BVwG - W245 2247035-1/8E and W245 2251274-1/6E

From GDPRhub
Revision as of 09:53, 31 January 2023 by Fz (talk | contribs)
BVwG - W245 2247035-1/8E and W245 2251274-1/6E
Courts logo1.png
Court: BVwG (Austria)
Jurisdiction: Austria
Relevant Law: Article 12 GDPR
Article 15 GDPR
§ 36 DSG
§ 44 DSG
Art 133(4) B-VG
Decided: 04.03.2022
Published: 22.04.2022
Parties:
National Case Number/Name: W245 2247035-1/8E and W245 2251274-1/6E
European Case Law Identifier: ECLI:AT:BVWG:2022:W245.2247035.1.00
Appeal from: DSB (Austria)
DSB-D124.3273
Appeal to: Unknown
Original Language(s): German
Original Source: Rechtsinformationssystem des Bundes (RIS) (in German)
Initial Contributor: Gabriel Frickh

The Austrian Federal Administrative Court (BVwG) held that controller's must only be objectively able to recognise a right to access (Article 15 GDPR) from the request's content for it to have legal force. Moreover, controllers are obliged to provide access to all categories of personal data listed in Article 15 GDPR, even if the request only refers to some of them.

English Summary

Facts

The data subject was a patient in a hospital department. The controller was the head of the department. The data subject was of the opinion that there has been a substantial mistreatment during the treatment.

Consequently, the data subject sent the following access request to the controller. It was titled "Application for data information in accordance with DSG, GDPR and any other conceivable legal basis", and read:

"I hereby submit the request for information in accordance with § 44 DSG and thus make use of my right to receive confirmation as to whether you process personal data concerning me and if this is the case, I make use of my right, To obtain information about the personal data concerned in accordance with § 44 DSG."

Although § 44 DSG does grant data subjects a right to access, according to its chapter in the DSG, it only applies to the "Processing of personal data for the purposes of the security police, including the protection of the constitution, military self-defence, the investigation and prosecution of criminal offenses, the execution of sentences and the enforcement of measures".

The controller objected to the request, arguing that they were not a controller pursuant to § 44 DSG. Subsequently, the data subject complaint to the Austrian DPA.

In its assessment, the DPA stated that Article 15 GDPR, the appropriate right to access in the present case, does not require any specific formulation. The only requirement for the applicability of a right, according to the GDPR, is that the addressed controller can recognize which right the data subject wished to apply. If this was the case, a controller would be obliged to respond to an access request within the time limits set by Article 12(3) GDPR.

This was objectively possible in the case at hand. It was clear from the request that the data subject wanted to rely on its right to access. Therefore, the controller should not have denied the data subject its right simply because the data subject mistakenly relied on the wrong legal provision.

In the course of the complaint procedure, the controller gave a limited right to access to the data subject. Corresponding to Article 15(1)(a)-(b) GDPR, the data subject was informed that their name, their address, and their date of birth had been processed. Nevertheless, the DPA deemed this insufficient, as there had been no right of access in the sense of Article 15(1)(c)-(h). Consequently, the data subject's complaint was upheld.

The controller decided to appeal the DPA's decision, stating that there is no obligation under Article 15 GDPR to provide access to all categories of data if a data subject specifically only requests access to some of the categories of data. In the present case, the controller argued that it only had to assume that the data subject wanted access to the categories data listed in the (wrongly applied) § 44 DSG. The categories of data listed in § 44 DSG corresponded to Article 15(1)(a)-(b) GDPR.

On this grounds, the controller appealed the case to the Austrian Federal Administrative Court (BVwG).

Holding

The BVwG rejected the appeal. It reaffirmed the DPA's reasoning in all accounts:

First, Article 15 GDPR grants a data subject's right to request whether personal data has been processed and, if so, a specific set of information (Article 15(1)(a)-(h) GPDR) to be provided. Second, concerning the request, no specific wording is required by law. It only has to be recognizable for the recipient that the submission is (supposed to be) a request under Article 15 GDPR. Third, in order to see whether it was recognizable, the content of the request has to be assessed. Benchmark for the assessment is the standard for a declaration of intent under private law. Hence, wording and understanding of the declaration have to be assessed from an objective point of view. Third, if the intent of the request is clear with regards to the above, as it was in the case at hand, it is irrelevant whether it is based upon the wrong legal basis. Lastly, since the categories of Article 15(1)(a)-(h) GDPR contain obligatory categories of information, which have to be provided, the court held that the controller's argument that Article 15 GDPR does not contain an obligation to provide a data subject with all the information listed, independent of the specific categories of data mentioned in a request, was incorrect. A concrete request for specific categories of personal data pursuant to Article 15(1)(a)-(h) GDPR is therefore not required from a data subject.

Comment

Share your comments here!

Further Resources

For considerations regarding the assessment of access requests, see para 41 ff of the EDPB Guidelines 01/2022 on data subject rights - Right of access, adopted 18th Jan 2022, available at https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf (last accessed 16th January 2023).

