundverordnung (DSGVO), wbl 2019, p 79 ff.approving Lachmayer in Knyrim, DatKomm Art. 1 DSGVO (status
1.12.2018, rdb.at); Dopplinger in Bresich/Dopplinger/Dörnhöfer/Kunnert/Riedl, DSG § 1 (status 12.6.2018, rdb.at); Gamper in Gantschacher†/Jelinek/Schmidl/Spanberger, commentary on the Data Protection Act [2018], § 1).
 First of all, it should be noted that the statement that Art. 8 EU GRC and the DSGVO do not protect legal persons does not apply in this general context. The ECJ has already stated that the scope of protection of Art. 8 EU-CRC does indeed include legal persons, but only to a very limited extent. In its judgement of 9 November 2010, C-92/09 and C-93/09, it held in margin no. 53 that the scope of protection is in any case open if the name of a natural person is used in the name of the legal entity. This legal view was upheld in the decision of 22 November 2017, T-670/16.
 In the present case, the appellant's company name (A***pharma) does not contain the name of a natural person, and therefore the case law of the ECJ is not relevant.
    § Section 1 DSG also protects legal persons - this is not disputed by opponents of the protection of legal persons. In this respect, the scope of protection of Article 1 DSG goes beyond that of Article 8 EU GRC (and thus also beyond the DSGVO). It is questionable, however, whether this "overhang" applies in view of the full harmonisation of the protection of personal data that has taken place. Furthermore, it is questionable whether - if the first question is answered in the affirmative - the simple-law part of the DPA, in particular the provisions on the complaints procedure before the data protection authority, are open to legal persons.
On the possibility of including legal persons in the fundamental right to data protection
    According to Article 16(2) TFEU, there is a Union competence to lay down the rules relating to the protection of individuals with regard to the processing of personal data by the Member States when carrying out activities which fall within the scope of Union law.
 Also according to Art. 8 EU CRC - following the case law of the European Court of Justice described above - only natural persons can in principle invoke the scope of protection of this norm within the scope of application of Union law.
    Insofar as a situation therefore falls within the scope of application of Art. 8 EU GRC, any constitutional provisions offering the same guarantee must, on the one hand, remain "dormant in force" to the extent of this concordance and the assessment is based exclusively on the Union law provision (cf. in this regard, most recently the decision of the German Federal Constitutional Court of 6 November 2019, GZ 1 BvR 276/17, margin no. 47 et seq.; cf. also VfSlg. 19.632/2012, where the Constitutional Court has already stated that in the case of the conformity of constitutionally guaranteed rights with the EU GRC, it uses the latter as a control criterion).
    On the other hand, however, this also means that the competence to enact Union rules is limited to the protection of natural persons, so that the Member States are not prevented from providing protection that goes beyond this - as is the case for legal persons (see in detail Lachmayer, loc.cit., margin no. 79 f).
    The fact that a protection by constitutionally guaranteed rights of the Member States beyond the provisions of the EU GRC is possible also results from Art. 53 EU GRC, according to which no provision of the EU GRC is to be interpreted as a restriction or violation of human rights and fundamental freedoms which - as far as relevant here - are recognised by the constitutions of the Member States.
 However,    according to the case law of the ECJ on Article 53 EU GRC, any more extensive protection guaranteed by the constitution of a Member State may not have the effect of reducing either the level of protection of the EU GRC, as interpreted by the ECJ, or the primacy, unity and effectiveness of Union law (judgment of 26 February 2013, C-399/11, margin no. 60 et seq.).
 In the present case, this leads to the following conclusions:
The complainant as a legal person can invoke the scope of protection of Section 1 DSG in its entirety, because on the one hand, the competence of the Member States to ensure protection extending beyond the EU GRC exists and, on the other hand, neither the level of protection of the EU GRC nor the primacy, unity and effectiveness of Union law are affected by the inclusion of the protection of legal persons in the fundamental right to data protection under Section 1 DSG.
On the question of whether legal persons may rely on the simple law implementing provisions of the DSG
    Pursuant to Section 4 (1) DSG, the provisions of the DSGVO and the DSG apply to the fully or partially automated processing of personal data of natural persons and to the non-automated processing of personal data of natural persons which are stored or are to be stored in a file system.
In accordance with the will of the legislator, the provisions of the DSG under the ordinary law, including the complaint under Section 24 DSG, are therefore limited to the protection of natural persons.
