BVwG - W214 2233132-1/27E

From GDPRhub
Revision as of 10:02, 13 February 2024 by MBa (talk | contribs)
BVwG - W214 2233132-1/27E
Courts logo1.png
Court: BVwG (Austria)
Jurisdiction: Austria
Relevant Law: Article 15 GDPR
Article 15(1)(c) GDPR
Decided: 29.11.2023
Published: 09.01.2024
Parties:
National Case Number/Name: W214 2233132-1/27E
European Case Law Identifier: AT:BVWG:2023:W214.2233132.1.00
Appeal from: DSB
DSB-D205.157/0005-DSB/2019
Appeal to:
Original Language(s): German
Original Source: RIS (in German)
Initial Contributor: co

In a partial judgment on appeal, an Austrian Court held that a controller acted contrary to Article 15(1)(c) GDPR as it failed to store and provide information about the recipients of a data subject’s personal data.

English Summary

Facts

A data subject filed a complaint with the DSB claiming a violation of his right to access under Article 15 GDPR. The DSB partially upheld the complaint of the data subject, ordering the controller, an address publisher and direct marketing company, to disclose to the data subject information about the target groups of personal data about him being processed for advertising purposes and the names of the recipients of such data as it failed to fully comply with the access request.

The controller then appealed the decision before the BVwG, claiming that it is not obliged to disclose such information. The BVwG started evaluating the case but then suspended the proceedings, pending the decision of the CJEU in case C-154/21 and issued only a partial decision on 17 May 2022 (BVwG - W214 2233132-1/13E) annulling parts of the DSB's decision.

In January 2023, the CJEU delivered its judgment in case C-154/21 and the BVwG continued the case in May 2023.

Holding

Upon hearing further submissions by the parties, the BVwG issued its final decision on the remaining part of the case on 29 November 2023.

In the second partial judgment the court considered the two parts of the DSB’s decision that had not already been decided, namely: (2a) the order to the controller to disclose the names of all recipients of the data subject’s personal data and (1) the declaration that the controller violated the data subject’s right to access as it failed to fully comply with his request under Article 15 GDPR.

The Court first of all held that, part (2a) of the DSB’s decision should be dismissed, as the controller in its later submissions sufficiently proved that it was impossible for it to identify all recipients of the data subject’s personal data and thus it could and can not comply with the order to disclose their names.

As regards part (1) of the DSB’s decision, the BVwG held that, even though it was indeed impossible for the controller to identify the recipients of the data subject's personal data, this was due to the fact that the controller did not take the appropriate steps to save information about the transmission of personal data to recipients, even though controllers are generally obliged to do so. This, in turn, resulted in the data subject not being able to exercise its other rights under the GDPR and the controller could not comply with its obligation under Article 19 GDPR. For this reason, the court held that the GDPR violation did not just take place in the past but was still ongoing and the data subject's request was still not complied with. Further, the court rejected the argument that the list of recipients of the controller is covered by trade secret protection. As a matter of fact, the court considered that this would lead to the impossibility to ever apply Article 15(1)(c) GDPR, and the interpretation of a law leading to its disapplication is unlawful according to the case-law of the Austrian supreme court. Also, in this specific case, the existence of trade secret protection was negated by the controller at the oral hearing.

In light of the above, the BVwG concluded that the controller violated the data subject’s right to access under Article 15(1)(c) GDPR as it failed to store information about the recipients of his personal data and thus was unable to provide it to the data subject.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

Decision date

November 29, 2023

standard

B-VG Art 133 Paragraph 4
DSG §24
DSG §4
GDPR Art 12
GDPR Art 15
GDPR Art 15 Paragraph 1 litc
GDPR Art77
UWG §26b paragraph 1

B-VG Art. 133 today B-VG Art. 133 valid from January 1st, 2019 to May 24th, 2018 last changed by Federal Law Gazette I No. 138/2017 B-VG Art. 133 valid from January 1st, 2019 last changed by Federal Law Gazette I No. 22/2018 B-VG Art. 133 valid from May 25th, 2018 to December 31st, 2018 last changed by Federal Law Gazette I No. 22/2018 B-VG Art I No. 164/2013 B-VG Art by BGBl amended by BGBl. No. 211/1946 B-VG Art. 133 valid from December 19, 1945 to December 24, 1946 last amended by StGBl. No. 4/1945 B-VG Art. 133 valid from January 3, 1930 to June 30, 1934

DSG Art. 2 § 24 today DSG Art. 2 § 24 valid from May 25th, 2018 last changed by Federal Law Gazette I No. 120/2017 DSG Art No. 133/2009 DSG Art. 2 § 24 valid from January 1st, 2000 to December 31st, 2009

DSG Art. 2 § 4 today DSG Art. 2 § 4 valid from January 1st, 2020 last changed by Federal Law Gazette I No. 14/2019 DSG Art No. 24/2018 DSG Art. 2 § 4 valid from May 25, 2018 to May 24, 2018 last changed by Federal Law Gazette I No. 120/2017 DSG Art. 2 § 4 valid from January 1, 2010 to May 24, 2018 last changed by Federal Law Gazette . I No. 133/2009 DSG Art. 2 § 4 valid from January 1st, 2000 to December 31st, 2009

UWG § 26b today UWG § 26b valid from January 29, 2019 last changed by Federal Law Gazette I No. 109/2018

saying

W214 2233132-1/27E

PARTIAL KNOWLEDGE

IN THE NAME OF THE REPUBLIC!

The Federal Administrative Court, through judge Dr. Eva SOUHRADA-KIRCHMAYER as chairwoman and the expert lay judges Mag. Huberta MAITZ-STRASSNIG and Mag. Claudia KRAL-BAST as assessors on the complaint XXXX, represented by Schönherr Rechtsanwälte GmbH, against points 1 and 2.a. of the data protection authority's decision of February 13, 2020, Zl. DSB-D205.157/0005-DSB/2019, rightly recognized: The Federal Administrative Court, through the judge Dr. Eva SOUHRADA-KIRCHMAYER as chairwoman and the expert lay judges Mag. Huberta MAITZ-STRASSNIG and Mag. Claudia KRAL-BAST as assessors on the complaint Roman XXXX represented by Schönherr Rechtsanwälte GmbH, against points 1 and 2.a. of the data protection authority's decision of February 13, 2020, Zl. DSB-D205.157/0005-DSB/2019, rightly recognized:

A)

The complaint is partially upheld and ruling point 2.a. of the contested decision has been remedied without replacement.

The complaint against point 1 of the contested decision is dismissed as unfounded with the proviso that this point must read as follows:

"The complaint is partially upheld and it is determined that the respondent has thereby violated the complainant's right to information in accordance with Article 15 (1) (c) GDPR by not providing him with information about the recipients of his personal data (or "The complaint is partially upheld and it is determined that the respondent has violated the complainant's right to information in accordance with Article 15, paragraph one, letter c, GDPR by not providing him with any negative information." has provided or provided information about the recipients of his personal data (or no negative information).”

B)

The revision is permissible in accordance with Article 133, Paragraph 4, B-VG.The revision is permitted in accordance with Article 133, Paragraph 4, B-VG.

text

Reasons for the decision

I. Process: Roman one. Process:

1. In his complaint dated May 30, 2019, addressed to the data protection authority (DSB, the authority concerned before the Federal Administrative Court), XXXX (co-participant in the proceedings before the Federal Administrative Court, former complainant before the authority concerned) alleged a violation of the right to information in accordance with Art. 15 GDPR by the complainant (respondent in the proceedings before the authority concerned). To this end, he stated (to the extent that it was still relevant to the case) that the complainant had not given him any information about the recipients of target group data. 1. In his complaint dated May 30, 2019, addressed to the data protection authority (DSB, the authority concerned before the Federal Administrative Court), Roman XXXX (co-participant in the proceedings before the Federal Administrative Court, former complainant before the authority concerned) alleged a violation of the right to information in accordance with Article 15, GDPR by the complainant (respondent in the proceedings before the authority concerned). To this end, he stated (to the extent that it was still relevant to the case) that the complainant had not given him any information about the recipients of target group data.

