Banner1.jpg

BVwG - W176 2295345-1

From GDPRhub
Revision as of 14:46, 27 January 2025 by Ao (talk | contribs) (Created page with "{{COURTdecisionBOX |Jurisdiction=Austria |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=BVwG |Court_Original_Name=Bundesverwaltungsgericht |Court_English_Name=Federal Administrative Court |Court_With_Country=BVwG (Austria) |Case_Number_Name=W176 2295345-1 |ECLI=ECLI:AT:BVWG:2024:W176.2295345.1.00 |Original_Source_Name_1=RIS |Original_Source_Link_1=https://www.ris.bka.gv.at/Dokumente/Bvwg/BVWGT_20241204_W176_2295345_1_00/BVWGT_20241204_W176_2295345_1_0...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
BVwG - W176 2295345-1
Courts logo1.png
Court: BVwG (Austria)
Jurisdiction: Austria
Relevant Law: Article 5(1) GDPR
Article 6(1)(f) GDPR
Article 13 GDPR
Decided: 04.12.2024
Published: 22.01.2025
Parties:
National Case Number/Name: W176 2295345-1
European Case Law Identifier: ECLI:AT:BVWG:2024:W176.2295345.1.00
Appeal from: DSB (Austria)
Appeal to:
Original Language(s): German
Original Source: RIS (in German)
Initial Contributor: ao

A court reduced the DPA's fine issued to a controller from €1,500 to €750, as it held that the reduced amount would still suffice to deter the controller from repeating the violations.

English Summary

Facts

On the 20 April 2024, the Austrian DPA (Datenschutzbehörde – DSB) received a complaint issued against the operator of a tobacco shop.

The controller had installed CCTV cameras in front of their shop but did not put up an appropriate notice. Additionally, the controller had screenshotted a woman who hadn’t cleaned up after her dog, printed out the screenshot and stuck it to the window next to the entrance of his tobacco shop.

The DSB found that the cameras did not just monitor the entrance to the tobacco shop but also the entrance to an apartment building, the footpath the leading up to it and partly the nearby tram stop.

The controller argued that tobacco shops are subject to higher risk of danger. Further, the CCTVs use had already been justified through enabling a vandal to be identified. The monitored public area had been kept to a minimum and the recordings were only stored for a maximum of 24 hours. In response to the printed out picture of the woman, the controller stated that he had put a sticker over her face and that the woman herself had most likely removed the sticker.

The controller also brought forward that based on training given by the Office of Criminal Investigation of Lower Austria (Landeskriminalamt Niederösterreich - LKA).

The DSB held that the controller had violated Article 5(1) (a)(b)&(c) GDPR, Article 6(1)(f) GDPR and Article 13 GDPR and issued a €1,500 fine.

The controller appealed the decision to the Federal Administrative Court of Austria (Bundesverwaltungsgericht – BVwG). He stated that thieves and criminals constantly threatened his shop and that he had to fear for his life. He disclosed that roughly a month before the appeal a bomb attack on his shop had been carried out, causing five-digit damage.

The DSB requested the controller’s claim to be rejected.

Holding

The BVwG held that the controller did have a legitimate interest in installing the CCTV but that the recorded area exceeded what was necessary. The BVwG rejected the controller’s claim that he had a legitimate interest in publicly displaying the dog owner’s picture. Further, it reiterated that a sticker is not an appropriate anonymization method. It also agreed with the DSB’s assessment that the pictograms showing a camera were not sufficient information on the data processing under Article 13 GDPR.

Therefore, the BVwG confirmed the DSB’s assessment of the violations of Article 5(1) (a)(b)&(c) GDPR, Article 6(1)(f) GDPR.

The BVwG however highlighted mitigating factors: First, it listed the fact that the controller regretted his actions. Second, it stated the affixing of pictograms to inform was a genuine erroneous belief on the part of the controller based on the inadequate training provided by the LKA. Third, it highlighted that the DSB only had vague information on CCTV information notices on its website.

The BVwG therefore decided to reduce the fine as this would suffice to deter the controller from repeating the violations. Based on the damage suffered by the bomb attack, the BVwG determined that a €750 fine would suffice.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

Headquarters Vienna
                                                           Erdbergstraße 192 – 196, 1030 Vienna
                                                                        Tel: +43 1 601 49 – 0
                                                                  Fax: +43 1 711 23-889 15 41
                                                                           www.bvwg.gv.at



                    E N T C H E I D U N G S D A T U M

                                0 4 . 1 2 . 2 0 2 4

                           G E S C H A F T NUMBER




                       W 1 7 6 2 2 9 5 3 4 5 - 1 / 8 E

                I M N A M E N D E R R E P U B L I K!


The Federal Administrative Court, through Judge Mag. NEWALD as chairman and

the expert lay judges Mag. BOGENDORFER and RAUB, on the complaint of XXXX

against the penal decision of the Data Protection Authority dated 14.06.2024, No. D550.1031 2024-
0.365.245, after conducting a public oral hearing, rightly recognizes:

A)

I. The complaint is dismissed with regard to the ruling on the The sentence imposed is partially upheld and the fine imposed is reduced to a total of EUR 750 (alternative prison sentence of 45 hours). Correspondingly, the contribution to the costs of the criminal proceedings before the authority concerned is reduced to EUR 75 in accordance with Section 64 of the Criminal Prosecution Act. II. In Otherwise, the complaint is dismissed as unfounded.

III. According to Section 52 Paragraph 8 of the Administrative Court Act, the complainant is not required to bear the costs of the administrative court proceedings.

B)

The appeal is not admissible according to Article 133 Paragraph 4 of the Federal Constitutional Court Act. - 2 -

Reasons for the decision:

I. Course of proceedings:

1. On April 20th .2024, a report was received via the input form on the website of the

Data Protection Authority (hereinafter: DPO, concerned authority) that XXXX

(hereinafter: BF) had installed two video surveillance cameras on the outer wall of the building in which the tobacco shop he ran was located, which are not

legally marked and also cover the sidewalk. In addition, the BF publicly denounced a woman who had not cleaned up the excrement left by her dog in front of the tobacconist's by putting up a photograph of her on the basement window next to the entrance to the tobacconist's. 2. The authority concerned subsequently initiated a Administrative penal proceedings against the BF.

3. With a request for justification dated May 6, 2024, the authority concerned accused

the BF of having committed several administrative offenses as the person responsible. He is suspected of having unlawfully processed personal data at least in the period from April 20, 2024 to May 6, 2024 (time of the crime) in XXXX Graz, XXXX 11/EG (crime scene) by operating an image processing system (video surveillance system consisting of two cameras mounted on the outside wall of his business premises) at the crime scene, whereby the recording range of the system also covered an area or .

which is not within the exclusive control of those responsible.

The recording area of the two cameras also included the entrance to the

apartment building in XXXX Graz, XXXX , as well as the adjacent public sidewalk

and the BF illegally printed out an excerpt from the video surveillance he had carried out

and attached it to the wall of his tobacconist’s shop, whereby this printout was in the request for justification was reproduced
(Offense point I.).

There is also a suspicion that the BF did not mark the video surveillance system appropriately at the crime scene at the time of the crime and thus did not comply with his obligation to provide information under Art. 12 and 13 GDPR (Offense point II.) . - 3 -

Finally, there is a suspicion that the system in question has been operated "to date"

and is still not suitably marked.

4. In a letter dated May 14, 2022, the BF submitted a justification on time and initially pointed out that all tobacconists were trained by the police in security matters because they were exposed to particular danger. The video surveillance therefore served a legitimate purpose. Attacks on tobacconists find themselves on a daily basis. In the case of the BF, video surveillance has already been successful in that the perpetrator of the damage to property has been identified. The cameras can only be mounted on the house wall and are positioned in such a way that the coverage of public areas is as low as possible. Therefore, video surveillance is limited to the extent that is absolutely necessary. The recordings are not stored for longer than twenty-four hours. Regarding the photograph that was displayed, the BF stated that he had obscured the face of the person depicted in it with a sticker. The sticker was probably removed by the woman herself. The woman had deliberately let her dog do its business in front of the vending machine belonging to the tobacconist's shop. After the incident, her brother came into the BF's tobacconist's shop and threatened him that he would ensure that no more customers would come into the tobacconist's shop , and he himself would relieve himself in front of the tobacconist's. The BF also denied having failed to comply with the obligation to provide information regarding the video surveillance.

