BVwG - W101 2218962-2

From GDPRhub
BVwG - W101 2218962-2
Courts logo1.png
Court: BVwG (Austria)
Jurisdiction: Austria
Relevant Law: Article 5 GDPR
Article 6 GDPR
§ 1 Austrian Data Protection Act (Datenschutzgesetz - DSG)
Decided: 27.06.2022
Published: 11.08.2022
Parties: unknown data subject (complainant before the DSB)
unknown controller (respondent before the DSB)
Austrian Data Protection Authority (Datenschutzbehörde - DSB)
National Case Number/Name: W101 2218962-2
European Case Law Identifier: ECLI:AT:BVWG:2022:W101.2218962.2.00
Appeal from: DSB (Austria)
DSB-D123.357/0001-DSB/2019
Appeal to: Unknown
Original Language(s): German
Original Source: Rechtsinformationssystem des Bundes (in German)
Initial Contributor: n/a

The Austrian Federal Administrative Court held that an accountant violated § 1 of the Austrian Data Protection Act (right to privacy) by calculating the claims of the data subject's soon to be ex-wife using unlawfully obtained personal data.

English Summary[edit | edit source]

Facts[edit | edit source]

The data subject and his wife were in divorce proceedings. The wife mandated a chartered accountant (controller) to calculate her (future) alimony claims against the data subject. According to the data subject, the controller's report on the alimony claims was partially based on data that was not publicly available, especially data on the financial situation of a private foundation that was one of the data subject's sources of income.

The data subject accused the controller of having obtained this data unlawfully and lodged a complaint with the Austrian Data Protection Authority (Datenschutzbehörde - DSB) regarding a violation of § 1 Austrian Data Protection Act (Datenschutzgesetz - DSG) (right to privacy).

Before the DSB, the controller argued that the report on the alimony claims was based on documents provided by the data subject's wife. The data subject contested to have ever handed any information concerning the private foundation to his wife.

The DSB dismissed the complaint, holding that the controller's interests in processing the data to provide a correct report of the alimony claims outweighed the interests of the data data subject. Furthermore the interests of the data subject's wife to have her alimony claims assessed correctly also outweighed the interests of the data data subject.

The data subject appealed the decision, arguing that his wife's economic interest could never outweigh his right to privacy. Also, the controller's interest could not outweigh the data subject's interest, as the data regarding the data subject's private foundation had been obtained in an unlawful manner - i.e. not by sending a request to the private foundation but by obtaining them from the data subject's wife who had not been entitled to share them.

Holding[edit | edit source]

The BVwG upheld the appeal, overturned the DSB's decision and held that the controller had violated the data subject's right to privacy under § 1 DSG. It held that the controller had no legal basis under Article 6 GDPR to even obtain the relevant data from the data subject's wife. The data subject had not consented to his wife sharing the data with anyone and contrary to the DSB's findings, the interests of the data subject outweighed those of the controller and the wife. Furthermore, the BVwG found that the controller had violated Article 5(1)(f) GDPR, although it is not clear from the decision how the BVwG came to this conclusion.

Comment[edit | edit source]

The case is connected to BVwG - W101 2218962-1, where the BVwG ruled on the controller's violation of Article 15 GDPR.

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the German original. Please refer to the German original for more details.

decision date

06/27/2022

standard

B-VG Art133 Para.4
DSG §1
DSG §24
DSG §24 paragraph 1
DSG §24 paragraph 5
DSG §7
GDPR Art4
GDPR Art5
GDPR Art6
VwGVG §28 paragraph 2

saying

W101 2218962-2/19E

IN THE NAME OF THE REPUBLIC!

The Federal Administrative Court, through the judge Dr. Christine AMANN as chairwoman, the expert lay judge Mag. Viktoria HAIDINGER as assessor and the expert lay judge Mag. Thomas GSCHAAR as assessor on the complaint of the XXXX, represented by: PIATY MÜLLER-MEZIN, SCHÖLLER RAe, against the ruling part 1 of the decision of the data protection authority from April 10th, 2019, GZ. DSB-D123.357/0001-DSB/2019, rightly recognized after an oral hearing:

a)

The complaint is granted in accordance with Section 28 (2) VwGVG in conjunction with Section 24 (1) and (5) DSG as amended and it is determined that the party involved, as the person responsible, has violated the complainant's right to secrecy by storing his personal data worthy of protection in the (Private) report from 16.05.2018 processed.

b)

The revision is not permitted according to Art. 133 Para. 4 B-VG.

text

Reasons for decision:

I. Procedure:

On August 22nd, 2018, improved with a letter dated September 25th, 2018 due to a defect rectification order from the data protection authority, Mr. XXXX (= complainant before the Federal Administrative Court and applicant before the data protection authority) brought a data protection complaint against Mr. XXXX as managing director of XXXX GmbH (= involved party before the Federal Administrative Court and respondent before the data protection authority) because his right to secrecy had been violated. He justified his data protection complaint essentially as follows:

The complainant is currently in divorce proceedings and his (still) wife commissioned the party involved to prepare a corresponding expert opinion for the purpose of calculating maintenance. In this report, she stated, among other things, that her calculations were based on a large amount of publicly available information. However, this statement is objectively incorrect, since the data used by the party involved relates, for example, to the annual results of foundations or book values that are not shown or read in any public information source. Therefore, it is obvious that they obtained, researched and/or processed this data in an unlawful way. The party involved informed a third person of the financial figures of the XXXX private foundation and the income accruing to the complainant from this, thereby violating the complainant's right to secrecy under Section 1 (1) DSG.