Attached to the data protection complaint was the letter of request from the co-participant to the complainant in accordance with Art. 15 GDPR dated January 12, 2019, the (undated) reply letter from the complainant and the email correspondence from the co-party to the complainant from April/May 2019. The data protection complaint was attached the letter of request from the co-party to the complainant in accordance with Article 15, GDPR dated January 12, 2019, the (undated) reply letter from the complainant and the email correspondence from the co-party to the complainant from April/May 2019.

2. At the request of the authority concerned, the complainant submitted a statement on August 27, 2019 and October 14, 2019 and stated in summary (to the extent that it was still relevant to the proceedings) that she had been informed that data had been passed on to business customers for marketing purposes. There is no obligation to inform specific recipients, as this would mean disclosing the complainant's distribution channels and its individual customer relationships and thus business and trade secrets, which, however, is not required in the context of an information response under the GDPR.

3. The complainant's statements were brought to the attention of the co-participant by the relevant authority in a letter dated October 18, 2019. The co-participant responded to this in a statement dated November 5, 2019 and summarized (to the extent that it was still relevant to the case) that the alleged need to protect trade secrets was not a reason not to pass on the information about individual recipients of data, as otherwise no company would be obliged to provide such information and such a view would largely revoke the obligation under Article 15 (1) (c) GDPR. Otherwise, it would not be possible for a person affected to contact companies with requests for information and to request that their own data be deleted or corrected. In addition, in response to previous inquiries from other inquirers, the complainant named the individual recipients of marketing-capable data. 3. The complainant's statements were brought to the attention of the co-participant by the relevant authority in a letter dated October 18, 2019. The co-participant responded to this in a statement dated November 5, 2019 and summarized (to the extent that it was still relevant to the case) that the alleged need to protect trade secrets was not a reason not to pass on the information about individual recipients of data, since otherwise no company would be obliged to do so to provide such information and such a view would largely remove the obligation under Article 15, paragraph one, letter c, GDPR. Otherwise, it would not be possible for a person affected to contact companies with requests for information and to request that their own data be deleted or corrected. In addition, in response to previous inquiries from other inquirers, the complainant named the individual recipients of marketing-capable data.

4. With the contested decision, the co-participant's complaint was partially upheld and it was determined that the complainant had violated the co-party's right to information by providing incomplete information on April 3, 2019 (point 1). The complainant was ordered to provide the co-participant within a period of four weeks, if otherwise executed, a) to identify the specific recipients of the co-party's personal data, b) to provide generally understandable information about the terms of the possible advertising target groups "organic advertising", "self-employment" , “Advertising Investment”, “Target Group Characteristics”, “Life Phase”, “Advertising Donations” and “Advertising Relocation”, in particular about the meaning of the key terms used, as well as information about the relevant parameters for the evaluation and the allocation to the co-participant and c) to provide generally understandable information about the term “possible target group for academics” (point 2). Otherwise, the complaint was dismissed (point 3).

The authority concerned gave reasons with regard to points 1 and 2.a. stated that the co-participant in the present case received answers that were addressed to him personally but were largely standardized. The information only contains a general formulation regarding the recipients of the data stored about the co-participants: “XXXX uses data, to the extent legally permissible, as part of its activity as an address publisher and offers it to business customers for marketing purposes.” A balancing of interests is required in each individual case, in which the aspects of data protection interests of those involved and public confidentiality interests must be taken into account in order to determine whether specific recipients or just groups of recipients need to be informed. In the specific case, the co-participant's interest in providing information that is as complete as possible, which does not require further justification, in particular in order to be able to enforce subjective rights guaranteed under EU law, such as rights of correction and deletion, also against third parties and other responsible parties, is opposed to the complainant's interest in confidentiality. The complainant argues that naming specific recipients would reveal their distribution channels and customer relationships. However, the complainant leaves open why the disclosure of the business partners would affect her legitimate interests as an address publisher. From the perspective of the authority concerned, there would therefore be no legitimate interests of the complainant. In addition, it can be concluded from the fact that data is provided by address publishers for a fee that the complainant must have precise knowledge of who the data in question has been passed on to, solely for accounting reasons. At no time did she claim that the specific addressees were unknown to her. The authority concerned gave reasons for this with regard to points 1 and 2.a. stated that the co-participant in the present case received answers that were addressed to him personally but were largely standardized. The information only contains a general formulation regarding the recipients of the data stored about the co-participants: “Roman XXXX uses data, to the extent legally permissible, as part of its activity as an address publisher and offers it to business customers for marketing purposes.” A balancing of interests is required in each individual case, in which the aspects of data protection interests of those involved and public confidentiality interests must be taken into account in order to determine whether specific recipients or just groups of recipients need to be informed. In the specific case, the co-participant's interest in providing information that is as complete as possible, which does not require further justification, in particular in order to be able to enforce subjective rights guaranteed under EU law, such as rights of correction and deletion, also against third parties and other responsible parties, is opposed to the complainant's interest in confidentiality. The complainant argues that naming specific recipients would reveal their distribution channels and customer relationships. However, the complainant leaves open why the disclosure of the business partners would affect her legitimate interests as an address publisher. From the perspective of the authority concerned, there would therefore be no legitimate interests of the complainant. In addition, it can be concluded from the fact that data is provided by address publishers for a fee that the complainant must have precise knowledge of who the data in question has been passed on to, solely for accounting reasons. She also never claimed that the specific addressees were unknown to her.

5. The complainant lodged a timely complaint with the Federal Administrative Court against points 1 and 2 of this decision.

The complainant submitted (to the extent that it was still relevant to the case) that there was a right to choose whether categories of recipients or specific recipients were to be informed. The information provided about the recipient categories was therefore free of defects and the decision was illegal in terms of content. Providing information to all specific recipients would also involve a disproportionate amount of effort and would reveal the complainant's company and business secrets. As an address publishing and direct marketing company, the complainant's data transfer is always in accordance with Section 151 GewO. Not individual data but rather data packages would be passed on to the complainant's customers. The data packets passed on to a specific recipient are extracts from the complainant's extensive database, which are compiled depending on the request. The data packages could contain several hundred thousand or even millions of data records. However, it is not mandatory to log the transfer of every single data set within the data package. In this respect, it is actually not possible to provide information to all specific recipients - based on the data stored relating to a specific person. In order to protect the rights of those affected, monthly updates would be carried out, in which corrections, deletions and prohibitions on the transfer of data would be transmitted to the recipients of the data within the period specified in the GDPR and entered into their database. In many cases, whether a specific person is contained in a data set transmitted to a specific recipient can only be reconstructed retrospectively with considerable effort. The reconstruction is also subject to uncertainty because changes to the data record that occurred after the export day were not logged. Temporary blocking of the data record for data transfer could also lead to incorrect information. No obligation to store the recipients can be derived from the GDPR itself. This is also reinforced by the transparency guidelines of the Article 29 Data Protection Working Party. The fact that the specific recipients are not known does not result in a lack of legal protection, since the data subject's interest in legal protection is ensured by the “Robinson list” and the follow-up notification obligation in accordance with Article 19 of the GDPR. In addition, broadcasts for which this data would be used would have to contain information about who this data came from. The complainant submitted (to the extent that it was still relevant to the case) that there was a right to choose whether categories of recipients or specific recipients were to be informed. The information provided about the recipient categories was therefore free of defects and the decision was illegal in terms of content. Providing information to all specific recipients would also involve a disproportionate amount of effort and would reveal the complainant's company and business secrets. As an address publishing and direct marketing company, the complainant's data transfer is always in accordance with Section 151 of the GewO. Not individual data but rather data packages would be passed on to the complainant's customers. The data packets passed on to a specific recipient are extracts from the complainant's extensive database, which are compiled depending on the request. The data packages could contain several hundred thousand or even millions of data records. However, it is not mandatory to log the transfer of every single data set within the data package. In this respect, it is actually not possible to provide information to all specific recipients - based on the data stored relating to a specific person. In order to protect the rights of those affected, monthly updates would be carried out, in which corrections, deletions and prohibitions on the transfer of data would be transmitted to the recipients of the data within the period specified in the GDPR and entered into their database. In many cases, whether a specific person is contained in a data set transmitted to a specific recipient can only be reconstructed retrospectively with considerable effort. The reconstruction is also subject to uncertainty because changes to the data record that occurred after the export day were not logged. Temporary blocking of the data record for data transfer could also lead to incorrect information. No obligation to store the recipients can be derived from the GDPR itself. This is also reinforced by the transparency guidelines of Article 29, Data Protection Working Party. The fact that the specific recipients are not known does not result in any legal protection deficit, since the data subject's interest in legal protection is guaranteed by the “Robinson list” and the follow-up notification obligation in accordance with Article 19, GDPR. In addition, broadcasts for which this data would be used would have to contain information about who this data came from.

