DSB (Austria) - 2022-0.792.182

From GDPRhub
Revision as of 08:41, 29 July 2024 by Ec (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
DSB - 2022-0.792.182
LogoAT.png
Authority: DSB (Austria)
Jurisdiction: Austria
Relevant Law:
§1 AMSG
§1 DSG
§29 AMSG
§32 AMSG
Type: Complaint
Outcome: Rejected
Started:
Decided: 21.11.2022
Published:
Fine: n/a
Parties: Public Employment Service
National Case Number/Name: 2022-0.792.182
European Case Law Identifier: ECLI:AT:DSB:2022:2022.0.792.182
Appeal: n/a
Original Language(s): German
Original Source: Rechtsinformationssystem des Bundes (in DE)
Initial Contributor: Annkathrin.a.dix

The DPA dismissed the complaint because the complainant’s data was deemed ‘generally available’ and the respondent’s processing thereof was justified by their legal mandate to efficiently place workers and provide labour market information.

English Summary

Facts

The controller was a service provider in accordance with public law — in particular, they oversaw the federal government’s labor market policy. In order to search for job openings on company websites, the controller used an algorithm — AMS job robot — and subsequently published the results on their own homepage. The background information pertaining to the position from the original advertisement was integrated into the JobRobot web ad. In addition, a link was embedded into the advertisement that took users directly to the job website of the respective company. When an original job advertisement was removed, the advertisement on the controller’s homepage was also deleted. Updates related to job offers would (typically) take place within 24 hours.

On 21 September 2021, the data subject argued that the controller violated their right to confidentiality by publishing the data subject’s data from a job advertisement on the controller’s own homepage.

Holding

Regarding the data subject’s standing

According to Section 1 and 24 Data Protection Act (Datenschutzgesetz), legal persons fall within the scope of protection, and can lodge complaints to assert the rights granted therein.

Regarding the right to confidentiality

Section 1, paragraph 1 Data Protection Act stipulates that everyone has the right to maintain personal data related to them confidential, if there is a legitimate interest in doing so. The exceptions to this is, however, if such data is generally available or cannot be traced back to the person concerned. The GDPR is limited to the processing of personal data of natural persons. In the present case, the data subject was a legal person, so the GDPR was inapplicable and the exception under Section 1, paragraph 1 Data Protection Act had to subsequently be considered. Data is considered ‘generally available’ if it is open to an unlimited and undetermined group of users — this requires a case-by-case assessment.

In the present case, the data subject published the job advertisement itself on their freely accessible public website. The controller merely reproduced this publicly available data without creating any additional informational value for the purpose of labor market placement. Moreover, the controller only processed such data to the extent that the original job advertisement was published on the data subject’s homepage. Thus, the data subject’s data from the job advertisement published on their website was considered to be generally available, and was not subject to confidentiality protection.

The DPA considered an alternative argument as well. Even if the data was deemed to not be generally available, the controller’s processing of data would still be justified. In particular, the controller acted as a public authority executing their legal mandate under Labor Market Service Act ("Arbeitsmarktservicegesetz") in order to efficiently place workers and provide information related to the labor market. The publication of the data subject’s data was carried out in accordance with these legally mandated responsibilities, whilst also adhering to the principle of data minimization enshrined in Article 5(1)(c) GDPR. The controller merely provided background information about the position which was extracted from the original advertisement, and provided for links that directed the user to the data subject’s website. Moreover, the information was only published on the controller’s website as long as the corresponding advertisement was still active on the respective employer’s website. Thus, the Labor Market Service Act provides a sufficient legal basis under the Data Protection Act for the controller's data processing activities in this case.

Consequently, DPA dismissed the complaint.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

Text

GZ: 2022-0.792.182 of November 21, 2022 (case number: DSB-D124.5017)

[Editor's note: Names and companies, legal forms and product names, addresses (including URLs, IP and email addresses), file numbers (and the like), etc., as well as their initials and abbreviations may be abbreviated and/or changed for pseudonymization reasons. Obvious spelling, grammatical and punctuation errors have been corrected.

The name of the respondent as a public corporation has not been pseudonymized because its legally defined labor market policy tasks are mentioned in the text of the justification, and therefore a meaningful and meaningful pseudonymization of the name was not possible in this decision to be published in accordance with Section 23 Paragraph 2 of the DSG.]The name of the respondent as a public corporation has not been pseudonymized because its legally defined labor market policy tasks are mentioned in the text of the justification, and therefore a meaningful and meaningful pseudonymization of the name was not possible in this decision to be published in accordance with Section 23 Paragraph 2 of the DSG.]

