BVwG - W101 2132183-1 and W101 2132039-1

From GDPRhub
BVwG - W101 2132183-1
Courts logo1.png
Court: BVwG (Austria)
Jurisdiction: Austria
Relevant Law: Article 4(1) GDPR
Article 4(7) GDPR
Article 12(1) GDPR
Article 12(2) GDPR
Article 15(1) GDPR
Article 15(3) GDPR
§ 24 DSG
§ 27 DSG
§ 4 DSG
§ 69 DSG
Decided: 11.09.2020
Published: 29.09.2020
Parties: unknown data subject
Google LLC
National Case Number/Name: W101 2132183-1
European Case Law Identifier: ECLI:AT:BVWG:2020:W101.2132183.1.00
Appeal from: DSB
DSB-D122.471/0007-DSB/2016
Appeal to: Unknown: The BVwG declared that an appeal to the Austrian Supreme Administrative Court (Verwaltungsgerichtshof - VwGH) is possible.
Original Language(s): German
Original Source: Rechtsinformationssystem des Bundes (in German)
Initial Contributor: Marco Blocher

The Austrian Federal Administrative Court held

a) that an (alleged) change of controllership from Google LLC to Google Ireland Limited does not have an ex tunc effect - Google LLC qualifies as controller for (alleged) data protection violations that took place before the change of controllership

and

b) that Google is allowed to request a data subject exercising their right to access

  • to log into their Google-account to authenticate the data subject and to provide access to their data hat is being processed in the Google account and
  • to use an online form authenticate the data subject regarding all data that is being processed outside the Google account.

English Summary

Facts

Access request and Google's reply

On 30.10.2015, the data subject (user) sent an access request under § 26 DSG 2000 to Google Inc. (now Google LLC) via registered letter, including a copy of his passport. The user requested access to all his data processed by Google Inc. (§ 26 DSG 2000 used to be the Austrian provision for access request prior to 25.05.2018.)

On 22.12.2015, Google Inc. replied, asking the user to log into his Google-Account to access all data processed in the account and additional information on the processing. The user refused to log into his account

For data that could not be accessed from the user's account, Google asked him to use an online form, to make sure that the user would only receive personal data that are truly relating to him (and not some other natural person). The user refused to do so.


Complaint with the DSB and decision

On 01.02.2016, the user filed a complaint against Google Inc. with the Austrian Data Protection Authority (DSB) claiming a violation of his right to access under Article 15 GDPR - inter alia by requesting him to log into his Google account and to use an online form in order to gain access to his data.

On 24.02.2020, in the course of the pending DSB-procedure, Google Inc. communicated again with the user, asking him to log into his Google account for authentication.

On 15.06.2016, that DSB issued its decision that consisted of three rulings:

I) The DSB held, that Google Inc. violated Article 15 GDPR by not providing

  • access to the user's data that has been processed outside the user's Google account;
  • certain information on data recipients and data sources as far as those information cannot be accessed in the user's Google account;
  • information on automated decision making;
  • information on the purpose and the legal basis of the processing and
  • information on data processors.

II) The DSB ordered Google Inc. to provide this missing data/information within 4 weeks.

III) Lastly, the DSB rejected parts of the user's complaint: It held that requesting the user to log into his Google account and asking him to use an online-form in order to authenticate him was in line with Article 12(1) and (2) GDPR.


Google's appeal against the DSB's decision

Google Inc. filed an appeal with the BVwG against ruling I) and II) of the decision of the DSB.

In the course of the pending procedure before the BVwG, Google Inc. stated that it had been renamed to "Google LLC" and that it is no longer controller regarding the processing of personal data of Google users in the EEA and Switzerland. Rather, Google Ireland limited was the controller of such processing.

Further, Google LLC. explained its legal view, that requesting the user to log into his Google account and requesting him to use an online form for all data processed outside the user's Google account was necessary for the identification and authentication of the user.


Users 's complaint appeal the DSB's decision

Against ruling III), the user filed an appeal with the BVwG that was handled in a parallel procedure, stating that it was unlawful to require him to use online tools (Google-account and online form) to access his data.


Dispute

a) Which Google company is the controller under Article 4(7) GDPR regarding the processing of the user's personal data? Google LLC (former Google Inc.) or Google Ireland Limited? Therefore, which company is responsible for handling the user's access request and can be held liable for insufficient compliance with this request?

b) Was it compliant with Article 12 GDPR to request the user

  • to log into his Google account regarding personal data processed in the Google account and
  • to use an online form provided by Google regarding personal data processed outside the Google account

in order to identify and authenticate of the user?


Holding

The BVwG issued two judgments (one on Google's appeal and one on the user's appeal) which contained the following holdings:


Google LLC as contrioller in the relevant time frame

The BVwG held that the (alleged) change of controllership from Google LLC (former Google Inc.) to Google Ireland limited was not relevant for the case at hand: The data subject had sent his acces request on 30.10.2015, Google's last reply was on 24.02.2016. Therefore, this is the time frame in which the (alleged) data protection violation took place. Google claimed that controllership for data of users in the EEA and Switzerland "shifted" from Google LLC to Google Ireland Limited only on 22.01.2019, years after the alleged data protection violation took place.

As a result, the BVwG held that Google LLC is the data controller, as it was determining the purposes and means of the processing of the user's personal data in the relevent time frame.


Use of online tools to provide access in line with Article 12 GDPR

The BVwG upheld the DSB's view in this regard and did not lift ruling III)

The user has a Google account and has not claimed that that he does not have the neccesary computer equipment at home to access this account. As certain data under Article 15(3) and information under Article 15(1) were available in the user's password protected Google account, the user has no right to receive this data and information via letter as well. According to the BVwG, this is in line with recital 63 of the GDPR ("Where possible, the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data").

