BVwG - W211 2222613-2/llE
BVwG - W211 2222613-2/llE | |
---|---|
Court: | BVwG (Austria) |
Jurisdiction: | Austria |
Relevant Law: | Article 5 GDPR Article 14 GDPR Article 15 GDPR Article 25 GDPR |
Decided: | 09.08.2021 |
Published: | |
Parties: | CRIF |
National Case Number/Name: | W211 2222613-2/llE |
European Case Law Identifier: | |
Appeal from: | |
Appeal to: | Pending appeal |
Original Language(s): | German |
Original Source: | Not yet published (in German) |
Initial Contributor: | n/a |
The Federal Administrative Court of Austria (BVwG) decided that the decision of a DPA to dismiss an objection an incomplete access request has to be partially rectified. The court held that general information on storage periods and lacking information on recipients violates the GDPR. In this regard, Article 77 GDPR grants an independent right to lodge a complaint with Data Protection Authorities irrespective of restrictions or formal requirements imposed by member states national law.
English Summary
Facts
In 2018, the complainant requested access to their personal data from the CRIF (the ‘respondent’), a credit scoring agency operating in Austria. The complainant, however, stated a violation of the right to access due to an insufficient response by the agency.
The complainant stated that the respondent failed to precisely name data sources, purposes and the storage period for the complainant’s personal data. Furthermore, the respondent did not provide a full copy of the personal data processed on the complainant. In this regard, also the requirement of previous information of the complainant about the recipients about transmission of their personal was violated. Moreover, the respondent breached the principles of data minimization and confidentiality, processing incorrect addresses and insufficiently encrypted data.
The respondent later on indicated certain companies as their data sources and stated that the data is stored as long as there was an interest by the respondent. Moreover, the data made available by the agency presented all the data held on the complainant and a copy would not add any value. At the same time, more information would reveal business secrets which therefore cannot be made available. Consequently, there was no violation and therefore no right to appeal by the complainant.
The Austrian DPA dismissed the complaint, reasoning that the disclosure of data sources, recipients and as well as criteria for determining the storage period has fulfilled the access request of the complainant. The provided data was sufficient, arguing that a data copy does not include entire documents, exact copies or a facsimile of the data, but is in the choice of the controller how exactly the data is delivered. Moreover, Article 77 GDPR is standardized in administrative proceedings as part of the Austrian national law and therefore bound to its requirements.
Holding
The Federal Administrative Court of Austria limited its judgement to the objections regarding the provision of information on the origin, storage period and purposes as well as the principles of minimization and confidentiality of the data. Further objections concerning the access to a copy of personal data were referred to the CJEU for a preliminary ruling (see here).
Regarding the information on the data sources involved, the Court held, that the disclosure of several public sources and companies, in particular regarding the origin of the complainant's address data, may be considered complete and therefore in line with Article 15(1)(g) GDPR.
In terms of the storage period, however, the general information provided by the respondent (risk minimisation, identification, combating fraud, money laundering, terrorist financing) do not allow the complainant to assess how long his data will be stored. The missing possibility to assess when the data, in the opinion of the co-operating party it is no longer necessary to process, is therefore in breach of Article 15(1)(d) GDPR.
Furthermore, the respondent failed to inform the complainant on the disclosure to new recipients beforehand. As the complainant could consequently not be aware of the forwarding of their personal data, the lack of such obligatory information violates Article 14 GDPR.
The Court also stated that Article 77 GDPR does not require to be transposed into national law and allows a data subject to contact the data protection authority directly to lodge a complaint with a supervisory authority. It formulates an independent right to complaint, which is not linked to formal or substantive requirements or the provision of evidence. In this regard, already violations on basic principles such as Article 5(c)(f) GDPR may concern the processing of the complainant's personal data. Any rejection with regard to the alleged violations of the DPA thereof is therefore considered invalid and must be rectified.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.