In a statement dated November 5th, 2018, the party involved in relation to the complainant’s data protection complaint essentially stated the following:

Since the complainant's (still) wife and children are beneficiaries of the foundation, she considers the data protection complaint within the meaning of Art. 6 (1) lit. a, b, c and f GDPR and a request for deletion to be misguided and not very effective. The statement was accompanied by a letter from the legal representative of the party involved to the data protection authority dated August 28, 2017, which stated that the report in question had been prepared on the basis of documents that the complainant's (still) wife had received from the complainant .

In a statement dated March 7, 2019, the complainant denied ever having given his (still) wife any documents relating to the foundation.

With ruling part 1 of the notice of April 10, 2019, GZ. DSB-D123.357/0001-DSB/2019, the data protection authority partially rejected the data protection complaint of August 22, 2018 (regarding the violation of the right to secrecy).

With regard to part 1 of the above decision, the data protection authority essentially made the following findings of fact:

The complainant is in divorce proceedings with his wife. She had commissioned the party involved to prepare an expert opinion on her maintenance and the post-marital division of assets.

The party involved is an auditor and generally sworn and court-certified expert as well as the managing director of XXXX GmbH.

It could not be determined how the party involved connected to the complainant's data processed in the present report - with the exception of the publicly accessible data - namely the economic key figures of the XXXX private foundation such as the income accruing to the complainant, book values of properties of the XXXX private foundation and the annual results of the XXXX private foundation.

The complainant's wife was a beneficiary of the XXXX private foundation.

On the basis of these factual findings, the data protection authority essentially concluded the following in legal terms:

According to Section 1 (1) DSG 2000, everyone has the right to confidentiality of personal data concerning them, in particular with regard to respect for their private and family life, insofar as there is a legitimate interest in doing so. The existence of such an interest is excluded if data is not accessible to a non-disclosure claim due to their general availability or due to their lack of traceability to the data subject.

The complainant submits that the collection, storage, transmission, publication and making available of his personal data - namely the economic key figures of the XXXX Foundation such as the income accruing to the complainant, book values of properties of the XXXX private foundation and the annual results of the XXXX private foundation - to third parties regarding the expert opinion in question without any legal basis and therefore violated the complainant's right to secrecy.

Since it was not possible to determine how the party involved got hold of the economic personal data of the complainant - namely the economic key figures of the XXXX Foundation such as the income accruing to the complainant, book values of properties of the XXXX private foundation and the annual results of the XXXX private foundation , the data protection complaint had to be dismissed because of a violation of the right to secrecy due to the collection of the complainant's economic personal data.

In principle, a legitimate interest in maintaining secrecy regarding the personal data of the complainant is to be affirmed, since the key financial figures of the XXXX private foundation and the income accruing to the complainant from them are data of the complainant that are not generally available. Restrictions on this right to secrecy are only permissible under the conditions specified in Section 1 (2) DSG; in the present case, the processing was not carried out in the vital interests of the complainant and there is no doubt that there was no consent to the processing within the scope of the present report. Therefore, it should be checked whether overriding legitimate interests of the party involved or of another party, i.e. in particular the wife of the complainant, would justify the processing by the party involved. In the case of a balancing of interests to be carried out in accordance with Section 1 (2) DSG, the interests of the party involved, namely their obligation to the faultless fulfillment of the contract towards the complainant's wife, would outweigh the complainant's interests in secrecy. However, the interests of the complainant's wife weighed even more heavily than the interests of the party involved because she was in divorce proceedings with the complainant. As a result, the processing of the complainant's personal data was lawful due to the existence of overriding legitimate interests of the party involved and the complainant's wife. There is therefore no violation of the right to secrecy. At this point, it should also be pointed out that the complainant's wife, as a beneficiary of the XXXX private foundation, has a right to information against it. For example, Section 30 (1) of the Private Foundation Act (PSG) stipulates that a beneficiary of the private foundation can also obtain information about the fulfillment of the purpose of the foundation and inspect the annual financial statements, the management report, the audit report, the books, the foundation deed and in request the supplementary foundation deed. It follows from this that the complainant's wife has a legal right under Section 30 PSG to know the key financial figures of the XXXX private foundation.