In addition, there was a violation of the right to be heard, the authority concerned had to present to the complainant the factual assumptions according to which, from the point of view of the authority concerned, there were no interests worthy of protection and no business secrets of the complainant and that the complainant had precise knowledge of the specific recipients for accounting reasons . These statements are also incorrect. With regard to the legal consequences of the procedure, the complainant should have been told that the authority concerned intended to request information from the specific recipients, as this was a controversial legal question. The contested decision therefore also suffers from illegality due to a violation of procedural regulations.

6. The authority concerned did not make use of the option of a preliminary decision on the complaint and submitted the complaint, including the relevant administrative act, to the Federal Administrative Court for a decision in a letter dated July 16, 2020.

7. In its decision of February 18, 2021, Zl. 6 Ob 159/20f, the OGH submitted the following question to the ECJ, which was pending on Zl. C-154/21, for a preliminary ruling:

“Is Article 15 paragraph 1 lit c of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data, on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation, OJ L 119/1 of May 4, 2016, p. 1; hereinafter “GDPR”) must be interpreted as meaning that the right to information about recipient categories is limited if specific recipients have not yet been determined for planned disclosures However, the right to information must also necessarily extend to recipients of these disclosures if data has already been disclosed?" "Is Article 15, paragraph one, letter c, of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons when processing personal data, on the free movement of data and on the repeal of Directive 95/46/EC (General Data Protection Regulation, OJ L 119/1 of May 4, 2016, p. 1; hereinafter referred to as “GDPR”) "that the right to information is limited to information about categories of recipients if specific recipients of planned disclosures have not yet been determined, but the right to information must also necessarily extend to recipients of these disclosures if data has already been disclosed?"

8. In a letter dated March 22, 2021, the complainant requested the suspension of the complaint proceedings in question in accordance with Section 17 VwGVG in conjunction with Section 38 AVG until the ECJ's decision on the OGH's reference order of February 18, 2021, 6 Ob 159/20f.8. In a letter dated March 22, 2021, the complainant requested the suspension of the complaint proceedings in question in accordance with Section 17, VwGVG in conjunction with Section 38, AVG until the ECJ's decision on the OGH's reference order of February 18, 2021, 6 Ob 159/20f.

9. The co-participant submitted a statement on July 15, 2021, in which he stated on point 2.a of the contested decision that the complainant had still not complied with the request. Since the information obligation is rarely met by the recipients of data in accordance with Article 14 [GDPR], in order to safeguard the rights in accordance with Article 15 GDPR, it is absolutely necessary that the person concerned is provided with information about which other recipients the data subject's data will be sent to had been passed on. This requires the naming of each individual recipient and not just the naming of the category. The mostly alleged threat to trade secrets according to Article 23 Paragraph i GDPR in conjunction with Section 4 Paragraph 6 DSG is in no way understandable, especially since otherwise the provisions of Article 15 [GDPR] would be meaningless, since the owners of data of the Those affected could not be found at all.9. The co-participant submitted a statement on July 15, 2021, in which he stated on point 2.a of the contested decision that the complainant had still not complied with the request. Since the information obligation is hardly met by the recipients of data in accordance with Article 14, [GDPR], in order to protect the rights in accordance with Article 15, GDPR, it is absolutely necessary that the data subject is provided with information about which other recipients the data subject's data is being sent to had been passed on. This requires the naming of each individual recipient and not just the naming of the category. The mostly alleged endangerment of trade secrets according to Article 23, Paragraph Litera i, GDPR in conjunction with Paragraph 4, Paragraph 6, DSG is in no way understandable, especially since otherwise the provisions of Article 15, [GDPR] would be meaningless, since the owners data of the person concerned could not be found at all.

10. In her submission dated April 8, 2022, on ruling point 1 of the contested decision, the complainant stated that, according to the jurisprudence of the Administrative Court of Justice, the issuance of a declaratory decision is inadmissible at all due to the principle of subsidiarity of declaratory decisions and declaratory decisions if the disputed legal question is resolved in the context of a other administrative procedure provided for by law or a judicial procedure. In accordance with Section 24 Paragraph 5 of the DSG, the authority concerned is authorized to issue benefit notices; the authority in question of the authority concerned as standardized in the DSG 2000 was deliberately not adopted. Because of the subsidiarity of declaratory decisions, it is also conceivable that the legislature intended to issue a performance and a declaratory decision at the same time. In the specific case, the authority concerned decided the same legal questions as in ruling point 1 through the performance orders in ruling point 2, which is why this should be remedied as unlawful.10. In her submission dated April 8, 2022 on ruling point 1 of the contested decision, the complainant stated that, according to the jurisprudence of the Administrative Court of Justice, the issuance of a declaratory decision is inadmissible at all as a result of the principle of subsidiarity of declaratory decisions and declaratory decisions if the disputed legal question is regulated under another law the proposed administrative procedure or a judicial procedure. According to paragraph 24, paragraph 5, of the DSG, the authority concerned is authorized to issue performance notices; the authority of the authority concerned as standardized in the DSG 2000 was deliberately not adopted. Because of the subsidiarity of declaratory decisions, it is also conceivable that the legislature intended to issue a performance and a declaratory decision at the same time. In the specific case, the authority concerned decided the same legal questions as in ruling point 1 through the performance orders in ruling point 2, which is why this should be repealed as unlawful.

11. With the partial ruling of the Federal Administrative Court dated May 17, 2022, Zl. W214 2233132-1/13E, points 2. b and c of the contested decision were repealed without replacement and the procedure pursuant to Section 17 of the Administrative Court Procedure Act, Federal Law Gazette I No. 33/ 2013 as amended (VwGVG) in conjunction with Section 38 of the General Administrative Procedure Act 1991 (AVG) with regard to points 1 and 2 a of the contested decision until the preliminary ruling by the Court of Justice of the European Union (ECJ) on the decision of the Supreme Court (OGH) of February 18th .2021, Zl. 6 Ob 159/20f (pending at the ECJ under C-154/21), submitted question suspended.11. With the partial ruling of the Federal Administrative Court dated May 17, 2022, Zl. W214 2233132-1/13E, points 2. b and c of the contested decision were repealed without replacement and the procedure pursuant to Paragraph 17, Administrative Court Procedure Act, Federal Law Gazette Part One, No. 33 was suspended 2013, as amended (VwGVG) in conjunction with paragraph 38, General Administrative Procedure Act 1991 (AVG) with regard to points 1 and 2 a of the contested decision until the preliminary ruling by the Court of Justice of the European Union (ECJ) on the decision of the Supreme Court ( OGH) of February 18, 2021, Zl. 6 Ob 159/20f (pending at the ECJ under C-154/21), submitted question suspended.

12. In its judgment of January 12, 2023, Zl. C-154/21, the ECJ rightly recognized the following question:

“Art. 15 paragraph 1 letter c of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data, on the free movement of such data and repealing Directive 95/46/EC ( General Data Protection Regulation) must be interpreted as meaning that the data subject's right to access personal data concerning him or her, as provided for in that provision, requires that, where those data have been or are being disclosed to recipients, the controller is obliged to do so to the data subject to communicate to the person the identity of the recipients, unless it is not possible to identify the recipients or the controller proves that the requests for information from the data subject are manifestly unfounded or excessive within the meaning of Article 12 paragraph 5 of the Regulation 2016/679 are; in this case, the controller may only inform the data subject of the categories of recipients concerned.”“Art. 15(1), point (c) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data, on the free movement of such data and repealing Directive 95/46/EC ( General Data Protection Regulation) must be interpreted as meaning that the data subject's right to access personal data concerning him or her, as provided for in that provision, requires that, where those data have been or are being disclosed to recipients, the controller is obliged to do so to the data subject to communicate to the person the identity of the recipients, unless it is not possible to identify the recipients or the controller proves that the requests for information from the data subject are manifestly unfounded or excessive within the meaning of Article 12, paragraph 5, of the Regulation 2016/679 are; in this case, the controller may only inform the data subject of the categories of recipients concerned."

