DSB (Austria) - DSB-D124.0701/23
DSB - DSB-D124.0701/23 | |
---|---|
Authority: | DSB (Austria) |
Jurisdiction: | Austria |
Relevant Law: | Article 4(7) GDPR Article 5(1)(a) GDPR Article 6(1)(a) GDPR Article 6(1)(c) GDPR Article 26(1) GDPR § 1(1) DSG § 1(2) DSG § 16(1) MeldeG § 18(1) MeldeG § 18(2) MeldeG § 18(5) MeldeG § 24(4) DSG |
Type: | Complaint |
Outcome: | Upheld |
Started: | 05.04.2023 |
Decided: | 06.11.2023 |
Published: | |
Fine: | n/a |
Parties: | Dr. Franziska A. Marktgemeinde N. |
National Case Number/Name: | DSB-D124.0701/23 |
European Case Law Identifier: | ECLI:AT:DSB:2023:2023.0.772.005 |
Appeal: | n/a |
Original Language(s): | German |
Original Source: | DSB (in DE) |
Initial Contributor: | Marie04 |
The Austrian DPA decided that sharing personal data despite an existing prohibition of disclosure without informing the data subject violates the right to secrecy.
English Summary
Facts
The data subject (Dr. Franziska A.) has an existing prohibition to disclose her registration data due to her occupation as a prosecutor. Nevertheless, an employee of the controller (Marktgemeinde N., a market town) passed said information to a detective agency upon their request on the 27 December 2021. The data subject was not informed.
On 27 January 2023, as a consequence of the detective agency gaining access, the data was used in proceedings to which the data subject's mother was party. The mother informed the data subject shortly afterwards.
Subsequently, the data subject demanded information from the municipal authority as to who had been given access to her registration data in the past three years on 31 January 2023. The authority's answer on 17 February 2023 included the the accessing and sharing of the registration data by the controller. On 2 March 2023 the controller confirmed this and referred to a decree of the ministry of the interior of 2015 as a legal basis.
The data subject lodged a complaint with the data protection authority claiming a violation of the right to secrecy on 5 April 2023. Following that, the controller apologized on 14 April 2023 and stated that the decree from 2015 did not apply in this case and that they had made a mistake
Holding
The Austrian DPA stated that not the employee but the controller as an entity is responsible in their role as a public authority. As such, they need a legal basis for the processing of personal data that is in accord with the MeldeG (the Austrian law of registration). The prohibition of disclosure of the data subject's registration data requires the controller to either withhold the personal data from the requesting entity or to inform the data subject of the request and allow her to state her opinion on the matter according to § 18(5) MeldeG. Since neither was done, the processing of personal data was already unlawful and in violation of the GDPR and more specifically the right to secrecy according to § 1(1) DSG (the Austrian data protection act).
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
text GZ: 2023-0.772.005 from November 6, 2023 (Procedure number: DSB-D124.0701/23) [Editor's note: Names and companies, legal forms and product names, addresses (including URLs, IP and email addresses), file numbers (and the like), etc., as well as their initials and abbreviations may be abbreviated for pseudonymization reasons and/ or be changed. Obvious spelling, grammar and punctuation errors have been corrected. NOTICE SAYING The data protection authority decides on Dr. Franziska A*** (complainant) of April 5, 2023 against the market town of N*** (respondent) for alleged violation of the right to secrecy as follows: The complaint is upheld and it is determined that the respondent violated the complainant's right to secrecy by providing information about the complainant to a private detective agency despite the existence of a block on information, without informing the complainant in advance and giving her the opportunity to do so to admit utterance. Legal bases: Art. 5, Art. 6, Art. 51 Para. 1, Art. 57 Para. 1 lit. f and Art. 77 Para. 1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter: GDPR ), OJ No. L 119, 4.5.2016, p. 1; §§ 1 paragraph 1 and paragraph 2, 18 paragraph 1 as well as 24 paragraph 1 and paragraph 5 of the Data Protection Act (DSG), Federal Law Gazette I No. 165/1999 as amended; §§ 16 and 18 of the Federal Law on Police Reporting (Meldegesetz 1991 - MeldeG), StF: Federal Law Gazette No. 9/1992 as amended: Article 5, Article 6, Article 51, paragraph one, Article 57, paragraph one , Litera f, as well as Article 77, paragraph one, of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter: GDPR), OJ No. L 119 of May 4, 2016, p. 1; Paragraph one, paragraph one and paragraph 2, 18 paragraph one, as well as 24 paragraph one and paragraph 5, of the Data Protection Act (DSG), Federal Law Gazette Part one, No. 165 from 1999, as amended; Paragraphs 16 and 18 of the Federal Law on Police Reporting (Reporting Act 1991 - Reporting Act), StF: Federal Law Gazette No. 9 from 1992, as amended. REASON A. Submissions of the parties and course of proceedings 1. In a complaint dated April 5, 2023, the complainant complained about a violation of the right to confidentiality and argued that the respondent had requested her registration data and transmitted it to B*** & Co KG, regardless of the block on information available to her in the central registration register , without