In the complaint lodged against part 1 of this decision within the time limit, the complainant essentially submitted:

The data protection authority's view that the interest in the fulfillment of a contract for work (commission from the complainant's wife to the party involved to prepare the expert opinion in question) outweighs the interest in secrecy is completely wrong. The right to data protection is a constitutionally guaranteed right, while the interest in the correct fulfillment of a work contract relates exclusively to a purely economic interest. Such an interest can never outweigh a fundamental right.

In addition, there was no interest on the part of the party involved (= wife of the complainant) that would outweigh the interests of the complainant. It may be true that the client of the party involved has an interest in receiving certain key figures to quantify their claim. However, this cannot mean that this would be obtained in violation of a constitutionally guaranteed right. The party involved did not even claim that their client had obtained this data lawfully. Your client should therefore have gone the "official route" and asked the XXXX private foundation for the relevant key figures. Since she obviously did not do this, there is no reason to unlawfully receive and process the relevant data while eliminating the right to secrecy. You could therefore have no interest in the data being processed if you were to obtain them in a legally correct manner.

After all, according to the settled case law of the civil courts, a private expert opinion merely represents a private document that exclusively reflects the opinion of its author, i.e. the party involved. This document is therefore not suitable evidence for quantifying any claims in divorce proceedings.

The complainant thus submitted the applications that the Federal Administrative Court should

1. Agree with his complaint and amend part 1 of the contested decision in such a way that, in granting the complaint, it is established that the party involved violated the complainant’s fundamental right to data protection; and

2. If necessary, correct part 1 of the contested decision and refer the matter back to the data protection authority for a new decision.

With a letter from the data protection authority dated May 21, 2019, the complaint against part 1 of the contested decision, including the administrative act, was sent to the Federal Administrative Court.

On April 27, 2022, an oral hearing took place before the Federal Administrative Court, in which all parties involved in the complaint proceedings took part and in which the (still) wife of the complainant was questioned as a witness.

II. The Federal Administrative Court considered:

1. Findings:

The applicant moved out of the marital home XXXX in April 2015, but left personal documents and things there for more than a year. It wasn't until the summer of 2016 that he cleared out most of the things that belonged to him from this apartment.

Since the complainant's move out, both spouses have been trying and meeting in this regard to reach an amicable solution or divorce. Disputed divorce proceedings between the (still) married couple are currently underway at a civil court in Graz.

At the request of the (still) wife, the party involved, acting as a trustee, prepared an expert opinion dated May 16, 2018 on any maintenance claims against the complainant. The involved party comes to the conclusion that the assessment basis for the maintenance claim of the (still) wife amounts to EUR XXXX million annually and that her claim to pro rata marital savings after the dissolution of the marriage amounts to EUR XXXX to XXXX million. On the basis of this assessment basis, the party involved arrives at a monthly maintenance claim in the amount of EUR XXXX for the (still) wife.

The complainant then asserted in his data protection complaint dated August 22, 2018, improved in a letter dated September 25, 2018, based on a defect rectification order from the data protection authority, that he was in his right from the involved party through the processing of his sensitive personal data in the expert opinion of May 16, 2018 breached for secrecy.

In this report, the complainant's personal data was processed by the party involved, a small part of which was publicly accessible, but which was mostly handed over by the (still) wife. The complainant’s personal data worthy of protection, which was not publicly accessible, was specifically processed by the party involved under the following points of the report (only mentioned here to the extent that it is necessary for understanding):

14. At this point, the results of the XXXX private foundation are listed numerically, which can only be read in estimated form from the annual financial statements for 2015, 2016 and for 2017.

16. For the "relevant years" the applicant's net income is given ad personam.

24. Among other things, the Complainant's assets as of the reference date are listed as follows:

– XXXX properties (apartments) with a total value in the millions;

– Value of the complainant's share in the law firm with the specific figure EUR XXXX;

– a securities account and account with XXXX also worth millions;

26. The complainant's assets in the XXXX private foundation are listed here, also in the millions (from an annual financial statement of the private foundation).

In November 2015, in the presence of XXXX, there was a meeting between the (still) wife and the party involved. She then sent various documents from the complainant to the party involved. In any case, one of these transmissions must have taken place in January 2018, because parts of the transmitted data have only existed since the end of 2017, these are in particular the 2016 annual financial statements of the XXXX private foundation and the value of EUR XXXX of the complainant's share in the law firm - a value , which must come from the complainant's tax return.

The (still) wife knew, on the one hand, that these were documents of her husband or the complainant and, on the other hand, that she only owed it to his careless handling as a computer layman that she had come into possession of these documents at all. At the time the said documents of the complainant were sent to the intervening party, the (ex)wife knew or should have known that the complainant did not (did not) consent to the processing of his personal data in these documents.