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

decision date

03/04/2022

standard

B-VG Art133 Para.4
DSG §36
DSG §44
GDPR Art12
GDPR Art15

B-VG Art. 133 today B-VG Art. 133 valid from 01.01.2019 to 24.05.2018 last amended by Federal Law Gazette I No. 138/2017 B-VG Art. 133 valid from 01.01.2019 last amended by Federal Law Gazette I No. 22/2018 B-VG Art. 133 valid from 05/25/2018 to 12/31/2018 last changed by Federal Law Gazette I No. 22/2018 B-VG Art. 133 valid from 08/01/2014 to 05/24/2018 last changed by BGBl I No. 164/2013 Federal Constitutional Law Art by BGBl. I No. 100/2003 B-VG Art. 133 valid from 01.01.1975 to 31.12.2003 last amended by BGBl. No. 444/1974 B-VG Art. 133 valid from 25.12.1946 to 31.12.1974 last amended by Federal Law Gazette No. 211/1946 B-VG Art. 133 valid from December 19, 1945 to December 24, 1946 last amended by StGBl. No. 4/1945 B-VG Art. 133 valid from 01/03/1930 to 06/30/1934

DSG Art. 2 § 36 today DSG Art. 2 § 36 valid from December 1st, 2021 last changed by Federal Law Gazette I No. 148/2021 DSG Art. 2 § 36 valid from May 25th, 2018 to November 30th, 2021 last changed by Federal Law Gazette I No. 24/2018 DSG Art. 2 § 36 valid from May 25th, 2018 to May 24th, 2018 last changed by Federal Law Gazette I No. 120/2017 DSG Art I No. 83/2013 DSG Art. 2 § 36 valid from 01.07.2010 to 31.12.2013 last changed by Federal Law Gazette I No. 133/2009 DSG Art. 2 § 36 valid from 01.01.2010 to 30.06.2010 last changed by Federal Law Gazette I No. 133/2009 DSG Art. 2 § 36 valid from 01/01/2000 to 12/31/2009

DSG Art. 2 § 44 today DSG Art. 2 § 44 valid from May 25th, 2018 to May 24th, 2018 last changed by Federal Law Gazette I No. 120/2017 DSG Art. 2 § 44 valid from May 25th, 2018 last changed by Federal Law Gazette I No. 24/2018 DSG Art. 2 § 44 valid from 01/01/2014 to 05/24/2018 last amended by Federal Law Gazette I No. 83/2013 DSG Art. 2 § 44 valid from 01/01/2000 to 12/31/2013

saying

W245 2247035-1/8E

W245 2251274-1/6E

IN THE NAME OF THE REPUBLIC!

The Federal Administrative Court, judged by Mag. Bernhard SCHILDBERGER, LL.M. as chairperson and Mag.a Viktoria HAIDINGER as expert lay judge and Mag. Thomas GSCHAAR as expert lay judge on the complaint of 1. XXXX, represented by XXXX and 2. XXXX, against the decision of the data protection authority of September 1st, 2021, Zl. 2021-0.594 .945 (DSB-D124.3273), regarding violation of the right to information, rightly recognised:

A) The complaint of XXXX and XXXX is dismissed as unfounded.

B) The revision is not permitted according to Art. 133 Para. 4 B-VG.

text

Reasons for decision:

I. Procedure:

I.1. On November 19, 2020, the party involved XXXX (hereinafter also “MB”) brought a data protection complaint to the data protection authority (hereinafter “responsible authority”, also “bB”) against complainant XXXX (hereinafter also “BF1”) and their legal representative or complainant XXXX (hereinafter also "BF2") for violation of the data information (VWA ./1, see point II.2). In it, the MB essentially stated that on November 12, 2020 he had sent an application for data information to BF1. The BF2 replied on November 18, 2020 as legal representative for the BF1 and stated that the request of the MB would not be followed and that he would not receive any data information.

As a result, the MB also sent an application for data information to the BF2 on November 19, 2020. BF1 committed data theft. She stole MB's personal data from her employer and handed it over to her legal representative (BF2). In this regard, proceedings are already pending before the BA for GZ XXXX. The MB wanted to find out what data BF1 had stolen by means of data disclosure.

The data protection complaint was accompanied by the MB’s application for data information dated November 12, 2020 (VWA ./2, see point II.2), the reply letter from BF2 as legal representative for BF1 dated November 18, 2020 (VWA ./3, see point II.2) and the letter from the MB to the BF2 dated November 19, 2020 (VWA ./4, see point II.2) enclosed.

I.2. In a letter from the bB dated July 6th, 2021, the BF1 and the BF2 were asked to comment on the MB’s data protection complaint (VWA ./5, see point II.2).

With a statement dated July 15, 2021 (VWA ./6, see point II.2), BF1 and BF2 essentially replicated that the MB suffered from an impulse control disorder according to their own statements and that BF1 had been bothered by countless emails. Therefore, an injunction was obtained from the regional court XXXX and at the end of December 2020 a comparison was made that the MB would never bother BF1 again. Since then there have been no further contacts or harassment by the MB against BF1.

The MB’s request for information of November 12th, 2020 was expressly based on § 44 DSG and not, as stated in his complaint of November 19th, 2020, on “DSG, DSGVO and every other conceivable legal basis”. Accordingly, nothing changes in the legal view of BF1. In addition, reference is made to a statement to the data protection authority dated October 27th, 2020 (enclosure, VWA ./7, see point II.2) on the procedure with GZ XXXX, which also fully answers the MB's current complaint.