13. The Federal Administrative Court informed the parties of the continuation of the proceedings in a letter dated May 8, 2023 and asked the complainant to announce within two weeks of receiving the letter whether the complaint would be maintained in light of the ECJ's decision.

14. The complainant issued a statement on May 24, 2023 and on August 10, 2023, in which she stated that the statutory retention obligations were fulfilled and that the transmission of the number of data records was documented, but not the persons affected by these data records. The invoice is only based on the number of data records transmitted. As can also be seen from the case law of the former Data Protection Commission, the transfer of data records in the documents of address publishers and direct marketing companies is regularly documented in a way that does not relate to the affected parties. Therefore, the documents retained (invoices, contracts, etc.) do not state which data of which data subjects (in particular those of the co-involved party) were transmitted to which specific recipients. The complainant does not have any protocol or documentation data that includes the identities of any recipients of the co-participant's data, nor can the complainant reconstruct any recipients of the co-party's data set from her documents. According to the case law of the ECJ, it is therefore not possible for the complainant to disclose the identities of the specific recipients. However, the complainant did not resort to the position that she had no information about the specific recipients, but rather tried to reconstruct the specific recipients with a lot of research effort. As the Federal Administrative Court is aware, in many cases specific recipients could actually have been reconstructed. In the case of the co-participant, however, the complainant's investigations led to the conclusion that no specific recipient of the co-participant's data could be identified. It can no longer be determined whether the co-participant's data had been passed on.

15. The co-participant also submitted a further statement on September 5, 2023, in which he essentially repeated his previous statements that if the individual recipients were not disclosed, a data subject would have no opportunity to check whether this data was correct and not the data provided to him in accordance with Art. 16 and 17 GDPR can exercise their rights. 15. The co-participant also submitted a further statement on September 5, 2023, in which he essentially repeated his previous statements that if the individual recipients were not disclosed, a data subject would have no opportunity to check whether these data were correct and not those provided to him in accordance with Article 16 and 17 GDPR can exercise rights.

16. The complainant submitted another submission on November 8, 2023, in which she repeated her argument that no recipients of the co-participant's data could have been reconstructed. The data recipients were neither stored in the co-participant's data record nor were they assigned to his name in a database. The complainant was therefore unable to identify specific recipients through a simple database query. Even during the attempted reconstruction by linking several pseudonymized data sets in different formats from different databases, no disclosures could have been found about the co-participant. It cannot therefore be ruled out with certainty that data was passed on with regard to the co-participant, although it is not unlikely that there was in fact no data passed on at all.

Attached to the submission was a screenshot of the “recipient database” newly set up by the complainant, from which it can be seen that no data transfer could be reconstructed with regard to the co-participant.

17. On November 8, 2023, an oral hearing also took place before the Federal Administrative Court in the presence of the complainant and her legal representation, the co-participant and a representative of the authority concerned.

In the oral hearing, the head of the complainant's legal department was examined as a witness.

Among other things, she stated that the complainant had assumed for a long time that the specific recipients did not need to be informed and stored. This was also in view of the fact that there were rules of conduct approved by the authority concerned, which were also accompanied by a sample letter as to what information should look like to the persons concerned, with “advertisers” listed as the recipient category. The information about who the exact data set had been sent to had no added value for the complainant and therefore these data sets were generally not saved. There were exceptions for certain customers who expressly wanted the recipients to store the data of which people they had received. In some cases, the recipient was also saved for certain products, but not comprehensively. The storage that took place was not at the personal level, but rather pseudonymized. For example, a household ID was saved. At the beginning of January, the ECJ decided that the recipients must be informed. From that point on, the complainant tried to comply with past requests for information as far as possible with a reconstruction. The reconstruction actually began in 2019/2020, the complainant was confronted with many requests for information and wanted to comply with them. Various databases were used and an attempt was made to merge them using the household ID. Since January 1, 2022, the address publishing area has been “tracking” who the personal data of a data subject has been passed on to.

II. The Federal Administrative Court has considered: Roman II. The Federal Administrative Court has considered:

1. Findings:

The procedure described under point I. is used as the basis for the findings. The one under point one. The procedure presented will be used as a basis for the findings.

This makes it clear in particular:

The complainant is a logistics and delivery service provider. It has the commercial authority of an address publishing and direct marketing company.

On January 12, 2019, the co-participant submitted an application to the complainant in accordance with Art. 15 GDPR and requested information regarding the personal data processed. On January 12, 2019, the co-participant submitted an application to the complainant in accordance with Article 15 of the GDPR and requested information regarding the personal data processed.

The complainant then provided the co-participant with information in which, among other things, it was stated that the complainant used the data, to the extent legally permissible, as part of its activity as an address publisher and offered it to business customers for marketing purposes. Furthermore, in the information on the data record of the co-participant, “Data transfer is permitted in accordance with Section 151 of the Trade Code” was noted. Specific recipients of the co-participant's personal data were not provided. The complainant then provided the co-participant with information in which, among other things, it was stated that the complainant used the data, to the extent legally permissible, as part of its activity as an address publisher and offered it to business customers for marketing purposes. Furthermore, in the information on the data record of the co-participant, “Data transfer is permitted in accordance with Section 151, Trade Code” was noted. Specific recipients of the co-participant's personal data were not provided.

The co-participant subsequently lodged a data protection complaint with the relevant authority on May 30, 2019, in which he alleged a violation of the complainant's right to information in accordance with Article 15 of the GDPR and, among other things, stated that the complainant had not given him any information about the data protection Recipients of target group data had been granted.The co-participant subsequently lodged a data protection complaint with the relevant authority on May 30, 2019, in which he claimed a violation of the complainant's right to information in accordance with Article 15 of the GDPR and, among other things, argued that he The complainant had not provided any information about the recipients of target group data.

With the contested decision, the co-participant's complaint was partially upheld and it was determined that the complainant had violated the co-party's right to information by providing incomplete information on April 3, 2019 (point 1). The complainant was ordered to provide the co-participant within a period of four weeks, if otherwise executed, a) to identify the specific recipients of the co-party's personal data, b) to provide generally understandable information about the terms of the possible advertising target groups "organic advertising", "self-employment" , “Advertising Investment”, “Target Group Characteristics”, “Life Phase”, “Advertising Donations” and “Advertising Relocation”, in particular about the meaning of the key terms used, as well as information about the relevant parameters for the evaluation and the allocation to the co-participant and c) to provide generally understandable information about the term “possible target group for academics” (point 2). Otherwise, the complaint was dismissed (point 3).

The complainant lodged a timely complaint with the Federal Administrative Court against points 1 and 2 of this decision.

With the partial ruling of the Federal Administrative Court dated May 17, 2022, Zl. W214 2233132-1/13E, points 2. b and c of the contested decision were repealed without replacement and the procedure was terminated in accordance with Section 17 of the Administrative Court Procedure Act, Federal Law Gazette I No. 33/2013 as amended (VwGVG) in conjunction with Section 38 General Administrative Procedure Act 1991 (AVG) with regard to points 1 and 2 a of the contested decision until the preliminary ruling by the Court of Justice of the European Union (ECJ) on the decision of the Supreme Court (OGH) of February 18, 2021 , Zl. 6 Ob 159/20f (pending at the ECJ under C-154/21), the question submitted was suspended. With the partial ruling of the Federal Administrative Court of May 17, 2022, Zl. W214 2233132-1/13E, the ruling points 2. b and c of the contested decision is repealed without replacement and the procedure pursuant to Paragraph 17, Administrative Court Procedure Act, Federal Law Gazette Part One, No. 33 from 2013, as amended (VwGVG) in conjunction with Paragraph 38, General Administrative Procedure Act 1991 (AVG) with regard to ruling points 1 and 2. a of the contested decision until the preliminary ruling by the Court of Justice of the European Union (ECJ) on the decision of the Supreme Court (OGH) of February 18, 2021, No. 6 Ob 159/20f (pending at the ECJ under C-154/21), submitted question suspended.

In its judgment of January 12, 2023, Zl. C-154/21, the ECJ decided on the question submitted by the OGH.

