BVwG - W298 2274626-1/8E

From GDPRhub
Revision as of 08:58, 11 December 2024 by Mba (talk | contribs) (→‎English Summary)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
BVwG - W298 2274626-1/8E
Courts logo1.png
Court: BVwG (Austria)
Jurisdiction: Austria
Relevant Law: Article 6(1) GDPR
§1(1) DSG
Decided: 13.09.2024
Published: 28.11.2024
Parties:
National Case Number/Name: W298 2274626-1/8E
European Case Law Identifier: ECLI:AT:BVWG:2024: W298.2274626.1 .00
Appeal from:
Appeal to:
Original Language(s): German
Original Source: RIS (in German)
Initial Contributor: ao

A court held that the use of the Google reCaptcha function without the explicit consent of the data subject is unlawful.

English Summary

Facts

The data subject had brought a complaint to the Austrian DPA against the controller, a political party.

The data subject detailed that he had visited the controller’s website and noticed that Google reCaptcha was being used on the website even though the data subject had deactivated Google reCaptcha. After the data subject had deactivated all cookies and functions such as Google reCaptcha, he clicked on the “become a member” page on the website, which showed the transfer of 615 packages of information from and to Google. The data subject declared that he had not agreed to the data transfer and that he wasn’t adequately informed that his IP address and the connected data would be transferred to Google. Therefore, Google would have knowledge of which party the data subject wanted to become a member of.

The controller told the DPA that the information on the data subject’s membership sign-up remained entirely confidential and could not be accessed by others. The controller saw itself responsible for the content of the website while the design was carried out by an external person. Further, users had the option to reject cookies through the cookie banner. If cookies were rejected then no storage nor data transfer took place.

The data subject added on the 20 April 2023, that after the complaint with the DPA, the controller continued the practice. Google Fonts was automatically downloaded and users were only informed of this in the privacy policy after the download had been completed.

The DPA found that the data subject’s right to privacy had been infringed upon through implementing Google reCaptcha and processing the data subject’s IP address, certain unique identifiers and browser data. The cookie “_GRECAPTCHA” was held not to be of technological necessity and therefore required the data subject’s explicit consent. Therefore, none of the legal basis under Article 6(1) GDPR applied.

The controller appealed this decision to the Federal Administrative Court (Bundesverwaltungsgericht – BVwG). It argued that the DPA had not analysed with which browser and operating system the data subject had accessed the website.

Holding

The BVwG held that the data subject had not given his clear consent to the reCatpcha data processing.

Even though the controller had not listed Article 6(1)(f) GDPR as a legal basis for processing, the court analysed whether this could legitimize the data processing. The Google reCaptca service was held to be unnecessary and therefore the controller could not rely on a legitimate interest.

Therefore, none of the legal bases under Article 6(1) GDPR applied and the data processing violated the data subject’s right to privacy under §1(1) of the Austrian Data Protection Act. The BVwG therefore upheld the decision of the DPA.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

Decision date

13.09.2024

Standard

B-VG Art133 Abs4
DSG §1 Abs1
GDPR Art4
GDPR Art6

B-VG Art. 133 today B-VG Art. 133 valid from 01.01.2019 to 24.05.2018 last amended by BGBl. I No. 138/2017 B-VG Art. 133 valid from 01.01.2019 last amended by BGBl. I No. 22/2018 B-VG Art. 133 valid from 25.05.2018 to 31.12.2018 last amended by BGBl. I No. 22/2018 B-VG Art. 133 valid from 01.08.2014 to 24.05.2018 last amended by BGBl. I No. 164/2013 B-VG Art. 133 valid from 01.01.2014 to 31.07.2014 last amended by BGBl. I No. 51/2012 B-VG Art. 133 valid from 01.01.2004 to 31.12.2013 last amended by BGBl. I No. 100/2003 B-VG Art. 133 valid from 01.01.1975 to 31.12.2003 last amended by BGBl. No. 444/1974 B-VG Art. 133 valid from 25.12.1946 to 31.12.1974 last amended by BGBl. No. 211/1946 B-VG Art. 133 valid from 12/19/1945 to 12/24/1946 last amended by StGBl. No. 4/1945 B-VG Art. 133 valid from 01/03/1930 to 06/30/1934

DSG Art. 1 § 1 today DSG Art. 1 § 1 valid from 01/01/2014 last amended by BGBl. I No. 51/2012 DSG Art. 1 § 1 valid from 01/01/2000 to 12/31/2013

Saying

W298 2274626-1/8E

IN THE NAME OF THE REPUBLIC!

The Federal Administrative Court, with Judge Mag. Mathias VEIGL as chairman and the expert lay judge Mag. Gerda Ferch-Fischer and the expert lay judge Mag. Adriana Mandl as assessors, decides on the complaint of XXXX (first complainant) and XXXX (second complainant), represented by Dr. Roman SCHIESSLER, lawyer in 8077 Gössendorf, against the decision of the Data Protection Authority dated May 30, 2023, GZ. XXXX (co-involved party: XXXX ) due to violation of the right to confidentiality: The Federal Administrative Court, through the judge Mag. Mathias VEIGL as chairman and the expert lay judge Mag. Gerda Ferch-Fischer and the expert lay judge Mag. Adriana Mandl as assessors, recognizes the complaint of the roman 40 (first complainant) and the roman 40 (second complainant), represented by Dr. Roman SCHIESSLER, lawyer in 8077 Gössendorf, against the decision of the data protection authority dated May 30, 2023, GZ. roman 40 (co-involved party: roman 40 ) due to violation of the right to confidentiality, rightly:

A) The complaint is dismissed as unfounded.

B) The appeal is not admissible according to Article 133, Paragraph 4 of the Federal Constitutional Law.B) The appeal is not admissible according to Article 133, Paragraph 4 of the Federal Constitutional Law.