The BF1, as head of the XXXX department in which the MB had been treated for a long time, was involved with his treatment documentation. Not a single file from this time was used by her for personal, i.e. non-professional purposes, or even sent to BF2 as her legal representative. If the MB's request for information would also concern correspondence between BF1 and its legal representative (BF2), this would be opposed by the lawyer's duty of confidentiality.

I.3. With a letter from the BA dated August 11, 2021, the MB was sent the statement of BF1 and BF2 and given the opportunity to comment (VWA ./8, see point II.2).

On August 21, 2021, the MB received a statement in which the arguments of BF1 or its legal representative (BF2) were disputed (VWA ./9, see point II.2). In an email dated August 22, 2021, the MB supplemented his statement to the effect that the attached request for information dated November 12, 2021 shows that BF1’s assertion that his request for information dated November 12, 2021 was based only on the DSG and not on the GDPR. is clearly wrong (VWA ./10, see point II.2).

I.4. With the decision of the bB of September 1st, 2021, the MB's data protection complaint of November 19th, 2020 was upheld and it was found that BF1 and its legal representative (BF2) violated the MB's right to information by not providing him with complete information (point 1 ). The BF1 and her legal representative (BF2) were instructed to provide the MB with the following information within four weeks, otherwise execution:

"a. the recipients or categories of recipients to whom the personal data of the complainant have been or will be disclosed, in particular recipients in third countries or international organizations;

b. the envisaged period for which the complainant’s personal data will be stored or, if this is not possible, the criteria used to determine that period;

c. the existence of a right to rectification or erasure of personal data concerning the complainant or to restriction of processing by the person responsible or a right to object to this processing;

i.e. the existence of a right of appeal to a supervisory authority;

e. if the personal data were not collected from the complainant, all available information about the origin of the data and

f. the existence of automated decision-making including profiling in accordance with Article 22 Paragraphs 1 and 4 GDPR and - at least in these cases - meaningful information about the logic involved and the scope and intended effects of such processing for the complainant" (point 2; VWA . /11, see point II.2).

In justification, the bB stated that an application to the person responsible must first be submitted in order to claim a right that requires an application (including the rights to information, deletion and objection) under the GDPR. A specific form or wording of this request cannot be found in the GDPR, but it must at least be recognizable to the person responsible that it is a request based on a specific right under the GDPR, since the receipt of the request triggers obligations on the part of the person responsible , in particular the provision of the information specified in Art. 12 (3) GDPR or the notification of an extension of the deadline within one month of receipt of the request. When assessing whether there is a request for a specific right under the GDPR that is recognizable to the person responsible, the content of this should be checked, whereby the same standard should be applied that also applies to unilateral declarations of intent under private law. According to this, the wording and understanding of the declaration should be viewed from an objective point of view, i.e. as the recipient could understand it according to its wording and purpose when viewed objectively (cf. BVwG 05/03/2018, W256 2190554-1, on the request for information § 26 DSG 2000 and regarding the interpretation with reference to the case law of the Supreme Court, such as Supreme Court September 15, 1999, 9 ObA 148/99a).

According to the standards presented, it is clear from the requests of the MB that he wanted information about the personal data processed for him. The non-represented MB cannot be accused of misrepresenting the legal norm in this regard. The data subject's right to information is regulated in Art. 15 GDPR. This provision provides that a data subject can request confirmation as to whether a controller is processing their personal data. In the event that a person responsible actually processes data on the person concerned, he has a right to information about this data as well as more detailed information defined in paragraph 1 lit. a to h leg. cit. The purpose of this provision is to enable a data subject to gain an insight into the "whether and how" of the processing (Art. 4 Z 2 GDPR) of personal data, whereby the data subject should be able to check the legality of the processing. The right to information and the associated notifications and measures would thus also serve to effectively enforce the law (cf. Paal in Paal/Pauly, General Data Protection Regulation, Art. 15, margin no. 3). A prerequisite for the provision of information in accordance with Art. 15 GDPR is that the person concerned submits a corresponding request to the person responsible.

With regard to Art. 15 (1) lit. a and b GDPR, data information was given in a statement dated July 15, 2021 (first and last name, full postal address and date of birth of the MB for the purpose of filing a temporary injunction and action for an injunction). With regard to letters c to h, however, no data was provided, so the complaint was to be upheld in these points. This is also not a matter of correspondence between BF1 and its legal representative (BF2). The performance mandate is based on Article 58 (2) (c) GDPR. It was therefore to be decided overall in accordance with the verdict.

I.5. On September 14, 2021, the BF1 and BF2 requested the transmission of the procedural input of the MB of November 19, 2020 cited in the contested decision and the protocol on the hearing of the parties, which the MB had been granted on August 21, 2021 (VWA ./12, see point II .2). The required file components were sent to the BF1 and the BF2 with an e-mail from the bB on September 20th, 2021 (VWA ./13, see point II.2).