With the aim of taking into account the case law of the ECJ, the complainant set up a “recipient database” in which the identities of those requesting information from requests for information were linked to the recipients of their personal data before the end of 2021. The complainant linked several pseudonymized data sets in different formats from different databases and tried to gain insight into which people actually passed on data to customers/recipients through their contracts with advertising customers and the products and target areas recorded therein.

In some cases, the complainant was able to reconstruct the recipients in this way, but in the case of the co-participant, the query in the “recipient database” did not produce any results. However, it cannot be ruled out with certainty that the co-participant's personal data was transmitted to third parties despite a negative query in the "recipient database".

Since January 2022, the complainant has been “tracking” which personal data is transmitted to which recipients.

Before the “recipient database” was set up, the complainant only stored the recipients’ data on the data subjects if the customers/recipients expressly requested this or as part of the “address check” product, in which the complainant verified that the address set was correct and up-to-date confirmed to the customer/recipient. The complainant's customers/recipients of the personal data received monthly lists from the complainant with updated records. The customers/recipients were obliged to update their data records with the new list to ensure that any objections from those affected were taken into account. During the address check, the customers/recipients were informed separately about any deletions or corrections.

2. Assessment of evidence

The findings result from the administrative act submitted and the court file in question, in particular from the minutes of the oral hearing. The complainant has credibly argued that, in the case of the co-participant, it was not possible to identify specific recipients of his personal data or to exclude with certainty that his personal data were transmitted to recipients/customers of the complainant.

3. Legal assessment

3.1. According to Art. 130 Para. 1 Z 1 B-VG, the administrative courts rule on complaints against the decision of an administrative authority on the grounds of illegality.3.1. According to Article 130, paragraph one, number one, B-VG, the administrative courts rule on complaints against the decision of an administrative authority on the grounds of illegality.

According to Section 6 BVwGG, the Federal Administrative Court decides by single judges, unless federal or state laws provide for the decision by senates. In accordance with Section 27 of the Data Protection Act (DSG) as amended, the Federal Administrative Court decides in proceedings on complaints against notices due to violations of the obligation to provide information in accordance with Section 24 Paragraph 7 and the data protection authority's duty to make decisions through the Senate. The Senate consists of a chairman and an expert lay judge from the employer group and one from the employee group. According to paragraph 6, BVwGG, the Federal Administrative Court decides by single judges, unless federal or state laws provide for the decision by senates. According to Section 27, Data Protection Act (DSG) as amended, the Federal Administrative Court decides in proceedings regarding complaints against decisions due to violations of the obligation to provide information in accordance with Section 24, Paragraph 7 and the data protection authority's duty to make decisions through the Senate. The Senate consists of a chairman and an expert lay judge from the employer and employee circles.

The procedure of the administrative courts, with the exception of the Federal Finance Court, is regulated by the VwGVG, BGBl. I 2013/33 as amended by BGBl. I 2013/122 (§ 1 leg.cit.). According to Section 58 Paragraph 2 VwGVG, conflicting provisions that were already announced at the time this federal law came into force remain in force. The procedure of the administrative courts with the exception of the Federal Finance Court is governed by the VwGVG, BGBl. Roman one 2013/33 in the version BGBl. Roman one 2013/122, regulated (paragraph one, leg.cit.). According to paragraph 58, paragraph 2, VwGVG, conflicting provisions that were already announced at the time this federal law came into force remain in force.

According to § 17 VwGVG, unless otherwise provided in this federal law, the provisions of the AVG with the exception of §§ 1 to 5 as well as Part IV and others apply to the complaint procedure in accordance with Article 130 Paragraph 1 B-VG The laws mentioned (not relevant in the present case) and, moreover, those procedural provisions in federal or state laws that the authority applied or would have applied in the proceedings preceding the proceedings before the administrative court are to be applied mutatis mutandis. According to paragraph 17, VwGVG, to the extent that This federal law does not provide otherwise, the procedure for complaints in accordance with Article 130, paragraph one, B-VG, the provisions of the AVG with the exception of paragraphs one to 5 as well as Roman Part IV and others specified in more detail (not relevant in the present case). ) Laws and, moreover, those procedural provisions in federal or state laws that the authority applied or would have applied in the proceedings preceding the proceedings before the administrative court.

According to Section 28 Paragraph 1 VwGVG, the administrative court must settle the case through a ruling unless the complaint is rejected or the proceedings are discontinued. According to Section 31 Paragraph 1 VwGVG, the decisions and orders are made by resolution unless a finding is to be made. According to Paragraph 28, paragraph one, VwGVG, the administrative court has to settle the case by means of a finding, unless the complaint is rejected or the proceedings are discontinued is. According to paragraph 31, paragraph one, VwGVG, decisions and orders are made by resolution unless a finding has to be made.

According to Section 28 Para. 2 VwGVG, the administrative court has to decide on complaints in accordance with Art. 130 Para speed or is associated with significant cost savings. According to paragraph 28, paragraph 2, VwGVG, the administrative court has to decide on the matter itself on complaints in accordance with Article 130, paragraph one, number one, B-VG if the relevant facts are established or the determination of the relevant facts by the administrative court itself is in the interest of speed or is associated with significant cost savings.

3.2. Regarding the process requirements:

The complaint was filed within the deadline in accordance with Section 7, Paragraph 4 of the VwGVG and the other procedural requirements were also met. The complaint was lodged within the deadline in accordance with Section 7, Paragraph 4 of the VwGVG and the other procedural requirements were also met.

3.3. In the matter

3.3.1. Legal situation:

Article 12 of Regulation (EU) 2016/679 of the European Parliament and of the CouncilArticle 12, of Regulation (EU) 2016/679 of the European Parliament and of the Council

dated April 27, 2016 on the protection of natural persons when processing personal data

Data, the free movement of data and the repeal of Directive 95/46/EC (General Data Protection Regulation) - GDPR reads:

“Art. 12 GDPR

Transparent information, communication and modalities for exercising the rights of the data subject

1. The controller shall take appropriate measures to provide the data subject with all information referred to in Articles 13 and 14 and all communications referred to in Articles 15 to 22 and Article 34 relating to the processing in a precise, transparent, understandable and easily accessible manner to convey form in a clear and simple language; This applies in particular to information aimed specifically at children. 2The information is transmitted in writing or in another form, if necessary also electronically. If requested by the data subject, the information may be provided verbally, provided that the data subject's identity has been proven in another way.

(2) The controller shall facilitate the data subject's exercise of his or her rights pursuant to Articles 15 to 22. 2In the cases referred to in Article 11(2), the controller may only refuse to exercise his or her rights pursuant to Articles 11 upon the data subject's request 15 to 22 to take action if he credibly demonstrates that he is unable to identify the person concerned.

3. The controller shall provide the data subject with information on the measures taken upon request in accordance with Articles 15 to 22 without undue delay and in any case within one month of receipt of the request. This deadline may be extended by a further two months if necessary taking into account the complexity and number of applications. The controller will inform the data subject of an extension of the deadline within one month of receipt of the request, together with the reasons for the delay. If the person concerned submits the application electronically, he or she must be informed electronically, if possible, unless he or she states otherwise.

(4) If the person responsible does not take action in response to the data subject's request, he shall inform the data subject without delay, but no later than within one month of receipt of the request, of the reasons for this and of the possibility of lodging a complaint with a supervisory authority to seek legal redress.

5. Information referred to in Articles 13 and 14 and all notifications and measures referred to in Articles 15 to 22 and Article 34 shall be made available free of charge. In the case of obviously unfounded or - especially in the case of frequent repetition - excessive requests from a data subject, the person responsible can either

(a) charge an appropriate fee, taking into account the administrative costs of providing information or notification or implementing the requested measure, or

b) refuse to act on the request.

The person responsible must provide evidence that the application is obviously unfounded or excessive.

6. Without prejudice to Article 11, if the controller has reasonable doubts as to the identity of the natural person making the request in accordance with Articles 15 to 21, he may request additional information necessary to confirm the identity of the data subject.

(7) The information to be provided to data subjects in accordance with Articles 13 and 14 may be provided in combination with standardized icons in order to provide a meaningful overview of the intended processing in an easily perceivable, understandable and clearly understandable form. 2If the image symbols are presented in electronic form, they must be machine-readable.