The party involved processed the personal data of the complainant in the expert opinion of May 16, 2018 in the belief that his client - the (still) wife - was lawfully in possession of the documents she had sent (the complainant), but did not check this in any way . However, as the person responsible within the meaning of the GDPR, the party involved was obliged to ensure the legality of the information it processed with the personal data of the complainant before processing.

It is therefore decisive that the complainant's right to secrecy was violated by the party involved as (sole) responsible through the processing of his (not publicly accessible) personal data worthy of protection in the expert opinion of May 16, 2018.

2. Evidence assessment:

The findings on the relevant facts result in particular from the taking of evidence in the oral hearing on April 27, 2022 and are based on the following considerations:

The (still) wife already had access to the complainant's computer while they were living together in the apartment at the address given and she had often sent e-mails from the e-mail address XXXX on his instructions. After moving out of the apartment, the complainant, as a so-called "computer layman", did not bother that his (still) wife was blocked from this access. After the computer broke down and was subsequently picked up by a law firm employee, the (still) wife still had access to the complainant's e-mail traffic via an I-Pad that had been made available to her under the E -Mail address. Such carelessness in dealing with one's own e-mail address can certainly be described as a breach of care. Due to these considerations, the above statements refer to the complainant's "careless handling" of his computer data.

Both from the statements of the (still) wife, who had been questioned as a witness at the hearing, and those of the complainant himself at the hearing, it could be concluded that the (still) wife only thanks to the complainant’s careless handling as a computer layperson in possession received the documents, which it then transmitted to the party involved, and that it should have known or should have known at the time of this transmission that the complainant did not (did not) consent to the processing of his personal data in these documents. .

The complainant was able to credibly argue that, as a computer layman, he did not know until January 2018 that his (still) wife still had access to his e-mail traffic at the stated address in the apartment. During the negotiation, he presented an e-mail exchange between his (former) law firm partner and the responsible tax advisor for the law firm (= Enclosure No. 1 of the negotiation protocol).

The fact that the annual financial statements of the XXXX private foundation are not publicly accessible is evident both from the excerpt from the company register (= Appendix No. 2 to the minutes of the hearing) and the relevant statement by the party involved in response to the relevant question from the legal representative of the complainant (see p. 22 of the minutes of the hearing). .

The fact that the specific number of XXXX properties (apartments) is not publicly accessible results from the land register itself, in which one is not allowed to search for a name in all the land register entries therein.

The (still) wife testified several times in court that, with the consent of her husband (= complainant), she had access to his data on the computer, including the personal data of the complainant, which she subsequently transmitted to the party involved (see e.g. p. 9 of the minutes of the hearing, the witness’s first response to the judge’s question in this regard, consistent in content before the civil court in Graz in the disputed divorce proceedings, p. 6 of the minutes of the hearing of November 17th, 2020, Zl. 9). These statements to the contrary by the (still) wife are to be qualified as purely protective claims on the basis of the above statements.

Since the complainant did not give his consent to the processing of his personal data and therefore the (still) wife was not lawfully in possession of these documents, the party involved unlawfully used the data transmitted to her by the complainant in the report of May 16, 2018 processed. The party involved, as the sole responsible chartered accountant, in particular failed to check the legality of the data processed by him in the report, which is why he also failed to meet his accountability under the GDPR.

The party involved prepared the report at a time when both (still) married couples were interested in an amicable solution. With the results of the expert opinion stated in the third paragraph above, which amounted to a considerable amount of millions, it should have been clear to the party involved as the expert that an amicable solution or divorce is no longer possible for the complainant. As stated above in the second paragraph of the findings, disputed divorce proceedings between the (still) married couple are currently underway in Graz.

The other findings also result from the various statements made by the parties present and the witness at the hearing.

For the sake of completeness, it should be mentioned that the complainant or his legal representative presented several decisions of the civil courts (up to the Supreme Court) in the course of the hearing, according to which the (still) wife does not have a "beneficiary" position in the XXXX private foundation . Since the competent senate has determined the relevant facts according to the above findings (and judged them differently from the data protection authority), this evidence is of no importance in the present complaint proceedings.

3. Legal assessment:

3.1. According to Art. 130 Para. 1 Z 1 B-VG, the administrative courts decide on complaints against the decision of an administrative authority due to illegality.

According to § 6 BVwGG, the Federal Administrative Court decides through a single judge, unless federal or state laws provide for the decision to be made by senates.

Pursuant to Section 27 (1) DSG, the Federal Administrative Court decides through the Senate on complaints against decisions due to violation of the duty to inform pursuant to Section 24 (7) leg. cit. and the duty of the data protection authority to make a decision. In accordance with Section 27 (2) first sentence DSG, the Senate consists of a chairman and one expert lay judge each from the circle of employers and from the circle of employees.

In this case, the Senate is responsible.

The procedure of the administrative courts, with the exception of the Federal Finance Court, is regulated by the VwGVG, Federal Law Gazette I 2013/33 as amended by Federal Law Gazette I 2013/122 (§ 1 leg.cit.). Pursuant to Section 58 (2) VwGVG, conflicting provisions that were already promulgated at the time this federal law came into force remain in force.