I.6. The appeal lodged in due time on October 1, 2021 (VWA ./14, see point II.2) was directed against the decision of the BA. In the complaint, the complainants essentially stated that the full content of the contested decision violated BF1 and its legal representative (BF2) in their right to the statutory judge, in that they were instructed to provide the MB with information that, according to the application, he had not wanted at all . It was also stated that Art. 15 GDPR does not include an obligation to provide a data subject with all the information listed in Art. 15 (1) lit. a to h GDPR, regardless of the specific request for information. This is all the less so if the request for information in question expressly only refers to two of the littera listed in paragraph 1, but omits the others, which can be transferred to § 44 DSG, which was incorrectly quoted by the MB. If, like the BA in the contested decision, one assumes that the wording and the understanding of the declaration are to be viewed from an objective point of view, it is correct to assume that the MB initially wanted to receive information about which personal data from BF1 and its legal representative (BF2) had been processed. The bB also assumes this. In the event that personal data would be processed via the MB, he had made use of his right to receive information about the personal data concerned in his submissions. This request was granted in full. Contrary to the view of the DA, the MB and his request for information should not be measured against that of a simple, unrepresented complainant, for whom a misguided request or an unintentionally incomplete request for information could be forgiven. Rather, the MB is a data protection expert who knows exactly what he is asking for, if you look at the 40 ongoing proceedings at the BB since 2015, which are listed in his prepared brief in the proceedings before the regional court XXXX to XXXX of November 26th, 2020 note what he had exerted up to that point. Since, in summary, neither the MB's request, which was limited to certain information, nor Art. 15 GDPR and § 24 DSG indicate that all the information specified in Art. 15 (1) GDPR is to be provided, the finding in the contested decision is BF1 and its legal representative (BF2) would have violated the MB's right to information by not providing him with complete information and the order to provide the MB with more detailed information (lit. a-f) would be unlawful and the BF1 and its legal representative (BF2 ) violated their right to the legal judge.

I.7. In his e-mail of October 3rd, 2021 to the BA, the MB stated that the BF1 and her legal representative (BF2) had not provided the data information to date. Nor was he informed whether an appeal had been lodged against the complaint. It therefore applied that the BA should enforce its right to data information and execute the decision (VWA ./15, see point II.2).

I.8. The complaint in question and the related administrative act (including the components VWA ./1 to ./15 see point II.2) were submitted to the Federal Administrative Court (hereinafter also "BVwG") by the BA in a letter dated October 5th, 2021. In its statement, the BA completely denied the complaints submitted by BF1 and BF2 and referred in full to the contested decision (VWA ./16, see point II.2). In a letter dated October 5th, 2021, the bB informed the parties that the complaint, including the case files, had been submitted to the BVwG for a decision (VWA ./17, see point II.2).

II. The Federal Administrative Court considered:

II.1. Findings:

The facts relevant to the decision are clear.

II.1.1. About the procedure:

The course of the procedure described under point I is determined and used as a basis for the decision.

II.1.2. Subject of complaint:

The subject of the complaint is the question of whether BF1 and its legal representative (BF2) violated the MB's right to information by not complying with his request for data information of November 12, 2020 or November 19, 2020.

II.1.3. On the processing of the personal data of the MB by BF1:

The BF1 is head of the department for XXXX in the XXXX. The MB was in inpatient treatment in the department mentioned at the end of 2019.

XXXX (BF2) represents BF1 as a lawyer.

The MB is of the opinion that there was massive mistreatment during the inpatient treatment in the hospital. The MB then, among other things, lodged a complaint with XXXX and with XXXX with XXXX. The BF1, on the other hand, is of the opinion that the MB insulted and slandered the BF1 in numerous e-mails, which the MB allegedly also sent to many executives, administrative staff and members of the treatment team at XXXX. Therefore, the BF1 initially asked for a cease and desist. As a result, a (judicial) application for the issuance of an injunction was made and an action for an injunction was brought against the MB. In this regard, proceedings regarding GZ XXXX were pending at the XXXX regional court. The subject of the injunction and the action for an injunction was that the MB might be obliged to refrain from further insults to BF1 in the future. The BF1 used data from the MB (first and last name, full postal address, date of birth) to submit the application for the issuance of an injunction and the action for an injunction and was also represented by a lawyer. The data of the MB are known to the BF1 due to her capacity as head of the department for XXXX in XXXX.

XXXX (BF2) also represented BF1 in the proceedings before the regional court XXXX in the proceedings regarding GZ XXXX in a legally friendly manner.

II.1.4. Regarding the MB’s request for information to BF1:

The MB addressed a letter to BF1 dated November 12th, 2020 and stated “Application for data information in accordance with DSG, DSGVO and any other conceivable legal basis” in the subject line.

In this request for information dated November 12, 2020, the MB stated to BF1:

"[...]

I hereby submit the request for information in accordance with § 44 DSG and thus make use of my right to receive confirmation as to whether you are processing personal data concerning me and if this is the case, I make use of my right to information about the affected personal data according to § 44 DSG.

[...]"

In a letter dated November 18, 2020, BF1 and its legal representative (BF2) rejected the requested provision of information on the grounds that neither BF1 nor its legal representative are responsible within the meaning of Section 44 (1) DSG and are therefore not obliged to provide information to the MB.