As regards data and information that cannot be accessed in the user's Google account, the BVwG held, that Google LLC was entitled to request the user's identification and authentication, especiall in light of recital 57 of the GDPR ("Identification should include the digital identification of a data subject, for example through authentication mechanism such as the same credentials, used by the data subject to log-in to the on-line service offered by the data controller"). There were a multitude of persons with the same name as the user - according to Google LLC there were approximately 3,910,000 search results on www.google.at. Therefore, Google LLC could demonstrate that it is not in a position to identify the user under Article 12(2) GDPR and was entitled to request the provision of additional information necessary to confirm the identity of the user under Article 12(6) GDPR. For this purpose, Google LLC asked the user to log into his Google account and use an online form provided there, but the user refused to.


No violation of Article 15 GDPR

As the user has been provided with certain personal data and information under Article 15 GDPR in his Google account, Google has not violated Article 15 GDPR concerning this data/information.

As regards data that could be accessed by using an online-form, Google LLC was entitled to refuse the user's access request, as he failed to provide information to identify and authenticate him.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

Court
Federal Administrative Court
Decision date
11.09.2020
Business figures
W101 2132183-1
Saying
W101 2132183-1/36E

ON BEHALF OF THE REPUBLIC!

The Bundesverwaltungsgericht (Federal Administrative Court), represented by Dr Christine AMANN, Judge, as President, Mag. Huberta MAITZ-STRASSNIG, expert lay judge, as associate judge, and Dr Michael GOGOLA, expert lay judge, as associate judge, on the appeal brought by Google LLC (as legal successor to Google Inc.), represented by WOLF THEISS Rechtsanwälte GmbH & Co KG, against parts 1 and 2 of the decision of the data protection authority of 15 June 2016, GZ. DSB-D122.471/0007-DSB/2016, was correctly recognised: 
A)
Pursuant to § 28 (2) VwGVG in conjunction with § 24 (1) and (5) DSG as amended, the appeal is granted with the provisos that part 1. concerning the data protection complaint of 1 February 2016 is to be dismissed as unfounded to the extent challenged and part 2. is therefore to be set aside without substitution.
B)
The audit is permissible under Art. 133 para. 4 B-VG.