DECISION

RULING

The Data Protection Authority decides on the data protection complaint from A*** & B*** Betriebs GmbH (complainant), represented by Mag. F***, Mag. T*** Rechtsanwälte OG, dated September 21, 2021 against the Public Employment Service (respondent) for violation of the right to confidentiality as follows:

1. The complaint of a violation of the right to confidentiality is dismissed as unfounded.

2. The complainant's supplementary complaint of November 2, 2022 of a violation of the right to information is dismissed.

Legal basis: Sections 1, 18 paragraph 1 and 24 paragraph 1 and paragraph 5 of the Data Protection Act (DSG), Federal Law Gazette I No. 165/1999 as amended.Legal basis: Paragraphs one, 18 paragraph one, and 24 paragraph one and paragraph 5 of the Data Protection Act (DSG), Federal Law Gazette Part One, No. 165 of 1999, as amended.

REASONS

A. Arguments of the parties and course of proceedings

1. In her submission of September 21, 2021 initiating the proceedings, the complainant summarized that she considered her right to confidentiality to have been violated by the respondent because in 2021, without her consent or order, the respondent used her data to place people as workers for the complainant without being asked and without need.

2. The respondent responded in his statement of October 21, 2021 that the complainant had placed a job advertisement on her homepage on June 14, 2020, and that the respondent had then found this information freely available on the Internet and automatically placed a reference (link) to it in a self-provided, structured and freely accessible job platform. The complainant had also not taken any steps to prohibit crawling technologies from capturing the job advertisement.

3. In her statement of 15 December 2021, the complainant argued that the fact that the complainant's homepage was publicly accessible only meant that anyone could view it if they were looking for the complainant, but that it did not mean that the facts contained on the homepage were generally known or known to the courts, which is why it could not simply be described as generally available data, nor was the present use of the complainant's data from her homepage limited to mere reproduction, as it was a link on the respondent's own homepage.

4. In a further statement of 20 September 2022, the respondent argued that, according to the complainant's submission, the respondent's brokerage activity, which was the subject of the complaint, took place a few days before 22 March 2021. Specifically, it was an advertisement for two positions listed in the online output area of the AMS web application "JobRoboter", namely one for a technician and one for an office worker. This was neither a personal service activity by the respondent's business consultants, nor was a completely automated copy of the advertisement created; rather, only rudimentary background information about the position was displayed in the JobRoboter web advertisement, which only led the user directly to the job website managed by the complaining party itself when the link integrated in the advertisement was activated (i.e. by "clicking"). The complainant could have prevented this either by removing the job advertisement in question from its online listing or by marking its position as inactive in accordance with the recognized state of the art for road users operating on the internet (natural persons and automated road users such as the AMS JobRoboter). However, by moving the advertisement to the archive area, the complaining party had focused exclusively on perception by natural persons and had failed to choose a form of perception of deactivation that was also in line with the state of the art for automated road users, otherwise the JobRoboter would have removed the link created in this way to the complaining party's job advertisement within 24 hours. The complainant's argument that general availability of the data should not be considered due to a limited group of people is also irrelevant, since the complainant failed to take the precautions possible for her and those expected of an average, business-running Internet user to limit the use of the advertisement as much as possible.

5. The complainant replied in her statement of 2 November 2022 that the respondent had not yet fulfilled the complainant's right to information, and that the complaint was therefore expressly upheld on the point of violation of the right to information, in addition to the violation of the right to confidentiality, as already asserted in the application to the data protection authority. Whether or not the respondent actively engaged in brokerage activities does not change the processing of the data by the respondent and the fact that the data falls within the scope of the DSG. It is also not the complainant's job to ensure that third parties, even an automated crawler, are not able to interfere with the fundamental right to data protection by placing advertisements "in accordance with the state of the art". Rather, it is the respondent's job to program its application in such a way that inadmissible interference does not take place at all. In addition, the respondent also overlooks the decision of the data protection authority on land register data of 23 April 2019, DSB-D123.626/0006-DSB/2018: just because data can be viewed by anyone does not mean that the facts on the complainant's homepage are generally known or that the data is therefore generally available. Regardless of this, not all data that has been published or is publicly accessible may be used by a responsible party for any purpose of their own.

B. Subject of the complaint

The subject of the complaint is the question of whether the respondent violated the complainant's right to confidentiality by publishing the complainant's data from a job advertisement on the respondent's own homepage.