In a letter dated November 19th, 2020, the MB lodged a data protection complaint about a violation of his right to information in accordance with the DSG and DSGVO and any other conceivable legal basis.

II.1.5. Regarding the request for information from the MB to the BF2:

With an email dated November 19, 2020, the MB submitted a request for information to BF2. In the subject line, the MB stated "Application for data information in accordance with DSG, DSGVO and any other conceivable legal basis".

The MB also stated in his e-mail to BF2 on November 19, 2020:

"In addition to my letter of November 12, 2020, which contains an application for data information in accordance with DSG, DSGVO and any other conceivable legal basis to BF1, I am expanding this application to you. The same application is hereby made to you as a lawyer and also to your entire law firm.

I hereby submit the request for information in accordance with § 44 DSG and thus make use of my right to receive confirmation as to whether you are processing personal data concerning me and if this is the case, I make use of my right to information about the affected personal data according to § 44 DSG.

...."

In a letter dated November 19th, 2020, the MB lodged a data protection complaint about a violation of his right to information in accordance with the DSG and DSGVO and any other conceivable legal basis.

II.2. Evidence assessment:

Evidence was collected through inspection of the administrative file of the bB [hereinafter referred to as "VWA" with the components ./1 - data protection complaint of the MB from 19.11.2020 (see point I.1), ./2 - application of the MB to the BF1 to data information dated November 12, 2020 (see point I.1), ./3 - Response letter from BF1 by way of legal representative (BF2) dated November 18, 2020 (see point I.1), ./4 - Letter from MB to legal representative ( BF2) of November 19th, 2020 (see point I.1), ./5 - Request for a statement from the bB to BF1 and BF2 of July 6th, 2021 (see point I.2), ./6 - Statement of the BF1 and BF2 of July 15th .2021 (see point I.2), ./7 - Statement of the BF1 from October 27th, 2020 in the procedure XXXX (see point I.2), ./8 - Notification from the AA to the MB from August 11th, 2021 (see point I .3), ./9 - Statement of the MB of August 21, 2021 (see point I.3), ./10 - Supplementary statement of the MB of August 22, 2021 (see point I.3), ./11 - Notice of the DA of 09/01/2021 (see point I.4), ./12 - Letter from BF1 and BF2 to the BA of 09/14 .2021 (see point I.5), ./13 - e-mail from the BA to BF1 and BF2 from September 20th, 2021 (see point I.5), ./14 - complaint from the BF1 and BF2 from October 1st, 2021 ( see point I.6), ./15 - e-mail from the MB to the AA of October 3rd, 2021 (see point I.7), ./16 - file submission by the AA of October 5th, 2021 (see point I.8) , ./17 - notification of the bB of 05.10.2021 (see point I.8) ] and in the court file of the BVwG (file components are marked with an ordinal number, "OZ" for short).

II.2.1. About the procedure:

The above procedure results from the unobjectionable and indubitable file content of the submitted administrative file of the bB and the court file of the BVwG.

II.2.2. Subject of complaint:

The object of the complaint results, among other things, from the notification of the bB of September 1st, 2021 (VWA ./11, page 3) and is considered undisputed.

II.2.3. On the processing of the personal data of the MB by BF1:

The findings in this regard are based on the factual findings in the contested decision, which were not disputed by the parties (VWA ./11, page 3 f). In particular, it can be seen from the statement by BF1 of October 27, 2020 on GZ XXXX that BF1 used the first and last name, full postal address and date of birth of the MB for the purpose of filing an injunction and an action for an injunction (VWA ./7, page 4 f ). Sohin this was to be determined.

II.2.4. Regarding the MB’s request for information to BF1:

The relevant findings are based on the MB’s data protection complaint of November 19, 2020 (VWA ./1), the MB’s application to BF1 for data information of November 12, 2020 (VWA ./2) and the reply letter from the legal representative of BF1 (BF2) dated November 18, 2020 (VWA ./3) and the letter from the MB to legal representatives (BF2) dated November 19, 2020 (VWA ./4).

II.2.5. Regarding the request for information from the MB to the BF2:

The relevant findings are based on the MB’s data protection complaint of November 19, 2020 (VWA ./1) and the MB’s letter to legal representatives (BF2) of November 19, 2020 (VWA ./4).

II.3. Legal assessment:

According to § 6 BVwGG, the Federal Administrative Court decides through a single judge, unless federal or state laws provide for the decision to be made by senates.

The contested decision is based on a decision by the bB in accordance with Art. 15 GDPR. This matter is covered by Senate decisions in accordance with § 27 DSG.

The procedure of the administrative courts, with the exception of the Federal Finance Court, is regulated by the VwGVG, Federal Law Gazette I No. 33/2013 (§ 1 leg.cit.). Pursuant to Section 58 (2) VwGVG, conflicting provisions that were already promulgated at the time this federal law came into force remain in force.

According to § 17 VwGVG, unless otherwise specified in this federal law, the provisions of the AVG with the exception of §§ 1 to 5 and Part IV, the provisions, apply to the procedure for complaints pursuant to Art. 130 Para. 1 B-VG the Federal Fiscal Code - BAO, Federal Law Gazette No. 194/1961, the Agricultural Procedures Act - AgrVG, Federal Law Gazette No. 173/1950, and the Service Law Procedures Act 1984 - DVG, Federal Law Gazette No. 29/1984, and otherwise those procedural provisions in federal or state laws that the authority applied or should have applied in the proceedings preceding the proceedings before the administrative court.