5. In the contested penal decision of 14 June 2024, the authority concerned assumed that the BF had realised the following facts and thereby committed the following administrative offences: Firstly, as the person responsible, he had at least in the period from 20 April 2024 to 14 June 2024 (period of the offence ) in XXXX Graz, XXXX (crime scene), unlawfully processed personal
(image) data by operating two image processing systems for video surveillance at the crime scene. The recording area of the system includes not only the adjacent public sidewalk and bicycle path but also a section of the tram tracks at both stops XXXX in XXXX. The data processing by the BF using the system at the crime scene is therefore not appropriate and significant for the purpose and is limited to what is necessary for the purposes of the processing. The extent of the action was limited and, as a result, could not be supported by any legal basis pursuant to Art. 6 (1) GDPR.

In addition, the BF had attached an excerpt from the video recordings, in which a person could be seen, to the outside wall of his business premises. - 4 -

the BF committed administrative offenses pursuant to Art. 5 Para. 1 lit. a, b and c and Art. 6 Para. 1 lit. f
in conjunction with Art. 83 Para. 1 and 5 lit. a GDPR (judgment point I.).On the other hand, the BF, as the person responsible at the crime scene during the same period of time, violated its obligation to provide information pursuant to Art. 13 GDPR by not appropriately marking the video surveillance system or providing any other information to the persons concerned in order to inform them about the processing by the video surveillance system. As a result, the persons concerned when their personal data was collected in the reception area of the facility, they were not informed about the processing described above in accordance with Art. 12 and 13 GDPR. The BF therefore committed an administrative offence in accordance with Art. 5 para. 1 lit. a in conjunction with Art. 12 and 13 in conjunction with Art. 83 para. 1 and 5 lit. b GDPR (point II.).

For these administrative offences, the authority imposed a fine of EUR 1,500 on the BF pursuant to Article 83 of the GDPR and also required him to pay EUR 150 as a contribution to the costs of the administrative penal proceedings pursuant to Section 64 of the Administrative Penalty Act. The authority concerned found that the BF operated a tobacco shop in XXXX Graz, XXXX under the company name XXXX and that operated a video surveillance system consisting of two video cameras during an unspecified period of time, but in any case from April 20, 2024 to June 14, 2024. The two video cameras were mounted to the left and right of the entrance door to the tobacconist's shop and monitored the adjacent public sidewalk, the adjacent bicycle path and a section of the tram tracks at the stop

XXXX in the XXXX.

The DSB also found that the video cameras regularly recorded people who were in the recording area of the video cameras without these people having given their consent. To mark this, the BF had placed pictograms depicting a video camera in several places. . In addition, there is a screen inside the tobacconist's shop that transmits the recordings in real time. The BF operates the video surveillance system primarily to protect his assets. In addition, the BF did not mark the video surveillance or provide any information about the video surveillance. He also attached a printed excerpt from the video camera recordings, which showed a woman whose dog (also pictured) was doing its business in the entrance area of the tobacconist's, to the outside wall of the tobacconist's next to the cigarette machine and added the handwritten caption "THANKS FOR THIS SHIT!" Finally, the authority concerned - 5 -

established the information provided by the BF in his justification regarding his

financial situation.

Assessing the evidence, the DSB stated that the findings resulted from an inspection of

the central register of residents, the administrative criminal file, the information provided by the BF and the photographs he

submitted and from the submission to the DSB, which led to the initiation of the official investigation procedure.The authority concerned then stated from a legal point of view that the image data recorded by the video cameras in the present case undoubtedly constituted personal data within the meaning of Art. 4 Z 1 GDPR (and referred to ECJ 11.12.2014, C-

212/13 (Ryneš), para. 2). The operation of the video surveillance system is to be qualified as processing and the BF as the controller. The purpose of the operation is to protect against attacks.

Regarding the legality of the video surveillance system (point I.), it was stated that, in the absence of the consent of the person concerned, only the justification under Art. 6 para. 1 lit. f GDPR comes into consideration. Since the video surveillance serves to protect the property and physical integrity of the BF - for which he was able to give a concrete example - there is a legitimate interest within the meaning of Art. 6 Paragraph 1 Letter f of GDPR. However, in light of the requirement of data minimization and the case law of the ECJ, the video surveillance carried out is not necessary for this purpose, since the bicycle path adjacent to the sidewalk and the area around the XXXX tram stop in XXXX are also recorded by the video cameras. A more detailed balancing of interests is therefore not necessary and the video surveillance is unlawful to the extent actually carried out. The public denunciation of the dog owner is unlawful because, according to the BF, the public notice served to draw the dog owner's attention to her misconduct and thus served a different purpose than the original data processing, which served to protect the BF's property. The notice therefore constitutes improper further processing. In this regard, there is neither the consent of the person concerned nor a necessary and proportionate measure to protect the objectives set out in Article 23 Paragraph 1 of the GDPR, since the punishment of administrative offenses is the responsibility of the administrative penal authorities. The improper further processing therefore violates the principle of purpose limitation in accordance with Article 5 Paragraph 1 Letter b of the GDPR. The BF's claim that he had made the dog owner's face unrecognizable by attaching a sticker is a pure defensive claim and - 6 -

such an approach would in any case be unsuitable for ensuring the anonymity of the person depicted.

With regard to the information obligation under the GDPR (point II), the BF failed to inform the persons affected by the video surveillance about the purpose for which it was operating a video surveillance system, whether and in what form the recordings were stored and whether and to whom the recordings were transmitted. The markings it made in the form of pictograms therefore did not fulfil the information obligation under Article 5(1)(a) in conjunction with Articles 12 and 13 of the GDPR. With regard to the subjective aspect of the offense, the authority concerned stated that, according to the case law of the ECJ, violations of the GDPR could only lead to the imposition of a fine if the person responsible had acted culpably, whereby negligence was sufficient. This was the case in the present case because the BF had "consciously decided" to put the video surveillance system into operation. The printout showing the dog owner was intentional. In any case, however, there was negligence within the meaning of Art. 83 Paragraph 2 Letter b. GDPR because it was possible and reasonable for the BF to make enquiries before putting the video surveillance system into operation in order to ensure that the video surveillance was designed in accordance with data protection regulations.

Regarding the penalty, the DSB stated that the maximum penalty in the specific case was EUR 20,000,000 in accordance with Art. 83 Paragraph 5 Letter a GDPR. With regard to the BF's income and assets, the authority concerned assumed that his monthly net income was EUR 2,500 and that he was the owner of a house. This is offset by financial obligations amounting to EUR 159,000. The BF is responsible for the care of two children aged six and twelve. The operation of the video surveillance system violated the fundamental rights of the persons concerned over several months. The public exposure of those affected by the posting of the photograph showing the dog owner is to be regarded as an aggravating factor. The BF acted intentionally. The authority concerned considered the fact that the BF had not yet committed any administrative offenses under the GDPR and the BF's cooperation in establishing the facts to be mitigating factors. When determining the penalty, special and general preventive considerations must also be taken into account. The imposition of the fine - even in the amount imposed - was necessary in the interests of

effectiveness and deterrence, since the BF showed "no understanding at all" during the administrative procedure and in order to deter other responsible parties

from committing similar administrative offenses. The specific - 7 -

imposed penalty appears in its amount in view of the actual value of the offense -

measured against the available penalty range of up to EUR 20,000,000.00 and taking into account the assets and income of the BF -

appropriate to the offense and guilt and is at the lowest end of the available penalty range.

6. The complaint of June 25, 2024, which was filed on time and received by the DSB on June 28, 2024, is directed against this criminal judgment. In it, the BF stated that he was shocked by the criminal judgment. He is constantly being visited by "thieves and criminals" and has to fear for his life. Only recently (on May 20, 2024), a bomb attack was carried out on his tobacconist's shop, causing damage in the five-figure range, which proves how necessary the video surveillance system is. He takes data protection very seriously, but the operation of a video surveillance system is necessary due to the frequency of attacks on tobacconists. The mounted video cameras only record those public areas without which meaningful video surveillance is not possible. The

stop XXXX was not covered by the video cameras' recording areas and he had positioned the video cameras in such a way that the recording of public areas was limited to the bare essentials. He could not afford pixelation programs.

He had only hung up the photograph showing the dog owner to show her that

she had acted illegally, and he had made her face unrecognizable by attaching a round

sticker. Even without the sticker, however, the woman was not really recognizable. The dog owner had deliberately and repeatedly let her dog do its business in front of the vending machine belonging to the tobacconist's. However, he could not report her

as he did not know her name. In the photograph that was hung up, the woman was also not recognizable to anyone other than herself.