According to § 17 VwGVG, unless otherwise specified in this federal law, the provisions of the AVG with the exception of §§ 1 to 5 and Part IV, the provisions, apply to the procedure for complaints pursuant to Art. 130 Para. 1 B-VG the Federal Fiscal Code - BAO, Federal Law Gazette No. 194/1961, the Agricultural Procedures Act - AgrVG, Federal Law Gazette No. 173/1950, and the Service Law Procedures Act 1984 - DVG, Federal Law Gazette No. 29/1984, and otherwise those procedural provisions in federal or state laws that the authority applied or should have applied in the proceedings preceding the proceedings before the administrative court.

3.2. Pursuant to § 31 Para. 1 VwGVG, the decisions and orders are made by way of a resolution, unless a finding is to be made.

Pursuant to Section 28 (1) VwGVG, the administrative court has to settle the legal matter by finding it unless the complaint is to be rejected or the proceedings are to be discontinued.

According to § 28 para. 2 VwGVG, the administrative court has to decide on the matter itself if the relevant facts are established or the determination of the relevant facts by the administrative court itself is in the interest of speed or is associated with significant cost savings.

3.3. to A)

3.3.1. Applicable Law

3.3.1.1. The relevant provisions of the GDPR

Article 4

definitions

For the purposes of this Regulation, the term means:

1. "Personal data" means any information relating to an identified or identifiable natural person (hereinafter "data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more special features that express the physical , physiological, genetic, mental, economic, cultural or social identity of that natural person;

2. "Processing" means any process carried out with or without the help of automated processes or any such series of processes in connection with personal data, such as collection, recording, organisation, ordering, storage, adaptation or modification, reading out, querying, use, disclosure by transmission, distribution or any other form of making available, matching or linking, restriction, deletion or destruction;

3rd - 6th (…)

7. "Responsible person" means the natural or legal person, public authority, agency or other body that alone or jointly with others decides on the purposes and means of processing personal data; if the purposes and means of this processing are specified by Union law or the law of the Member States, the person responsible or the specific criteria for his naming can be provided for by Union law or the law of the Member States;

8th - 9th (…)

10. "Third party" means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct responsibility of the controller or processor, are authorized to process the personal data ;

11. "Consent" of the data subject means any voluntary, informed and unequivocal expression of will in the specific case, in the form of a declaration or other clear affirmative action, with which the data subject indicates that they are consenting to the processing of data concerning them agrees to personal data;

12.- 26. (…)

Article 5

Principles for the processing of personal data

(1) Personal data must

a) processed lawfully, fairly and in a manner that is transparent to the data subject ("lawfulness, fair processing, transparency");

b) collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes; further processing for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes shall not be deemed incompatible with the original purposes pursuant to Article 89(1) ("purpose limitation");

c) adequate and relevant to the purpose and limited to what is necessary for the purposes of the processing ("data minimization");

d) accurate and, where necessary, up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without undue delay ("accuracy");

e) stored in a form which permits identification of data subjects only for as long as is necessary for the purposes for which they are processed; personal data may be stored for a longer period to the extent that the personal data are used exclusively for archiving purposes in the public interest or for scientific and historical research purposes, subject to the implementation of appropriate technical and organizational measures required by this regulation to protect the rights and freedoms of the data subject, or processed for statistical purposes in accordance with Article 89(1) ("storage limitation");

f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organizational measures ("integrity and confidentiality");

(2) The person responsible is responsible for compliance with paragraph 1 and must be able to prove compliance with it (“accountability”).

Article 6

lawfulness of processing

(1) The processing is only lawful if at least one of the following conditions is met:
a) the data subject has given their consent to the processing of their personal data for one or more specific purposes;

b) processing is necessary for the performance of a contract to which the data subject is party or for the implementation of pre-contractual measures at the request of the data subject;

c) processing is necessary for compliance with a legal obligation to which the controller is subject;

d) processing is necessary to protect vital interests of the data subject or another natural person;

e) the processing is necessary for the performance of a task that is in the public interest or in the exercise of official authority that has been delegated to the controller;

f) processing is necessary to safeguard the legitimate interests of the person responsible or a third party, unless the interests or fundamental rights and freedoms of the data subject that require the protection of personal data prevail, in particular if the data subject is a child acts.

Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their duties.

2. Member States may maintain or introduce more specific provisions adapting the application of the rules of this Regulation in relation to processing to comply with points (c) and (e) of paragraph 1 by specifying specific requirements for processing and other measures to ensure a lawful and to ensure fair processing, including for other special processing situations as set out in Chapter IX.

(3) The legal basis for the processing pursuant to paragraph 1 letters c and e is determined by

a) Union law or

b) the law of the Member States to which the controller is subject.