complying with the requirements of Section 18 Paragraph 5 of the Registration Act. The complainant is a public prosecutor and her blocking of information is based on this function. She found out about the alleged violation shortly after January 27, 2023, as on that day a detective report was presented in the GZ proceedings: *4 C *32/22f of the BG D*** in which her registration details were disclosed . The complainant's mother was a party to these proceedings and informed her of the disclosure. As a result, on January 31, 2021, she submitted an inquiry to the municipality of the city of C***, which is responsible as the registration authority for her main residence. He stated that her registration data had been requested by the municipality of N***, among others, but that she had to contact those authorities for inquiries from authorities other than the municipality of C***. Her request to the respondent for information as to why her registration data had been passed on despite the existence of a block on information was answered on March 2, 2023. The respondent admitted that the request was transmitted by B*** Co KG without complying with the requirements of Section 18, Paragraph 5, of the Reporting Act. The complainant is a public prosecutor and her blocking of information is based on this function. She found out about the alleged violation shortly after January 27, 2023, as on that day a detective report was presented in the GZ proceedings: *4 C *32/22f of the BG D*** in which her registration details were disclosed . The complainant's mother was a party to these proceedings and informed her of the disclosure. As a result, on January 31, 2021, she submitted an inquiry to the municipality of the city of C***, which is responsible as the registration authority for her main residence. He stated that her registration data had been requested by the municipality of N***, among others, but that she had to contact those authorities for inquiries from authorities other than the municipality of C***. Her request to the respondent for information as to why her registration data had been passed on despite the existence of a block on information was answered on March 2, 2023. The respondent admitted that B*** & Co KG's request for all of the intervener's registration data was answered despite the information ban, even though she knew that her data was subject to a information ban. It should be noted that the detective company commissioned by E***IMMOBILIEN AG had, like a general staff, requested all registration data not only of the complainant and her family, but also of the other tenants and presumably their family members in several houses in the municipality of N***. It is doubtful whether a legal interest has been proven anywhere here. The answer to the query shows that the municipality of N***, when failing to examine a legal interest - in its case completely wrongly - may have referred to a decree of the Federal Minister of the Interior dated August 3, 2015, which corresponds to the wording and the The meaning of Section 18 Paragraph 1b of the Registration Act is diametrically opposed. The involvement of a detective does not relieve the need to demonstrate a legal interest. Co KG about all of the intervener's reporting data were answered despite the information block, even though she knew that her data was subject to a information block. It should be noted that the detective company commissioned by E***IMMOBILIEN AG had, like a general staff, requested all registration data not only of the complainant and her family, but also of the other tenants and presumably their family members in several houses in the municipality of N***. It is doubtful whether a legal interest has been proven anywhere here. The answer to the query shows that the municipality of N***, when failing to examine a legal interest - in its case completely wrongly - may have referred to a decree of the Federal Minister of the Interior dated August 3, 2015, which corresponds to the wording and the The meaning of paragraph 18, paragraph one b, of the Registration Act is diametrically opposed. The involvement of a detective does not relieve the need to demonstrate a legal interest. 2. In a submission dated April 14, 2023, the respondent replied and stated that there had been misconduct on the part of one of the respondent's employees and that she had apologized for the mistake of ignoring the information block. It was a one-off case of misconduct and all the information provided up to that point had been given lawfully. The legal basis is the BMI circular, which is written in a legally misleading manner. The respondent, as the reporting authority, is the last in this data chain to be subject to the requirements of the law and the legal opinion of the BMI. 3. The data protection authority granted the complainant a hearing on September 29, 2023. The complainant made no further comment. B. Subject of the complaint The subject of the complaint is the question of whether the respondent violated the complainant's right to secrecy by providing information about the complainant to a private detective agency despite the existence of a block on information, without informing the complainant in advance and giving her the opportunity to comment. C. Findings of Fact The data protection authority has identified the following facts that are essential to the decision: 1. The complainant works as a public prosecutor and there is a block on providing information about her in the central population register. 