A fine was not appropriate as he had not acted intentionally or negligently.

The BF had only recently taken over the tobacconist's shop, was 50% disabled and an easy victim for criminals. The fine imposed was disproportionate and threatened his livelihood.

Regarding the breach of the duty to provide information, he stated that it was clear to anyone standing in front of his tobacconist's shop that a video surveillance system was in operation. The pictograms indicating this were very easy to see. In the training courses he had attended, it was pointed out that pictograms were particularly good for labelling, as they could also be understood by people who did not speak German. The purpose of the video surveillance was self-evident anyway, as the video cameras were mounted on the facade of a tobacconist's shop. Inside, the video surveillance was easily recognizable for every customer, as the recordings could be viewed on a screen.

The BF enclosed photographs with its complaint showing the masked perpetrator of the incident on May 20, 2024 and the devastation he caused, as well as a report confirmation regarding this incident. 7. In a statement dated June 4, 2024, the DSB denied the BF's complaint in its entirety, referred to the statements in the contested criminal judgment and requested that the Federal Administrative Court dismiss the complaint as unfounded and order the BF to bear the costs in accordance with Section 52 of the Administrative Court Act. At the same time, it submitted the complaint in question to the Federal Administrative Court, together with the administrative act. 8. In his statement of September 16, 2024, the BF submitted photographs intended to prove the now improved labeling of the video surveillance system, as well as photographs showing the sticker he used to disguise the dog owner and photographs intended to illustrate the attack on his tobacco shop. He also provided information about himself and his assets and income, which supplemented the previous information in the following respect: He had financial obligations in the form of monthly installments of EUR 1,400.00 and had received rehabilitation benefits totaling EUR 68,678.15 net from the Austrian Health Insurance Fund from April 1, 2022 to August 31, 2024. 9. On October 15, 2024, an oral appeal hearing took place before the Federal Administrative Court, in which the BF and the authority concerned participated and in which the BF was questioned as an accused. During his questioning, the BF initially stated that he had opened his tobacconist's in September 2023 and that it was to be assumed that he had made a loss in the previous year because investments had also to be made. He then stated that he had installed the video cameras shortly after the tobacconist's opened. Due to the local conditions, the video cameras could not be positioned in such a way that less public space was recorded without thwarting the purpose of the video surveillance. The recordings from the video surveillance system were deleted after twenty-four hours and the video cameras had never been repositioned. On the advice of the State Criminal Police Office, he marked the - 9 -

facility with pictograms, and the words "Caution video surveillance" were also added. In the meantime, he has put up notices in German,

English, French and Spanish and a sign containing information about the

purpose and storage period of the recordings as well as the rights of the people affected by the recordings. He sent photographs of these to the court in his

statement of September 16, 2024. During the training at the

State Criminal Police Office of Lower Austria, only a general reference was made to the obligation to mark the

video surveillance.

Regarding the printed and displayed photograph of the dog owner, the BF stated that he had noticed that dog excrement had been left in the same place again and again, which is why he assumed that this had not happened by chance but intentionally.

At first he ignored it, but after the fifth or sixth time he looked at the video material and then printed out the photograph in question. However, he had made the face unrecognizable by attaching a round sticker. The photograph then remained on the cellar door to the right of the cigarette machine for a day. The following day the dog owner came into the tobacconist's angrily and said that the BF would see what he got out of his actions, that he was only a small tobacconist and that she was studying law. The dog owner and her brother now walk past the tobacconist's every day laughing, but the dog excrement issue has at least stopped. Regarding the sticker he used to try to obscure the woman's face, he said that it was an adhesive label that he normally uses to mark prices. He did this to avoid administrative criminal proceedings. The purpose of putting up the printout in public was to get the dog owner to look at it and to refrain from future contamination. He was unable to go to the police about the dog excrement incidents because he did not know the dog owner's name. Although stickers of this type are easy to remove, the sticker used in this case certainly did not come off by itself, but was torn off. In his experience, even when such a sticker is removed from a newspaper, no residue is left behind. He had neither had a conversation with the woman nor had he intended to have one.

The authority concerned, however, took the view that the claim that the BF had attached a sticker to the printout was a protective claim.

However, even if this were true, in the light of the case law of the ECJ - 10 -

and the Administrative Court, attaching a sticker to anonymize the image was unsuitable. There was no evidence in the photographs available to the DSB that they had been manipulated, i.e. that adhesive residues had been retouched.

Regarding the possibility of limiting the recording range of the video cameras using technical means, the BF stated that using an aperture or a physical bar would make the image blurry, which he had also tried with a sheet of paper, and that pixelation software would cost a lot of money. However, he turned the video cameras as far as possible towards the house wall and thus limited the recording area. Later, the BF repeated that he assumed that pixelation programs or similar programs would cost a lot of money. The authority in question replied that it was clear from the BF's statements that he had not inquired about technical options for limiting the recording area. As far as the circumstances relevant to the assessment of the sentence are concerned, the BF stated that he had incurred renovation costs of EUR 20,000 as a result of the attack on his tobacconist's. His insurance company has so far refused to cover these costs and he assumes that this refusal will continue. The authority in question pointed out that in their opinion the BF had lacked insight and willingness to restore the situation to legal compliance during the administrative procedure. The BF had not informed himself sufficiently and was still operating the video surveillance system to the extent criticized by the DSB. The BF rejected this in its entirety. The DSB had not given him any specific advice on what he should change in the video surveillance system. He had complied with all of the DSB's requests and had provided everything that had been requested. It is highly likely that he would no longer display such a photograph publicly. Finally, the BF stated that he took data protection seriously and was sorry if he had committed any transgressions in this regard. These were certainly not intentional. The authority in question pointed out that the level of the penalty was primarily due to the public display of the photograph. The excessive video surveillance and the inadequate provision of information only played a minor role in determining the penalty. In addition, the crime scene is an extremely busy area, which is why a large number of people are affected by the video surveillance. General preventive considerations should not be ignored either, and even in the case of unfavorable income and assets, it cannot be assumed that there is a right to impose the minimum sentence. - 11 -

II. The Federal Administrative Court considered:

1. Findings:

The BF has been operating a tobacco shop at the address XXXX Graz, XXXX since September 2023 under the company XXXX .

Shortly after opening his tobacco shop, he installed two video cameras on the outside wall of the business premises. These two video cameras are located to the right and left of the entrance door to the tobacco shop and are aimed at it. The recordings from the video cameras are stored for twenty-four hours.

The recording area of the video cameras included not only the outside wall of the tobacconist's shop, but also the public sidewalk, the adjacent bicycle path and part of the XXXX tram stop including the tracks, and can be seen in the following photograph: The BF placed a pictogram on the company sign and a pictogram between the cigarette machines on a pipe. The two pictograms show a stylized surveillance camera. No further information could be found in the pictograms. Inside the shop there is a screen onto which the video camera recordings are transmitted in real time. Based on the information he received during a training session by the Lower Austrian State Office of Criminal Investigation, he assumed that marking the video surveillance system with pictograms was sufficient. The purpose of the video surveillance is to protect the BF's tobacconist's shop from damage to property, robberies and the like. On May 20, 2024, the tobacco shop was devastated by an explosion triggered by unknown persons. On March 16, 2024, property damage also occurred at the BF's tobacco shop. For a period of time that can no longer be determined, a printed excerpt from the video surveillance carried out by the BF, which had been put up by the BF, hung for about a day on the basement door to the right of the two cigarette machines belonging to the BF's tobacco shop. This excerpt showed a dog owner whose dog was relieving itself in front of the tobacco shop. In addition,

he wrote on the printout in his handwriting: "THANKS FOR THE SHIT!" The BF

intended to use this measure to convince the dog owner that her actions were illegal. He attached a sticker to the printout that could be easily removed without leaving any adhesive residue in order to obscure the dog owner's face.

The BF is a self-employed tobacconist, earns around EUR 2,500 net per month and

is responsible for the care of two underage children. He owns a single-family home and

has financial obligations of EUR 156,000, which he repays in monthly installments of EUR 1,400. In addition, he lost EUR 20,000 as a result of the above-mentioned bomb attack on his tobacconist's shop.

The BF cooperated in the investigation by the authority concerned and shows understanding for his misconduct. There are no relevant previous administrative criminal convictions against him.

2. Assessment of evidence:

The findings that the BF runs a tobacconist's shop in XXXX, installed video cameras next to the entrance door and that these video cameras also recorded public areas,

as well as the determination on the storage period of the recordings, could be made on the basis of the DSB's investigations as can be taken from the administrative act and the BF's consistent and plausible statements in the administrative proceedings and before the adjudicating court.