Pursuant to Section 28 (1) VwGVG, the administrative courts have to settle the legal matter by finding it unless the complaint is to be dismissed or the proceedings are to be discontinued. According to para. 2 leg.cit. the administrative court has to decide on complaints according to Art. 130 Para. 1 Z 1 B-VG itself if

1. the relevant facts have been established or

2. the determination of the relevant facts by the administrative court itself is in the interest of speed or is associated with significant cost savings.

As already explained above, the relevant facts in the matter are certain on the basis of the file situation. The Federal Administrative Court must therefore decide on the matter itself.

Regarding A) Rejection of the complaint:

II.3.1. Regarding the legal situation in the present complaints procedure:

Section 36 DSG - scope and definitions - reads in part:

"Article 36. (1) The provisions of this main part apply to the processing of personal data by competent authorities for the purpose of preventing, investigating, detecting or prosecuting criminal offenses or the execution of sentences, including protection against and averting threats to public security, as well as for purposes of national security, intelligence and military self-security.

(2) For the purposes of this Chapter, the term means:

[..] 8. “Responsible person” means the competent authority which, alone or together with others, decides on the purposes and means of the processing of personal data; [...]"

Section 44 of the DSG – the data subject’s right to information – reads:

"Article 44. (1) Every data subject has the right to obtain confirmation from the controller as to whether personal data relating to them are being processed; if this is the case, you have the right to receive information about personal data and the following information:

1. the purposes of the processing and its legal basis,

2. the categories of personal data being processed,

3. the recipients or categories of recipients to whom the personal data have been disclosed, in particular recipients in third countries or international organizations,

4. if possible, the planned duration for which the personal data will be stored or, if this is not possible, the criteria for determining this duration,

5. the existence of a right to correction or deletion of personal data or restriction of the processing of personal data of the person concerned by the person responsible,

6. the existence of a right of appeal to the data protection authority and their contact details and

7. Communication on the personal data that are the subject of the processing, as well as all available information on the origin of the data.

(2) Restrictions on the right to information are only permissible under the conditions set out in Section 43 (4).

(3) If the information pursuant to paragraph 2 is not provided, the person responsible must immediately inform the data subject in writing of the refusal or restriction of the information and the reasons for this. This does not apply if the provision of this information would run counter to one of the purposes specified in Section 43 (4). The controller shall inform the data subject of the possibility of filing a complaint with the data protection authority.

(4) The person responsible must document the reasons for the decision not to provide the information pursuant to paragraph 2. This information must be made available to the data protection authority.

(5) To the extent that data processing for a data subject can be viewed by law with regard to the data processed about them, they have the right to information in accordance with the provisions providing for the right of inspection. For the procedure of inspection (including its refusal) the more detailed provisions of the law that provides for the right of inspection apply. Components of information mentioned in paragraph 1 that are not covered by the right of inspection can nevertheless be asserted under this federal law.”

Art. 12 GDPR - Transparent information, communication and modalities for exercising the rights of the data subject - reads in part:

"[...] (3) The controller shall provide the data subject with information on measures taken on a request pursuant to Articles 15 to 22 without undue delay and in any event within one month of receipt of the request. This period can be extended by a further two months if this is necessary taking into account the complexity and the number of applications. The controller shall inform the data subject of an extension of the deadline within one month of receipt of the request, together with the reasons for the delay. If the data subject submits the request electronically, they must be informed electronically if possible, unless they state otherwise.

(4) If the person responsible does not act upon the request of the data subject, he shall inform the data subject without delay, but no later than one month after receipt of the request, of the reasons for this and of the possibility of lodging a complaint with a supervisory authority or to lodge a judicial remedy. [...]"

Art. 15 GDPR – the data subject’s right to information – reads:

“(1) The data subject has the right to request confirmation from the person responsible as to whether personal data relating to him or her are being processed; if this is the case, you have the right to information about this personal data and the following information:

a) the processing purposes;

b) the categories of personal data being processed;

c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations;

d) if possible, the envisaged period for which the personal data will be stored or, if this is not possible, the criteria used to determine that period;

e) the existence of a right to correction or deletion of the personal data concerning you or to restriction of processing by the person responsible or a right to object to this processing;

f) the existence of a right of appeal to a supervisory authority;

g) if the personal data are not collected from the data subject, all available information about the origin of the data;

h) the existence of automated decision-making, including profiling, in accordance with Article 22(1) and (4) and — at least in these cases — meaningful information about the logic involved and the scope and envisaged effects of such processing for the data subject.

(2) Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards in accordance with Article 46 relating to the transfer.

(3) The person responsible provides a copy of the personal data that are the subject of the processing. For any additional copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. If the data subject submits the request electronically, the information must be made available in a common electronic format, unless otherwise specified.

(4) The right to obtain a copy under paragraph 3 shall not prejudice the rights and freedoms of any other person."