Text
Reasons for the decision:
I. Course of proceedings:
 XXXX (= applicant or complainant before the data protection authority and co-defendant before the Federal Administrative Court) filed a data protection complaint on 1 February 2016 against Google Inc. as complainant (= respondent before the data protection authority) on the grounds of an infringement of the right to information. The main grounds of his data protection complaint were as follows:
He had sent his request for information of 30 October 2015 to the complainant by registered mail and attached a copy of her passport as proof of identity. First, he had received a reply in English from the complainant in November 2015. In the complainant's reply of 22 December 2015 in German, he would have received a further response to his request for information. Even in the reply of 22 December 2015, he had not received the information he had requested. 
With the request for information dated 30.10.2015, XXXX requested information on 
	all data processed concerning his person, 
	the information about their origin,
	any recipients or groups of recipients of transmissions (as defined in Article 4 no. 12 DSG 2000),
	the purpose(s) for which the data is used,
	the legal basis(s) for the use of the data,
	any automated individual decision making concerning him, and 
	the specific service providers involved.
The complainant's reply of 22.12.2015 was worded as follows:
"In response to your request for information regarding your personal information, we would like to refer you to Google Inc.'s online resources that Google Inc. makes available to its users to access their personal information. 
These tools are accessible via the account settings (https://www.google.com/settings/datatools). Users can use the Dashboard (https://www.google.com/settings/dashboard) to quickly and easily view a summary of data related to their account, such as emails, contacts, search history and location history. He or she can also use Google Takeout (https://www.google.com/settings/takeout) to download a copy of the data stored in his or her account. 
In the event that the required information is not accessible via the above-mentioned instruments, the user may submit his request to Google Inc. via a web form specially designed for this purpose (https://support.google.com/policies/contact/sar). This is accessible via the Privacy Troubleshooter (https://support.google.com/policies/troubleshooter/2990837?hl=en&rd=2). In order to authenticate the identity of the user, Google Inc. requires the user to log in to their Google Account in order to access the relevant web form.
Please note that in order to ensure that user data is kept secret and that the data is only disclosed directly to the user concerned, Google Inc. can only process requests for information that are made via the user's Google account.
To find information indexed by Google's search engine, you can use Google Search. We hope you understand that Google Inc. cannot simply produce a list of all results (or even printouts) associated with the name ' XXXX ' in response to your request for information. Because there is more than one person named XXXX, Google Inc. is unable to determine whether such information relates to you personally.
In the course of the administrative procedure, the Data Protection Authority requested several written comments from both parties.
By decision of 15.06.2016, GZ. DSB-D122.471/0007-DSB/2016, the data protection authority, on the one hand, partially granted the data protection complaint in part 1. and found in this respect that the complainant (= respondent before the data protection authority) had violated the right to information of the XXXX (= applicant or complainant before the data protection authority) in a total of 7 points and, on the other hand, in part 2. it obliged to provide information within a period of four weeks in case of any other execution in accordance with part 1. (In part 3. of this decision the data protection complaint was dismissed for the rest).
In the following sub-paragraphs of part 1, an infringement of the right to information was established in that the complainant had failed to provide information on
a)	outside the user account of the XXXX to his person by them processed data,
b) 	specific recipients or groups of recipients of transmissions of the data of the XXXX , as far as this is not apparent in the context of an online inspection,
c) 	the concrete origin of the data of the XXXX , as far as this is not evident within the scope of an online inspection,
	(d)	automated individual decision making concerning the XXXX,
	(e)	the purpose(s) for which the data are to be used,
	(f)	the legal basis(s) for the use of the data; and
	(g)the 	service providers specifically involved
was issued.
The data protection authority found the following facts in this decision:
 By letter of 30 October 2015, XXXX had sent a request for information to the complainant, enclosing a copy of her identity card, in which he requested information on all the data processed in the complainant's current database relating to his person. He would also have requested information on the origin of the data, any recipients or groups of recipients of transmissions, the purpose or purposes of the use of the data and the legal basis of the use of the data. In the event that data were processed by computer for the purpose of assessing individual aspects of his person and that this processing would entail legal consequences or would subject him to a decision that would significantly affect him, he would have requested that the logical sequence of the automated decision-making process be explained to him in a generally understandable form. He would also have asked for the names and addresses of all service providers to be disclosed. 
 XXXX would have first received a letter from the complainant dated 18.11.2015, written in English and referring to existing online tools.
By letter of 22 December 2015, the complainant had informed XXXX (in German) that the reply to the request for information referred to the online resources that the complainant had made available to its users in order to access their personal data. XXXX had been informed that the complainant could only process requests for information that were made via the user's Google Account. Google Search can be used to find information indexed by the complainant's search engine. Finally, XXXX had been informed that: "We hope you understand that Google Inc. cannot simply produce a list of all results (or even printouts) related to the name ' XXXX ' in response to your request for information. Because there is more than one person named XXXX, Google Inc. is unable to determine whether such information relates to you personally.
In a letter of the complainant dated 24 February 2016, XXXX (again in German) was informed that he could use the complainant's available online tools to obtain information on the data processed concerning his person. At the same time, he had again been informed that logging in via the account was the only possible form of authentication that the complainant could accept, since the presentation of a passport alone could not ensure that the person requesting information was the actual user of the account.
The complainant would not have asked XXXX to participate in the information procedure, for example by providing further details on the request for information.
 XXXX had an e-mail address, XXXX @gmail.com, which was provided by a service of the complainant, GMail.
It could not be established that XXXX used or was registered with other services of the complainant, such as Google Chrome, You Tube, Google Drive, Google+, etc. 
 XXXX had not made use of the online tools provided by the complainant since the request for information was sent on 30 October 2015.
The complainant provided online tools that account and non-account holders of services provided by the complainant could use. In the case of account holders, the complainant requires them to log on to their account for identification purposes. The online tools would enable users to obtain an overview of the data stored about them in connection with an account, to download this data and to make restrictions and deletions. 
The data protection authority gave the following legal reasons for the statement in part 1 of the above-mentioned decision:
In general, it should be noted that each applicant for information is entitled to individual treatment of his request for information. Each request for information or refusal to provide information must therefore be preceded by an examination of the individual case, possibly with the cooperation of the person requesting information.
In the present case, XXXX received replies which, although addressed personally to him, were largely standardised and made general reference to the possibility of using online tools. In the proceedings before the data protection authority, reference was also made to the complainant's data protection statement. 
However, the complainant overlooked the fact that the request for information clearly also related to data that could not be obtained through online access.
The complainant had also at no time asked XXXX to specify its request for information - which might be too vague for the complainant - or to participate in the information procedure. Only an unsuccessful attempt to ask the person requesting information to cooperate or a failure to comply with the obligation to cooperate could constitute grounds for refusing to provide information.
No other reasons were given to XXXX to justify not providing information until the end of the procedure before the data protection authority. 
The complainant lodged a complaint against parts 1 and 2 of this decision within the prescribed period.
In a letter from the data protection authority dated 08.08.2016, the complaint including the administrative act was forwarded to the Federal Administrative Court.
In a letter dated 13 November 2019, the Federal Administrative Court informed the complainant that in a so-called "old case" (= case already pending before the Federal Administrative Court before 25 May 2018), the new legal situation under the DSGVO and the DSG was applicable and offered him the opportunity to submit a written statement on any changes in the facts of the case within four weeks. By letter of the same day, the party concerned was also given the opportunity to submit written comments on the facts of the case.
