BVwG - W101 2132183-1 and W101 2132039-1: Difference between revisions

From GDPRhub
Line 59: Line 59:
|Appeal_To_Body=
|Appeal_To_Body=
|Appeal_To_Case_Number_Name=
|Appeal_To_Case_Number_Name=
|Appeal_To_Status=Unknown
|Appeal_To_Status=Unknown: The BVwG declared that an appeal to the Austrian Supreme Administrative Court (Verwaltungsgerichtshof - VwGH) is possible.
|Appeal_To_Link=
|Appeal_To_Link=


Line 87: Line 87:


For data that could not be accessed from the user's account, Google asked him to use an online form, to make sure that the user would only receive personal data that are truly relating to him (and not some other natural person). The user refused to do so.
For data that could not be accessed from the user's account, Google asked him to use an online form, to make sure that the user would only receive personal data that are truly relating to him (and not some other natural person). The user refused to do so.
<br />


====Complaint with the DSB and decision====
====Complaint with the DSB and decision====
Line 106: Line 108:


'''III)''' Lastly, the DSB rejected parts of the user's complaint: It held that requesting the user to log into his Google account and asking him to use an online-form in order to authenticate him was in line with Article 12(1) and (2) GDPR.
'''III)''' Lastly, the DSB rejected parts of the user's complaint: It held that requesting the user to log into his Google account and asking him to use an online-form in order to authenticate him was in line with Article 12(1) and (2) GDPR.
<br />


====Google's appeal against the DSB's decision====
====Google's appeal against the DSB's decision====
Line 113: Line 117:


Further, Google LLC. explained its legal view, that requesting the user to log into his Google account and requesting him to use an online form for all data processed outside the user's Google account was neccessary for the identification and authentication of the user.
Further, Google LLC. explained its legal view, that requesting the user to log into his Google account and requesting him to use an online form for all data processed outside the user's Google account was neccessary for the identification and authentication of the user.
<br />


====Users 's complaint appeal the DSB's decision====
====Users 's complaint appeal the DSB's decision====
Against ruling III), the user filed an appeal with the BVwG that was handled in a parallel procedure, stating that it was unlawful to require him to use online tools (Google-account and online form) to access his data.
Against ruling III), the user filed an appeal with the BVwG that was handled in a parallel procedure, stating that it was unlawful to require him to use online tools (Google-account and online form) to access his data.
<br />


===Dispute===
===Dispute===
Line 126: Line 134:


in order to identify and authenticate of the user?
in order to identify and authenticate of the user?
<br />


===Holding===
===Holding===
The BVwG issued two judgments: One on Google's appeal and one on the user's appeal.
The BVwG issued two judgments (one on Google's appeal and one on the user's appeal) which contained the following holdings:
 
<br />


==== Controllership at the relevant point of time ====
====Google LLC as contrioller in the relevant time frame====
The BVwG held that the (alleged) change of controllership from Google LLC (former Google Inc.) to Google Ireland limited was not relevant for the case at hand: The data subject had sent his acces request on 30.10.2015, Google's last reply was on 24.02.2016. Therefore, this is the time frame in which the (alleged) data protection violation took place. Google claimed that controllership for data of users in the EEA and Switzerland "shifted" from Google LLC to Google Ireland Limited only on 22.01.2019, years after the alleged data protection violation took place.
The BVwG held that the (alleged) change of controllership from Google LLC (former Google Inc.) to Google Ireland limited was not relevant for the case at hand: The data subject had sent his acces request on 30.10.2015, Google's last reply was on 24.02.2016. Therefore, this is the time frame in which the (alleged) data protection violation took place. Google claimed that controllership for data of users in the EEA and Switzerland "shifted" from Google LLC to Google Ireland Limited only on 22.01.2019, years after the alleged data protection violation took place.


As a result, the BVwG held that Google LLC is the data controller, as it was determining the purposes and means of the processing of the user's personal data in the relevent time frame.
As a result, the BVwG held that Google LLC is the data controller, as it was determining the purposes and means of the processing of the user's personal data in the relevent time frame.


==== Use of online tools to provide access under Article 15 GDPR ====
<br />
The BVwG held that
 
====Use of online tools to provide access in line with Article 12 GDPR====
The BVwG upheld the DSB's view in this regard and did not lift ruling III)
 
The user has a Google account and has not claimed that that he does not have the neccesary computer equipment at home to access this account. As certain data under Article 15(3) and information under Article 15(1) were available in the user's password protected Google account, the user has no right to receive this data and information via letter as well. According to the BVwG, this is in line with recital 63 of the GDPR ("''Where possible, the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data''").
 
As regards data and information that cannot be accessed in the user's Google account, the BVwG held, that Google LLC was entitled to request the user's identification and authentication, especiall  in light of recital 57 of the GDPR ("''Identification should include the digital identification of a data subject, for example through authentication mechanism such as the same credentials, used by the data subject to log-in to the on-line service offered by the data controller''"). There were a multitude of persons with the same name as the user - according to Google LLC there were approximately 3,910,000 search results on www.google.at. Therefore, Google LLC could demonstrate that it is not in a position to identify the user under Article 12(2) GDPR and was entitled to request the provision of additional information necessary to confirm the identity of the user under Article 12(6) GDPR. For this purpose, Google LLC asked the user to log into his Google account and use an online form provided there, but the user refused to.
 
<br />
 
==== No violation of Article 15 GDPR ====
As the user has been provided with certain personal data and information under Article 15 GDPR in his Google account, Google has not violated Article 15 GDPR with regards to this data/information.
 
As regards data that could be accessed by using an online-form, Google LLC was entitled to refuse the user's access request, as he failed to provide information to identify and authenticate him.


==Comment==
==Comment==
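Review bot: the new heading "====Google LLC as contrioller in the relevant time frame====" misspells "controller", and the paragraphs added under "Use of online tools to provide access in line with Article 12 GDPR" contain further typos ("that that he", "neccesary", "especiall  in light"). The added sentence ending "did not lift ruling III)" also has no full stop. Suggest correcting these in the revision text before saving, since the heading doubles as a section anchor.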

Revision as of 13:14, 14 October 2020

BVwG - W101 2132183-1
Court: BVwG (Austria)
Jurisdiction: Austria
Relevant Law: Article 4(1) GDPR
Article 4(7) GDPR
Article 12(1) GDPR
Article 12(2) GDPR
Article 15(1) GDPR
Article 15(3) GDPR
§ 24 DSG
§ 27 DSG
§ 4 DSG
§ 69 DSG
Decided: 11.09.2020
Published: 29.09.2020
Parties: unknown data subject
Google LLC
National Case Number/Name: W101 2132183-1
European Case Law Identifier: ECLI:AT:BVWG:2020:W101.2132183.1.00
Appeal from: DSB
DSB-D122.471/0007-DSB/2016
Appeal to: Unknown: The BVwG declared that an appeal to the Austrian Supreme Administrative Court (Verwaltungsgerichtshof - VwGH) is possible.
Original Language(s): German
Original Source: Rechtsinformationssystem des Bundes (in German)
Initial Contributor: Marco Blocher

The Austrian Federal Administrative Court held

a) that an (alleged) change of controllership from Google LLC to Google Ireland Limited does not have an ex-tunc effect - Google LLC qualifies as controller for (alleged) data protection violations that took place before the change of controllership

and

b) that Google is allowed to request a data subject exercising their right to access

  • to log into their Google account to authenticate the data subject and to provide access to their data that is being processed in the Google account and
  • to use an online form to authenticate the data subject regarding all data that is being processed outside the Google account.

English Summary

Facts

Access request and Google's reply

On 30.10.2015, the data subject (user) sent an access request under § 26 DSG 2000 to Google Inc. (now Google LLC) via registered letter, including a copy of his passport. The user requested access to all his data processed by Google Inc. (§ 26 DSG 2000 used to be the Austrian provision for access requests prior to 25.05.2018.)

On 22.12.2015, Google Inc. replied, asking the user to log into his Google account to access all data processed in the account and additional information on the processing. The user refused to log into his account.

For data that could not be accessed from the user's account, Google asked him to use an online form, to make sure that the user would only receive personal data that are truly relating to him (and not some other natural person). The user refused to do so.


Complaint with the DSB and decision

On 01.02.2016, the user filed a complaint against Google Inc. with the Austrian Data Protection Authority (DSB) claiming a violation of his right to access under Article 15 GDPR - i.a. by requesting him to log into his Google account and to use an online form in order to gain access to his data.

On 24.02.2020, in the course of the pending DSB-procedure, Google Inc. communicated again with the user, asking him to log into his Google account for authentication.

On 15.06.2016, the DSB issued its decision that consisted of three rulings:

I) The DSB held that Google Inc. violated Article 15 GDPR by not providing

  • access to the user's data that has been processed outside the user's Google account;
  • certain information on data recipients and data sources as far as that information cannot be accessed in the user's Google account;
  • information on automated decision making;
  • information on the purpose and the legal basis of the processing and
  • information on data processors.

II) The DSB ordered Google Inc. to provide these missing data/information within 4 weeks.

III) Lastly, the DSB rejected parts of the user's complaint: It held that requesting the user to log into his Google account and asking him to use an online-form in order to authenticate him was in line with Article 12(1) and (2) GDPR.


Google's appeal against the DSB's decision

Google Inc. filed an appeal with the BVwG against ruling I) and II) of the decision of the DSB.

In the course of the pending procedure before the BVwG, Google Inc. stated that it had been renamed to "Google LLC" and that it is no longer controller regarding the processing of personal data of Google users in the EEA and Switzerland. Rather, Google Ireland Limited was the controller of such processing.

Further, Google LLC explained its legal view that requesting the user to log into his Google account and requesting him to use an online form for all data processed outside the user's Google account was necessary for the identification and authentication of the user.


User's appeal against the DSB's decision

Against ruling III), the user filed an appeal with the BVwG that was handled in a parallel procedure, stating that it was unlawful to require him to use online tools (Google account and online form) to access his data.


Dispute

a) Which Google company is the controller under Article 4(7) GDPR regarding the processing of the user's personal data? Google LLC (former Google Inc.) or Google Ireland Limited? Therefore, which company is responsible for handling the user's access request and can be held liable for insufficient compliance with this request?

b) Was it compliant with Article 12 GDPR to request the user

  • to log into his Google account regarding personal data processed in the Google account and
  • to use an online form provided by Google regarding personal data processed outside the Google account

in order to identify and authenticate the user?


Holding

The BVwG issued two judgments (one on Google's appeal and one on the user's appeal) which contained the following holdings:


Google LLC as controller in the relevant time frame

The BVwG held that the (alleged) change of controllership from Google LLC (former Google Inc.) to Google Ireland Limited was not relevant for the case at hand: The data subject had sent his access request on 30.10.2015, Google's last reply was on 24.02.2016. Therefore, this is the time frame in which the (alleged) data protection violation took place. Google claimed that controllership for data of users in the EEA and Switzerland "shifted" from Google LLC to Google Ireland Limited only on 22.01.2019, years after the alleged data protection violation took place.

As a result, the BVwG held that Google LLC is the data controller, as it was determining the purposes and means of the processing of the user's personal data in the relevant time frame.


Use of online tools to provide access in line with Article 12 GDPR

The BVwG upheld the DSB's view in this regard and did not lift ruling III).

The user has a Google account and has not claimed that he does not have the necessary computer equipment at home to access this account. As certain data under Article 15(3) and information under Article 15(1) were available in the user's password-protected Google account, the user has no right to receive this data and information via letter as well. According to the BVwG, this is in line with recital 63 of the GDPR ("Where possible, the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data").

As regards data and information that cannot be accessed in the user's Google account, the BVwG held that Google LLC was entitled to request the user's identification and authentication, especially in light of recital 57 of the GDPR ("Identification should include the digital identification of a data subject, for example through authentication mechanism such as the same credentials, used by the data subject to log-in to the on-line service offered by the data controller"). There was a multitude of persons with the same name as the user - according to Google LLC there were approximately 3,910,000 search results on www.google.at. Therefore, Google LLC could demonstrate that it is not in a position to identify the user under Article 12(2) GDPR and was entitled to request the provision of additional information necessary to confirm the identity of the user under Article 12(6) GDPR. For this purpose, Google LLC asked the user to log into his Google account and use an online form provided there, but the user refused to do so.


No violation of Article 15 GDPR

As the user has been provided with certain personal data and information under Article 15 GDPR in his Google account, Google has not violated Article 15 GDPR with regard to this data/information.

As regards data that could be accessed by using an online form, Google LLC was entitled to refuse the user's access request, as he failed to provide information to identify and authenticate him.

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.