    § However, Section 1 of the DSG also protects legal persons, as explained above. Against the background of § 1 DSG, an interpretation of the simple-law provisions, in particular of §§ 4 and 24 DSG, to the effect that only natural persons are entitled to lodge a complaint with the data protection authority, whereas legal persons are not, would assume that these provisions contain a content that is contrary to equality and thus unconstitutional. The legislature cannot be accused of wanting to treat legal persons grossly disadvantageously differently from natural persons in the pursuit of their constitutionally guaranteed rights without comprehensible reason (see also Lachmayer, loc.cit., margin no. 82 ff; Dopplinger, loc.cit., margin no. 7).
 In conclusion, it must therefore be stated that the complainant, as a legal person, is actively legitimised to lodge a complaint under Section 24 of the DSG before the data protection authority if it alleges a violation of the rights guaranteed by Section 1 of the DSG.
D.2. In the matter
The appeal, although admissible, is unfounded.
On the scope of the data collected in the course of the official action on 14 March 2019
    The appellant complains that, in the course of the official act, personal data, namely business documents, were processed by the defendant in excess, that is to say, beyond what was necessary.
 In this regard, it should first be noted that business documents and the like can be qualified as personal data insofar as they relate to an identified or identifiable person - in this case the complainant (cf. by analogy Art. 4 No. 1 DSGVO; see also the cited judgment of the ECJ of 9 November 2010 in which grants to (legal) persons were qualified as personal data). However, contrary to what the respondent alleges, this is not "sensitive" data within the meaning of Art. 9(1) DSGVO, because none of the facts mentioned therein applies to this data of a legal entity.
    The documents inspected in the course of the official act and ultimately reproduced provide information about the complainant's business relations, her inventory and the stock on hand. They relate to the complainant's business activity as an authorised pharmaceutical wholesale company. They thus constitute personal data in the above sense.
    As noted, the data referred to as Annexes 1 to 12, as well as photographs and other invoices, were collected from the defendant. Parts of this data were - as noted - after a more detailed examination by the respondent identified as not relevant to the proceedings and deleted.
    In this context, the question therefore arises whether the data processing that took place on 14 March 2019 was proportionate and therefore lawful.
    In this regard, it should first be noted that the unlawfulness of official actions which are carried out in the exercise of direct official command and coercive power - such as searches and the like - can be challenged to the competent administrative court in the context of a complaint under Article 130 (1)(2) of the Federal Constitution. This concerns above all the alleged violation of the substantive legal provisions underlying such an official act.
    However, this does not apply if a violation of data protection rights is claimed. In this case, the data protection authority has exclusive jurisdiction under Sections 1 and 24 of the German Data Protection Act. In this case, an administrative court appealed to under Article 130(1)(2) B-VG must declare itself to be incompetent (see VwSlg. 19.098 A/2015).
    The data protection authority is therefore - within the framework of Section 1 of the DSG - responsible for dealing with the legal infringement that has been raised.
    However, there are limits to the supervisory power of the data protection authority, which are determined by the so-called 'prohibition of excessive powers'. According to the established case-law of the Data Protection Commission/Data Protection Authority, a "[B]Â complaint request to prohibit the competent authority from investigating data or using evidence which it believes it needs to establish a factual situation to be investigated by it would have the effect that the Data Protection Commission - at least in part - takes the place of the competent authority responsible for the matter in question and arrogates to it a factual omnisponsibility in a detour over the objection to the admissibility of investigations of the facts. It is evident that this cannot be permissible in view of the principle of a fixed distribution of competences between state bodies and the fundamental right to proceedings before the legal judge. The Data Protection Commission therefore assumes that its competence to assess the permissibility of data investigations in administrative proceedings is limited to the prohibition of overkill: if it is conceivable that the data investigated by an authority competent in the matter are suitable in terms of their nature and content for establishing the relevant facts, the admissibility of the investigation is given from a data protection perspective. The recourse to a more in-depth assessment of the suitability of the investigative steps chosen by the authority competent in the matter would have the effect of encroaching on the investigating authority's substantive competence, which would violate the principle of a precise delimitation of the authority's competence according to objective criteria, which is derived from the right to bring proceedings before the legal judge (VfSlg. 3156, 8349), in a precise (VfSlg. 9937, 10,311) and unambiguous manner (VfSlg. 11,288, 13,029, 13,816) (see, for example, the decision of 7 March 2019, Journal of Civil Law Matters: DSB-D123.154/0004-DSB/2019). This is also recognised by the Federal Administrative Court (cf. e.g. the decision of 11 July 2018, Journal of Civil Law Reports: W214 2183935-1
    An encroachment by an authority on the basic right to data protection is only permitted on the basis of a qualified legal basis (Article 1 (2) DSG).