In a letter of 13 December 2019 (received on 16 December 2019), the complainant asserted, inter alia, that she now bears the name "Google LLC" and that in the meantime, as can be seen from the enclosed current data protection declaration (= Enclosure ./1), she was no longer responsible under data protection law for the users of most Google services which are provided to consumers in the European Economic Area and Switzerland. This applies in particular to the search engine and the Google account.
Furthermore, the complainant asserted in this letter that, after receipt of the decision of the data protection authority and despite the appeal in the form of a complaint, she had sent a further reply letter dated 21 September 2016 to XXXX, which took into account the statements of the data protection authority in the contested decision (= Enclosure ./2).
As regards the written form, the complainant argued in particular that: "XXXX's incorrect assertion that online information was not an acceptable means of fulfilling the obligation to provide information could not be accepted, given the clear legal situation. This had also been correctly decided by the data protection authority. The complainant offered all its users a secure system for remote access. However, XXXX had refused all cooperation and access to the complainant's online tools under the previous procedure. The complainant had so far agreed to provide further guidance to help XXXX to access the information to which he was entitled, which was already available through the tools, but could not provide more than the complainant was obliged to do under the law.
As regards the proof of identity of the XXXX, the complainant argued in this letter that: "On the basis of a copy of the passport alone, and in view of the large number of persons with identical names and the possibility of also using other people's names - such as "XXXX" as a pseudonym - no conclusion could be drawn as to the existence of any data processing that would require information. Therefore, the copy of a passport alone does not constitute sufficient proof of identity in the factual context in question. Nor did the sending of correspondence by Google to XXXX's e-mail address show that the complainant had no doubts about the allocation of the user account to him. The reply to the address given by XXXX did not remove the complainant's doubts as to the identity and allocation to a user account. Unfortunately, the provision of an e-mail address belonging to a Google Account is a tactic that unauthorised persons would also use to gain access to external data. The complainant had fulfilled her obligations by requesting access to the Google Account through the XXXX using the access data chosen by him. Without proper authentication, however, no information could be provided in case of doubts as to identity, which would exist in such a case. It is therefore up to XXXX to access his Google Account and view the data or information about him.
In a letter of 3 January 2020, XXXX, as an interested party, submitted written comments, stating in particular that, as a data subject, he was not obliged to cooperate and that he had been identifiable to the complainant. In his statement, XXXX stressed that the current legal situation under the DSGVO did not impose any obligation on information providers to cooperate and further explained that this was the case: Responsible persons were therefore only entitled to ask information applicants to specify their requests for information, but were not entitled to any clarification. Information seekers could therefore insist on being informed of all data processed concerning their person. The complainant's request for information had explicitly asked for information on all data relating to her person. The complainant was therefore under a legal obligation to provide him with complete information, without his having to cooperate in the provision of information. 
In order to identify himself, he stated that Information seekers were also to be regarded as sufficiently identified if they knew the login data (user ID and password) of user accounts or could prove the power of disposal over user accounts (such as e-mail inboxes) in some other way. The complainant is in no doubt that he has power of disposal over the e-mail box "XXXX @gmail.com" stored with the complainant. The information to be provided by the complainant would therefore have to include all data processed in connection with this user account. 
Finally, he claimed that he still considered that his right of access had been infringed because the complainant had still not provided him with written information on the data processed concerning him. 
In a letter of 17 January 2020, the complainant further submitted, inter alia, that since 22 January 2019, Google Ireland Limited was the controller of personal data relating to the use of its services by users habitually resident in the EEA or Switzerland. To this extent, Google LLC is now "no longer the controller in the sense of the DSGVO of the processing activities previously covered by the complaint". This has no influence on the processing of personal data in making available the search results displayed in the Google search engine. The complainant was still responsible for these personal data in accordance with the provisions of the DSGVO.
In a letter from the Federal Administrative Court dated 30 January 2020, the complainant was requested, for further clarification, to submit to the Federal Administrative Court all contractual and other documents indicating "whether Google LLC or Google Ireland Limited is currently responsible for the XXXX information".
In its written observations of 21 February 2020, received on 24 February 2020, the complainant essentially submitted 
As regards the current liability of Google LLC and Google Ireland Limited in respect of the seven sub-paragraphs of the contested part of the first part of the abovementioned decision, which relate to data processing outside the user account, the applicant states that the position of responsibility is differentiated in relation to any processing of personal data relating to the person of XXXX outside his Google account:
	Google Ireland Limited would currently be responsible within the meaning of Art. 4 Z 7 DSGVO for any processing of personal data by XXXX outside the user account, but in connection with the use of a Google service;
during
	Google LLC would currently be responsible within the meaning of Art. 4 Z 7 DSGVO for any processing of personal data of XXXX outside the user account in search results.
An oral hearing had been scheduled at the Federal Administrative Court for 02.04.2020, but this was cancelled again on 27.03.2020 due to corona conditions. 
On 8 July 2020, an oral hearing was then held before the Federal Administrative Court, in which all parties involved in the appeal proceedings took part. 
On the complainant's side, after prior consultation with the presiding judge, XXXX participated as XXXX. He gave the following reason for his presence at the hearing as an informed representative (see p. 4 of the minutes of the hearing): When the complainant received XXXX's request for information of 30.10.2015, he had held the same position as he does today. He recalled that he was well aware that they had received a letter from the XXXX, including the complainant's home address and a copy of her passport. However, given that the events of that time had taken place a long time ago, he might not be able to remember everything in full. At the hearing (on p. 6 of the minutes of the hearing), the informed representative confirmed that he had participated in the drafting of the complainant's reply letter of 22 December 2015 and that the information contained in the reply letter was correct to the best of his knowledge and belief at the time. 
In the file, the informed representative has a power of attorney from "Google LLC", which was issued on 29.06.2020 in Menlo Park, California, by its Managing Member (= supplement to OZ 1/26). 
As regards the question of liability, the presiding judge already stated at the hearing (on p. 3 of the minutes of the hearing) that Google Inc. was responsible for the proceedings concerning the request for information of 30 October 2015 and that Google LLC had entered the proceedings as its legal successor and thus as the current complainant. 
Before the end of the hearing, the presiding judge had closed the evidence proceedings (on p. 11). 
II The Federal Administrative Court considered
1. observations:
The subject of the administrative procedure concerning a possible violation of the right to information is the assessment of whether the request for information of the XXXX of 30.10.2015 was complied with in conformity with the law by the complainant's reply of 22.12.2015 (written in German) - confirmed by a further reply of 24.02.2016.
During the administrative procedure before the data protection authority, Google Inc. was the principal (now the controller) for the processing of personal data of the XXXX . In the meantime, Google LLC has entered the proceedings as the legal successor to Google Inc. and is therefore the complainant.
In its request for information dated 30.10.2015, XXXX requested information on the following seven points:
	all data processed concerning his person, 
	the information on their origin,
	any recipients or groups of recipients of transmissions,
	the purpose(s) for which the data is used,
	the legal basis(s) for the use of the data,
	possible automated individual decision making and 
	concretely consulted service providers.
As a result, the information requested by XXXX concerns his personal data both within and outside his user account with the complainant.
Already with the request for information, the complainant had been provided by XXXX with a copy of her passport as proof of identity. The complainant also knew the e-mail address (" XXXX @gmail.com") and the home address of XXXX. Moreover, there had already been correspondence between the complainant and XXXX using his e-mail address in 2014. 
It is clear that in the run-up to the reply, XXXX was identifiable to the complainant on the basis of the available identity references and previous correspondence, possibly in combination with an appropriate location of the XXXX's computer.
Thus, the complainant was in principle obliged to provide the information requested by XXXX or, in case of impossibility, to provide negative information.