8. The Commission is empowered to adopt delegated acts in accordance with Article 92 to determine the information to be represented by icons and the procedures for providing standardized icons."

Article 15 GDPR reads:Article 15 GDPR reads:

“Art. 15 GDPR

Right to information of the data subject

(1) The data subject has the right to request confirmation from the controller as to whether personal data concerning him or her is being processed; If this is the case, you have the right to access this personal data and the following information:

a) the processing purposes;

b) the categories of personal data processed;

c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations;

d) if possible, the planned period for which the personal data will be stored or, if this is not possible, the criteria for determining that period;

e) the existence of a right to rectification or deletion of personal data concerning them or to restriction of processing by the controller or a right to object to such processing;

f) the existence of a right to lodge a complaint with a supervisory authority;

g) if the personal data are not collected from the data subject, any available information about the origin of the data;

(h) the existence of automated decision-making, including profiling, in accordance with Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved and the scope and intended effects of such processing for the data subject.

2. Where personal data are transferred to a third country or to an international organization, the data subject shall have the right to be informed of the appropriate safeguards referred to in Article 46 in relation to the transfer.

(3) The controller provides a copy of the personal data that is the subject of processing. 2For all further copies requested by the data subject, the person responsible may demand an appropriate fee based on the administrative costs. 3If the person concerned submits the application electronically, the information must be provided in a common electronic format unless they state otherwise.

(4) The right to receive a copy in accordance with paragraph 3 shall not prejudice the rights and freedoms of other persons."

Art. 77 GDPR reads:Article 77, GDPR reads:

“Art. 77 GDPR

Right to complain to a supervisory authority

(1) Every data subject shall, without prejudice to any other administrative or judicial remedy, have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or the place of the alleged infringement, if the data subject considers that the processing the personal data concerning them violates this Regulation.

(2) The supervisory authority to which the complaint was lodged shall inform the complainant of the status and results of the complaint, including the possibility of a judicial remedy in accordance with Article 78."

Section 4 Paragraph 6 of the Federal Act on the Protection of Natural Persons in the Processing of Personal Data (Data Protection Act - DSG), Federal Law Gazette I No. 165/1999 as amended reads as follows: Paragraph 4, Paragraph 6, of the Federal Act on the Protection of Natural Persons in Processing of personal data (Data Protection Act - DSG), Federal Law Gazette Part One, No. 165 from 1999, as amended is as follows:
"(6) The data subject's right to information in accordance with Article 15 of the GDPR generally does not exist in relation to a person responsible, without prejudice to other legal restrictions, if the provision of this information would jeopardize a business or trade secret of the person responsible or third parties." "(6) The data subject's right to information pursuant to Article 15 of the GDPR does not generally apply to a person responsible, without prejudice to other legal restrictions, if the provision of this information would jeopardize a business or trade secret of the person responsible or third parties."

§ 24 DSG reads as follows:Paragraph 24, DSG reads as follows:

“3. Section

Remedies, Liability and Sanctions

Complaint to the data protection authority

§ 24. (1) Every data subject has the right to lodge a complaint with the data protection authority if he or she is of the opinion that the processing of personal data concerning him or her violates the GDPR or Section 1 or Article 2, 1st part. (1) Every data subject has the right to lodge a complaint with the data protection authority if he or she is of the opinion that the processing of personal data concerning him or her violates the GDPR or paragraph one or Article 2 1st part.

(2) The complaint must contain:

1. the name of the right deemed to have been violated,

2. to the extent this is reasonable, the name of the legal entity or body to which the alleged infringement is attributed (respondent),

3. the facts from which the violation of the law is derived,

4. the reasons on which the claim of illegality is based,

5. the request to establish the alleged infringement and

6. the information necessary to assess whether the complaint was filed in a timely manner.

(3) A complaint must, if necessary, be accompanied by the application on which it is based and any response from the respondent. In the event of a complaint, the data protection authority must provide further support at the request of the data subject.

(4) The right to have a complaint dealt with expires if the person intervening does not submit it within one year of becoming aware of the event giving rise to the complaint, but at the latest within three years of the alleged event taking place. Late complaints must be rejected.

(5) If a complaint proves to be justified, it must be followed. If a violation is attributable to a person responsible for the private sector, he or she must be ordered to comply with the complainant's requests for information, correction, deletion, restriction or data transfer to the extent necessary to eliminate the identified violation of the law. If the complaint proves to be unfounded, it must be dismissed.

(6) A respondent can subsequently eliminate the alleged violation of the law by complying with the complainant's requests until the proceedings before the data protection authority have been completed. If the data protection authority considers the complaint to be irrelevant, it must hear the complainant about it. At the same time, he should be made aware that the data protection authority will informally terminate the proceedings if he does not explain within a reasonable period of time why he still considers the originally alleged violation of the law to have been at least partially remedied. If such a statement by the complainant changes the nature of the matter (Section 13 Para. 8 AVG), it can be assumed that the original complaint will be withdrawn and a new complaint will be submitted at the same time. In this case, too, the original complaint procedure must be terminated informally and the complainant must be informed of this. Late statements are not to be taken into account. (6) A respondent can subsequently eliminate the alleged violation of the law by complying with the complainant's requests until the end of the proceedings before the data protection authority. If the data protection authority considers the complaint to be irrelevant, it must hear the complainant about it. At the same time, he should be made aware that the data protection authority will informally terminate the proceedings if he does not explain within a reasonable period of time why he still considers the originally alleged violation of the law to have been at least partially remedied. If such a statement by the complainant changes the nature of the matter (Section 13, Paragraph 8, AVG), it can be assumed that the original complaint will be withdrawn and a new complaint will be submitted at the same time. In this case, too, the original complaint procedure must be terminated informally and the complainant must be informed of this. Late comments are not to be taken into account.

(7) The complainant will be informed by the data protection authority about the status and result of the investigation within three months of the complaint being lodged.

(8) Any data subject may refer the matter to the Federal Administrative Court if the data protection authority does not deal with the complaint or has not informed the data subject of the status or outcome of the complaint within three months.

(9) The data protection authority can - if necessary - involve official experts in the procedure.

(10) The following are not included in the decision period in accordance with Section 73 AVG: (10) The following are not included in the decision period in accordance with Section 73 AVG:

1. the time during which the proceedings are suspended until a final decision on a preliminary question is made;

2. the time during a procedure according to Articles 56, 60 and 63 GDPR."2. the time during a procedure according to Articles 56, 60 and 63 GDPR.”

§ 26b paragraph 1 of the Federal Act against Unfair Competition 1984 - UWG, Federal Law Gazette No. 448/1984 (WV) as amended reads as follows: Paragraph 26 b, paragraph one, of the Federal Act against Unfair Competition 1984 - UWG, Federal Law Gazette No. 448 from 1984, (WV) as amended reads as follows:

"§ 26b paragraph 1 (1) trade secret is information that" § 26b paragraph one, (1) trade secret is information that

1. is secret because it is neither generally known nor readily accessible in its entirety nor in the exact arrangement and composition of its components to the people in the circles who usually deal with this type of information,

2. is of commercial value because it is secret, and

3. is subject to confidentiality measures appropriate to the circumstances by the person exercising lawful control over this information.”

3.3.2. Applied to the present case, this results in the following:

3.3.2.1. First of all, it should be noted that the Federal Administrative Court has already remedied points 2 b and c of the contested decision without replacement in its partial ruling dated May 17, 2022, Zl. W214 2233132-1/13E.

Therefore, only points 1 and 2.a are relevant to the proceedings. of the contested decision, which partially upheld the co-participant's complaint and determined that the complainant violated the co-party's right to information by providing incomplete information on April 3, 2019 (point 1) and ordered the complainant to do so was to inform the co-participant of the specific recipients of the co-participant's personal data within a period of four weeks if otherwise executed (point 2.a.).