The purpose of the processing must be specified in this legal basis or, with regard to the processing referred to in paragraph 1 letter e, be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. This legal basis may contain specific provisions adjusting the application of the provisions of this Regulation, including provisions on which general conditions apply to regulate the lawfulness of processing by the controller, what types of data are processed, which subjects are concerned, to which entities and for what purposes the personal data may be disclosed, the purpose limitations, how long they may be stored and what processing operations and procedures may be used, including measures to ensure lawful and fair processing, such as those for others special processing situations according to Chapter IX. Union law or the law of the Member States must pursue an objective in the public interest and be proportionate to the legitimate aim pursued.

(4) If the processing for a purpose other than that for which the personal data was collected is not based on the consent of the data subject or on a legal provision of the Union or of the Member States which, in a democratic society, is a necessary and proportionate measure to protection of the objectives referred to in Article 23(1), the controller shall, in order to determine whether the processing for another purpose is compatible with the one for which the personal data were originally collected, take into account, among other things

a) any link between the purposes for which the personal data were collected and the purposes of the intended further processing,

b) the context in which the personal data was collected, in particular with regard to the relationship between the data subject and the person responsible,

c) the nature of the personal data, in particular whether special categories of personal data are processed pursuant to Article 9 or whether personal data relating to criminal convictions and offenses are processed pursuant to Article 10,

d) the possible consequences of the intended further processing for the data subjects,

e) the existence of appropriate safeguards, which may include encryption or pseudonymisation.

3.3.1.2. The relevant provisions of the DSG

Article 7
Consent Conditions

(1) If the processing is based on consent, the person responsible must be able to prove that the data subject has consented to the processing of their personal data.

(2) If the data subject's consent is given in the form of a written statement which also concerns other matters, the request for consent shall be made in an intelligible and easily accessible form, using clear and plain language, in such a way that it is clearly distinguishable from the other matters is. Parts of the declaration are not binding if they constitute a violation of this regulation.

(3) The data subject has the right to revoke their consent at any time. The revocation of the consent does not affect the legality of the processing carried out on the basis of the consent up to the point of revocation. The data subject will be informed of this before consent is given. Withdrawing consent must be as simple as giving consent.

(4) When assessing whether consent is freely given, utmost account shall be taken of whether, among other things, the performance of a contract, including the provision of a service, is dependent on consent to the processing of personal data, which are not required for the performance of the contract.

article 1

(constitutional provision)

fundamental right to data protection

§ 1. (1) Everyone has the right to confidentiality of their personal data, in particular with regard to respect for their private and family life, insofar as there is a legitimate interest in doing so. The existence of such an interest is excluded if data are not accessible to a non-disclosure claim due to their general availability or due to their lack of traceability to the data subject.

(2) Insofar as personal data is not used in the vital interests of the person concerned or with his or her consent, restrictions on the right to secrecy are only permissible to protect overriding legitimate interests of another, and in the case of interventions by a state authority only on the basis of laws, which are necessary for the reasons stated in Art. 8 Para. 2 of the European Convention for the Protection of Human Rights and Fundamental Freedoms (EMRK), Federal Law Gazette No. 210/1958. Such laws may only provide for the use of data, which by their nature are particularly worthy of protection, to protect important public interests and must at the same time provide for appropriate guarantees for the protection of the confidentiality interests of the data subjects. Even in the case of permissible restrictions, the encroachment on the fundamental right may only be carried out in the mildest way that leads to the goal.

(...)

Complaint to the data protection authority

Section 24. (1) Every data subject has the right to lodge a complaint with the data protection authority if they believe that the processing of their personal data violates the GDPR or Section 1 or Article 2, Part 1.

(2) The complaint must contain:

1. the designation of the right deemed to have been infringed,

2. as far as this is reasonable, the designation of the legal entity or body to which the alleged infringement is attributed (respondent party),

3. the facts from which the infringement is derived,

4. the grounds on which the allegation of illegality is based,

5. the desire to determine the alleged infringement and

6. the information required to assess whether the complaint was filed in a timely manner.

(3) A complaint may be accompanied by the application on which it is based and any response by the respondent. The data protection authority shall provide further assistance in the event of a complaint at the request of the data subject.

(4) The right to have a complaint dealt with shall lapse if the intervener does not file it within one year of becoming aware of the event giving rise to the complaint, but at the latest within three years after the event allegedly took place. Late complaints are to be rejected.

(5) If a complaint proves to be justified, it must be followed. If an infringement is attributable to a person responsible for the private sphere, the person responsible must be instructed to comply with the complainant's requests for information, correction, deletion, restriction or data transfer to the extent necessary to eliminate the identified infringement. If the complaint proves to be unjustified, it must be dismissed.