In its reply of 22.12.2015, XXXX was referred in a first step to the access to the online tools provided by the complainant in relation to its user account. In a second step, XXXX was asked to specify its request for information regarding all requested information that could not be accessed via the aforementioned online tools via a web form specifically provided for this purpose, specifically via (https://support.google.com/policies/contact/sar). This means that all personal data of XXXX - both inside and outside the user account - that could not be accessed via the online tools were included in this request for clarification by the complainant. 
With regard to this data, in order to authenticate the identity of XXXX as a user, the complainant has requested that the user log in to his user account in order to access the relevant web form. 
Furthermore, it is clear that XXXX did not comply with the complainant's request for clarification, although he could have done so in principle as the holder of a user account with the complainant. 
For these reasons, it must be concluded that it is decisive,
	that XXXX has been referred to his user account for access to the online tools, insofar as the requested information has been received in this regard, and
	that, for all data not accessible via this link, he was asked by the complainant to specify his request for information in a further step, which he did not comply with; in this respect, XXXX subsequently did not receive any further information from the complainant in accordance with the law.
2. assessment of evidence:
The findings on the relevant facts are set out in the administrative act, the complaint and the judicial act. 
 In several written statements, XXXX made a claim both before the data protection authority and before the Federal Administrative Court (see also his statements in the hearing on p. 9f of the minutes of the hearing), 
(a)	that for the complainant there was no doubt whatsoever as to the allocation of the user account to his person and therefore no need for any further identification; and
	(b)	that he was not obliged to be referred to online tools provided by the complainant in order to obtain information at his own expense
On the basis of the existing identity references and the previous correspondence, XXXX was identifiable for the complainant - possibly in connection with a location of XXXX's computer - in the run-up to the reply, so that the argument of XXXX ad (a) can only be accepted.
All statements made at the hearing by the informed representative of the complainant to the effect that XXXX could not be identified either by the identity cards submitted or by additional internal organisational measures or other indications given to the complainant in the run-up to the reply are unrealistic and therefore lack credibility in view of the complainant's large organisational structure and its possibilities.
As a consequence of this, the complainant, as the provider of information, was at that time - as stated above - in principle obliged to provide either the requested information or, where appropriate, negative information.
The complainant complied with this obligation within the limits of her possibilities in her reply of 22.12.2015 - confirmed by that of 24.02.2016 - also in concrete terms by taking the two steps identified. 
The reason given for the reference to access to online tools in this reply was literally "to quickly and easily consult a summary of the data related to the account". Furthermore, the complainant XXXX provided detailed information on how he can access his personal data in the user account itself (...). The informed representative of the complainant even offered to "communicate directly with XXXX in order to carry it out if necessary through the online tools" (see p. 8 of the minutes of the hearing).
Taking this into account, it is clear to the Senate that XXXX would have been able to access the online tools of his user account and that he had no access problem. Contrary to his submission ad (b), XXXX was therefore obliged to have himself referred to the complainant's online tools for his user account, but of course only with regard to those personal data that could be accessed there.
With regard to the above finding that the complainant's request for clarification covered all personal data of the XXXX that were not accessible in the online tools for the user account, the following considerations remain to be stressed: 
The complainant had already argued in several written submissions, which was repeated in the hearing on p. 6, that the Commission did not, in principle, make automated individual decisions. On this basis, the presiding judge expressly asked the informed representative of the complainant (see p. 6f of the minutes of the hearing) why the complainant had not (already) given negative information to XXXX in her reply regarding possible automated individual decisions within the user account. The informed representative subsequently replied that the sentence in the first paragraph of the second page of the reply letter ("In the event that the required information is not accessible via the above-mentioned tools, the user may submit his request to Google Inc. via a web form specifically provided for this purpose.") is understood by him to mean "that we have requested a general clarification for everything that we were unable to provide via our online tools". The informed representative also expressly answered in the affirmative to the further question of the presiding judge as to whether the request for clarification in the reply letter thus also referred to automated individual decisions (within and outside a user account) (see above p. 7 of the minutes of the hearing).
The statement to the contrary made at the hearing by the representative of the authorities (on page 8 below of the minutes of the hearing) is refuted in view of the clear wording of the quoted sentence, which was also confirmed by the informed representative at the hearing. 
The reason for the request for clarification - namely the protection of other persons known as " XXXX " - was already mentioned by the complainant in her reply (see penultimate paragraph on p. 2, cited in the course of the procedure on p. 3). 
The above findings are moreover based on the informed representative's reply to the presiding judge's further question on p. 7 below as to whether the complainant would have been able to provide XXXX with all the information it requested if XXXX had clarified its request for information (concerning the data not visible in the online tools) by means of the web form provided, with further information on the requested data. This answer was essentially as follows: "This hypothetical question is difficult to answer, as it depends in particular on what additional information would have been provided by XXXX (in response to a more precise request for information via the web form). We did not even know which services were involved. (...) The point is that we took the case extremely seriously. It did not go into a black box and no automated reply went out, I consulted with a colleague and together we came to the conclusion that we could do no more than we did (in the reply). (...) As far as I know, we have never received any details in the form of a request for information via the XXXX web form.
On the basis of all these considerations, the Senate has reached the above conclusions.
The complainant's further reply of 21 September 2016, which was sent after receipt of the above-mentioned decision of the data protection authority, is not relevant to this result, which is why no findings were made in this regard.
3. legal assessment:
3.1 According to § 6 BVwGG, the Federal Administrative Court decides by single judges, unless federal or Land laws provide for a decision by senates. 
Pursuant to Section 27 (1) DSG, the Federal Administrative Court decides through the Senate on appeals against notices, on breaches of the duty to inform pursuant to Section 24 (7) and of the data protection authority's duty to take decisions. Pursuant to the first sentence of Section 27(2) of the DSG, the Senate is composed of a chairman and one expert lay judge each from among the employers and the employees. The present case therefore falls within the competence of the Senate. 
The procedure of the administrative courts, with the exception of the Federal Finance Court, is regulated by the VwGVG, Federal Law Gazette I 2013/33 as amended by Federal Law Gazette I 2013/122 (section 1 leg.cit.). Pursuant to Article 58(2) of the VwGVG, conflicting provisions already announced at the time of entry into force of this federal act shall remain in force.
Pursuant to Article 17 of the Administrative Procedure Act (VwGVG), unless otherwise provided for in this Federal Act, the procedure on complaints pursuant to Article 130(1) of the Federal Constitution Act (B-VG) shall be governed by the provisions of the Administrative Procedure Act (AVG), with the exception of Articles 1 to 5 and Part IV, the provisions of the Federal Fiscal Code (Bundesabgabenordnung - BAO), Federal Law Gazette No 194/1961, the Agricultural Procedure Act (Agrarverfahrensgesetz - AgrVG), Federal Law Gazette No 245/1961, and the provisions of the Federal Law on the Supervision of Agricultural Procedures (Agrarverfahrensgesetz - AgrVG). No. 173/1950, and the Service Procedure Act 1984 - DVG, Federal Law Gazette No. 29/1984, and, moreover, to apply mutatis mutandis those procedural provisions in federal or Land laws which the authority has applied or would have had to apply in the proceedings before the administrative court. 
3.2 Under Article 28(1) of the VwGVG, the Administrative Court must settle the case by way of a decision, unless the complaint is to be rejected or the proceedings discontinued. 
Pursuant to Article 28(2) of the VwGVG, the Administrative Court must decide on complaints under Article 130(1)(1) of the Federal Constitution if the relevant facts have been established or if the establishment of the relevant facts by the Administrative Court itself is in the interest of speed or entails a considerable reduction in costs.
Pursuant to § 31 (1) VwGVG, decisions and orders are made by way of a resolution, unless a ruling is required. 
3.3. on A) 
3.3.1 Section 69 (4) of the DSG does not contain any transitional provisions regarding the pending proceedings in data protection matters before the Federal Administrative Court. Thus, the legal situation applicable is that in force at the time the Senate passed its resolution (cf. VwGH of 19 February 2018, Ra 2015/07/0074; VwGH of 22 February 2018, Ra 2017/22/0125; and many others).    
The relevant provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (basic data protection regulation) OJ L 119 of 4 May 2016, hereinafter referred to as "the Regulation": DSGVO, should read as follows
Article 4
Definitions