    Pursuant to Section 67(1) of the AMG, the defendant has to notify establishments pursuant to Section 62(1) of the Act. cit. before granting a licence pursuant to Section 63 (1) leg. cit. or, if necessary, before granting a licence pursuant to Section 65 (1) leg. cit. and subsequently periodically on the basis of a risk assessment to check whether the provisions of this section or the ordinances issued on the basis of this section are complied with and whether the quality of the medicinal products or active substances required for the health and life of humans or animals is guaranteed. For this purpose, pursuant to Section 68 (1) AMG, organs of the respondent are entitled to inspect establishments pursuant to Section 62 (1) leg. cit. and facilities and means of transport of such establishments which are operated by establishments pursuant to Section 62 (1) leg. cit., insofar as these can be used for the storage or transport of drugs or active substances, and to take samples in the quantity required for an examination and to inspect the records of the establishment, which must be kept in accordance with the provisions of the German Drug Law, and to make copies thereof as well as photographs and video recordings in the establishment, insofar as this is necessary for the preservation of evidence. At the same time, it is also possible to inspect the certificate of any required trade licence in accordance with the Trade Regulation Act 1994. These official acts are to be carried out during business hours, except in cases of imminent danger.
    §§ Sections 67 and 68 AMG therefore provide a legal basis within the meaning of Section 1 (2) of the German Data Protection Act for the processing of certain data, so that no consent of the data subject is required for this. It cannot therefore be said that there is no legal basis at all for the data processing in question.
     Section VII of the AMG, to which Section 67(1) of the AMG refers, is entitled 'Operating regulations'. § Section 62 AMG regulates the detailed requirements for the enactment of the AMBO 2009, which must be complied with by the pharmaceutical companies. This includes the order that medicinal products may only be purchased from certain manufacturers or importers, namely those who have a licence pursuant to Section 63 AMG or a corresponding authorisation from a competent authority of another contracting party of the EEA. During the review on 14 March 2019, the suspicion arose that the complainant had, inter alia, infringed the provision by obtaining medicines from public pharmacies.
 On the basis of the above statements on the prohibition of excessive use, the data processed by the respondent in the course of the official act on 14 March 2019 cannot therefore be regarded as contradictory to Article 1 of the Data Protection Act. In his statement of 30 August 2019, the respondent clearly demonstrated that these documents could at least conceivably be relevant in the context of an examination pursuant to Sections 67 and 68 of the German Medicines Act. This is especially against the background that the defendant is not only responsible for the authorisation of the activities of pharmaceutical companies according to Section 63 AMG, but also for the subsequent imposition of conditions according to Section 66 AMG or the withdrawal of an authorisation according to Section 66a AMG or also the imposition of interim measures in case of imminent danger to human or animal health from medicinal products according to Section 69 AMG. For all these procedures, data collected in the course of a company audit may be relevant for decision-making.
 The fact that several data sets were subsequently deleted by the authorities because they did not turn out to be relevant to the proceedings after a thorough review does not change this fact: It must be taken into account that in the context of an unannounced official act, such as that of 14 March 2019, there is only limited time to review documents and secure any evidence relevant to the proceedings. Similar to a house search, it is therefore characteristic of the nature of such an official act that objects are searched for which it is unknown where they are located (see on this again VwSlg. 19.098 A/2015). This means that under certain circumstances - at least initially - data may be processed in an excessive manner. However, this does not raise any concerns if a review is carried out promptly and irrelevant data are deleted.
 The complaint therefore proves to be unfounded on this point. Regarding the data submitted
    The appellant further considers that its right to confidentiality has been infringed by the fact that the defendant disclosed personal data originating from the official act of 14 March 2019 to third parties.
 As noted, only part of the data transmissions complained of could be identified. To the extent of these findings, however, the complaint proves to be partially justified:
 First of all, it should be noted that certain forms of transmission are not relevant for a violation of the right to confidentiality. Electronic data transmissions are covered by Article 1 paragraph 1 DSG as well as oral communications (cf. the ruling of the Administrative Court of 28 February 2018, Ra 2015/04/0087 mwN).
    It has been established that the complainant's data were demonstrably disclosed to representatives of the E*** pharmacy, the F*** pharmacy and the L*** pharmacy T***. The respondent does not deny this either and argues that it is his task to check whether the suppliers of the complainant's contractual partners are businesses within the meaning of Section 62 of the German Medicines Act, whether the complainant's contractual partners comply with the provisions of the AMBO 2009 and whether the complainant is in breach as a principal or contributory offender within the meaning of Section 7 of the German Income Tax Act. In particular, there is a suspicion that pharmaceuticals were unlawfully supplied to the wholesale trade - and thus to the complainant - by unauthorised pharmacies (without a licence for pharmaceutical wholesale trade).