2. Based on a request from the detective company B*** & Co KG on December 27, 2021, an employee of the respondent carried out a query and provided information about the complainant's main residence and subsequently transmitted this information to B*** & Co KG . 3. The complainant was not informed before the information was provided to B*** & Co KG and the complainant was not given the opportunity to comment. 4. The complainant's mother was a party to the proceedings on the GZ: *4 C *32/22f, at the BG D***. As part of these proceedings, a detective report was submitted on January 27, 2023, which contained registration details of the complainant. The complainant's mother informed the complainant about the submission of the detective report shortly after January 27, 2023. 5. On January 31, 2023, the complainant requested information from the municipality of the city of C***, which is the registration authority responsible for her main residence, about who had accessed the complainant's data in the central registration register in the last three years. 6. In a letter dated February 17, 2023, the **** of the magistrate of the city of C*** provided the complainant with the requested information and, among other things, this information indicated that the respondent had access to the complainant's data. 7. In a letter dated March 2, 2023, the respondent's office manager confirmed access to the complainant's data and its transmission to B*** & Co KG by one of the respondent's employees. The respondent's head of office stated that the employee acted in querying and transmitting the complainant's data in relation to a communication from the BMI dated August 3, 2015 BMI-VA1500/0168-III/3/2015. Assessment of evidence: The findings made are based on the contents of the file and the arguments of the parties. The findings regarding the process of issuing the registration information result from the consistent submissions of the complainant and the respondent. The respondent itself admitted both in the present proceedings and in the letter of March 2, 2023 submitted by the complainant that an employee of the respondent gave the information without involving the complainant. The findings that the complainant only became aware of the query made about her and the information passed on to B*** & Co KG in the context of civil proceedings in which the complainant's mother is a party is also based on the complainant's submissions. D. In legal terms it follows: D.1. On the timeliness of the complaint According to Section 24 Para. 4 DSG, the right to have a complaint dealt with expires if the person intervening does not submit it within one year of becoming aware of the event causing the complaint, but at the latest within three years of the alleged event taking place. Late complaints must be rejected. According to paragraph 24, paragraph 4, DSG, the right to have a complaint dealt with expires if the intervener does not submit it within one year after he became aware of the event causing the complaint, but at the latest within three years after the event was alleged has taken place to a large extent. Late complaints must be rejected. The deadlines specified in Section 24 DSG are pre-exclusive deadlines (see OGH July 31, 2015, 6 Ob 45/15h and Jahnel, Data Protection Law, Update, p. 191 on the previous provision of Section 34 Paragraph 1 DSG 2000 as well as those in paragraph 24 , DSG are preclusive deadlines (see OGH July 31, 2015, 6 Ob 45/15h and Jahnel, Data Protection Law, Update, S 191 on the previous provision of paragraph 34, paragraph one, DSG 2000 as well as Bresich, Dopplinger, Dörnhöfer, Kunnert, Riedl, DSG, p. 190 to § 24 DSG), which must be taken into account ex officio, i.e. if the facts are established, without objection (cf. , DSG, p. 190 to paragraph 24, DSG), which must be taken into account ex officio, i.e If the facts are established, consideration must be given without objection (see Dohr/Pollirer/Weiss/Knyrim, Data Protection Law, Section 34, Note 2 to the previous provision of Section 34 Para. 1 DSG 2000). From , Data protection law, paragraph 34,, note 2 to the previous provision of paragraph 34, paragraph one, DSG 2000). Bresich, Dopplinger, Dörnhöfer, Kunnert, Riedl show that the limitation rule of Section 24 Para. 4 DSG with regard to the time limit for the expiry of the right to have a complaint dealt with largely corresponds to Section 34 Para. 1 DSG 2000 (subjective period of one year from knowledge of the facts and an objective period of three years from the occurrence of the event). It appears that the limitation rule in paragraph 24, paragraph 4, DSG with regard to the time requirements for the expiry of the right to deal with a complaint largely corresponds to paragraph 34, paragraph one, DSG 2000 (subjective deadline of one year from knowledge of the facts and objective deadline of three years from the occurrence of the event). As is clear from the findings, the complainant's data was queried from the central population register on December 27, 2021 and these were transmitted to B*** & Co KG. As further established, the complainant was not informed about the query and only became aware of this process on January 27, 2023 at the earliest as a result of the submission of a protocol in the GZ proceedings: *4 