C. Findings of fact

1. The respondent is a public service company. It is responsible for the federal labor market policy.

2. The respondent uses an algorithm to search for open job vacancies on company websites and then publishes them on the respondent's homepage ("AMS job robot").

3. The rudimentary background information about the position from the original advertisement is taken into the JobRobot's web advertisement. In addition, a link integrated into the advertisement takes you directly to the job website of the respective company.

4. If the original job advertisement is taken offline, the job advertisement on the respondent's homepage is also removed.

5. Job offers are usually updated within 24 hours.

Assessment of evidence: The findings are based on internal correspondence from the respondent submitted with the statement of December 15, 2021, as well as the respondent's supplementary statement of September 20, 2022.

6. Job advertisements were published on the complainant's homepage on October 14, 2020 and May 7, 2021.

7. The respondent then took the complainant's data from the job advertisement and published it on the job platform on its homepage. In addition, a link integrated into the advertisement led directly to the job advertisement on the complainant's website.

Assessment of evidence: The findings are based on the undisputed information provided by the respondent in his statement of December 15, 2021 and the internal correspondence submitted with it, as well as the respondent's supplementary statement of September 20, 2022.

D. From a legal perspective, this leads to the following:

On point 1 of the ruling

a) On the complainant's standing

The data protection authority has already stated several times that legal persons are also subject to the scope of protection pursuant to Section 1 of the Data Protection Act and are also entitled to lodge a complaint pursuant to Section 24 of the Data Protection Act in order to assert the rights granted therein (see the decision of the data protection authority of May 25, 2020, GZ: D124.1182, 2020-0.191.240 for details). The Data Protection Authority has already stated several times that legal persons are also subject to the scope of protection pursuant to paragraph 1, DSG and are also entitled to lodge a complaint pursuant to paragraph 24, DSG in order to assert the rights granted therein (for details, see the decision of the Data Protection Authority of 25 May 2020, GZ: D124.1182, 2020-0.191.240).

b) On the right to confidentiality

According to Section 1, Paragraph 1 of the DSG, everyone has the right to keep personal data concerning them confidential, provided that there is a legitimate interest in doing so. The existence of such an interest is excluded if data is not accessible to a confidentiality claim due to its general availability or because it cannot be traced back to the person concerned. According to Paragraph 1, Paragraph 1 of the DSG, everyone has the right to keep personal data concerning them confidential, provided that there is a legitimate interest in doing so. The existence of such an interest is excluded if data is not accessible to a confidentiality claim due to its general availability or because it cannot be traced back to the person concerned.

The very general assumption that there is no violation of legitimate confidentiality interests for lawfully published data does not apply within the scope of application of the GDPR (see the decision of the DSB of October 31, 2018, GZ DSB D123.076/0003 DSB/2018 with further references), but the application of the GDPR is limited to the processing of personal data of natural persons pursuant to Art. 1 GDPR. However, the complainant is a legal entity, which does not open up the scope of application of the GDPR and the exception of generally available data pursuant to Section 1 Paragraph 1 DSG must be observed. The very general assumption that there is no violation of legitimate confidentiality interests for lawfully published data does not apply within the scope of the GDPR (see the decision of the DSB of October 31, 2018, GZ DSB D123.076/0003 DSB/2018 mwN), however, the application of the GDPR is limited to the processing of personal data of natural persons in accordance with Article 1 of the GDPR. However, the complainant is a legal entity, which does not open up the scope of the GDPR and the exception for generally available data under paragraph 1, subsection 1 of the DSG must be observed.

Data is “generally available” if it is accessible to an unlimited, individually undetermined group of users (cf. OGH of September 3, 2002, 11 Os 109/01; DSK of February 25, 2009, K121.419/0007-DSK/2009). Whether data is to be classified as “generally available” requires an examination on a case-by-case basis, with particular attention being paid to whether general accessibility still actually exists at the time of the intended use (see the ErlRV to the StF of Section 1 DSG 2000, 1613 BlgNR 20. GP 34 f). Data is “generally available” if it is open to an unlimited, individually undetermined group of users (cf. OGH of 3 September 2002, 11 Os 109/01; DSK of 25 February 2009, K121.419/0007-DSK/2009). Whether data can be classified as “generally available” requires an examination on a case-by-case basis, with particular attention being given to whether general accessibility still actually exists at the time of the intended use (see the ErlRV to the StF of paragraph one, DSG 2000, 1613 BlgNR 20. GP 34 f).