 Insofar as the respondent claims to have also carried out investigations into a possible principal and contributory perpetrator, the following must be replied to:
 Investigating a case from the perspective of administrative criminal law is not the task of the respondent, but of the competent district administrative authorities (on criminal investigations by a Federal Ministry instead of the Public Prosecutor's Office, see the decision of 26 November 2018, ref. no.: DSB-D216.697/0011-DSB/2018), since the conduct of such proceedings and the imposition of administrative penalties under the AMG - and, in connection with this, the authority to process personal data - does not fall within the competence of the respondent.
    Notwithstanding the above, the transmissions found not to be illegal are nevertheless found not to be unlawful:
    As already stated above, there was suspicion of the unlawful purchase of medicines from public pharmacies. Therefore, for the purpose of establishing the relevant facts to which the respondent is obliged under Paragraph 6a(3) of the GESG in conjunction with Paragraph 39 of the AVG, it cannot be recognised as unlawful if surveys are carried out at those pharmacies or business partners from whom it is suspected that drugs were purchased contrary to the requirements of the AMG and the AMBO 2009. Such investigative steps can possibly provide useful investigation results which may be relevant in proceedings of the respondent - especially according to Sections 66 ff AMG. Whether "annoyance" was threatened or other unobjective statements were made in the course of the investigation is not the subject of complaint proceedings under Section 24 DSG.
 The complaint therefore also proves to be unfounded on this point. On the storage period of the determined data and the failure to delete them
    Finally, the complainant complains that the failure to delete all those personal data which - although only after the official act of 14 March 2019 - turned out to have been unlawfully processed constitutes a violation of the right to confidentiality.
 This objection is not justified:
    First of all, the complainant submitted a request for deletion to the defendant on 8 July 2019, in which it requested the deletion of data. However, in the complaint initiating the proceedings, only the right to secrecy pursuant to § 1.1 of the Data Protection Act was expressly cited as being infringed. As a result, it is only a matter of the procedure within the meaning of Section 13 (8) AVG to examine whether there has been a violation of this right. A violation of the right to deletion, which is also available to legal persons pursuant to Article 1 para. 3 no. 2 DSG, is therefore not to be examined. Moreover, a subjective right to deletion exists only on the basis of an application by the person concerned to the person responsible. However, the obligation of the person responsible to delete data from his or her own data does not constitute a subjective right of the data subject and a possible breach of this obligation cannot therefore be asserted in proceedings under Section 24 FADP (see the notice of 25 July 2014, ref. no.: DSB-D122.106/0008-DSB/2014 mwN).
    However, failure to delete or destroy data may result in a violation of the right to secrecy under Section 1 (1) of the DSG if data are kept longer than necessary (cf. with regard to unstructured paper files VfSlg. 19.937/2014). The GESG does not contain any provision as to the duration for which the respondent may store identified data. In the absence of an explicit time limit, the case law of the data protection authority allows for the retention of data for the limited period of time necessary to verify the legality of the authority's actions. However, the continued retention of data must be justified by a concretely emerging procedure. However, the mere possibility that a procedure may be initiated (at some point) is not sufficient (see the decision of 28 May 2018, ref: DSB-D216.471/0001-DSB/2018, mHa the ruling of the Constitutional Court of 12 December 2017, ref: E 3249/2016).
 In the present case, the data were established by the defendant on 14 March 2019. The complainant subsequently submitted various requests to the respondent (deletion, information under the AuskPflG). The present complaint was filed on 1 August 2019.
 On the basis of the above recital, the period of time that has elapsed so far - also in view of the requests made or the proceedings initiated before the data protection authority - does not appear to be so long that a violation of the right to secrecy would exist if the deletion was not carried out. This is particularly the case because the data collected play a role in the context of the requests made or the proceedings instituted.
 The complaint had therefore to be rejected on this point.
D.3 Summary
 The complaint therefore turns out to be unfounded overall, which is why it had to be dismissed pursuant to the last sentence of § 24.5 of the DPA.
Keywords
Confidentiality, lawfulness of processing, legal person, responsible person,
Right of appeal, supervisory authority, pharmaceutical wholesale trade, audit,
Investigation proceedings, evidence, relevance, prohibition of overkill, official duty to delete
European Case Law Identifier (ECLI)
ECLI:AT:DSB:2020:2020.0.191.240
Last updated on
14.08.2020
Document number
DSBT_20200525_2020_0_191_240_00