II.3.2. Against this background, the following results for the complaint:

The BF1 did not comply with the MB’s request for information of November 12, 2020 or November 19, 2021 and justified this by saying that neither the BF1 nor their legal representatives (BF2) are responsible within the meaning of Section 44 (1) DSG and are therefore not obliged to provide information to the MB.

The BF1 and its legal representative (BF2) were wrong with this procedure:

According to Art. 15 Para. 1 GDPR, a person concerned has the right to request confirmation from the person responsible as to whether personal data is being processed and, if this is the case, to obtain information about this personal data. In addition, there is a requirement for information in accordance with lit. a to h leg. cit.

A specific formulation of a request for information is not provided for by law. However, it must be clear to the recipient that the request is based on data protection law. This is important insofar as direct obligations are linked to the receipt of a request for information, namely in particular to provide the information within the statutory period or to justify in writing why it is not or not fully provided (see VwGH 27.11.2007, 2006 /06/0262 on the request for information according to § 26 DSG 2000).

In order to assess whether the recipient has a request for information that is recognizable as a request for information under data protection law, the content of this request must be examined, whereby the same standard must be applied that also applies to unilateral declarations of intent under private law. Accordingly, the wording and understanding of the declaration must be viewed from an objective point of view, i.e. as the recipient could understand it according to its wording and purpose when viewed objectively (see the case law of the Supreme Court, inter alia, the judgment of July 10, 1996, 9 Ob A2139/96s; 15.09.1999, 9 Ob A148/99a and many more). When determining the application, it is not the name of the applicant that matters, but the content of the entry, i.e. the recognizable and deducible goal of the applicant (VwGH 19.03.2013, 2012/21/0082). In this direction, the MB also stated that he wanted to know which data and why the BF1 had stolen his data (VWA ./2, page 2). From these statements it can also be inferred that the MB's application was aimed at a request for information under data protection law.

The letter from the MB clearly contains a request for data protection information. The fact that the MB incorrectly bases his request on § 44 DSG is - as the DA correctly explained - irrelevant. The BF1 agrees that § 44 DSG for the processing of personal data by competent authorities for the purpose of preventing, investigating, uncovering or prosecuting criminal offenses or the execution of sentences, including protection against and averting dangers to public security, as well as for The purpose of national security, the intelligence service and the military's own security applies (cf. § 36 Para. 1 DSG). In this context, it should be noted that the wording of the provisions of Section 44 DSG and Art. 15 GDPR is similar and the MB submitted the application without legal representation.

Insofar as the BF1 and its legal representative (BF2) point out that the MB only made an application in accordance with § 44 DSG, this reading must be countered by the fact that the MB in his applications clearly in the subject (also) made an application for data information in accordance with the GDPR ("Application for data information in accordance with DSG, DSGVO and any other conceivable legal basis"). For this reason alone, the BF1 and its legal representative (BF2) could not assume without a doubt that the MB only submitted an application in accordance with Section 44 DSG. It should also be noted that the BF1 and its legal representative (BF2) must not assume in case of doubt that the MB has made a pointless or inadmissible application from the outset (according to VwGH 03/26/2021, Ra 2020/03/0149). An application by the MB to BF1 or its legal representative (BF2) on the basis of Section 44 DSG is to be regarded as pointless. The complainants also indicate in their own complaint that the MB erroneously quoted Section 44 DSG (VWA ./14, page 4, first paragraph).

It is therefore possible to uphold the view of the relevant authority that the unrepresented MB cannot be accused of violating the legal norm. If BF1 and its legal representative (BF2) state in their complaint that the MB is a data protection law expert, this view is not justifiable. The BF1 and the BF2 argue in this regard with about 40 ongoing procedures at the BA since 2015, which the MB have initiated. Even from the number of data protection procedures initiated by the MB, it cannot be deduced that he has the comprehensive data protection knowledge of an expert. The fact that the MB wrongly bases his applications on § 44 DSG (see above) does not exactly speak for assessing him as a data protection law expert.

Overall, a request for data protection information can be clearly inferred from the applications of the MB. Against this background, intentions expressed to the outside are irrelevant (VwGH 19.03.2013, 2012/21/0082). The opinion of BF1 or her legal representative (BF2) that the MB (only) made an application in accordance with § 44 DSG contradicts the fact that such an application is downright pointless and, moreover, the MB has clearly expressed that he ( also) requests information in accordance with the GDPR. Therefore, BF1 and its legal representative (BF2) could not assume that there was an apparently unfounded application pursuant to Art. 12 (3) GDPR, which excludes the provision of information pursuant to Art. 15 GDPR. Finally, it can no longer be inferred from the MB's procedural application to the BA that he based his application for information on Section 44 DSG (VWA ./1).

The right to information is regulated in Art. 15 GDPR. In terms of content, the right to information grants the data subject the right to request confirmation from the person responsible as to whether their personal data has been processed. If there is one or more such processing operations, the data subject has a right to information about the personal data and other information specified in Article 15 (1) lit. a to h leg. cit. defined information. This information must be provided so that the purpose of this right of the data subject can be fulfilled, namely to enable the data subject to gain an insight into the "whether and how" of the processing of their personal data. (Jahnel, Commentary on the General Data Protection Regulation Art. 15 GDPR [as of December 1st, 2020, rdb.at] margin no. 2). To a certain extent, the claim ranges from the "whether" of the data processing (Article 15 Paragraph 1 Clause 1 GDPR) to the "How" (Article 15 Paragraph 1 Clause 2 lit. a-h, Paragraph 2 GDPR) to the "What" ( Art 15 para. 1 clause 2, para. 3 GDPR).