Text

Reasons for the decision:

I. Procedure: Roman one. Procedure:

1. With a submission dated XXXX, amended by letter dated XXXX, XXXX (hereinafter "co-involved party") filed a data protection complaint with the authority concerned and alleged a violation of the right to confidentiality. According to this, he visited the website of the complainants " XXXX " on XXXX to register for party membership. The co-involved party deactivated Google reCaptcha in the data protection settings, but Google reCaptcha continued to be used on all pages of the homepage " XXXX " without proving the legality of the processing of user data in accordance with Article 5, Paragraphs 1 and 2 of the GDPR. Despite the fact that the co-involved party immediately deactivated all cookies and functions such as reCaptcha after opening the website and then only opened the "Become a Member" page, 615 packets had already been transmitted to and from Google in the background. The co-involved party had not consented and had not been informed that his personal data, namely his IP address, and the data of the browser used, etc. would be transmitted to Google, and that Google would therefore know which pages of the " XXXX " party had been opened and that a membership registration with the " XXXX " party had been carried out under his IP address.1. With a submission dated roman 40 , improved with a letter dated roman 40 , roman 40 (hereinafter "co-involved party") lodged a data protection complaint with the authority concerned, alleging a violation of the right to confidentiality. Accordingly, he had visited the complainants' website " roman 40 " on roman 40 in order to register for party membership. The party involved had deactivated Google reCaptcha in the data protection settings, but Google reCaptcha continued to be used on all pages of the “roman 40” homepage without proving the legality of the processing of user data in accordance with Article 5, paragraphs one and two of the GDPR. Despite the fact that the party involved immediately deactivated all cookies and functions such as reCaptcha after opening the website and then only opened the “Become a Member” page, 615 packages had already been sent to and from Google in the background. The party involved had not consented and had not been informed that his personal data, namely his IP address, and the data of the browser used, etc. would be transmitted to Google, and that Google would therefore know which pages of the “roman 40” party had been opened and that a membership registration with the “roman 40” party had been carried out under his IP address.

2. In a statement dated March 7, 2023, the first complainant stated that the party involved had registered as a member on the website. The members' data is managed internally and no outsider has access. It cannot be determined to what extent confidentiality obligations have been violated.

3. In a statement dated March 17, 2023, the first complainant stated that he and the second complainant are responsible for the content of the " XXXX " page, but not for its design, which is external. When accessing the website, the visitor to the website decides for himself through his settings which cookies he sets or makes available for reading. The first complainant and the second complainant have no influence on this, unless these are system-related. No cookies are set before a website visitor makes the choice to allow cookies in the cookie banner of the " XXXX " website. When accessing the page, the visitor has the choice of 1. not setting or using any cookies at all, which means that it is not possible to answer inquiries or forward data, 2. setting necessary cookies for answering inquiries, this is done via and through the Google services and external services, these are Google Fonts, Google Maps, Google reCATPCHA, Vimeo and YouTube. All cookie settings are stored locally on the calling computer and not in the domain, unless they have been specifically released by the user for (domain) storage. The callers will be informed of these circumstances. If these points are not accepted, no domain storage or forwarding will take place, neither internally nor externally.3. In a statement dated March 17, 2023, the first complainant stated that he and the second complainant were responsible for the content of the “roman 40” page, but not for its design, which was external. When accessing the website, the visitor decides for himself through his settings which cookies he sets or makes available for reading. The first complainant and the second complainant have no influence on this, unless these are system-related. No cookies are set before a website visitor chooses to allow cookies in the cookie banner on the “roman 40” website. When accessing the page, the visitor has the choice of 1. not setting or using any cookies at all, which makes it impossible to answer queries or forward data, 2. setting the cookies necessary to answer queries. This is done via and through Google services and external services, namely Google Fonts, Google Maps, Google reCATPCHA, Vimeo and YouTube. All cookie settings are saved locally on the accessing computer and not in the domain, unless the user has specifically authorized (domain) storage. Those accessing the website will be informed of these circumstances. If these points were not accepted, no domain storage or forwarding would take place, neither internally nor externally.

Personal data would only be stored to the extent that it was provided by the person calling in a corresponding form. IP addresses, values and unique IDs would not be saved and content would only be queried according to the (possibly new) information provided by the person calling and transferred to an external user database in order to avoid double registration. The complainants would not actively or passively transmit any related data to third parties.

4. In a letter dated March 23, 2023, the first complainant pointed out that the statement of March 17, 2023 also counted as the statement of the second complainant.

5. The co-involved party replied in a statement dated April 20, 2023 that the complainants, as operators of the website, would not remedy the data protection violation despite the complaint to the data protection authority, although all that was needed was a simple setting so that Google Fonts were not downloaded but made available by the website itself. The privacy policy only indicates that the Google Fonts had been downloaded from the USA after this had already happened. This means that Google is aware that the co-involved party had visited the complainants' website. This cannot be prevented in advance. It is still not shown which cookies are used and for what reason. It is also not possible to subsequently change settings that have already been made via the privacy policy.6. With the decision of May 30, 2023 cited in the ruling, the authority concerned upheld the complaint of the co-participating party and found that the first complainant and the second complainant had violated the co-participating party's right to confidentiality by implementing Google services (at least the Google ReCAPTCHA service with the "grecaptcha" cookie) on their website " XXXX " as controllers through their decision and thus unlawfully processing personal data of the co-participating party (this is at least in combination with its online identifier in the form of the IP address and unique user identification numbers as well as browser data) on XXXX.6. With the decision of May 30, 2023 cited in the ruling, the authority concerned upheld the complaint of the co-participating party and found that the first complainant and the second complainant had violated the co-participating party's right to confidentiality by implementing Google services (at least the Google ReCAPTCHA service with the cookie "grecaptcha") on their website " roman 40 " through their decision and thus unlawfully processing personal data of the co-participating party (this is at least in combination with its online identifier in the form of the IP address and unique user identification numbers as well as browser data) on roman 40.