The fact that the cameras were installed shortly after the tobacconist's shop opened in September 2023 is evident from the BF's statement in the oral hearing.

Based on the photographs submitted and the credible information provided by the BF, it was determined that the BF placed the described pictograms in two places. The finding that the BF assumed that the placement of pictograms was sufficient is also based on the BF's description, which convinced the Senate. The fact that unknown perpetrators triggered an explosion in May 2024 by using explosives is evident from the photographs submitted by the BF and its comprehensible information on this. The BF was also able to provide confirmations of reports regarding damage to property on March 16, 2024 and the explosion mentioned on May 20, 2024. The latter was also mentioned by the local media "Der Grazer" in its reporting. The fact that the video surveillance

serves the purpose of protecting the BF's assets is understandable for the court hearing the case

in view of the large number of attacks on tobacconists, which the two

incidents mentioned also illustrate. - 13 -

The findings regarding the public display of the printout showing the dog owner on the submission underlying the proceedings before the DSB, the

investigation procedure subsequently carried out by the authority concerned and the plausible

statements of the BF. The fact that the BF attempted to make the dog owner's face unrecognizable by attaching a

sticker to the printout is based on the specific

and comprehensible statement of the BF.The findings made regarding the BF's income and assets are based on the BF's comprehensible and consistent statements in this regard throughout the proceedings. The fact that he only reported the damage caused by the explosion at the oral hearing is understandable for the court, given the fact that the explosion only occurred on May 20, 2024, i.e. shortly before the penal decision was issued. The fact that the BF cooperated with the authority concerned in the administrative proceedings is evident from his statements to the DSB. Since he expressed his regret at the oral hearing before the Federal Administrative Court about the data protection violations he had committed, it was found that he showed understanding in this regard. The BF's integrity in terms of data protection is evident from the statements made by the
authority concerned in the contested criminal judgment.

3. Legal assessment:

According to Section 6 BVwGG, the Federal Administrative Court decides by a single judge, unless
federal or state laws provide for a decision by a senate. According to

Section 27 DSG, the Federal Administrative Court decides by a senate in proceedings on complaints against

decisions, for violation of the duty to inform pursuant to Section 24 Para. 7 DSG and for violation of the duty to decide by the data protection authority. The senate

consists of a chairman and one expert lay judge each from the circle of

employers and the circle of employees.

According to Section 28 Para. 1 VwGVG, the administrative court must settle the legal matter by a decision

unless the complaint is rejected or the proceedings are to be discontinued.

According to Section 31 Paragraph 1 VwGVG, decisions and orders are made by resolution,
unless a ruling is to be made. - 14 -

According to Section 28 Paragraph 2 VwGVG, the administrative court must decide on the merits of complaints pursuant to Article 130

Paragraph 1 Item 1 B-VG if (1.) the relevant

facts are established or (2.) the determination of the relevant facts by the

administrative court itself is in the interest of speed or is associated with significant

cost savings.

On the partial granting of the complaint:

The relevant provisions of the GDPR read in extracts:

“Article 4

Definitions

For the purposes of this Regulation, the following terms shall apply:

1. ‘personal data’ means any information relating to an identified or identifiable

natural person (hereinafter ‘data subject’); a natural person is considered identifiable if he or she can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more special characteristics that express the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; 2. ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or any other form of provision, alignment or linking, restriction, erasure or destruction; […]

7. ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

[…]

Article 5

Principles for the processing of personal data

(1) Personal data must:

a) be processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness, transparency’); - 15 -

b) be collected for specified, explicit and legitimate purposes and must not be further processed in a manner incompatible with those purposes; further processing
for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered incompatible
with the original purposes pursuant to Article 89(1) (‘purpose limitation’);

c) be adequate, relevant and limited to what is necessary for the purposes of the processing
(‘data minimisation’);

d) be accurate and, where necessary, kept up to date; every reasonable
measure shall be taken to ensure that personal data which are inaccurate, having regard to the purposes for which they are
processed, are erased or rectified without delay (‘accuracy’);

e) be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which they are processed; personal data may be stored for a longer period provided that the personal data are processed exclusively for archiving purposes in the public interest or for scientific and historical research purposes or statistical purposes in accordance with Article 89(1), subject to the implementation of appropriate technical and organisational measures required by this Regulation to protect the rights and freedoms of the data subject ('storage limitation'); (f) are processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures ('integrity and confidentiality'); (2) The controller shall be responsible for compliance with paragraph 1 and shall be able to demonstrate compliance ('accountability'). Article 6

Lawfulness of processing

(1) Processing shall be lawful only if at least one of the following conditions is met:

a) the data subject has given consent to the processing of personal data concerning him or her for one or more specific purposes;

b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

c) processing is necessary for compliance with a legal obligation to which the controller is subject;

d) processing is necessary to protect the vital interests of the data subject or of another natural person;

e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; - 16 -

f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their duties.

(2) Member States may maintain or introduce more specific provisions to adapt the application of the rules of this Regulation to processing for the purposes of fulfilling points (c) and (e) of paragraph 1 by specifying specific requirements for processing and other measures to ensure lawful and fair processing, including for other specific processing situations as referred to in Chapter IX.

(3) The legal basis for processing operations referred to in points (c) and (e) of paragraph 1 shall be determined by

a) Union law or

b) Member State law to which the controller is subject.

The purpose of the processing must be specified in that legal basis or, as regards

the processing referred to in point (e) of paragraph 1, it must be necessary for the performance of a task carried out in the

public interest or in the exercise of official authority vested in the controller. That legal basis may contain specific provisions to adapt the
application of the rules of this Regulation, including provisions on
the general conditions governing the lawfulness of processing by the
controller, the types of data processed, the data subjects concerned, to which entities and for which purposes the personal data may be disclosed, the purpose limitation, the period of storage and the processing operations and procedures that may be applied, including measures to ensure lawful and fair processing, such as those for other specific processing situations referred to in Chapter IX. Union or Member State law must pursue an objective in the public interest and be proportionate to the legitimate purpose pursued.(4) Where processing for a purpose other than that for which the personal data were collected is not based on the consent of the data subject or on a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to protect the objectives referred to in Article 23(1), the controller shall, in order to determine whether processing for a different purpose is compatible with that for which the personal data were initially collected, take into account, inter alia: (a) any link between the purposes for which the personal data were collected and the purposes of the intended further processing; (b) the context in which the personal data were collected, in particular as regards the relationship between the data subjects and the controller; (c) the nature of the personal data, in particular whether special categories of personal data are processed pursuant to Article 9 or whether personal data relating to criminal convictions and offences pursuant to Article 10, - 17 -

d) the possible consequences of the intended further processing for the data subjects,

e) the existence of appropriate safeguards, which may include encryption or pseudonymisation.

[…]

Article 12

Transparent information, communication and modalities for exercising the rights of the data subject

(1) The controller shall take appropriate measures to provide the data subject with all information referred to in Articles 13 and 14 and all communications referred to in Articles 15 to 22 and Article 34 relating to the processing in a concise, transparent, intelligible and easily accessible form, using clear and plain language; this shall apply in particular to information specifically addressed to children. The information shall be provided in writing or in another form, including, where appropriate, electronically. If requested by the data subject, the information may be provided orally, provided that the identity of the data subject has been proven in another form.

[…]

(5) Information pursuant to Articles 13 and 14 and all notifications and measures pursuant to

Articles 15 to 22 and Article 34 shall be provided free of charge. […]

[…]

(7) The information to be provided to data subjects pursuant to Articles 13 and 14 may be provided in combination with standardised icons in order to provide a meaningful overview of the intended processing in an easily perceptible, understandable and clearly comprehensible form. If the icons are presented in electronic form, they must be machine-readable.