If the person responsible processes the data of the person concerned, he must provide information about the specific characteristics including the additional information and hand over a copy of the data himself (Art. 15 para. 1 lit. a to h, para. 2, 3 and 4; Haidinger in Knyrim, DatKomm Art. 15 GDPR [as of December 1, 2021, rdb.at] margin no. 27; Jahnel, Commentary on the General Data Protection Regulation Art. 15 GDPR [as of December 1, 2020, rdb.at] margin no. 2, 14 ff).

Since the enumeration in lit. a to h leg. cit. contains mandatory content of the provision of information, the argument of BF1 and its legal representative (BF2) proves that Article 15 GDPR does not contain an obligation to provide a data subject with all information specified in lit. a to h leg. cit. to grant the information given as inaccurate. A specific application request for individual information pursuant to lit. a to h leg. cit is therefore not required from a data subject.

It is undisputed that the BF1 issued the MB with a statement dated July 15, 2021, data information within the scope of Art. 15 Para. 1 lit a and b GDPR (first and last name, full postal address and date of birth of the MB for the purpose of filing a temporary injunction and injunctive relief, see VWA ./6).

Furthermore, it is undisputed that no data was disclosed in accordance with Article 15(1)(c) to (h). The DA thus rightly upheld the MB's data protection complaint and found that the BF1 and her legal representative (BF2) violated the MB's right to information by not providing him with complete information and that the BF1 and her legal representative (BF2) in subsequently rightly instructed to provide the MB with the relevant information within four weeks, otherwise execution.

The appeal was therefore dismissed as unfounded.

II.3.3. To cancel the negotiation:

II.3.3.1. Regarding the legal situation in the present complaints procedure:

§ 24 para. 1 to 4 VwGVG - negotiation - reads:

(1) The administrative court shall hold a public oral hearing on application or, if it deems it necessary, ex officio.

(2) The hearing can be omitted if

1. the party's application initiating the previous administrative procedure or the complaint is to be rejected or it is already certain on the basis of the file situation that the decision contested with the complaint is to be annulled or the contested exercise of direct administrative authority to give orders and coercive powers is to be declared illegal or

2. the complaint about default is to be rejected or dismissed;

3. If the legal matter is settled by a magistrate.
(3) The complainant shall apply for a hearing to be held in the complaint or in the application for a referral. The other parties must be given the opportunity to submit an application for a hearing to be held within a reasonable period of time, which does not exceed two weeks. A request for a hearing can only be withdrawn with the consent of the other parties.

(4) Unless otherwise provided by federal or state law, the administrative court may, regardless of a party's application, refrain from a hearing if the files indicate that the oral discussion does not give reason to expect any further clarification of the legal matter, and if the hearing is omitted Art. 6 (1) of the Convention for the Protection of Human Rights and Fundamental Freedoms, BGBl. No. 210/1958, nor Art. 47 of the Charter of Fundamental Rights of the European Union, OJ No. C 83 of 30.03.2010 p. 389 ( Section 24 (4) VwGVG).

II.3.3.2. Against this background, the following results for the complaint:

The relevant facts could be considered as sufficiently clarified by the file situation. The complaint did not raise any factual issues that still needed to be clarified in a concrete and substantiated manner, and there was also no complex legal issue to be resolved (VwGH of July 31, 2007, Zl. 2005/05/0080). It was therefore possible to refrain from holding an oral hearing. Article 6(1) of the ECHR and Article 47 of the Charter of Fundamental Rights of the European Union do not conflict with the refusal to negotiate.

Finally, BF1 and its legal representative (BF2) did not apply for a complaint hearing or provide concrete evidence. Therefore, it was also possible to refrain from conducting a hearing for these reasons (VwGH October 19, 2016, Ra 2016/12/0073).

Re B) Inadmissibility of the revision:

Pursuant to § 25a Para. 1 VwGG, the administrative court has to pronounce in its ruling or decision whether the revision is admissible according to Art. 133 Para. 4 B-VG. The statement must be briefly justified.

According to Art. 133 Para. 4 B-VG, the revision is not permissible because the decision does not depend on the solution of a legal question that is of fundamental importance. The present decision neither deviates from the previous case law of the Administrative Court, nor is there any case law; Furthermore, the case law of the Administrative Court is not to be judged as inconsistent (see in particular the case law cited under A)). There are also no other indications of a fundamental importance of the legal question to be solved. Concrete legal questions of fundamental importance were neither raised in the present complaint nor in the proceedings before the BVwG, especially since in the present case the clarification of factual questions was the basis for the decision to be made.

The judicature of the VwGH cited above in the legal assessment was issued in part for earlier legal situations, but in the opinion of the adjudicating court it can be transferred unchanged to the provisions of the current legal situation, which are largely identical in content.

It was therefore to be decided accordingly.