BVwG - W101 2132183-1 and W101 2132039-1
| BVwG - W101 2132183-1 | |
|---|---|
 | |
| Court: | BVwG (Austria) |
| Jurisdiction: | Austria |
| Relevant Law: | Article 4(1) GDPR Article 4(7) GDPR Article 12(1) GDPR Article 12(2) GDPR Article 15(1) GDPR Article 15(3) GDPR § 24 DSG § 27 DSG § 4 DSG § 69 DSG |
| Decided: | 11.09.2020 |
| Published: | 29.09.2020 |
| Parties: | unknown data subject Google LLC |
| National Case Number/Name: | W101 2132183-1 |
| European Case Law Identifier: | ECLI:AT:BVWG:2020:W101.2132183.1.00 |
| Appeal from: | DSB DSB-D122.471/0007-DSB/2016 |
| Appeal to: | Unknown |
| Original Language(s): | German |
| Original Source: | Rechtsinformationssystem des Bundes (in German) |
| Initial Contributor: | Marco Blocher |
The Austrian Federal Administrative Court held
a) that an (alleged) change of controllership from Google LLC to Google Ireland Limited does not have an ex-tunc effect - Google LLC qualifies as controller for (alleged) data protection violations that took place before the change of controllership
and
b) that Google is allowed to request a data subject exercising their right to access to log into their Google-account to authenticate the data subject and to provide access to their data using the Google account.
English Summary
Facts
Access request and Google's reply
On 30.10.2015, the data subject (user) sent an access request under § 26 DSG 2000 to Google Inc. (now Google LLC) via registered letter, including a copy of his passport. (§ 26 DSG 2000 used to be the Austrian provsion for access request prior to 25.05.2018.)
On 22.12.2015, Google Inc. replied and asked the user to log into his Google-Accont and use special tool provdided there in order to get access to his data. For data that could not be accessed from the user's account, Google asked him to use an online form, to make sure that the user would only receive personal data that are truly relating to him (and not some other natural person). The user refused to do so.
Complaint with the DSB and decision
On 01.02.2016, the user filed a complaint against Google Inc. with the Austrian Data Protection Authority (DSB) claiming a violation of his right to access under Article 15 GDPR - i.a. by requesting him to log into his Google account in order to gain acces to his data.
On 15.06.2016, that DSB held i.a. that Google Inc. violated Article 15 GDPR by not providing
- access to the user's data that has been processed outside the user's Google account;
- certain information on data recipients and data sources on data that has been processed outside the user's Google account;
- information on automated decision making;
- information on the purpose and the legal basis of the processing and
- information on data processors.
The DSB also ordered Google Inc. to provide the missing information within 4 weeks.
The DSB also rejected parts of the user's complaint: It held that requesting the user to log into his Google account was and asking him to use an online-form in order to authenticate him was in line with Article 12(1) and (2) GDPR.
Against that rejection, the user filed a complaint with the BVwG that was handled in a parallel procedure. More details on that complaint and its outcome can be found here. [Link to be inserted]
Google's complaint against the DSB's decion
Google Inc. filed a complaint with the BVwG against the decision of the DSB.
In the course of the pending procedurebefore the BVwG, Google Inc. stated that it had been renamed to "Google LLC" and that it is no longer controller regarding the processing of personal data of Google users in the EEA and Switzerland. Rather, Google Ireland limited was the controller of such processing.
Further, Google LLC. explained its legal view, that requesting the user to log into his Google account was neccessary for identification and authentication of the user.
User's complaint against the DSB's decions - parallel procedure before the BVwG
Dispute
a) Which Google company is the controller under Article 4(7) GDPR regarding the processing of the user's personal data? Google LLC (former Google Inc.) or Google Ireland Limited? Consequenty, which company is responsible for handling the user's access request and can be held liable for insufficiant compliance with this request?
b) Was it compliant with Article 12 GDPR to request
Holding
Lorem ipsum
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