C *32/22f in which the complainant's mother was a party and she informed the complainant of the submission. The complainant's complaint of April 5, 2023 was made within the deadline specified in Section 24 (4) DSG. The complainant's complaint of April 5, 2023 was made within the deadline set in paragraph 24, paragraph 4, DSG. D.2. Regarding the alleged violation of the right to secrecy General information on the processing of personal data and the principles for their processing According to Section 1 Para. 1 DSG, everyone has the right to keep their personal data confidential if there is a legitimate interest in doing so. The existence of such an interest is excluded if data is not accessible to a confidentiality claim due to its general availability or because it cannot be traced back to the person concerned. According to paragraph one, paragraph one of the DSG, everyone has the right to confidentiality of the personal data concerning them, provided that this is worthy of protection There is interest in it. The existence of such an interest is excluded if data is not accessible to a confidentiality claim due to its general availability or because it cannot be traced back to the data subject. The GDPR and in particular the principles enshrined therein must be taken into account when interpreting the right to confidentiality (cf. the DSB's decision of October 31, 2018, GZ DSB-D123.076/0003-DSB/2018).The GDPR and in particular The principles enshrined therein must be taken into account when interpreting the right to secrecy (see the DSB's decision of October 31, 2018, GZ DSB-D123.076/0003-DSB/2018). As established, the complainant was blocked in the central population register at least at the time of the query in question. According to Section 16 Paragraph 1 of the Registration Act, the registration authorities, as jointly responsible parties, are authorized in accordance with Art. 4 Z 7 in conjunction with Art Any existing information blocks and associated deregistrations are to be processed jointly in such a way that each person responsible also has access to the data in data processing that was made available to them by the other persons responsible (central registration register). According to paragraph 16, paragraph one, of the Registration Act The registration authorities, as jointly responsible parties in accordance with Article 4, paragraph 7, in conjunction with Article 26, paragraph one, GDPR, are authorized to share their registration data - with the exception of information on religious belief - together with any existing information blocks and associated de-registrations for the purposes of maintaining the central registration register processed in such a way that each person responsible also has access to the data in data processing that was made available to them by the other persons responsible (central registration register). In accordance with Section 18 Paragraph 1 of the Registration Act, the registration authority shall, upon request, provide proof of identity within the scope of Section 16 Paragraph 1 of the Legislature. to provide information from the central registration register as to whether and, if applicable, where within the federal territory a clearly identifiable person is or was registered. According to paragraph 18, paragraph one, Registration Act, the registration authority must, upon request, provide proof of identity to the extent of paragraph 16, paragraph one, leg. cit. to provide information from the central population register as to whether and, if applicable, where within the federal territory a clearly identifiable person is or was registered. If the person you are looking for does not have a registered or last registered main residence or if there is a block on providing information in relation to them, the information from the registration authority must read: “There is no data available for registration information about the person you are looking for.” Can If the information provided by the person who made the request is not assigned to just one person who has been registered, the information from the registration authority must read: “Based on the identity information, the person being sought cannot be clearly identified; No information can be provided.” The residence (seat) or residence (Section 3 Z 3 AVG) of the person making the request is decisive for the responsibility for providing information. If the person you are looking for does not appear to have a registered or last registered main residence or if there is a block on information in relation to him, the information from the registration authority must read: “There is no data available for registration information about the person(s) being sought.” Can the information of the person who made the request not only If a person is assigned to a registered person, the information from the registration authority must read: “Based on the identity information, the person being sought cannot be clearly identified; No information can be provided.” The residence (seat) or residence (paragraph 3, number 3, AVG) of the person making the request is decisive for the responsibility to provide information. According to Section 18, Paragraph 2, leg ). The application must be granted if an interest worthy of protection can be credibly demonstrated. If such an interest is obvious, the block on information can also be ordered or extended ex officio. The