In its justification, the authority concerned stated that after the complainant visited the website " XXXX " on XXXX, cookies with a unique, randomly generated value were set and read in the co-participating party's terminal device. Subsequently, the cookie values and IP address of the complainant's end device were transmitted to Google's servers, among others. The complainants also did not provide any evidence in accordance with Art. 25 (1) GDPR - the requirements of which must be implemented before the actual data processing - that technical or organizational protective measures had been taken to prevent the cookie values and IP address from being linked to additional information (e.g. by Google). In any case, the cookie "_GRECAPTCHA" used was not a technically necessary cookie and consent would therefore have had to be obtained. Implementing this service with the cookie "_GRECAPTCHA" cannot be considered a technical necessity. For the reasons stated, the data processing that followed the implementation of Google services (at least the Google reCAPTCHA service) (specifically: the transmission of the complainant's data by implementing the service to third parties such as Google) was not covered by any justification under Art. 6 (1) GDPR, which is why there was a violation of the right to confidentiality. In its justification, the authority concerned stated that after the complainant visited the website “roman 40” on roman 40, cookies with a unique, randomly generated value were set and read in the end device of the party involved. Subsequently, the cookie values and IP address of the complainant’s end device were transmitted to Google’s servers, among others. The complainants also did not provide any evidence in accordance with Article 25, paragraph 1, GDPR – the requirements of which must be implemented before the actual data processing – that technical or organizational protective measures had been taken to prevent the cookie values and IP address from being linked to additional information (e.g. by Google). In any case, the cookie “_GRECAPTCHA” used was not a technically necessary cookie and consent would therefore have had to be obtained. Implementing this service with the cookie “_GRECAPTCHA” could not be considered a technical necessity. For the reasons stated, the data processing that followed the implementation of Google services (at least the Google reCAPTCHA service) (specifically: the transmission of the complainant's data by implementing the service to third parties such as Google) was not covered by any justification under Article 6, paragraph one, GDPR, which is why there was a violation of the right to confidentiality.

7. The complainants filed an appeal on time with a written submission dated June 27, 2023. In it, they essentially argued that the authority concerned had failed to determine which operating system and browser the party involved had used to access the " XXXX " page. This is particularly important because there are operating systems (e.g. Android) and browsers from various hardware manufacturers (e.g. Samsung) that already have cookies (including Google services) installed and activated for device and personal identification. Their use is already consented to by using the device or browser. It was also not ascertained whether the party involved had previously enabled and permitted the use of cookies, in particular reCAPTCHA, on other sites he had visited. In this case, according to Google's usage guidelines - to which he had already agreed beforehand - data would have been automatically transmitted when the page was accessed, but this would have had nothing to do with the "XXXX" website itself. The GDPR does not prohibit the processing of IP addresses and user identification numbers as well as browser data at any time. The claim that the "_grecaptcha" cookie was implemented is also false. The claim by the party involved that he accessed the complainants' homepage from his "static IP address" is also false. Consent was demonstrably obtained and granted by the party involved, whether this consent had already existed beforehand or had only been given as a result of "active action" by the party involved is legally and technically irrelevant - without consent he would not have been able to register as a member. Finally, the complainants pointed out that the cookie can be deleted at any time. 7. The complainants lodged an appeal on time in a written submission dated June 27, 2023. In it, they essentially argued that the authority in question had failed to determine which operating system and browser the co-participating party had used to access the “roman 40” page. This was particularly important because there are operating systems (e.g. Android) and browsers from various hardware manufacturers (e.g. Samsung) that already have cookies (including Google services) installed and activated for device and personal identification. Their use is already consented to by using the device or browser. It was also not determined whether the co-participating party had previously enabled and permitted the use of cookies, in particular reCAPTCHA, on other pages accessed by the party. In this case, according to Google's usage guidelines - which he had already agreed to beforehand - the page call would have automatically resulted in data being transmitted, which, however, would have had nothing to do with the "roman 40" website itself. The GDPR does not prohibit the processing of IP addresses and user identification numbers as well as browser data at any time. The claim that the "_grecaptcha" cookie was implemented is also false. The claim by the party involved that he accessed the complainants' homepage from his "static IP address" is also false. Consent was demonstrably obtained and granted by the party involved, whether this had already existed beforehand or had only been given as a result of "active action" by the party involved is legally and technically irrelevant - without consent he would not have been able to register as a member. The complainants finally pointed out that the cookie can be deleted at any time.

8. With a file submission dated July 3, 2023, the authority concerned submitted the administrative act to the Federal Administrative Court for a decision and pointed out in its statement that if the complainants believe that the operating system or software is important because the website visitor has already consented to the use of cookies "by using the device", they would overlook the fact that the subject of the complaint is in any case a technically necessary cookie and that express consent - as they themselves state in their complaint - would have had to be obtained, whereby a device pre-setting cannot constitute an unambiguous expression of intent (cf. Art. 4 Z 11 GDPR).8. With a file submission dated July 3, 2023, the authority concerned submitted the administrative act to the Federal Administrative Court for a decision and pointed out in its statement that if the complainants believe that the operating system or software is important because the website visitor has already consented to the use of cookies "by using the device", they would overlook the fact that the subject of the complaint is in any case a technically necessary cookie and that express consent - as they themselves state in their complaint - would have had to be obtained, whereby a device pre-setting cannot constitute an unambiguous expression of intent (see Article 4, paragraph 11, GDPR).

9. In a statement dated September 4, 2023, the co-participating party essentially repeated its previous submissions and added that even if the two website operators commissioned someone else to carry out the technical implementation of their desired content, both complainants would still be responsible for data protection violations. The co-involved party had visited the complainants' website in private mode and data had nevertheless been exchanged with Google (USA) without the co-involved party being informed of this.

10. In its statement of September 18, 2023, the authority concerned referred to the statement of the authority concerned on the parallel preliminary ruling proceedings of the ECJ on C-604/22, which was submitted in the appendix, in particular to the statements contained therein on the personal reference of cookies.

II. The Federal Administrative Court considered:

1. The following facts are established:

1.1. On XXXX, the co-participating party visited the website “ XXXX ” under the IP address “Static IP: XXXX ” using a notebook that uses the Windows 10 operating system. He used the “Firefox” browser in private mode. He visited the website several times. 1.1. On Roman 40, the co-participating party visited the website “ Roman 40 ” under the IP address “Static IP: Roman 40 ” using a notebook that uses the Windows 10 operating system. He used the “Firefox” browser in private mode. He visited the website several times.

1.2. The first complainant and the second complainant operate the website “ XXXX ” for their party “ XXXX ”. The founding members of this party are the first complainant and the second complainant. Both have the final decision on the content of the website and are therefore media owners. They make the decision under which conditions which cookies are set or read when the website is accessed. On the XXXX ” under the heading “Imprint” the complainants comply with their disclosure obligation according to Sections 24, 25 Media Act and describe themselves as the publisher of the online medium.1.2. The first complainant and the second complainant operate the website “ roman 40 ” for their party “ roman 40 ”. The founding members of this party are the first complainant and the second complainant. Both have the final decision on the content of the website and are therefore media owners. It decides under which conditions which cookies are set or read when the website is accessed. On the Roman 40 " under the heading "Imprint" the complainants comply with their disclosure obligation according to paragraphs 24, 25 Media Act and describe themselves as the publisher of the online medium.