(6) Until the proceedings before the data protection authority have been concluded, a respondent may subsequently remedy the alleged infringement by complying with the complainant's requests. If the data protection authority considers the complaint to be unfounded, it must hear the complainant. At the same time, he should be made aware that the data protection authority will informally discontinue the procedure if he does not explain within a reasonable period of time why he still considers the originally alleged infringement to be at least partially not remedied. If the essence of the matter is changed by such a statement by the complainant (Section 13(8) AVG), it is to be assumed that the original complaint will be withdrawn and a new complaint will be filed at the same time. In this case, too, the original complaint procedure is to be discontinued informally and the complainant to be informed. Late statements are not to be considered.

(7) The complainant will be informed by the data protection authority about the status and the result of the investigation within three months of filing the complaint.

(8) Any data subject may appeal to the Federal Administrative Court if the data protection authority does not deal with the complaint or has not informed the data subject of the status or the outcome of the complaint within three months.

(9) The data protection authority can - if necessary - involve official experts in the procedure.

(10) The decision period according to § 73 AVG does not include:

1. the time during which the proceedings are suspended until the final decision on a preliminary question;

2. the time during a procedure according to Art. 56, 60 and 63 DSGVO.

3.3.2. According to the constitutional provision of § 1 Para. 1 DSG, everyone has the right to confidentiality of personal data concerning him/her, in particular with regard to respect for private and family life, insofar as there is a legitimate interest in confidentiality. In this context, personal data worthy of protection is not only to be understood as easily recognizable personal information, such as a person's name, gender, address or place of residence, but also, for example, value judgments and thus personal information per se. All personal data - i.e. both automatically and manually processed data - must be kept secret if there is a legitimate interest in secrecy or processing of this data is not permitted.

The central starting point as to whether a fundamental right claim exists at all according to § 1 Para. 1 DSG is the existence of "worthy of protection" interests. A weighing of interests must be carried out when examining them. In particular, the principle of legality under data protection law must be taken into account here.

The involved party, as solely responsible within the meaning of Art. 4 Z 7 DSGVO, prepared a (private) report for his client – the (still) wife of the complainant – on May 16, 2018 in order to document their possible future maintenance claims against the complainant. This was the only purpose of this expert opinion, namely - as already mentioned - at a time when both (still) married couples were interested in an amicable solution or divorce.

The (still) wife, as the transmitter of most of the complainant's personal data, which was then processed by the party involved in the report, is in the given case constellation a "third party" within the meaning of Art. 4 Z 10 DSGVO.

According to Article 6 Paragraph 1 Letter a) GDPR, the processing of personal data is lawful if the person concerned has given their consent to the processing of their personal data for one or more specific purposes.

In the event of consent, the person responsible must be able to prove in accordance with Art. 7 Para. 1 DSGVO that the person concerned has consented to the processing of their personal data. In this regard, recital (42) expressly states:

"Where processing is based on the data subject's consent, the controller should be able to demonstrate that the data subject has consented to the processing operation. In particular when giving a written statement on another matter, safeguards should ensure that the data subject knows that and to what extent consent is given. (...) In order to be able to give informed consent, the data subject should at least know who the controller is and for what purposes their personal data are to be processed. Consent should only be assumed to exist if they have a real or free choice and are therefore able to withhold or withdraw consent without suffering detriment." (See also Guidelines 05 /2020 V 1.1, margin nos. 90 and 111; Kastelitz in Knyrim, DatKomm Art.

With regard to the provision of Article 7 (1) GDPR, "consent" is generally emphasized:

"Consent should be given by a clear affirmative action, giving freely, specifically, in an informed manner and unequivocally, that the data subject consents to the processing of personal data concerning him/her. (…) Silence, ticked boxes or inaction on the part of the data subject should therefore not constitute consent. Consent should cover all processing operations carried out for the same purpose (…). (...)"

It is concretely established that the involved party as the controller did not obtain the complainant's consent prior to the processing of his data, therefore, according to the above considerations on the provisions of Article 6(1)(a) and Article 7(1)(a) and Article 7(1) 1 GDPR, no consent was given by the complainant to the processing of his personal data in the expert opinion of May 16, 2018.

Furthermore, it must be checked whether the processing in question is (or was) necessary in accordance with Art of the data subject, which require the protection of personal data, prevail.

Regarding this provision, recital (47) specifically states:

"The lawfulness of processing may be based on the legitimate interests of a controller, including a controller to whom the personal data may be disclosed, or a third party, provided the interests or fundamental rights and freedoms of the data subject do not prevail; in doing so, the reasonable expectations of the data subject based on their relationship with the controller shall be taken into account. (...) In particular, when personal data is processed in situations in which a data subject need not reasonably expect further processing, the interests and fundamental rights of the data subject could outweigh the interests of the controller. (...)" (cf. also Jahnel, commentary on the General Data Protection Regulation Art. 6 GDPR, margin no. 79 [status 1.12.2020, rdb.at]; Kastelitz/Hötzendorfer/Tschohl in Knyrim, DatKomm Art 6. GDPR, margin no. 49 to 55 [as of May 7, 2020, rdb.at]).