ban on information can be imposed or extended for a maximum period of five years; During this time it also applies in the event of deregistration. According to Section 18 Paragraph 5 of the Registration Act, if there is a block on information regarding a person, the information from the registration authority must read: “There is no data available for registration information about the person(s) being sought”. In these cases, information in accordance with paragraph 1 must be provided if the applicant proves that he or she can assert a legal obligation on the part of the person concerned. In such a case, the registration authority must inform the person required to report before providing the information and give him the opportunity to make a statement. According to paragraph 18, paragraph 5, of the Registration Act, if there is a ban on providing information regarding a person, the information from the registration authority must read: “It “There is no data available for registration information about the person(s) being sought.” In these cases, information in accordance with paragraph one must be provided if the applicant proves that he can assert a legal obligation on the part of the person concerned. In such a case, the reporting authority must inform the person required to report before providing the information and give them the opportunity to comment. D.3. In the matter Regarding the complainant, there is a ban on providing information in accordance with Section 18 Paragraph 2 of the Registration Act. Accordingly, the respondent would have been obliged to inform that there is a block on information regarding the complainant as a wanted person in accordance with Section 18, Paragraph 2, Registration Act. Accordingly, the respondent would have been obliged to inform that there was no data available for registration information about the complainant as a wanted person or the respondent would have been obliged to do so in accordance with Section 18 Paragraph 5 of the Legislature. As a reporting authority, the obligation has been made to inform the complainant, as the person obliged to report, before providing information and to give her the opportunity to comment. However, as alleged by the respondent herself, the respondent's employee who carried out the questioned query failed to do so. or the respondent should have done so under paragraph 18, paragraph 5, leg. cit. As a reporting authority, the obligation has been made to inform the complainant, as the person obliged to report, before providing information and to give her the opportunity to comment. However, as alleged by the respondent herself, the respondent's employee who carried out the questioned query failed to do so. In this context, it should be noted that employees who have access to personal data within an organization are generally not to be seen as controllers or processors, but the processing is ultimately attributed to the controller (see, for example, the BVwG's decision of 27. April 2022, GZ: W214 2237072-1). In this context, it should be noted that employees who have access to personal data within an organization are generally not to be seen as controllers or as processors, but rather the processing is ultimately attributed to the controller (see, for example, the BVwG's ruling of April 27, 2022). , GZ: W214 2237072-1). The respondent is a “state authority” in accordance with Section 1 Para. 2 DSG, which means that the use of personal data requires a (formal) legal basis and the query also took place within the framework of the sovereign administration, namely when issuing a registration information in accordance with Section 18 Paragraph 1 Reporting Act. The respondent is a “state authority” according to paragraph one, paragraph 2, DSG, which means that the use of personal data requires a (formal) legal basis and the query was also carried out within the framework of the sovereign administration, namely when issuing a registration information Paragraph 18, paragraph one, Reporting Act. Especially since there was a ban on information about the complainant at the time of the query in question, such reporting information was only possible under the provisions of Section 18 Paragraph 5 Leg. Cit. permissible to grant. However, as the respondent herself argued, the complainant was not informed before the registration information was issued and was not given the opportunity to comment, which means the respondent violated the requirements of Section 18 Paragraph 5 Leg. Cit. has violated.Especially since there was a ban on information about the complainant at the time of the query in question, such reporting information was only possible under the conditions of paragraph 18, paragraph 5, leg. cit. permissible to grant. However, as the respondent herself argued, the complainant was not informed before the registration information was issued and was not given the opportunity to comment, which means the respondent was in breach of the requirements of paragraph 18, paragraph 5, leg. cit. has injured. In the absence of legal cover, the processing in question proves to be unlawful and the complaint had to be upheld. Given this result, it is unnecessary to go into the question in more detail as to whether there was a legal interest on the part of third parties to receive the registration information. The decision therefore had to be made in accordance with the verdict.