1.3. There is a "Become a member" button on the complainants' website to offer visitors to the website the opportunity to become a party member.

1.4. The party involved visited the website of the first complainant and the second complainant " XXXX " to originally register as a party member. He used the electronic form available on the website, which requested the following data: salutation, title; first name, last name, address, zip code, town/city, email address and telephone number.1.4. The co-participating party visited the website of the first complainant and the second complainant "roman 40" to initially register as a party member. He used the electronic form available on the website, which requested the following data: salutation, title; first name, last name, address, postcode, town/city, email address and telephone number.

At the time of the data protection complaint by the co-participating party, the complainants had implemented the Google service reCAPTCHA on their website. At the time of the co-participating party's visit to the website, Google reCAPTCHA was installed.

The complainants had already set up reCAPTCHA on their homepage and the visitors to the website, including the co-participating party, had no way of avoiding it:

The visitors to the website were not informed of this fact beforehand.

At the time the page was accessed, at least the following cookie was set in the complainant's device or browser: "_GRECAPTCHA", which contained the following unique randomly generated value (random number): " XXXX ".At the time the page was accessed, at least the following cookie was set in the complainant's device or browser: "_GRECAPTCHA", which contained the following unique randomly generated value (random number): " Roman 40 ".

Regardless of whether an individual setting is made, the cookie "_GRECAPTCHA" is set on the website visitor's device (even if the visitor selects "Do not accept"). There is no actual option to consent to or withdraw consent to the cookie "_GRECAPTCHA".

1.5. About cookies:

Cookies can be used to collect information that is generated by a website and stored via an Internet user's browser. It is a small file or piece of text information (usually less than one kilobyte) that is placed by a website on the hard drive of an Internet user's computer or mobile device through an Internet user's browser.

A cookie allows the website to "remember" the user's actions or preferences. Most web browsers support cookies, but users can set their browsers to refuse cookies. They can also delete cookies at any time.

Websites use cookies to identify users, remember their customers' preferences, and enable users to complete tasks without having to re-enter information when they move to another page or revisit the website later.

Cookies can also be used to collect information based on online behavior for targeted advertising and marketing. For example, companies use software to track user behavior and create personal profiles that allow users to be shown advertising tailored to their previous searches.

Those cookie values (for Google reCaptcha) were set on the device when the party involved visited the website that is the subject of the complaint: XXXX ".Those cookie values (for Google reCaptcha) were set on the device when the party involved visited the website that is the subject of the complaint: Roman 40 ".

1.6. reCAPTCHA is a Captcha service that has been operated by Google LLC since 2009. It tries to distinguish whether a certain action on the Internet is carried out by a person or by a computer program or bot. reCAPTCHA helps website operators protect their websites from fraudulent activities, spam and misuse. The basic function of Google reCAPTCHA is to enable website operators to distinguish as precisely as possible whether an input was made by a natural person or abusively by machine and automated processing by incorporating a verification step.

With reCAPTCHA, a JavaScript element is integrated into the source code of the website. The tool runs in the background and analyzes interaction with the website. To analyze behavior, data such as: IP address, referrer URL, information about the operating system and browser, cookies if applicable, mouse movements and keystrokes, length of stay and settings of the user device (e.g. language settings, location, browser settings, etc.) are sent to Google. reCAPTCHA sets a cookie (_GRECAPTCHA) when it is executed to provide its risk analysis. This is a cookie that contains a unique user identification number, which marks a device.

2. The findings arise from the following assessment of evidence:

The findings on the facts arise from the administrative act and from the act of the Federal Administrative Court and are no longer disputed.

The statements regarding the general use and general functioning of cookies come from the Advocate General's opinion in Case C-673/17 (Planet49), para. 36 ff.

The functioning of reCAPTCHA can be found on the Google website https://developers.google.com/recaptcha/, where Google goes into more detail about the technical development of reCAPTCHA. A good overview of the basic use of data at Google can be found in Google's own privacy policy https://policies.google.com/privacy?hl=de.

3. Legal assessment:

The subject of the complaint is whether unlawful data processing by Google services, in particular reCAPTCHA, took place by using reCAPTCHA on the website of the first complainant and the second complainant.

The admissible complaint is unfounded.

Regarding A) Rejection of the complaint:

According to Section 1 Paragraph 1 of the Data Protection Act, everyone has the right to keep personal data concerning them confidential, in particular with regard to respect for their private and family life, provided that there is a legitimate interest in doing so. The existence of such an interest is excluded if data is not accessible to a confidentiality claim due to its general availability or because it cannot be traced back to the person concerned. If the use of personal data is not in the vital interest of the person concerned or with their consent, restrictions on the right to confidentiality are only permissible to protect the overriding legitimate interests of another person. According to Paragraph 1, Paragraph 1 of the Data Protection Act, everyone has the right to keep personal data concerning them confidential, in particular with regard to respect for their private and family life, provided that there is a legitimate interest in doing so. The existence of such an interest is excluded if data is not accessible to a confidentiality claim due to its general availability or because it cannot be traced back to the person concerned. To the extent that the use of personal data is not in the vital interest of the data subject or with his or her consent, restrictions on the right to confidentiality are only permissible to protect the overriding legitimate interests of another party.

Recitals 26 and 30 of the GDPR state:

(26) The principles of data protection should apply to all information relating to an identified or identifiable natural person. Personal data subject to pseudonymisation which could be attributed to a natural person by the use of additional information should be considered as information about an identifiable natural person. In determining whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used by the controller or by another person to identify the natural person, directly or indirectly, such as screening. In determining whether means reasonably likely to be used to identify the natural person, all objective factors should be taken into account, such as the cost and time of identification, taking into account the technology available at the time of the processing and technological developments. The principles of data protection should therefore not apply to anonymous information, i.e. for information which does not relate to an identified or identifiable natural person, or personal data which have been rendered anonymous in such a way that the data subject cannot or can no longer be identified. This Regulation therefore does not concern the processing of such anonymous data, including for statistical or research purposes.

…

(30) Natural persons may be associated with online identifiers such as IP addresses and cookie identifiers provided by their device or software applications and tools or protocols, or other identifiers such as radio frequency identifiers. This may leave traces which, in particular in combination with unique identifiers and other information received by the server, can be used to create profiles of natural persons and to identify them.”