In the absence of the complainant's consent, the involved party, as the person responsible, should not have disclosed the documents with his personal data by way of transmission by the (still) wife as a third party. Even if the (still) wife, as a third party, is not generally denied a legitimate interest in the documentation of her possible future maintenance claims, that of the complainant prevails in the weighing of interests to be carried out here, for the following reason: The over 80-year-old complainant as a computer layman has didn't know at all that his (still) wife still had access to his e-mail address XXXX after he moved out - especially at the turn of the year 2017 to 2018; this also taking into account his careless handling of his e-mail address in this regard. Therefore, the complainant, as the person concerned, did not have to expect that the party involved would process his personal data in the report of May 16, 2018.

With reference to the last quoted sentence of recital (47), it is therefore clear as a result of the balancing of interests between (the party involved or) the third party and the complainant that in the given case constellation the interests of the complainant prevail because those processed by him Data are more worthy of protection either because of his personal income situation or - regarding the XXXX private foundation - because of the trade secret.

From this it follows that, according to Art. 6 Para. 1 GDPR, none of the conditions contained therein are (or have been) fulfilled and the processing of the complainant’s personal data in question can therefore be described as unlawful.

A principle for the processing of personal data according to Article 5 Paragraph 1 lit good faith, transparency").

Recital (39) to this provision states:

“Any processing of personal data should be lawful and fair. There should be transparency for natural persons as to whether personal data relating to them is being collected, used, viewed or otherwise processed and to what extent the personal data is being processed and will be processed in the future. The principle of transparency requires that all information and communications relating to the processing of that personal data are easily accessible and understandable and that they are expressed in clear and plain language. This principle concerns in particular the information on the identity of the person responsible and the purposes of the processing and other information that ensure fair and transparent processing with regard to the data subjects, as well as their right to obtain confirmation and information about which ones concern them personal data are processed. (...)" (cf. also Jahnel, commentary on the General Data Protection Regulation Art. 5 GDPR, margin nos. 8 to 15 [status 1.12.2020, rdb.at]; Hötzendorfer/ Tschohl/Kastelitz in Knyrim, DatKomm Art. 5 GDPR, Margin nos. 11 to 19 [as of May 7, 2020, rdb.at]).

Taking these considerations into account, it should also be noted for the present case that, according to this GDPR provision, the principles of fair processing and transparency were violated in addition to legality.

As a further principle for the processing of personal data, Art. 5 (1) lit. f) provides that personal data must be processed in a manner that ensures appropriate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage through appropriate technical and organizational measures (“Integrity and Confidentiality”).

Regarding this principle, recitals (39) state:

"(...) Personal data should be processed in a manner that ensures their security and confidentiality, including that unauthorized persons do not have access to the data and cannot use the data or the equipment with which they are processed." (cf. also Jahnel, commentary on the General Data Protection Regulation Art. 5 GDPR, margin nos. 51 and 52 [as of December 1st, 2020, rdb.at]; Hötzendorfer/Tschohl/Kastelitz in Knyrim, DatKomm Art. 5 GDPR, margin nos. 54 to 56 [as of May 7, 2020, rdb.at]).

Even if the party involved, as the responsible party, has made every effort to treat everything very confidentially by even handling the case itself and without involving other employees, this was not sufficient in terms of the principle of integrity and confidentiality to ensure an appropriate to ensure the security of the complainant's personal data.

Pursuant to Article 5(2), the controller is responsible for compliance with paragraph 1 and must be able to demonstrate compliance ("accountability").

For these reasons, the party involved, as the person responsible, has also not complied with the principles according to lit. a) and f) of Article 5 Paragraph 1 and accordingly has not been able to prove compliance with them.

For the reasons set out, the competent Senate, unlike the data protection authority, comes to the decisive conclusion that the complainant is entitled by the party involved as (sole) responsible through the processing of his personal data worthy of protection in the expert opinion of May 16, 2018 with personal data secrecy was violated.

Since the contested decision is illegal within the meaning of Art. 130 Para. 1 Z 1 B-VG for these reasons, the complaint raised against it according to § 28 Para. 2 VwGVG in conjunction with § 24 Para that the party involved, as the person responsible, violated the complainant's right to secrecy by processing his personal data worthy of protection in the (private) report of May 16, 2018.

3.4. Re B) Inadmissibility of the revision:

Pursuant to § 25a Para. 1 VwGG, the administrative court has to pronounce in its ruling or decision whether the revision is admissible according to Art. 133 Para. 4 B-VG. The statement must be briefly justified.

According to Art. 133 Para. 4 B-VG, the revision is not permissible because the decision does not depend on the solution of a legal question that is of fundamental importance. The present decision neither deviates from the previous case law of the Administrative Court, nor is there any case law; Furthermore, the case law of the Administrative Court is not to be judged as inconsistent. There are also no other indications of a fundamental importance of the legal question to be solved.