For the purposes of this Regulation
1) "personal data" shall mean any information relating to an identified or identifiable natural person (hereinafter referred to as "data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, a location data, an on-line identification or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
2.-6. (…)
(7) 'controller' means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union law or by the law of the Member States, provision may be made for the controller or for the specific criteria for his or her designation in accordance with Union law or the law of the Member States
8.-26. (…).

Article 11 
processing operations for which identification of the data subject is not necessary

Where the purposes for which a controller processes personal data do not or no longer require the identification of the data subject by the controller, the controller shall not be obliged to keep, obtain or process additional information to identify the data subject for the sole purpose of complying with this Regulation.
2. In cases referred to in paragraph 1 of this Article, where the responsible person can demonstrate that he is not able to identify the data subject, he shall inform the data subject thereof, where possible. In such cases, Articles 15 to 20 shall not apply unless the data subject provides, for the purpose of exercising his or her rights under those Articles, additional information enabling the data subject to be identified.

Article 12 
transparent information, communication and procedures for exercising the rights of the data subject

1. The controller shall take appropriate measures to provide the data subject with all the information referred to in Articles 13 and 14 and with all the notifications referred to in Articles 15 to 22 and Article 34 relating to the processing in a precise, transparent, comprehensible and easily accessible form, in clear and simple language, in particular information specifically aimed at children. The information shall be provided in writing or in any other form, including, where appropriate, by electronic means. If requested by the data subject, the information may be given orally, provided that the identity of the data subject has been established in some other form.
2. The controller shall facilitate the exercise of the rights of the data subject pursuant to Articles 15 to 22. In the cases referred to in Article 11(2), the controller may refuse to act on the data subject's request to exercise his rights pursuant to Articles 15 to 22 only if he establishes that he is unable to identify the data subject.
(3) - (5) (…)
6. Without prejudice to Article 11, where the responsible person has reasonable doubts as to the identity of the natural person making the request in accordance with Articles 15 to 21, he may request any additional information necessary to confirm the identity of the data subject.
(7) (…).