Article 4 of the GDPR provides:Article 4 of the GDPR provides:

“For the purposes of this Regulation, the following definitions apply:

1. ‘personal data’ means any information relating to an identified or identifiable natural person (hereinafter ‘data subject’); a natural person is considered identifiable if he or she can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more special characteristics that express the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

2. ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or any other form of provision, comparison or linking, restriction, erasure or destruction;

…

7. ‘controller’ means the natural or legal person, public authority, agency or other body which alone or jointly with others decides on the purposes and means of processing personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

...

11. 'Consent' of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative act, signifies agreement to the processing of personal data concerning him or her;

...“

Article 6 of the GDPR reads:Article 6 of the GDPR reads:

"(1) Processing shall only be lawful if at least one of the following conditions is met:

a) the data subject has given consent to the processing of personal data concerning him or her for one or more specific purposes;

…

f) the processing is necessary to safeguard the legitimate interests of the controller or of a third party, unless the interests or fundamental rights and freedoms of the data subject which require the protection of personal data prevail, in particular where the data subject is a child.

…“

The processes initiated by visiting the operator's website on the open Internet fall within the scope of the GDPR. The operation of a website represents an information society service within the meaning of Section 3 Z 1 ECG and Art 4 Z 25 GDPR. (THIELE in Jahnel (ed.), Data Protection Law: Yearbook (2022) Data protection violations by Google® Webfonts - a practical case). The processes initiated by visiting the operator's website on the open Internet fall within the scope of the GDPR. The operation of a website represents an information society service within the meaning of paragraph 3, number one, ECG and article 4, number 25, GDPR. (THIELE in Jahnel (ed.), Data Protection Law: Yearbook (2022) Data protection violations by Google® Webfonts - a practical case).

IP addresses represent - now undisputed - personal data within the meaning of Art. 4 Z 1 GDPR. This applies regardless of whether they are "dynamic" or "static" IP addresses (ECJ 19.10.2016, C‑582/14 para. 31ff). IP addresses represent – now undisputed – personal data within the meaning of Article 4, paragraph 1, GDPR. This applies regardless of whether the IP addresses are “dynamic” or “static” (ECJ 19.10.2016, C‑582/14 para. 31ff).

In this regard, it should be noted that Article 4(1) GDPR defines the term “personal data” as “any information relating to an identified or identifiable natural person” and clarifies that “an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person” (ECJ 7 March 2024, C‑604/22). As the ECJ has already ruled, the use of the term "indirect" by the Union legislature indicates that, in order for information to be classified as personal data, it is not necessary that the information in itself enables the person concerned to be identified (see, by analogy, judgment of 19 October 2016, Breyer, C‑582/14, EU:C:2016:779, paragraph 41). On the contrary, Article 4(5) of the GDPR, read in conjunction with Recital 26 of the GDPR, states that personal data that could be attributed to a natural person by using additional information should be considered as information about an identifiable natural person (judgment of 5 December 2023, Nacionalinis visuomenės sveikatos centras, C‑683/21, EU:C:2023:949, paragraph 58). It is not necessary for all the information necessary to identify the person concerned to be in the hands of a single person in order to qualify data as “personal data” within the meaning of Article 4(1) of this Regulation (see, by analogy, judgment of 19 October 2016, Breyer, C‑582/14, EU:C:2016:779, paragraph 43). In this regard, it should be noted that Article 4(1) of the GDPR defines the term “personal data” as “any information relating to an identified or identifiable natural person” and makes it clear that “an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” (ECJ 07.03.2024, C‑604/22). As the ECJ has already ruled, the use of the term ‘indirect’ by the Union legislature indicates that in order for information to be classified as personal data, it is not necessary that the information in itself enables the identification of the person concerned (see, by analogy, judgment of 19.10.2016, Breyer, C‑582/14, EU:C:2016:779, para. 41). On the contrary, Article 4(5) of the GDPR, in conjunction with Recital 26 of the GDPR, states that personal data that could be attributed to a natural person by using additional information should be considered as information about an identifiable natural person (judgment of December 5, 2023, Nacionalinis visuomenės sveikatos centras, C‑683/21, EU:C:2023:949, paragraph 58). It is not necessary for all the information necessary to identify the person concerned to be in the hands of a single person in order to qualify data as "personal data" within the meaning of Article 4(1) of this Regulation (see, by analogy, judgment of October 19, 2016, Breyer, C‑582/14, EU:C:2016:779, paragraph 43).

As soon as additional data, in particular the IP address of a user’s device or other identifiers, enable the identification of that user, it can be assumed that information about an identifiable user is available and thus personal data within the meaning of Art. 4(1) GDPR is present, which is confirmed by Recital 30 of the GDPR, which expressly refers to such a case (ECJ March 7, 2024, C‑604/22).As soon as additional data, in particular the IP address of a user’s device or other identifiers, enable the identification of that user, it can be assumed that information about an identifiable user is available and thus personal data within the meaning of Article 4, paragraph 1, GDPR is present, which is confirmed by Recital 30 of the GDPR, which expressly refers to such a case (ECJ March 7, 2024, C‑604/22).

As already established, the reCAPTCHA set up on the website of the first complainant and the second complainant set a cookie (_GRECAPTCHA) when it was executed to provide its risk analysis. This is a cookie that contains a unique user identification number, which marks a device. The fact that the data collected by the cookies is personal data within the meaning of Art. 4 Z 1 GDPR is no longer in dispute: the cookies in question contain unique identification numbers and were stored on the device or in the browser of the party involved. With these identifiers, the complainants were able to distinguish between website visitors and also to obtain information about whether they were new or returning website visitors. Without these identification numbers, it is not possible to distinguish between website visitors. In this context, it should be noted that all data records that contain identification features that can be used to separate users are considered personal data under the GDPR. A "digital footprint" can be generated simply from the combination of the information transmitted when a website is accessed, such as online identifiers, IP address, information on the browser, operating system, screen resolution, language selection, etc., which allows the end device and subsequently the specific user to be uniquely individualized (see also BVwG W211 2281997-1). Cookies that contain a unique, randomly generated value (random number) and that are set with the purpose of individualizing and separating people meet the definition of Art. 4 Z 1 GDPR. As already stated, the reCAPTCHA set up on the website of the first complainant and the second complainant set a cookie (_GRECAPTCHA) when it was executed to provide its risk analysis. This is a cookie that contains a unique user identification number, which identifies a device. There is no longer any dispute that the data collected by the cookies is personal data within the meaning of Article 4, paragraph 1, GDPR: the cookies in question contain unique identification numbers and were stored on the device or in the browser of the party involved. With these identifiers, the complainants were able to distinguish between website visitors and also obtain information about whether they are new or returning website visitors. Without these identification numbers, it is not possible to distinguish between website visitors. In this context, it should be noted that all data records that contain identification features that can be used to identify users are considered personal data under the GDPR. A "digital footprint" can be generated from the combination of the information transmitted when a website is accessed, such as online identifiers, IP address, information about the browser, operating system, screen resolution, language selection, etc., which allows the end device and subsequently the specific user to be clearly individualized (see also BVwG W211 2281997-1). Cookies that contain a unique, randomly generated value (random number) and that are set with the purpose of individualizing and separating people meet the definition of Article 4, paragraph one, GDPR.