3.3.2.2. Insofar as the complainant argues that there was a violation of the right to be heard by the parties because the authority concerned had to provide the complainant with certain factual assumptions and legal assessments made in the decision, it should be pointed out that the results of the investigation are reproduced in full in the contested decision, which means that Any violation of the party's right to be heard is in any case remedied by the possibility of a statement associated with a complaint (cf. VwGH August 8, 2017, Ra 2017/19/0082, with further references). 3.3.2.2. Insofar as the complainant argues that there was a violation of the right to be heard by the parties because the authority concerned had to provide the complainant with certain factual assumptions and legal assessments made in the decision, it should be pointed out that the results of the investigation are reproduced in full in the contested decision, which means that Any violation of the party's right to be heard is in any case remedied by the possibility of a statement associated with a complaint (see VwGH August 8, 2017, Ra 2017/19/0082, mwN).

3.3.2.3. Regarding point 2.a. of the contested decision:

With saying point 2.a. of the contested decision, the complainant was ordered by the authority concerned to inform the co-participant of the specific recipients of the co-participant's personal data within a period of four weeks, otherwise the execution would take place.

The factual and legal situation relevant to the Federal Administrative Court is determined - in the absence of any other legal regulation - by the time of the administrative court decision (see, for example, VwGH March 24, 2015 Ro 2014/09/0066), or at most the factual situation is determined by the time of the conclusion of the investigation procedure (Section 17 VwGVG in conjunction with Section 39 Paragraph 3 AVG; see Kolonovits/Muzak/Stöger Administrative Procedure Law11 Rz 835/1). The factual and legal situation relevant to the Federal Administrative Court is determined - in the absence of any other legal regulation - based on the time of the administrative court decision e.g. VwGH March 24, 2015 Ro 2014/09/0066), at most the situation is determined by the time at which the investigation proceedings are concluded (Section 17, VwGVG in conjunction with Section 39, Paragraph 3, AVG; see Kolonovits/Muzak/Stöger Administrative Procedure Law11 Rz 835/1).

As established, it was not possible for the complainant - despite a thorough analysis of the databases - to reconstruct specific recipients of the co-participant's personal data or to rule out with certainty that the co-party's personal data was not passed on to any recipients. It was therefore not possible to provide any information (not even in the form of “negative information”).

The complainant is therefore effectively unable to fulfill the service contract because (possible) recipients of the co-participant's personal data could not be identified, which is why point 2.a. of the contested decision was to be remedied without replacement (cf. also Hengstschläger/Leeb, AVG § 68 [as of March 1, 2018, rdb.at] with reference to the jurisprudence of the VwGH on § 68 Para. 4 Z 3 AVG [VwSlg 1723 A/ 1950; 2198 A/1951; VwGH 20. 2. 1990, 89/01/0259; VwSlg 2198 A/1951], according to which notices can be declared null and void by the relevant higher authority which obliges someone to take an action or omission, i.e. behavior has been imposed that fails due to objectively existing obstacles that stand in the way of fulfillment and § 68 Para. 4 Z 3 AVG is particularly applicable to notices that oblige to perform a service which is actually impossible for the addressee of the notice to provide and which therefore cannot be compulsorily enforced by means of enforcement, although it is not required that the actual impracticability was already present when the decision was issued.) The complainant is therefore actually not able to fulfill the performance order because (possible) recipients the personal data of the person involved could not be identified, which is why point 2.a. The contested decision was to be remedied without replacement, see also Hengstschläger/Leeb, AVG paragraph 68, [as of March 1, 2018, rdb.at] with reference to the case law of the VwGH on paragraph 68, paragraph 4, number 3, AVG [VwSlg 1723 A /1950; 2198 A/1951; VwGH February 20, 1990, 89/01/0259; VwSlg 2198 A/1951], according to which notices can be declared null and void by the relevant higher authority that imposes on someone an obligation to act or omit, i.e. to conduct, that is due to objectively existing obstacles to fulfillment contradict, fails and paragraph 68, paragraph 4, number 3, AVG is applicable in particular to notices that require a service, the provision of which is in fact impossible for the addressee and which therefore cannot be compulsorily enforced by means of enforcement, although not required is that the actual impracticality was already present when the decision was issued.)

3.3.2.4. Regarding point 1 of the contested decision:

With ruling point 1. of the contested decision, the co-participant's complaint was partially upheld and it was determined that the complainant had violated the co-party's right to information by providing incomplete information on April 3, 2019 (ruling point 1.).

The complainant submits that, according to the case law of the VwGH, the issuance of a declaratory decision is inadmissible at all due to the principle of subsidiarity of declaratory decisions and declaratory decisions if the disputed legal question can be decided within the framework of another legally provided administrative procedure or a judicial procedure. In the specific case, the authority concerned decided the same legal questions as in ruling point 1 through the performance orders in ruling point 2, which is why this should be repealed as unlawful.

However, the complainant is not correct in her statements:

It is true that according to the case law of the VwGH on the Data Protection Act 2000 (DSG 2000) BGBl I No. 165/1999, in the version BGBl I No. 13/2005, whereby the main considerations of the Administrative Court continue to be applied to the new legal situation can, a right to determination in connection with another data protection right, the right to deletion, was denied (cf. VwGH September 27, 2007 2006/06/0330 with reference to the fundamental decision VwGH March 28, 2006 2004/06/0125), however, the The present case is different: It is true that according to the case law of the VwGH on the Data Protection Act 2000 (DSG 2000) Federal Law Gazette Part One, No. 165 from 1999, in the version of Federal Law Gazette Part One, No. 13 from 2005, whereby the The main considerations of the Administrative Court can continue to be applied to the new legal situation, a right to determination in connection with another data protection right, the right to deletion, was denied, see VwGH September 27, 2007 2006/06/0330 with reference to the fundamental decision VwGH March 28, 2006 2004 /06/0125), however, the present case is different:

The matter was stated by the authority concerned in ruling point 2.a. The service order issued by the Federal Administrative Court was canceled due to the actual impossibility of providing information.

Nevertheless, there is a violation of the law by the complainant:

The complainant is only unable to comply with the service mandate because - as stated - before the ECJ judgment of January 12, 2023, Zl Recipients' personal data were transmitted by those affected and in the case of the co-participant no such storage took place and a reliable reconstruction of the recipients in the case of the co-participant was also not possible.

However, the person responsible is fundamentally obliged to store the information about which data he has disclosed to which recipients in order to be able to provide the required information. Otherwise, the data protection rights of the data subject vis-à-vis the person responsible and the recipients linked to the disclosure would be largely invalidated. Recital 64 does not conflict with this obligation, as this only concerns data that enables the data subject to be identified, but this does not say anything about the storage of meta-information about personal data (Bäcker in Kühling/Buchner DS-GVO - BDSG, 15 Rz 18; see also Mester in Taeger/Gabel GDPR - BDSG - TTDSG, Art. 15 Rz 7 and Dix in Simitis | Hornung | Spiecker Data Protection Law GDPR with BDSG, Art. 15 Rz 20 with reference to ECJ C-553 /07 Rijkeboer). However, the person responsible is fundamentally obliged to store the information about which data he has disclosed to which recipients in order to be able to provide the required information. Otherwise, the data protection rights of the data subject vis-à-vis the person responsible and the recipients linked to the disclosure would be largely invalidated. Recital 64 does not conflict with this obligation, as this only concerns data that enables the data subject to be identified, but this does not say anything about the storage of meta-information about personal data (Bäcker in Kühling/Buchner DS-GVO - BDSG, Article 15, Rz 18; also compare Mester in Taeger/Gabel GDPR - BDSG - TTDSG, Article 15, Rz 7 as well as Dix in Simitis | Hornung | Spiecker Data Protection Law GDPR with BDSG, Article 15, Rz 20 with reference to ECJ C-553/ 07 Rijkeboer).

The complainant has also not argued that such a storage obligation would place an excessive burden on her and this has not become apparent, particularly given that the complainant has been “tracking” which personal data is transmitted to which recipients since January 1, 2022. The data must also be retained at least as long as the data subject still has the opportunity to assert rights against recipients (Mester in Taeger/Gabel GDPR - BDSG - TTDSG, Art. 15 Rz 8). The complainant has also not argued that such a storage obligation would place an excessive burden on her and this has not become apparent, particularly given that the complainant has been “tracking” which personal data is transmitted to which recipients since January 1, 2022. The data must also be retained at least as long as the data subject still has the opportunity to assert rights against recipients (Mester in Taeger/Gabel GDPR - BDSG - TTDSG, Article 15, paragraph 8).