Article 15 
Right of access of the data subject

1.    The data subject shall have the right to obtain confirmation from the controller as to whether personal data relating to him or her are being processed; if this is the case, he or she shall have the right to be informed of such personal data and to receive the following information:
(a) the processing purposes;
(b) the categories of personal data processed
(c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular in the case of recipients in third countries or international organisations;
(d) if possible, the planned duration for which the personal data will be stored or, if this is not possible, the criteria for determining that duration;
(e) the existence of a right to rectify or erase personal data concerning him or her or to have it processed by the controller, or a right to object to such processing;
(f) the existence of a right of appeal to a supervisory authority;
(g) if the personal data are not collected from the data subject, all available information on the origin of the data;
(h) the existence of automated decision making, including profiling, as referred to in Article 22(1) and (4) and, at least in those cases, relevant information about the logic involved and the scope and intended impact of such processing on the data subject
(2) (…)
3. The controller shall provide a copy of the personal data being processed. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. If the data subject submits the request electronically, the information must be provided in a standard electronic format, unless the data subject indicates otherwise.
(4) (…).
3.3.2 Responsibility
In accordance with the subject matter of these administrative proceedings established in the facts above, the administrative proceedings relate to a period of time between the receipt of the request for information on 30.10.2015 and the repeated reply letter of 24.02.2016. The contracting authority (now the responsible party) was Google Inc. as the respondent before the data protection authority during this period.
In the meantime, Google has undergone an organisational or corporate change. Since 22.01.2019, Google Ireland Limited has been the data controller for users who are habitually resident in the European Economic Area or Switzerland, according to the current Google data protection declaration.
In the hearing before the Federal Administrative Court (see p. 3 and p. 10 below of the minutes of the hearing), the data protection authority took the view that - due to the organisational or corporate change within Google - Google Inc. (now Google LLC), but Google Ireland Limited was competent to provide the information in question to XXXX. In several written submissions to the Federal Administrative Court (as well as to the data protection authority, see annex to the minutes of the hearing), the complainant also argued in a similar direction, but not with the same clarity as the data protection authority.
The liability of a person is inseparably linked to the act itself, which at best constitutes a data protection violation. This is because, according to the administrative criminal proceedings under the DSGVO, (administrative) criminal prosecution can only take place if a crime can be attributed to a natural person as the perpetrator - even in the case of a legal entity, as the Administrative Court explained in detail in its ruling of 12 May 2020, Ro 2019/04/0229. Consequently, the question of liability also relates exclusively to the period (here: receipt of the request for information from 30.10.2015 to 24.02.2016) in which the act of a possible data protection violation was committed.
With this interpretation, the Senate follows the remarks of the Administrative Court in the said ruling.
Any other interpretation - including the above-mentioned interpretation by the data protection authority - would lead to the absurd result that a legal person as the responsible party (perpetrator) could evade its responsibility for the act of a data protection violation (in administrative criminal proceedings its criminal prosecution) by subsequently changing its organisational or corporate structure.
In accordance with the rules of civil law applicable in the event of a transfer of undertakings, Google LLC, as successor in title to Google Inc. 
In this context, it should not be left unmentioned that, for example, the European Court of Justice also ruled in a preliminary ruling procedure under Art. 267 TFEU that "Google LLC" was the "legal successor of Google Inc." (see ECJ of 24 September 2019 in Case C-507/17).
Although it is not covered by the subject matter of the complaint procedure, it should be mentioned for the sake of completeness that (administrative) criminal prosecution is excluded for acts of data protection infringement committed before the DSGVO entered into force on 25 May 2018. Until the entry into force of the DSGVO and its (direct applicability) and the DSG, legal persons were not subject to direct criminal liability and sanctions for violations of the DSG 2000 by natural persons attributable to them, as the Administrative Court expressly stated in the aforementioned ruling of 12 May 2020, margin no. 12.
For these reasons, the complainant, as a legal person, is a controller as defined in Article 4 (7) DSGVO, because it alone had to decide (during the period of the offence) on the purposes and means of processing personal data (of the XXXX ).
3.3.3 Right of access
According to Art. 15 para. 1 DPA, the data subject ( XXXX ) has the right to obtain confirmation from the controller as to whether personal data relating to him/her are being processed; if this is the case, he/she has the right to be informed of this personal data and to receive information in accordance with letters a) to h).
3.3.3.1 Identifiability in advance of the reply
According to the definition in Art. 4 No. 1 DPA, personal data is any information relating to an identified or identifiable natural person (hereinafter referred to as "data subject"). An identifiable natural person is deemed to be any natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. 
According to Ehmann/Selmayr (Ed., Datenschutz-Grundverordnung, 2nd edition, 2018, Art. 4 margin no. 16), this definition is to be understood in a meaningful way analogous to Art. 2 c and Art. 9 of Directive 202/58/EC, i.e. as a sequence of determinations of the geographical location and time of a device or person. Such a sequence of coordinates is already unambiguous at relatively high resolution and can thus serve to identify an individual. In addition to such dynamic location data, more static information, such as residential or office addresses, or other geographical information could also help to identify the person concerned.
It is clear from recital (64) that the data controller should use all reasonable means to verify the identity of a data subject seeking information, in particular in the context of on-line services and in the case of on-line identifiers.
On the question of identifiability, reference should also be made to the case law of the Administrative Court, according to which the identity of a data subject may also be clear from the situation. This can be the case, for example, if the contracting authority (note: now responsible) - without doubting the identity of the person concerned - has already agreed to a longer correspondence with the person concerned after an immediately preceding legal dispute (VwGH v. 04.07.2016, Ra 2016/04/0014; see also BVwG v. 27.05.2020, Zl. W214 2228346-1/16E). 
In the light of the above, it has already been established above that, in the run-up to reply XXXX, the complainant was identifiable as a data subject for the complainant on the basis of the existing identity references and previous correspondence in 2014, possibly in combination with an appropriate location of the data subject's computer.
3.3.3.2 Reference to inspection of the online tools versus written form regarding personal data within the user account
As already stated above, the complainant XXXX referred, in a first step, to the access to the online tools provided by her to the user account.
The reference to the access to the online tools of the user account has already been assessed as legal by the data protection authority in the notification with regard to the personal data accessible there.
In its statement of 3 January 2020, XXXX, as a co-involved party, argued that even after the DSGVO was in force, there was a right to written information (cf. Article 15 (3) DSGVO). Only if the party requesting the information submitted requests for information electronically would information have to be provided in a standard electronic format. Even in this case, however, information seekers can demand that information be provided in writing. Referring to online tools would contradict the wording of the DSGVO in the absence of an electronic application.
It is true that this opinion is held in the literature, including Ehmann (in Ehmann/Selmayr, Hrsg, Datenschutz-Grundverordnung, 2nd edition, 2018, Art. 15 Rz 32) to which XXXX also referred. From the point of view of the recognising senate, however, this must be countered in several respects: 