On the responsibility of the complainants:

The term "controller" in Article 4, Paragraph 7 of the GDPR is broadly defined as a natural or legal person, public authority, institution or other body which alone or jointly with others decides on the purposes and means of processing personal data.The term "controller" in Article 4, Paragraph 7 of the GDPR is broadly defined as a natural or legal person, public authority, institution or other body which alone or jointly with others decides on the purposes and means of processing personal data.

In addition, the term "controller", since it refers to the body which "alone or jointly with others" decides on the purposes and means of processing personal data, as Article 4(7) of the GDPR expressly provides, does not necessarily refer to a single body and may concern several actors involved in this processing, each of whom is then subject to data protection rules (see, accordingly, judgments of 5 June 2018, Wirtschaftsakademie Schleswig-Holstein, C‑210/16, EU:C:2018:388, para. 29, and of 10 July 2018, Jehovan todistajat, C‑25/17, EU:C:2018:551, para. 65).In addition, the term "controller", since it refers to the body which "alone or jointly with others" decides on the purposes and means of processing personal data, as Article 4(7) of the GDPR expressly provides, decides, does not necessarily refer to a single body and may concern several actors involved in this processing, each of whom is then subject to data protection rules (see, by analogy, judgments of 5 June 2018, Wirtschaftsakademie Schleswig-Holstein, C‑210/16, EU:C:2018:388, para. 29, and of 10 July 2018, Jehovan todistajat, C‑25/17, EU:C:2018:551, para. 65).

The ECJ has also ruled that a natural or legal person who, out of self-interest, influences the processing of personal data and thus participates in the decision on the purposes and means of this processing, can be regarded as a controller within the meaning of Article 4, Paragraph 7, GDPR (cf. judgment of 10 July 2018, Jehovan todistajat, C‑25/17, EU:C:2018:551, para. 68)The ECJ has also ruled that a natural or legal person who, out of self-interest, influences the processing of personal data and thus participates in the decision on the purposes and means of this processing, can be regarded as a controller within the meaning of Article 4, Paragraph 7, GDPR (cf. judgment of 10 July 2018, Jehovan todistajat, C‑25/17, EU:C:2018:551, para. 68)

The data protection responsibility of the The data protection responsibility of the first complainant and the second complainant within the meaning of Article 4, paragraph 7, GDPR in connection with the complained cookies on their own website is based on the fact that they decide on the purposes and means of the complained data processing via the cookies they set on the website they operate.The data protection responsibility of the first complainant and the second complainant within the meaning of Article 4, paragraph 7, GDPR in connection with the complained cookies on their own website is based on the fact that they decide on the purposes and means of the complained data processing via the cookies they set on the website they operate.

Furthermore, there is no doubt that the first complainant and the second complainant are media owners within the meaning of the Media Act who own a media company within the meaning of Section 1 Paragraph 1, paragraph 6, letter b of the Media Act. According to the case law of the ECJ, it is sufficient for the role of data protection controller if an actor influences the processing of personal data out of self-interest and thus participates in the decision on the purposes and means of this processing. In the context of (possible) joint responsibility, it is not necessary for all actors to have access to the personal data in question (cf. ECJ 29 July 2019, C-40/17, para. 68 f). The only prerequisite for classification as a data protection controller is that they influence the data processing out of self-interest and thus participate in the decision on the purposes and means of processing. The first complainant and the second complainant are the founder and founder of the party “ XXXX ”. They operate a website for the purpose of informing other people about this party and to create the opportunity to obtain additional party members. Under these circumstances, it can be assumed that the first complainant and the second complainant influence the processing of personal data in question out of self-interest and thus determine the means underlying these processes. The complainants therefore have a self-interest in influencing the processing of personal data. The first complainant and the second complainant complied with their disclosure obligation under Section 25 of the Media Act in the imprint of their website and listed themselves as the sole media owner. No other names were given. Even if another person were responsible for the design of the website, the first complainant and the second complainant are responsible for deciding on the purposes and means of processing. For this reason, the complainants' responsibility under data protection law can be affirmed. Furthermore, there is no doubt that the first complainant and the second complainant are media owners within the meaning of the Media Act who own a media company within the meaning of paragraph one, subsection one, item 6, letter b, of the Media Act. According to the case law of the ECJ, it is sufficient for the role of data protection controller if an actor influences the processing of personal data out of self-interest and thus participates in the decision on the purposes and means of this processing. In the context of (possibly) joint responsibility, it is not necessary for all actors to have access to the personal data in question (cf. ECJ 29 July 2019, C-40/17, para. 68 f). The only prerequisite for classification as a data protection controller is that it influences the data processing out of self-interest and thus participates in the decision on the purposes and means of processing. The first complainant and the second complainant are the founders of the “Roman 40” party. They operate a website for the purpose of informing other people about this party and to create the opportunity to obtain additional party members. Under these circumstances, it can be assumed that the first complainant and the second complainant influence the processing of personal data in question out of self-interest and thus determine the means on which these processes are based. It is therefore in the complainants’ own interest to influence the processing of personal data. The first complainant and the second complainant complied with their disclosure obligation under Section 25 of the Media Act in the imprint of their website and listed themselves as the sole media owner. No other names were given. Even if another person were responsible for the design of the website, the first complainant and the second complainant are responsible for deciding on the purposes and means of the processing. For this reason, the complainants’ responsibility under data protection law can be affirmed.