In fact, the complainant published the job advertisement itself on its website; the complainant’s website is freely accessible and publicly available to a wide, unrestricted group of people. It should also be noted that – contrary to what the complainant believes – no informational added value was created in fact, since only data from the job advertisement was reproduced and this was even published for the same purpose – namely, to recruit workers for the complainant. The processing by the respondent only took place for as long as the job advertisement was published on the complainant's homepage or, if applicable, insignificantly longer, since the respondent's job advertisements are usually updated within 24 hours by the algorithm implemented there.

The decision of the data protection authority of 23 April 2019, DSB-D123.626/0006-DSB/2018, cited by the complainant, on the protection of data from public registers such as the land register is therefore not comparable in this respect, since, unlike in the case at hand, the publication of this data was not carried out by the persons concerned themselves, the use of this data created informational added value and was therefore not a mere reproduction, and the data processing ultimately took place within the scope of application of the GDPR, meaning that the exception to the scope of protection could not even apply due to a lack of legitimate interest. In this case, it can therefore be assumed that the complainant’s data from the job advertisement published on her website is generally available.

Even if one assumes that the data is not generally available and therefore falls within the scope of application of Section 1, Paragraph 1 of the DSG, this intervention would be justified for the following reasons: Even if one assumes that the data is not generally available and therefore falls within the scope of application of Paragraph 1, Paragraph 1 of the DSG, this intervention would be justified for the following reasons:

The respondent is a corporation under public law and is responsible for federal labor market policy in accordance with Section 1 of the AMSG. The respondent is therefore to be qualified as an “authority” in the functional sense; pursuant to Section 1, Paragraph 2 of the DSG, interventions by a state authority in the right to confidentiality are only permissible on the basis of law (see also Article 18 of the B-VG). Such laws must regulate with sufficient precision, i.e. in a way that can be predicted by everyone, under which conditions the collection or use of personal data is permissible for the performance of specific administrative tasks, i.e. must have a sufficiently high degree of determination (VfSlg. 18.643/2008; see also the decision of the VfGH of December 12, 2019 on G 164/2019-25 and G 171/2019-24). The respondent is a public corporation and, according to paragraph one of the AMSG, is responsible for the federal labor market policy. The respondent is therefore to be qualified as an "authority" in the functional sense; according to paragraph one, paragraph 2 of the DSG, interventions by a state authority in the right to confidentiality are only permissible on the basis of laws (see also Article 18 of the B-VG). Such laws must regulate with sufficient precision, i.e. in a way that can be predicted by everyone, under which conditions the collection or use of personal data is permissible for the performance of specific administrative tasks, i.e. they must have a sufficiently high degree of determination (VfSlg. 18.643/2008; see also the decision of the Constitutional Court of 12 December 2019 on G 164/2019-25 and G 171/2019-24).

According to Section 29 AMSG, the respondent’s aim is to work towards bringing together labour supply and demand and thereby to best ensure the supply of labour to the economy and the employment of all persons available to the Austrian labour market. According to paragraph 2 leg. cit., the respondent must, among other things, provide services aimed at efficiently placing suitable workers in jobs (item 1) and counteracting the confusion of the labour market (item 3). Pursuant to Section 32 AMSG, the respondent must provide its services whose purpose is to place job seekers in job vacancies, to secure employment and to secure their livelihood within the meaning of Section 29 leg. cit. According to Section 32 Paragraph 2 AMSG, this also includes information about the job market and the world of work (Item 1), supporting companies in finding and selecting suitable workers (Item 5), and supporting job seekers in finding and selecting a job (Item 6). Pursuant to Paragraph 29 AMSG, the respondent’s aim is to work towards bringing together labor supply and demand, and thereby to best ensure the economy is supplied with workers and the employment of all people available to the Austrian labor market. According to Paragraph 2, leg. cit. the respondent must, among other things, provide services aimed at efficiently placing suitable workers in jobs (point one) and counteracting the confusion of the labor market (point 3). According to paragraph 32, AMSG, the respondent must provide its services in the form of services whose purpose is to place job seekers in vacancies, to secure employment and to secure livelihoods within the meaning of paragraph 29, leg. cit. According to paragraph 32, paragraph 2, AMSG, this also includes information about the labor market and the professional world (point one), supporting companies in finding and selecting suitable workers (point 5) and supporting job seekers in finding and selecting a job (point 6).