First of all, the requirement of electronic attachment as defined in Art. 15 (3) DSGVO (argument: "If the person concerned submits the application electronically, ...") can only apply to those attachments that were or will be made after the DSGVO came into force on 25 May 2018, which is not the case here because the request for information was submitted on 30 October 2015.
A recital in recital (59) explicitly states that the responsible person should also ensure that applications can be made electronically, in particular where personal data are processed electronically. This implies, according to one interpretation of the text, that applications may, but need not, be made electronically.
When writing the passages in margin no. 32 ("Indirectly, it follows that copies must also be made available in the case of an 'application on paper'"), Ehmann as author obviously had (older) persons in mind who have no computer access at all. In the last sentence of Rz 32 - also quoted by XXXX - Ehmann writes that the exercise of the right of access only makes sense for the person concerned if he receives the copies in a form "which enables him to read and evaluate the copies on the basis of his technical and other possibilities".
 XXXX is computer savvy and has computer equipment at home; he also did not dispute in the hearing that, due to his computer equipment, he basically has the possibility to have access to the online tools of his user account.
In this context, it should also be noted that recital (63) explicitly mentions Where possible, the data controller should be able to provide remote access to a secure system which would give the data subject direct access to his personal data.
It follows from these considerations in the present case that XXXX, as the holder of a user account with the complainant, had the opportunity to inspect the online tools, and in this respect he is not entitled to receive, in addition to this type of information, additional information in written form about the personal data within his user account. Therefore XXXX must be referred to the inspection of the online tools with regard to these personal data.
3.3.3.3 Request for clarification and impossibility of further identification regarding other data inside and outside the user account
The right of access in itself does not take absolute precedence over the rights and freedoms of other persons, but respect for the rights and freedoms of others must not lead to a data subject being denied any information. In other words, it is a practical concordance between the fundamental rights of a data subject and the fundamental rights of the person responsible or of third parties whose legal positions are affected (cf. Ehmann in Ehmann/Selmayr, ed., Datenschutz-Grundverordnung, 2nd edition 2018, Art. 15 Rz 10 and 36).
Art. 15 DSGVO itself does not contain any statement as to whether and in what way a data subject must contribute to facilitating the fulfilment of the duty of disclosure by providing the responsible party with information of his own. From this it can be concluded that, from the point of departure, it is solely the responsibility of the data controller how he or she fulfils the legal requirements for information. In any case, a general duty of cooperation of a data subject does not arise from this provision. In order to establish a practical concordance in the above sense, the overall situation of a responsible person must be taken into account, even if there is in principle no obligation of a data subject to cooperate. 
The international company Google LLC (the complainant) processes an exorbitantly large amount of data on data subjects because there is hardly a larger data processor than it exists on the world market. In view of the overall situation of the complainant as the person responsible for such a large amount of data, the following recital (63) in the last sentence applies here: 
Where the controller processes a large amount of information relating to the data subject, he should be able to require the data subject to specify to which information or which processing operations his request for information relates before providing him with it.
Referring to this recital, Ehmann states that only in this case can a responsible person demand a specification of a request for information (Ehmann in Ehmann/Selmayr, ed., Datenschutz-Grundverordnung, 2nd edition, 2018, Art. 15 Rz 24). This did not restrict the right to information, but was merely intended to avoid the person responsible having to make unnecessary efforts.
Feiler/Fórgo also refer to the last sentence in recital (63) and even say at this point that the data subject is under an obligation to clarify this (Feiler/Fórgo, EU Data Protection Basic Regulation, 2017, Art. 15 margin no. 1).
During the hearing, the complainant made it clear that some of the information requested by XXXX, such as the automated individual decisions, could not be provided without further clarification by XXXX.
The reason for the request for clarification - namely the protection of other persons known as " XXXX " - was mentioned by the complainant several times during the ongoing procedure, even in the reply itself. As the person responsible for the processing of data, the complainant is obliged under Article 15 DSGVO to protect other persons whose legal positions may be affected by keeping their data confidential. Since the complainant is responsible for processing an exorbitantly large amount of data, she must protect all the more other persons with the same name.
When weighing up the interests, therefore, the requirement to keep data of other persons with the same name confidential - the complainant speaks of about 3,910,000 search hits at www.google.at as of 10 December 2019 - is much more important than the individual right of the XXXX to be informed of all the requested information about his data.
For the purposes of further clarification, the complainant has requested (in a second step) that, in order to authenticate his identity in the wake of XXXX - in accordance with the requirements of Article 12 paragraph 6 DSGVO - he should log on to his user account in order to access the corresponding web form and fill in this form with further information on information still required. 
However, XXXX did not comply with this request for or obligation to specify this, as has already been said several times. 
For the data in question, account should also be taken of the last sentence in recital 57, which states that "identification should include the digital identification of a data subject, for example by means of authentication procedures using roughly the same credentials as those used by the data subject to register for the on-line service provided by the data controller". 
It is precisely through such an authentication procedure that the complainant has asked XXXX for further clarification. However, since the latter had not complied with this request, it was not possible to establish a personal link between the complainant's data and him for further information.
Subsequently, the complainant, as the person responsible pursuant to Art. 12 Para. 2 DSGVO, demonstrated that she was not in a position to (further) identify XXXX with regard to all other data of XXXX that cannot be viewed via the online tools. 
Therefore, pursuant to Art. 11 para. 2 last sentence in conjunction with Art. 12 para. 2 DSGVO, Art. 15 DSGVO does not apply to the relevant data of XXXX. Under these circumstances, the complainant was not obliged to provide XXXX with information on these data.
3.3.4 It follows from all of the above that XXXX has received from the complainant part of the information requested, namely his personal data within the user account by enabling access to the online tools made available, and has refused to provide further information in the absence of any other means of identification by XXXX.
Since the contested parts of the above-mentioned decision are unlawful on these grounds within the meaning of Article 130(1)(1) of the Federal Constitution, the appeal lodged against them was unlawful under Paragraph 28(2) of the VwGVG in conjunction with Paragraph 24(1) and (1) and (2) of the B-VG. 5 DSG as amended, with the provisos that part 1. of the ruling concerning the data protection complaint of 1 February 2016 was dismissed as unfounded to the extent challenged and part 2. was therefore to be set aside without substitution. 
3.4 B) Admissibility of the appeal:
Pursuant to § 25a (1) VwGG, the Administrative Court must state in its ruling or order whether the appeal is admissible under Article 133 (4) B-VG. The statement must briefly state the reasons for the ruling. 
The appeal is admissible under Art. 133 (4) B-VG, because the decision depends on the solution of a legal question of fundamental importance. The largely missing case law of the Administrative Court on the legal situation under the DSG and the DSGVO (here: Articles 11 and 15), which has been in force since 25 May 2018, is of great significance in this context.
European Case Law Identifier
ECLI:AT:BVWG:2020:W101.2132183.1.00