On the lack of consent:

The ECJ defines cookies as text files that the provider of a website stores on the user's computer and can retrieve when the user visits them again. This is intended to make navigation on the Internet easier and to obtain information about user behavior (ECJ October 1, 2019, C-673/17, para. 31).

According to Article 5, paragraph 3 of Directive 2002/58/EC as amended by Directive 2009/136/EC [on the processing of personal data and the protection of privacy in the electronic communications sector (Privacy Directive for electronic communications)], Member States must ensure that the storage of information or access to information already stored in a user's terminal equipment is only permitted if the user in question has actively given his consent on the basis of clear and comprehensive information that he receives in accordance with Directive 95/46/EC (Data Protection Directive), including on the purposes of the processing. According to Article 5, paragraph 3, of Directive 2002/58/EC as amended by Directive 2009/136/EC [on the processing of personal data and the protection of privacy in the electronic communications sector (Privacy Directive for electronic communications)], Member States must ensure that the storage of information or access to information already stored in a user's terminal equipment is only permitted if the user concerned has actively given his consent on the basis of clear and comprehensive information received in accordance with Directive 95/46/EC (Data Protection Directive), including on the purposes of the processing.

As already stated, the co-participating party's legal considerations are based essentially on the fact that when the complainants visited their website, no consent was given to the use of the Google reCAPTCHA service and the subsequent setting of the cookies identified, which resulted in the infringement of the co-participating party's rights due to the data processing carried out by the complained cookies due to the lack of legality.

As regards the wording of Article 5(3) of Directive 2002/58, it should be noted that, although it expressly provides that the user must have ‘given his consent’ for the storing and accessing of cookies on his device, it does not specify how consent is to be given. However, the words ‘given his consent’ suggest an interpretation of the wording that requires the user to take action to express his consent. In that regard, it is clear from recital 17 in the preamble to Directive 2002/58 that, for the purposes of that directive, the user’s consent may be given in any appropriate way which expresses the user’s wishes in a specific, informed and freely chosen way, including ‘checking a box on an internet website’. According to Article 2(h) of Directive 95/46, the term ‘consent of the data subject’ means ‘any freely given, specific and informed indication of the data subject’s wishes by which he or she signifies his or her agreement to the processing of personal data concerning him or her’. Finally, as regards the legislative history of Article 5(3) of Directive 2002/58, the original version of that provision merely provided that the user must have the right to refuse the storing of cookies after having received clear and comprehensive information, in particular on the purposes of the processing, in accordance with Directive 95/46. Directive 2009/136 substantially amended the wording of that provision by replacing that version with the phrase ‘has given his or her consent’. The history of Article 5(3) of Directive 2002/58 thus indicates that the user's consent can no longer be presumed and must result from active behavior on the part of the user (ECJ 1 October 2019, C‑673/17, paras 49, 51, 56). Regarding the wording of Article 5(3) of Directive 2002/58, it should be noted that it expressly provides that the user must have "given his consent" to the storage and retrieval of cookies on his device. However, it does not contain any information on how the consent is to be given. However, the words "given his consent" suggest an interpretation of the wording according to which the user must take action to express his consent. In this regard, it is clear from recital 17 in the preamble to Directive 2002/58 that, for the purposes of that directive, the user's consent may be given in any appropriate way which expresses the user's wishes in a specific, informed and freely given indication, including "checking a box on an internet website". According to Article 2(h) of Directive 95/46, the term "consent of the data subject" means "any freely given, specific and informed indication of his or her wishes by which the data subject agrees to the processing of personal data concerning him or her". Finally, with regard to the legislative history of Article 5(3) of Directive 2002/58, it should be noted that the original version of that provision merely provided that the user must have the right to refuse the storage of cookies after having received clear and comprehensive information, in particular on the purposes of the processing, in accordance with Directive 95/46. Directive 2009/136 significantly changed the wording of this provision by replacing the above version with the phrase "has given his consent". The history of Article 5, paragraph 3, of Directive 2002/58 thus indicates that the user's consent can no longer be presumed and must result from active behavior on the part of the user (ECJ 1 October 2019, C‑673/17 paras 49, 51, 56).

The party involved never consented to the use of reCAPTCHA. The complainants' claim that the party involved had previously consented to the use of reCAPTCHA was merely made unsubstantiated. According to Recital 42 of the GDPR, consent cannot be considered to have been freely given if the data subject does not have a genuine freedom of choice or is unable to refuse or withdraw his or her consent without suffering disadvantages. The co-involved party was not informed that the complainants' website uses reCAPTCHA, which is why the co-involved party could not effectively consent to the data processing. The complainants were never able to prove effective consent from the co-involved party.

Regarding the alleged violation of law:

In this specific case, there is no evidence that the co-involved party actively consented to the data processing or that the vital interests of the co-involved parties are affected. The only possible option is therefore processing based on the overriding legitimate interests of the first complainant and the second complainant.

The requirements for lawful data processing are specified in Art. 6 GDPR. According to this, the legality of any processing requires that the processing - cumulatively with the other principles regulated in Art. 5 Para. 1 - must satisfy at least one of the legal grounds conclusively defined in Art. 6 Para. 1 GDPR (cf. Selmayr in Ehmann/Selmayr, General Data Protection Regulation, Commentary², Art. 5 Rz 8 f.). In the specific case, only Art. 6 Para. 1 lit. f GDPR comes into question. There are no other legal bases within the meaning of Art. 6 Para. 1 GDPR for the processing and the complainant has not claimed any. The requirements for lawful data processing are specified in Article 6, GDPR. According to this, the legality of any processing requires that the processing - cumulatively with the other principles regulated in Article 5, paragraph one - must satisfy at least one of the legal grounds conclusively defined in Article 6, paragraph one, GDPR (see Selmayr in Ehmann/Selmayr, General Data Protection Regulation, Commentary², Article 5, margin number 8 et seq.). In the specific case, only Article 6, paragraph one, letter f, GDPR comes into question. No other legal bases within the meaning of Article 6, paragraph one, GDPR for the processing are apparent and were not claimed by the complainant.