This is not contradicted by the fact that the ECJ ruled in the judgment of January 12, 2023, Zl. C-154/21, that Article 15 Paragraph 1 Letter c GDPR is to be interpreted as meaning that the right of the person provided for in this provision to the data subject to access the personal data concerning him or her, the controller, if these data have been or are still being disclosed to recipients, is obliged to inform the data subject of the identity of the recipients, unless this is not possible to identify the recipients. This is not contradicted by the fact that the ECJ stated in the judgment of January 12, 2023, Zl. C-154/21, that Article 15, paragraph one, letter c, GDPR is to be interpreted as meaning that the right of the person provided for in this provision to the data subject to access the personal data concerning him or her, the controller, if these data have been or are still being disclosed to recipients, is obliged to inform the data subject of the identity of the recipients, unless this is not possible to identify the recipients.

According to the ECJ, this impossibility is particularly the case when these are not yet known (paragraph 48 of the judgment cited). The last example alone shows that the impossibility can only be asserted in exceptional cases. However, an “impossibility” cannot be raised if the person responsible has not fundamentally organized himself in such a way that he can also provide information to the recipients in accordance with Article 15 (1) GDPR. Otherwise, any person responsible could decide not to process the recipients in principle and thus reduce the right to information regarding the recipients to absurdity. According to the ECJ, this impossibility is particularly the case if they are not yet known (paragraph 48 of the cited judgment). The last example alone shows that the impossibility can only be asserted in exceptional cases. However, an “impossibility” cannot be argued if the person responsible has not fundamentally organized himself in such a way that he can also provide information to the recipients in accordance with Article 15, paragraph one, GDPR. Otherwise, any person responsible could decide not to process the recipients in principle and thus reduce the right to information regarding the recipients to absurdity.

In the same judgment, the ECJ states that - in order to ensure the practical effectiveness of the rights of Articles 16, 17 and 18 GDPR - the data subject must in particular have the right to have the identity of the specific recipients communicated to him if their personal data have already been disclosed (see paragraphs 38 and 39 of the cited judgment). In the same judgment, the ECJ states that - in order to ensure the practical effectiveness of the rights of Articles 16, 17 and 18 GDPR - the data subject in particular, must have the right to be informed of the identity of the specific recipient if their personal data has already been disclosed (see paragraphs 38 and 39 of the judgment cited).

In the present case, however, it is not possible for the co-participant to assert his rights under Articles 16, 17 and 18 GDPR because he has no information regarding the (possible) recipients of his personal data and the complainant is not able to do so either to provide this information because - contrary to the obligations arising from the GDPR - in the case of the co-participant, it has not stored any information about potential recipients of the co-party's personal data. In the present case, however, it is not possible for the co-participant to assert his rights under Articles 16, 17 and 18 GDPR because he has no information regarding the (possible) recipients of his personal data and the complainant is also unable to do so to provide this information because - contrary to the obligations arising from the GDPR - in the case of the co-participant, it has not stored any information about potential recipients of the co-party's personal data.

For the sake of completeness, reference should be made to the provision of Article 19 GDPR, which norms a fundamental obligation of the controller to provide all recipients to whom personal data has been disclosed any correction or deletion of personal data or a restriction of processing in accordance with Article 16, Article 17 paragraph 1 and Article 18. In this context too, the exceptions must be interpreted restrictively. For the sake of completeness, reference should be made to the provision of Article 19 of the GDPR, which stipulates a fundamental obligation of the controller to provide all recipients to whom personal data has been disclosed with any correction or deletion of personal data or a restriction of processing in accordance with Article 16, Article 17 paragraph 1 and Article 18. In this context too, the exceptions must be interpreted restrictively.

From what has been said above it follows that in the present case - unlike in the cases to which the legal opinion of the Administrative Court cited above refers - a legal violation that took place in the past was not or could not be eliminated, but continues to have an effect.

The present case is therefore comparable to the cases in which the Administrative Court stated that § 24 DSG gives the person whose personal fundamental right has been violated the opportunity to have the violation of rights that has occurred against them determined, since the deletion of the data in question did not lead to the “claim” being fulfilled or the goal of the complaint being achieved (see VwGH December 14, 2021, Ro 2020/04/0032). The present case is therefore comparable to the cases in which the VwGH stated has that Paragraph 24, DSG gives the person whose personal fundamental right has been violated the opportunity to have the violation of rights that has occurred against them determined, since the deletion of the data in question did not result in the “claim” being fulfilled or the goal of the Complaint was received see VwGH December 14, 2021, Ro 2020/04/0032).

The Federal Administrative Court does not ignore the fact that there were different opinions on the legal situation in the period before the ECJ ruling and that, after the relevant ECJ ruling was available, the complainant immediately organized itself in such a way that the recipients of the personal data are now processed in such a way that they too can be informed accordingly. If the complainant argues that - based on the case law of the relevant authority and (ordinary) courts - it was assumed for a long time that the specific recipients did not have to be informed and stored, it should be noted that the GDPR does not indicate fault in the administrative procedure of the person responsible is stopped. It therefore (only) matters that a violation objectively occurred, which had to be affirmed for the reasons given above. The complainant should therefore have organized its data processing from the start of the GDPR in such a way that the rights of those affected could be guaranteed.

According to the case law of the Supreme Court, the complainant's original objection that the request for information conflicts with the complainant's overriding confidentiality interests is also not applicable, because a complete disclosure of all specific recipients would at the same time reveal the complainant's customer base in the context of carrying out the business as an address trading and direct marketing company , since otherwise Art. 15 Para. 1 lit .2023, 6 Ob 19/23x with reference to RS0010053). Furthermore, the existence of a trade secret for the specific case was also denied by the complainant in the oral hearing. According to the case law of the Supreme Court, the objection originally raised by the complainant does not apply either , that the complainant's request for information is contradicted by the complainant's overriding interests in confidentiality, because a complete disclosure of all specific recipients would simultaneously reveal the complainant's customer base in the context of carrying out the business as an address trading and direct marketing company, since otherwise Article 15, paragraph one, letter c, GDPR would never apply would lead to the disclosure of individual recipients because this would always reveal “trade secrets”. The interpretation of a law that results in the law having no scope of application is prohibited (OGH March 24, 2023, 6 Ob 19/23x with reference to RS0010053). Furthermore, the existence of a trade secret for the specific case was also denied by the complainant in the oral hearing.

The complaint against ruling point 1 of the contested decision was therefore to be dismissed as unfounded with the proviso that the co-participant's data protection complaint was partially upheld and it was determined that the complainant thereby violated the co-party's right to information in accordance with Article 15 Para. 1 lit. c GDPR violated or violated the GDPR by not giving him any information or negative information about the recipients of his personal data. The complaint against ruling point 1 of the contested decision was therefore dismissed as unfounded with the proviso that the data protection complaint of the co-participant was partially is upheld and it is established that the complainant has thereby violated or violated the co-participant's right to information in accordance with Article 15, paragraph one, letter c, GDPR by not providing him with any information or negative information about the recipients of his personal data and granted.

Regarding B) Admissibility of the revision:

According to Section 25a Paragraph 1 VwGG, the administrative court must state in its ruling or decision whether the appeal is permissible in accordance with Article 133 Paragraph 4 B-VG. The statement needs to be briefly justified. The appeal is admissible in the present case because there is a lack of jurisprudence from the Administrative Court on the question of whether, in the case of a right to performance under the GDPR, a determination of a violation of the law can be considered as an exception if a service order cannot be issued due to the impossibility of providing it, but the violation of the law still occurs continues to work. It was therefore necessary to declare that the appeal is permissible in accordance with Article 133 Paragraph 4 B-VG. According to Paragraph 25a, Paragraph One, VwGG, the administrative court must state in its ruling or decision whether the revision is in accordance with Article 133, Paragraph 4 , B-VG is permissible. The statement needs to be briefly justified. The appeal is admissible in the present case because there is a lack of jurisprudence from the Administrative Court on the question of whether, in the case of a right to performance under the GDPR, a determination of a violation of rights is exceptionally possible if a service order cannot be issued due to the impossibility of providing it, but the violation of rights still occurs continues to work. It was therefore necessary to declare that the revision was permissible in accordance with Article 133, Paragraph 4, B-VG.