[…]

Article 13

Information obligation when personal data are collected from the data subject

(1) Where personal data are collected from the data subject, the controller shall inform the data subject of the following at the time of collection of the data:

a) the name and contact details of the controller and, where applicable, of his representative;

(b) where applicable, the contact details of the data protection officer;

(c) the purposes for which the personal data are to be processed and the
legal basis for the processing;

(d) where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by
the controller or by a third party;

(e) where applicable, the recipients or categories of recipients of the personal data; and - 18 -

[…]

(2) In addition to the information referred to in paragraph 1, the controller shall provide the data subject

at the time of collecting those data with the following additional information necessary to ensure fair and transparent processing:

(a) the period for which the personal data will be stored, or, if that is not possible,

the criteria used to determine that period;

b) the existence of a right to information from the controller about the personal data concerned, as well as to rectification or erasure or restriction of processing, or to object to processing and the right to data portability;

c) where the processing is based on Article 6(1)(a) or Article 9(2)(a),

the existence of a right to withdraw consent at any time, without affecting the lawfulness of the processing carried out on the basis of the consent until its withdrawal;

d) the existence of a right to lodge a complaint with a supervisory authority;

(e) whether the provision of the personal data is required by law or contract or is necessary for entering into a contract, whether the data subject is obliged to provide the personal data and the possible consequences of failure to provide them; and (f) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for the data subject. (3) Where the controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the controller shall provide the data subject with information about that other purpose and any other relevant information pursuant to paragraph 2 before such further processing. (4) Paragraphs 1, 2 and 3 shall not apply if and to the extent that the data subject already has the information. Article 24

Responsibility of the controller

(1) The controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that the

processing is carried out in accordance with this Regulation, taking into account the nature, scope, context and

purposes of the processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons. Those measures shall be reviewed and updated where necessary.

[…]

Article 83

General conditions for the imposition of administrative fines - 19 -

(1) Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article for

infringements of this Regulation pursuant to paragraphs 4, 5 and 6 is effective, proportionate and dissuasive in each individual case.

(2) Administrative fines shall be imposed in addition to or instead of measures referred to in points (a) to (h) and (j) of Article 58(2), depending on the circumstances of the case. In deciding on the imposition of an administrative fine and on the amount thereof, due account shall be taken in each individual case of: (a) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing concerned, as well as the number of data subjects affected by the processing and the extent of the damage suffered by them; (b) the intentional or negligent nature of the infringement; (c) any measures taken by the controller or processor to mitigate the damage caused to data subjects; (d) the degree of responsibility of the controller or processor, taking into account the technical and organisational measures taken by them in accordance with Articles 25 and 32; (e) any relevant previous infringements by the controller or processor;

f) the level of cooperation with the supervisory authority to remedy the infringement and mitigate its possible adverse effects;

g) categories of personal data affected by the infringement;

h) how the infringement became known to the supervisory authority, in particular whether and, if so, to what extent the controller or processor communicated the infringement;

i) compliance with measures previously ordered pursuant to Article 58(2) against the controller or processor concerned in relation to the same subject matter, where such measures were ordered;

j) compliance with approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and

k) any other aggravating or mitigating circumstances specific to the case, such as financial benefits or losses avoided directly or indirectly as a result of the infringement.

[…]

(5)In accordance with paragraph 2, infringements of the following provisions shall be subject to administrative fines of up to EUR 20 000 000 or, in the case of an undertaking, up to 4% of its total worldwide annual turnover of the preceding financial year, whichever is higher:

(a)the principles for processing, including the conditions for consent, set out in Articles 5, 6, 7 and 9; […]”

Recital 148 of the GDPR states: - 20 -

“In order to ensure more consistent enforcement of the provisions of this Regulation, infringements of this Regulation should be subject to sanctions, including administrative fines, in addition to or instead of appropriate measures imposed by the supervisory authority under this Regulation. In the case of a minor infringement or if the expected fine would impose a disproportionate burden on a natural person, a warning may be issued instead of a fine. However, due account should be taken of the nature, gravity and duration of the infringement, the intentional nature of the infringement, the measures taken to mitigate the damage caused, the degree of responsibility or any previous infringement, the manner in which the infringement came to the knowledge of the supervisory authority, compliance with the measures ordered against the controller or processor, compliance with codes of conduct and any other aggravating or mitigating circumstance. For the imposition of sanctions, including fines, there should be appropriate procedural safeguards that comply with the general principles of Union law and the Charter, including the right to effective legal protection and a fair trial.” The relevant provisions of the VStG read in extracts: “Guilt Section 5. (1) Unless an administrative regulation on fault provides otherwise, negligent conduct is sufficient for criminal liability. Negligence can be assumed without further ado in the case of contravention of a prohibition or non-compliance with an order if the occurrence of damage or danger is not part of the administrative offence and the perpetrator does not credibly demonstrate that he is not at fault for the violation of the administrative regulation.(1a) Paragraph 1, second sentence does not apply if the administrative offence is punishable by a fine of more than 50,000 euros. (2) Ignorance of the administrative regulation that the offender has violated is only an excuse if it can be proven that it was not his fault and the offender could not have seen that his conduct was unlawful without knowledge of the administrative regulation. Penalties Section 10. (1) The type of punishment and the penalty are based on the administrative regulations, unless otherwise provided for in this federal law. (2) If no special punishment is set for administrative offence, in particular for violations of local police regulations, they are punishable by a fine of up to 218 euros or by imprisonment of up to two weeks. Determination of the penalty

§ 19. (1) The basis for determining the penalty is the importance of the legal interest protected by criminal law and the intensity of its impairment by the act.

(2) In the ordinary procedure (§§ 40 to 46), the aggravating and mitigating factors that come into consideration according to the purpose of the threat of punishment must also be weighed against each other, insofar as they do not already determine the threat of punishment. Particular attention must be paid to the extent of the guilt. Taking into account the nature of administrative criminal law, §§ 32 to 35 of the Criminal Code are to be applied accordingly. The income and assets and any duty of care of the accused must be taken into account when determining fines. - 21 -

[…]

Costs of criminal proceedings

§ 64. (1) Every penal decision must state that the person sentenced must contribute to the costs of the criminal proceedings.

(2) This contribution is to be calculated for the first instance proceedings at 10% of the sentence imposed, but at least at 10 euros; in the case of prison sentences, one day of imprisonment is to be counted as 100 euros when calculating the costs. The contribution to the costs goes to the local authority, which has to bear the authority's costs."

Applied to the present case, this means the following:

On image processing in general:

The Senate hearing the case prefaces the following with its assumption that there is no scope for the application of
Sections 12 and 13 DSG due to the lack of a corresponding opening clause in the GDPR

and that these provisions must therefore remain unapplied (ECJ 09.03.1978,

C-106/77 (Simmenthal II)).

This is because the Austrian legislator bases the enactment of Sections 12 f DSG on Article 6
Paragraphs 2 and 3 as well as Article 23 GDPR and Chapter IX GDPR in conjunction with Recital 10. Although Article 6 Para.

allows 2 and 3 GDPR, to maintain or issue more specific regulations at national level (if the other requirements are met), but only for processing based on the permissions in Art. 6 Para. 1 lit. c and lit. e GDPR. However, Art. 6 Para. 1 lit. f GDPR is to be used as the legal basis for carrying out video surveillance by private individuals or within the framework of private sector administration. (Kastelitz/Hötzendorfer/TschohlinKnyrim (ed.), DatKomm, Art.6 GDPR, para. 79; Souhrada-

Kirchmayer in Jahrbuch Öffentliches Recht 2018, NWV, p. 68; and also in this sense on the

German legal situation regarding video surveillance for private purposes:

Buchner/Petri in Kühling/Buchner (ed.), GDPR - BDSG, Art. 6 GDPR, para. 172, p. 277;

also see German BVwerG 27.03.2019, 6 C 2.18, according to which “the opening clauses of Art. 6 para.

2 and 3 GDPR for processing pursuant to Art. 6 para. 1 subpara. 1 letter e GDPR

do not cover video surveillance by private controllers”). The Federal Administrative Court has already assumed the inapplicability of Sections 12f DSG in connection with private video surveillance in its decisions of November 20, 2019 (W256 2214855-1/6E), November 25, 2019 (W211 2210458-1/10E), March 12, 2021 (W211 2223696-1/11E) and April 21, 2023 (W245 2246467-1/11E). - 22 - The facts in question must therefore be examined on the basis of the GDPR. Irrespective of this, the requirements of Section 12 Para. 2 Z 1 to 3 DSG are not met in the proceedings. Fulfillment of the objective elements of the offence:

The authority concerned assumed, within the framework of the facts it had established,

that the BF had unlawfully processed personal data in an undetermined period of time up until the issuance of the

penalty decision, that the data processing was not appropriate for the purpose and was not limited to the necessary extent, and thus had violated, on the one hand, the principle of

processing personal data lawfully, in good faith and in a manner that is understandable to those affected, as set out in the GDPR, and, on the other hand, the principle of data processing appropriate to the purpose and the principle of data minimisation.