The present publication of the complainant’s data was based on the tasks assigned to the respondent by law and in accordance with the principle of data minimisation pursuant to Article 5, Paragraph 1, Letter c of GDPR, as only rudimentary background information about the position was taken from the original advertisement and, in addition, an integrated link led directly to the corresponding job advertisement on the complainant’s website. Information about job vacancies is also published on the respondent’s website only as long as the respective job advertisement is also available on the respective employer’s website. The present publication of the complainant’s data was based on the tasks assigned to the respondent by law and in accordance with the principle of data minimisation pursuant to Article 5, Paragraph 1, Letter c of GDPR, as only rudimentary background information about the position was taken from the original advertisement and, in addition, an integrated link led directly to the corresponding job advertisement on the complainant’s website. Furthermore, information about job vacancies will only be published on the respondent's website as long as the respective job advertisement is also available on the respective employer's website.

As a result, the respondent could therefore also rely on a legal basis within the meaning of Section 1 Paragraph 2 of the DSG, which is why the complaint had to be dismissed in accordance with the ruling.As a result, the respondent could therefore also rely on a legal basis within the meaning of Paragraph 1, Paragraph 2 of the DSG, which is why the complaint had to be dismissed in accordance with the ruling.

On ruling point 2

Insofar as the complainant stated in her last statement of November 2, 2022 that, in addition to the violation of the right to confidentiality, "as already asserted in the application to the DSB", she was also expressly maintaining her complaint on the point of the violation of the right to information, it should be noted that no such application for a determination of the right to information could be inferred from the complaint initiating the proceedings. In this, the complainant (represented by a lawyer), using the model form for complaints regarding a violation of the fundamental right to confidentiality pursuant to Section 1 Paragraph 1 of the Data Protection Act, merely stated in general terms in the context of her presentation of the facts that "A request from the legal representatives to disclose what other data about the complainant is stored and processed remained unanswered." Insofar as the complainant stated in her last statement of November 2, 2022 that, in addition to the violation of the right to confidentiality, "as already asserted in the application to the DSB", she also expressly maintains her complaint on the point of the violation of the right to information, it is pointed out that no such request for a determination of the right to information could be inferred from the complaint initiating the proceedings. In this, the complainant (represented by a lawyer) merely made a general statement in her statement of the facts using the model form for complaints about a violation of the fundamental right to confidentiality pursuant to paragraph one, subsection one, DSG, stating that "a request from the legal representatives to disclose what other data about the complainant is stored and processed remained unanswered."

When interpreting an application, not only the wording of the complaint is important, but also the will of the party, provided that the subject matter of the proceedings - even after interpretation of the submission within the meaning of sections 6 and 7 ABGB - can be identified without doubt, i.e. without any possibility of confusion (VwGH 13.11.2014, Ra2014/12/0010). When assessing a submission, it is not designations and random verbal forms that matter, but the content of the submission, i.e. the identifiable or inferable aim of a party's step (VwGH November 27, 1998, 95/21/0912). However, it cannot be inferred here that the complainant intended to file an application for a declaration of a violation of the right to information with the above-cited complaint of September 21, 2021. When interpreting a submission, not only the wording of the complaint but also the will of the party is important, provided that the subject matter of the proceedings - even after interpreting the submission within the meaning of Sections 6 and 7 ABGB - can be identified beyond doubt, i.e. without the possibility of confusion (VwGH November 13, 2014, Ra2014/12/0010). When assessing a submission, it is not designations and random verbal forms that are important, but the content of the submission, i.e. the identifiable or inferable goal of a party's step (VwGH 27.11.1998, 95/21/0912). However, it cannot be inferred here that the complainant intended to file an application for a declaration of a violation of the right to information with the above-cited complaint of 21 September 2021.

However, such an application can now be inferred within the framework of an interpretation of the submission of 2 November 2022. However, this is a new, different and supplementary submission and thus a new subject matter of the complaint, which affects the essence of the subject matter of the proceedings pursuant to Section 13 Paragraph 8 AVG (see also the decision of the BVwG of October 20, 2021, GZ W211 2231475-1/9E). However, such an application can now be derived within the framework of an interpretation of the submission of November 2, 2022. However, this is a new, different and supplementary submission and thus a new subject matter of the complaint, which affects the essence of the subject matter of the proceedings pursuant to Paragraph 13, Paragraph 8, AVG (see also the decision of the BVwG of October 20, 2021, GZ W211 2231475-1/9E).

Against this background, the supplementary submission had to be rejected pursuant to Section 13 Paragraph 8 AVG. In this context, however, the complainant is free to file a new complaint with the data protection authority. Against this background, the additional complaint had to be rejected in accordance with paragraph 13, section 8 of the AVG. In this context, however, the complainant is free to file a new complaint with the data protection authority.

The decision was therefore based on the ruling.