The processing of personal data is permissible, among other things, in accordance with Article 6, paragraph 1, letter f, GDPR if it is necessary to protect the legitimate interests of the controller or a third party, unless the interests or fundamental rights and freedoms of the data subject which require the protection of personal data prevail. A case-by-case balancing of interests must be carried out, in which the legitimate interests of the controller or a third party for the processing must be compared with the interests or fundamental rights and freedoms of the data subject which require the protection of personal data. In doing so, the interests of the controller and of third parties must be taken into account on the one hand and the interests, rights and expectations of the data subject on the other (Recital 47 GDPR). In the course of this balancing of interests, the following conditions must be met cumulatively: (i) existence of a legitimate interest, (ii) necessity of processing the personal data in question in order to pursue this interest, (iii) no outweighing of the fundamental rights and freedoms of the data subject (cf. Jahnel, Commentary on the General Data Protection Regulation Art. 6 GDPR Rz 71 [as of 1.12.2020, rdb.at]). The processing of personal data is permissible, among other things, in accordance with Article 6, paragraph one, letter f, GDPR, if it is necessary to safeguard the legitimate interests of the controller or a third party, unless the interests or fundamental rights and freedoms of the data subject which require the protection of personal data prevail. A case-by-case balancing of interests must be carried out in which the legitimate interests of the controller or a third party for the processing must be compared with the interests or fundamental rights and freedoms of the data subject which require the protection of personal data. In doing so, the interests of the controller and of third parties must be taken into account on the one hand and the interests, rights and expectations of the data subject on the other (Recital 47 GDPR). In the course of this balancing of interests, the following conditions must be met cumulatively: (i) existence of a legitimate interest, (ii) necessity of processing the personal data in question in order to pursue this interest, (iii) no outweighing of the fundamental rights and freedoms of the data subject (cf. Jahnel, Commentary on the General Data Protection Regulation Article 6, GDPR Rz 71 [as of 1.12.2020, rdb.at]).

According to the ECJ ruling of July 4, 2023 in Case C-252/21, Article 6, Paragraph 1, Letter f, GDPR is to be interpreted as meaning that such processing can only be considered necessary to safeguard the legitimate interests of the controller or a third party within the meaning of this provision if the operator in question has communicated to the users from whom the data was collected a legitimate interest pursued with the data processing, if this processing is carried out within the limits of what is strictly necessary to achieve this legitimate interest and if a balancing of the opposing interests, taking into account all relevant circumstances, shows that the interests or fundamental rights and freedoms of these users do not outweigh the legitimate interest of the controller or a third party.According to the ECJ ruling of July 4, 2023 in Case C-252/21, Article 6, Paragraph 1, Letter f, GDPR is to be interpreted as meaning that such Processing can only be considered necessary to safeguard the legitimate interests of the controller or of a third party within the meaning of this provision if the operator in question has informed the users from whom the data was collected of a legitimate interest pursued with the data processing, if this processing is carried out within the limits of what is strictly necessary to achieve this legitimate interest and if a balancing of the opposing interests, taking into account all relevant circumstances, shows that the interests or fundamental rights and freedoms of these users do not outweigh the legitimate interest of the controller or of a third party.

The first complainant and the second complainant did not inform the co-participating party of a legitimate interest pursued with the data processing.

In the opinion of the deciding Senate, cookies set by the Google reCAPTCHA service are not necessary for the operation of a website, which is why the complainants do not have a legitimate interest, regardless of the fact that preventing bot entries is beneficial for website operators. The implementation of reCAPTCHA is not technically necessary for the operation of the website, as it has no influence on the functionality of the website, which is why there is no legitimate interest and the consent of the other party involved would have had to be obtained.

The appeal by the first appellant and the second appellant was therefore dismissed.

On the cancellation of the oral hearing:

According to Section 24 Paragraph 4 of the Administrative Court Act, an oral hearing - which was not requested by any of the parties - could be dispensed with, as the facts appear to have been clarified from the undisputed file in connection with the appeal and an oral discussion is not expected to provide further clarification of the legal matter. Neither Article 6 Paragraph 1 of the Convention for the Protection of Human Rights and Fundamental Freedoms, Federal Law Gazette No. 210/1958, nor Article 47 of the Charter of Fundamental Rights of the European Union, Official Journal No. C 83 of 30 March 2010, p. 389, stand in the way of the cancellation of the hearing. The holding of an oral hearing – which was not requested by any of the parties – could be dispensed with in accordance with Paragraph 24, Paragraph 4 of the Administrative Court Act (VwGVG), since the facts of the case appear to have been clarified from the undisputed file in connection with the complaint and an oral discussion is not expected to provide further clarification of the legal matter. Neither Article 6, Paragraph 1, of the Convention for the Protection of Human Rights and Fundamental Freedoms, Federal Law Gazette No. 210 of 1958, nor Article 47 of the Charter of Fundamental Rights of the European Union, OJ No. C 83 of 30.03.2010, p. 389, stand in the way of the cancellation of the hearing.

On B) Inadmissibility of the appeal:

According to Section 25a, Paragraph 1 of the Administrative Court Act, the administrative court must state in its ruling or decision whether the appeal is admissible in accordance with Article 133, Paragraph 4 of the Federal Constitutional Court Act. The ruling must be briefly justified.According to Section 25a, Paragraph 1, of the Administrative Court Act, the administrative court must state in its ruling or decision whether the appeal is admissible in accordance with Article 133, Paragraph 4 of the Federal Constitutional Court Act. The ruling must be briefly justified.

The appeal is not admissible according to Article 133, Paragraph 4 of the Federal Constitutional Court because the decision does not depend on the solution of a legal question of fundamental importance. The decision in question does not deviate from the previous case law of the Administrative Court, nor is there a lack of case law; furthermore, the current case law of the Administrative Court cannot be judged as inconsistent. There are also no other indications of the fundamental importance of the legal question to be resolved. Specific legal questions of fundamental importance were neither raised in the complaint in question, nor did they arise in the proceedings before the Federal Administrative Court.The appeal is not admissible according to Article 133, Paragraph 4 of the Federal Constitutional Court because the decision does not depend on the solution of a legal question of fundamental importance. The decision in question does not deviate from the previous case law of the Administrative Court, nor is there a lack of case law; furthermore, the current case law of the Administrative Court cannot be judged as inconsistent. There are also no other indications of a fundamental importance of the legal question to be resolved. Specific legal questions of fundamental importance were neither raised in the present complaint nor emerged in the proceedings before the Federal Administrative Court.