The BF contradicted this assessment by the DSB in that he stated that the video surveillance system he operated was necessary to protect his assets and

the posting of the dog owner's photograph had only served the purpose of alerting her to her misconduct. He also denied having acted intentionally.

The BF cannot prevail with this argument, however:

The legal definition of the term processing in Art. 4 Z 2 GDPR consists of a

general definition and a demonstrative list of different

types of processing. Processing is therefore any operation carried out with or without the aid of automated

procedures in connection with personal data or any

such series of operations. According to the wording, it must therefore be an executed operation

or a executed series of operations, whereby the requirement for execution indicates a

conscious action. The list of processing operations is

demonstrative and serves to concretize the definition (Hödl in Knyrim (ed.), DatKomm,

Art. 4 GDPR, paras. 27 and 28).

The term processing according to Art. 4 Z 2 GDPR therefore includes not only the storage,

but also the collection or recording of personal data. The GDPR

does not differentiate in terms of the intensity or duration of each processing,

nor is a differentiation made in connection with the technology used for the processing - 23 -

(Jahnel, Commentary on the GDPR, Art. 4 Z 2 GDPR, margin numbers 5 and 18).

The fact that video surveillance as carried out in the present case basically represents

processing of personal data within the meaning of Art. 4 Para. 2 GDPR and is also covered by the

scope of Art. 2 Para. 1 GDPR was not disputed by the BF and

is also not in question for the deciding Senate.

On the legality of the data processing in question:

According to the case law of the ECJ, in principle any processing of personal data must comply with the principles set out in Art. 5 GDPR with regard to the

processing of personal data and one of the principles set out in Art. 6 GDPR with regard to the admissibility of the processing of data (on the

predecessor provision Art. 6 DS-RL: ECJ 20.05.2003, joined cases C-465/00, C-138/01 and C-

139/01 (ÖsterreichischerRundfunk u.a.), para. 65; ECJ 16.12.2008, C-524/06 (Huber), para. 48).

For the legality of processing personal data, Article 6 Paragraph 1

GDPR contains an exhaustive and final list of six justifications

(on the previous provision Article 7 GDPR: ECJ 24.11.2011, joined cases C-468/10 and C-469/10

(ASNEF), para. 30 ff; ECJ 19.10.2016, C-582/14 (Breyer), para. 57).

According to the processing principles under Art. 5 GDPR, personal data must be processed lawfully, fairly and in a manner that is understandable for the data subject (“lawfulness, fairness and transparency”; see Art. 5 Para. 1 lit. a GDPR) and be appropriate and relevant to the purpose and limited to what is necessary for the purposes of the processing (“data minimization”; see Art. 5 Para. 1 lit. c GDPR). The processing of personal data is lawful, among other things, under Art. 6 Para. 1 lit. f GDPR if it is necessary to protect the legitimate interests of the controller (or a third party), unless the interests or fundamental rights and freedoms of the data subject which require the protection of personal data prevail. A case-by-case balancing of interests must be carried out, in which the legitimate interests of the controller or a third party for the processing must be compared with the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data. In doing so, the interests of the controller and of third parties and, on the other hand, the interests, rights - 24 -

and expectations of the data subject must be taken into account (Recital 47 GDPR). The admissibility of video surveillance for private purposes is determined by this justification (Heberlein in Ehmann/Selmayr (ed.), GDPR Commentary, 2018, Art. 6, K 26). Processing in accordance with Art. 6 (1) (f) GDPR is therefore permissible under three cumulative

conditions: 1. the legitimate interest of the controller, 2. the necessity of the processing and 3. the fundamental rights and freedoms of the data subjects do not outweigh them (ECJ 11.12.2019, C-708/18 (Asociatia de

Proprietari bloc M5A-ScaraA), para. 40, with further references).

At this point, reference should also be made to the EDSA guidelines on video surveillance,
according to which it must be checked before commissioning whether video surveillance measures are absolutely

necessary. Even if video surveillance appears absolutely necessary,

measures must be taken to limit the recording area, such as installing a

physical shutter or pixelating irrelevant areas (see

EDSA Guidelines 3/2019 on the processing of personal data by

video devices, version 2.1, paras. 25-27). In addition, many video cameras

have the option of digitally limiting the recording area.

The BF has a legitimate interest in the sense of Article 6 (1)(f) GDPR in the present case, since the BF - as established - put the video surveillance system into operation in order to protect his tobacconist and thus his assets from attacks in the form of property damage, robberies or similar. Precautions to protect against such incidents are necessary because general life experience already shows that robberies on tobacconists or property damage in the outdoor areas of tobacconists are common. From the point of view of the deciding Senate, the BF has no milder means of achieving the described purpose than operating a video surveillance system. A balance must then be made as to whether the BF's legitimate interests or the interests or fundamental rights and freedoms of the persons affected by the video surveillance outweigh the interests. In the present case, the BF's interest in protecting his assets must be affirmed, since the interests of those affected are only slightly impaired by the video surveillance, which only covers the area in front of the tobacconist's, while the BF understandably has a great interest in protecting his tobacconist's, which is the basis of his existence. - 25 - According to the DSB's case law, private video surveillance systems may also cover the adjacent public space if and to the extent that this is necessary to enable meaningful video surveillance. The authority concerned assumes that the coverage of a 50 cm wide strip of the adjacent public traffic areas is still permissible. In the present case, however, the investigation revealed that the recording areas of the video surveillance system in question, which the BF operated at the location of his tobacconist's shop in XXXX Graz, XXXX, at least in the period from September 2023 to May 20, 2024, covered an area that also covered the entire public sidewalk, the adjacent bicycle path, part of the XXXX tram stop and part of the tram tracks.

There is no legitimate interest of the BF in the case, which is why the aforementioned public areas must be covered.

The BF merely claimed in his statements, his complaint and in his questioning at the oral hearing that the video cameras only cover those public traffic areas whose recording is necessary for the meaningful implementation of video surveillance. However, this is contradicted by the photographs showing the recording area of the video cameras. The BF has therefore not succeeded in proving that the requirements of Articles 5 and 6 (1)(f) GDPR have been met. No other legal basis under Article 6 (1) GDPR was put forward by the BF, nor did one emerge in the proceedings. Regardless of the question of whether the assumption of a strip of public space defined in centimetres and still lawfully recorded makes sense in each individual case, the surveillance of public traffic areas carried out in the present case goes beyond what is necessary for meaningful video surveillance. With regard to the posting of the dog owner's photograph, the BF stated that the purpose of this posting was to draw the dog owner's attention to her misconduct. With the best will in the world, the Senate cannot see any legitimate interest in this within the meaning of Art. 6 Paragraph 1 Letter f of GDPR, since the punishment of administrative offenses falls exclusively within the jurisdiction of the administrative penal authorities. In this regard, too, no other justification under Art. 6 Paragraph 1 of GDPR was put forward, nor has one emerged. The fact that the BF - as established - affixed a sticker over the dog owner's face on the printout - 26 - does not change the illegality of his actions, since the affixing of such a sticker, which - as the BF himself stated - can easily be removed again, is not a suitable means of anonymizing the dog owner, especially since the printout was hung in a relatively busy location. The authority concerned was therefore right to classify the processing of the image data and the public display of the photograph as unlawful and consequently concluded that this constituted an objective violation of the principles of processing pursuant to Art. 5 (1)(a) and (c) Art. 6 (1) GDPR, as neither the principle of the lawfulness of data processing nor the principle of data minimization was complied with nor was there a legitimate interest in the excessive recording of public traffic areas.

On the violation of the obligation to provide information:

Art. 5 (1)(a) GDPR stipulates that personal data may only be processed lawfully, in accordance with the principles of good faith and in a manner that is comprehensible to the person concerned. This principle of transparency is specified in Art. 13 and 14 GDPR on the obligation to provide information and Art. 12 on the relevant measures and modalities. The following content of the principle of transparency can therefore be derived from these provisions as well as from Recitals 39 and 58 of the GDPR: It must be clear to those affected that personal data is being processed, which data is being processed, for what purposes it is being processed and by whom it is being processed. In addition, those affected should be informed about the risks, rules, guarantees and rights in connection with the processing of their data and about how they can assert their rights. This

information must be precise, easily accessible and understandable and written in clear and

simple language. The importance of the transparency of processing and thus

the obligation to provide information lies in particular in the fact that the provision of the relevant

information is a necessary prerequisite for the exercise of the rights of the data subject: If the data subject is

not aware that his data is being processed or does not know who is

doing this, he cannot assert his rights in this regard under Art. 15-21

(Hötzendorfer/Tschohl/Kastelitz in Knyrim (ed.), DatKomm, Art. 5 GDPR, para. 18f).

As can be seen from the findings, after it was

put into operation in September 2023, until the DS issued the criminal decision, the video surveillance system was only

marked by two pictograms depicting a stylized video camera attached to the outside wall of the business premises or to a pipe. In addition, the recordings from the video cameras were transmitted to a screen in the cash register area inside the tobacconist's shop. Those affected did not receive any further information regarding the operation of the video surveillance system. The authority concerned stated in the penal decision that the placement of such a pictogram could only represent the first "layer" of information provision, whereby the minimum information specified in EDSA Guideline 3/2019 must already be included on the first layer, as well as an indication of where the remaining information can be viewed or accessed, and the BF had thus violated his information obligations as the responsible party for the entire period of the offense (despite the placement of the pictograms). The BF merely replied to this point that the video cameras were clearly visible to everyone anyway. Since the BF was therefore unable to demonstrate that the conclusively substantiated violation of the information obligations as the responsible party in relation to the operation of the video surveillance system, which the authority concerned accused him of in the

criminal judgment, did not exist and that no such violation arose elsewhere, the Senate therefore also came to the conclusion that the BF committed this violation during the entire period of the offense between September 2023 and June 14, 2022 and thereby fulfilled the objective aspect of the offense concerning Art. 5 Para. 1 lit. a

in conjunction with Art. 12 and 13 GDPR.

On the administrative criminal liability and the fault of the BF:

According to Art. 4 Z 7 GDPR, the natural or legal person, authority, institution or

other body that alone or jointly with others decides on the purposes and means of

processing personal data is to be regarded as the controller within the meaning of the GDPR.

The fact that the BF is the controller in the sense of data protection law with regard to the

image processing that is the subject of the proceedings was neither disputed by the BF nor

the deciding Senate casts doubt on this.

It should be noted at this point that the substantive requirements that a

supervisory authority must observe when imposing such a fine are precisely defined in Art. 83 paras. 1 to 6 GDPR and are listed without any discretion for the Member States (ECJ December 5, 2023, C-807/21 (DeutscheWohnenSE), para. 45; ECJ December 5, 2023, C-683/21 (Nacionalinis visuomenes sveikatos centras), para. 67). - 28 -

The ECJ has ruled that Article 83 GDPR is to be interpreted as meaning that, under this provision, a fine may only be imposed if it is proven that the controller has intentionally or negligently committed an infringement referred to in Article 83 (4) to (6) GDPR (ECJ 05.12.2023, C-807/21 (Deutsche Wohnen SE); ECJ
05.12.2023, C-683/21 (Nacionalinis visuomenes sveikatos centras)).

Furthermore, the ECJ takes the view that a controller can be punished for conduct that falls within the scope of the GDPR if he could not have been unaware of the illegality of his conduct, regardless of whether he was aware that it violated the provisions of the GDPR (ECJ June 18, 2013, C-681/11 (Schenker & Co. et al.), para. 37 and the case law cited therein; ECJ March 25, 2021, C-591/16 P (Lundbeck v Commission), para. 156; ECJ March 25, 2021, C-601/16 P (Arrow Group and Arrow Generics v Commission), para. 97).

The ECJ also ruled in the Meta Platforms Inc. case that, according to Art. 5 GDPR, the controller bears the burden of proof that the data is collected for specified,

clear and legitimate purposes and is processed lawfully, in good faith

and in a manner that is understandable to the data subject (ECJ

July 4, 2023, C-252/21 (Meta Platforms Inc.), para. 95). The

principles, prohibitions and obligations provided for in the GDPR are aimed in particular at controllers. According to Recital 74 of the GDPR, their

responsibility and liability extends to

any processing of personal data carried out by them or on their behalf.

In this context, they must not only take appropriate and effective measures,
but they must also be able to demonstrate that their processing activities are in line

with the GDPR and that the measures they have taken to ensure this compliance are also effective. It is this liability that forms the basis for imposing a fine on the controller under Art. 83 GDPR in the event of one of the violations listed in Art. 83 (4) to (6) GDPR (ECJ 5.12.2023, C-807/21 (Deutsche Wohnen

SE), para. 38).

The authority concerned must therefore agree that the BF was in any case obliged to inquire about the relevant provisions of the GDPR (here in

context of the operation of a video surveillance system in front of a business premises).

In principle, according to Section 5 Paragraph 1 Sentence 1 of the Administrative Offenses Act, negligent conduct is sufficient to make the offense punishable. The applicable provisions of the GDPR do not stipulate anything different. For - 29 -

disobedience offenses, Section 5 Paragraph 1 Sentence 2 of the Administrative Offenses Act provides for the rebuttable presumption of negligent commission. Therefore, the accused who is accused of a disobedience offense must make it credible that he is not at fault for violating the relevant administrative regulation (VwGH 30.10.1991, 91/09/0132). However, this provision does not apply if - as in the present case - the administrative offense is punishable by a fine of more than EUR 50,000 (Section 5 Paragraph 1a of the Administrative Offenses Act).

During the course of the proceedings, there were no indications that the BF was not at fault for violating the administrative regulations applicable in the present case. The fact that the BF denied any intent in the oral hearing and stated that he did not know how to label a video surveillance system in accordance with the law does not change this. Even ignorance of a legal regulation can only be considered to be without fault if someone was unaware of the administrative regulation despite exercising the care required by their circumstances; even good faith does not constitute a reason for excluding liability in this context if it is the party's responsibility to familiarize themselves with the relevant regulations (VwGH April 27, 1993, 90/04/0358). The BF is obliged to make such enquiries if he was not clear about the legal situation (VwGH 25.06.2013, 2013/09/0022). The authority concerned is right if it believes that the statements made by the BF during the hearing that he assumed that pixelation software was expensive indicate that the BF did not comply with his obligation to make enquiries and that it would have been reasonable for the BF to find out more about the permissibility of using video cameras. With regard to the public display of the dog owner's photograph, the Senate hearing the case is in no doubt that the BF seriously considered it possible and accepted that he would violate the provisions of data protection law by publicly denouncing an identifiable person and that he therefore acted intentionally. Thus, on the subjective side of the offense - as assumed by the authority concerned - there is fault in the form of intent on the part of the BF with regard to the public display of the dog owner's photograph and negligence with regard to the other violations.

On the assessment of the penalty:

The assessment of the penalty within a statutory penalty range is a

discretionary decision that must be made according to the criteria set by the legislator in Section 19 of the Administrative Penalty Act (VwGH 05.09.2013, 2013/09/0106). - 30 -

The basis for determining the penalty is the importance of the legal interest protected under administrative criminal law and the intensity of its impairment by the offense (Section 19 Paragraph 1 of the Administrative Penalty Act). In addition, the aggravating and mitigating factors that come into consideration must be weighed against each other. Particular attention must be paid to the extent of the fault. Taking into account the nature of administrative criminal law, Sections 32 to

35 of the German Criminal Code are to be applied mutatis mutandis.

Such considerations are also relevant when applying Article 83 of the GDPR:

According to Article 83 (5) (a) of the GDPR, in the event of violations of the principles for

processing, including the conditions for consent, pursuant to Articles 5, 6, 7 and 9 of the GDPR, in accordance with Article 83 (2) of the GDPR, fines of up to EUR 20,000,000 or, in the case of a company, up to 4% of its total worldwide annual turnover of the previous financial year, whichever is higher, can be imposed.

According to Article 83 (1) of the GDPR, each supervisory authority must ensure that the imposition of fines is effective, proportionate and dissuasive in each individual case. Article 83

Paragraph 2 of the GDPR lists assessment criteria that must be duly taken into account in each individual case when deciding on the imposition of a fine and its amount. The relevant factors are in particular the type, severity and duration of the violation, the number of people affected by the processing, the extent of the damage, the category of personal data affected, the company's efforts to limit the damage, the type and extent of cooperation with the data protection authorities and the degree of responsibility.

In addition, according to Section 19 Paragraph 2 of the Criminal Penalty Act, the accused's income and assets must also be taken into account when determining fines (Section 19 Paragraph 2 of the Criminal Penalty Act).

In the appeal proceedings, the BF provided current information on his income and assets, which is why these and the considerations for determining the penalty are used as a basis.

The importance of the legal interest protected under administrative criminal law is fundamentally to be assessed in

itself and not in relation to the conflicting protection of another legal interest in the specific individual case (VwGH July 11, 2022, Ra 2021/04/0007; further Kuderer, ZVG 2023, p. 87ff). The importance of the protected legal interest is also expressed in the level of the statutory penalty (VwGH December 18, 2018, Ra 2016/04/0148; VwGH October 7, 2021, Ra 2020/05/0232; VwGH February 13, 2023, Ra 2022/02/0117). The Administrative Court classifies road safety as a legal interest of - 31 -

significant importance

3
(VwGH 13.02.2023, Ra 2022/02/0117; Fister in Lewisch/Fister/Weilguni (ed.), VStG , § 45,

para. 3).

Since the penalty under Art. 83 GDPR is very

high with a maximum penalty of EUR 20,000,000, the importance of the protected legal interest should in any case not be classified as low.

The DSB considered the type, duration and severity of the violations as aggravating factors, namely

the several months of the unlawful operation of the video surveillance system and

the public denunciation of the dog owner by hanging up the excerpt from the surveillance material.

The authority concerned considered that the BF had not yet committed any violations of the DSG or GDPR and that the accused had fulfilled his duty to cooperate in clarifying the facts. No further mitigating circumstances had become apparent up to the time of the decision of the authority concerned. It should be noted that the Federal Administrative Court must also exercise discretion when setting the fine. Wessely states the following in Raschauer/Wessely (ed.), Commentary on the Administrative Penal Code (2023), § 19, marginal no. 26: “When making its decision, the Administrative Court must not only examine the exercise of discretion by the administrative penal authority, but must exercise discretion itself and determine a new sentence (VwGH 31.1.2012, 2009/05/0123). This is particularly the case if the guilty verdict is changed. This applies in the case of partial grant of the appeal (VwGH 27.5.2008, 2007/05/0235), for example by reducing the period of the offence (VwGH 22.4.2010,

2007/07/0015; 21.2.2012, 2010/11/0245), if the notices are removed due to

they have been cancelled in the meantime (VwGH 27.5.2008, 2007/05/0235) or

other mitigating circumstances arise (VwGH 22.4.1998, 97/03/0353), i.e. in cases of a qualitative

or quantitative reduction in the charge, the sentence should also be reduced. However, this is

not mandatory. For example, there is no need for a reduction if the Administrative Court assesses the detrimental effect of the act to be higher than the administrative authority or if the economic situation of the accused has improved in the meantime (VwGH

May 27, 2008, 2007/05/0235; February 23, 2022, Ra 2020/17/0024; March 29, 2022, Ro 2020/02/0003); such a procedure, however, requires appropriate justification (VwGH April 22, 1998,

97/03/0353).“ - 32 -

As far as the aggravating circumstances are concerned, the authority concerned is right that the

duration of the act and in particular the public denunciation of the dog owner

have an aggravating effect.

In its sentencing decision, the authority concerned correctly considered it a mitigating factor that the BF had participated in the proceedings before the DSB. Another mitigating factor, in the opinion of the sentencing senate, is that the BF regrets the violations of the law that he has committed. Another mitigating factor is that the BF assumed, based on training from the Lower Austrian State Criminal Police Office, that the attachment of pictograms for identification purposes was sufficient. It should also be noted that the website of the authority concerned contains the sentence "Video surveillance is clearly visible through suitable labeling (e.g. signs, stickers)." which only provides very vague information on the labeling requirement for video surveillance systems (see https://www.dsb.gv.at/download-
links/fragen-und-antworten.html#Stationaere_Videoueberwachung, accessed on November 29, 2024).Against this background, the fault of the BF, who is not familiar with the law, is to be regarded as minor in terms of

violating the duty to provide information.

There are no special factors that would make a higher penalty appear necessary for special preventive reasons. In particular, from the point of view of the Senate, the imposition of a higher penalty is not necessary to deter the BF from committing

similar administrative offenses in the future. From a general preventive point of view, the

reduced penalty is also to be regarded as sufficient to deter others from committing similar

administrative offenses.

Even the specification of the period of the offence relating to the act under point I of the

penalty decision in the sense that the start of the video surveillance was determined to be September 2023 cannot lead to an increase in the sentence, since the DSB in its decision already assumed an "uncertainable period" spanning several months during which data had been processed unlawfully.

Finally, when re-determining the sentence, it had to be taken into account that the BF suffered damage of around EUR 20,000 as a result of the

explosion caused by unknown perpetrators in his tobacco shop - presumably not covered by his insurance - which significantly worsened his income and assets. - 33 -

In order to adequately take into account the previously explained, quite significant, elimination of aggravating circumstances

or the addition of another mitigating factor,

the penalty had to be reduced to a total of EUR 750.

If a fine is imposed, then, in accordance with Section 16 Paragraph 1 of the Administrative Penalty Act, a substitute prison sentence must also be imposed in the event of

its uncollectability. The substitute prison sentence may not exceed the

maximum prison sentence threatened for the administrative offence and, if

no prison sentence is threatened and nothing else is specified, two weeks. A substitute prison sentence of more than six weeks is not permitted. The

substitute prison sentence is to be imposed without consideration of Section 12 of the Administrative Penalty Act in accordance with the

rules for determining the sentence.

With regard to the assessment of alternative prison sentences, the Administrative Court ruled that the

length of the alternative prison sentence is to be assessed in accordance with the offender's guilt, taking into account the

aggravating and mitigating factors; however - as in the present case - the personal circumstances and the economic

capacity of the offender are only relevant when assessing the fine, but not when assessing the alternative prison sentence (VwGH 28.05.2013, 2012/17/0567).

Referring to the statements made by the DSB in the appeal hearing, according to which, according to the case law of the Administrative Court, there is no entitlement to be punished only with the minimum sentence in the case of unfavorable income and asset circumstances, it should be pointed out that Art. 83 Para. 2 GDPR, which is applicable in the present case, does not provide for a minimum sentence at all.

Since the fine was adjusted, the alternative prison sentence also had to be adjusted and reduced to 45

hours.

The fine calculated by the Federal Administrative Court appears to be appropriate to the offense and guilt

and is at the lower end of the available penalty range. As stated, there is no scope for a

further reduction of the sanction. An (even) lower

amount in the present case would no longer meet the criteria for a

fine set out in Art. 83 Para. 1 GDPR, according to which it must be effective, proportionate and deterrent in each individual case.

Regarding the costs of the administrative penal proceedings and the appeal proceedings:

According to Section 64 Paragraph 1 of the Administrative Penalty Act, the penal decision must state that the person punished must make a contribution

to the costs of the criminal proceedings. According to Section 64 Paragraph 2 of the Administrative Penalty Act, this contribution for the first instance proceedings is to be calculated at 10% of the penalty imposed, but at least at 10 euros. The contribution to the costs is therefore EUR 75.

Result:

For the reasons stated above, the appeal regarding the ruling on the penalty imposed was partially upheld.

The costs of the appeal proceedings before the Federal Administrative Court were not to be imposed on the BF

according to Section 52 Paragraph 8 of the Administrative Court Act, because his appeal was partially upheld.

On the inadmissibility of the appeal:

According to Section 25a Paragraph 1 VwGG, the administrative court must state in its ruling or decision whether the appeal is admissible in accordance with Article 133 Paragraph 4 B-VG. The

ruling must be briefly justified.

The appeal is not admissible in accordance with Article 133 Paragraph 4 B-VG because the decision is based on the

cited uniform case law or the clear and unambiguous legal situation (on the

inadmissibility of the appeal in the case of a clear legal situation, see VwGH May 15, 2019, Ro 2019/01/0006;

VwGH March 3, 2023, Ra 2022/10/0094).

A legal question of fundamental importance in connection with the assessment of evidence only arises if the administrative court has carried out the assessment of evidence in the individual case in an unacceptable manner that compromises legal certainty (VwGH March 11, 2021, Ra 2021/18/0059) and thus there is a blatant misjudgment (VwGH June 16, 2021, Ra 2021/01/0106). However, this is not the case here. The assessment of the penalty is a discretionary decision that must be made by the administrative court taking into account all sentencing criteria (VwGH June 18, 2014, Ro 2014/09/0043). Since the exercise of discretion in this case was carried out in accordance with the law, there is no legal question of fundamental importance. Payment information

You must pay the total amount of EUR 825.00 (fine, costs of the administrative

proceedings) within two weeks into the account of the Federal Administrative Court (BVwG) with - 35 -

IBAN AT84 0100 0000 0501 0167 (BIC BUNDATWW) stating the procedure number

free of charge for the recipient. In the event of default, it must be expected that the

amount will be collected by force after a reminder has been issued.