BVwG - W137 2255764-1
From GDPRhub
| BVwG - W137 2255764-1 | |
|---|---|
 | |
| Court: | BVwG (Austria) |
| Jurisdiction: | Austria |
| Relevant Law: | Article 44 GDPR |
| Decided: | 30.06.2023 |
| Published: | 18.08.2023 |
| Parties: | |
| National Case Number/Name: | W137 2255764-1 |
| European Case Law Identifier: | ECLI:AT:BVWG:2023:W137.2255764.1.00 |
| Appeal from: | DSB (Austria) 2022-0.298.191 |
| Appeal to: | Unknown |
| Original Language(s): | German |
| Original Source: | RIS (Austria) (in German) |
| Initial Contributor: | mg |
In one of the 101 complaints filed by noyb, an Austrian court confirmed the Austrian DPA’s position that a “risk-based approach” to data transfers is not compatible with Chapter V of the GDPR.
English Summary
Facts
This judgement stems from one of the 101 complaints filed by the NGO noyb in the context of data transfers to the US. The data subject lamented a violation of Chapter V GDPR due to the unlawful transfer of their personal data in lack of a valid legal basis. The controller made use of analytical tools by Google on their website. When visiting such a website, the data subject triggered a transfer of personal data to the US, where Google processes personal data imported from Europe. Data transfers between US and EU were originally based on an Adequacy Decision by the Commision, in turn based on the transatlantic legal framework known as 'Privacy Shield'. Nevertheless, after C-311/18 (“Schrems II”), the Commission’s adequacy decision concerning was invalidated by the CJEU. Consequently, controllers could export data only on the basis of alternative tools guaranteeing an adequate level of protection, such as Standard Contractual Clauses (SSCs).
The Austrian DPA held that SSCs implemented by the controller – the “data exporter” – could not guarantee an adequate level of protection, mainly due to their inability to limit the power of US intelligence agencies to access personal data stored by Google.
The controller appealed the decision. The controller claimed that data transferred were not personal data and that in any case Chapter V GDPR envisages a risk-based approach, which was taken into account by the controller. Finally, the controller also argued that the data subject had no legitimation to bring action, as at the time of the events they were working for the NGO that represented them in the procedure before the DPA.
Holding
The Austrian Federal Administrative Court (Bundesverwaltungsgericht - BVwG) rejected the appeal.
First, the court denied that the fact that the data subject worked with the NGO representing them pursuant to Article 80 GDPR could exclude their legitimation to file a complaint against the controller.
About the qualification of the information transferred as personal data, the court noted that this included: a unique online identifier associated with both the device and the browser used by the data subject, address of the website and pages visited by the data subject and time of the visit, IP-address of the data subject’s device and other pieces of information concerning browser, operating system, language, screen resolution. The court stressed that the combination of these elements could easily lead to the identification a data subject, which is sufficient to qualify data as ‘personal’ within the meaning of the GDPR. Article 4(1) GDPR specifies indeed that data are personal when the can be linked to an identified or identifiable natural person.
Concerning the use of SSCs under Article 46(2)(c) GDPR, the court held that the “risk-based approach” proposed by the controller was not compatible with the GDPR. SSCs in the context of US law and practice were not able to guarantee an adequate level of protection.
Comment
Please clarify that the court DID NOT position itself regarding the question of a "risk-based approach". Under 3.3.6 the court cleary states:
"Aus diesem Grund ist auf den Inhalt dieser Vereinbarung und einen allfälligen risikobasierten Ansatz bei der Beurteilung auch nicht näher einzugehen.
Vielmehr sind jene Teile des angefochtenen Spruchpunktes, die sich – in irriger Annahme, die Standard-Datenschutzklauseln wären am 11.08.2020 eingebunden gewesen – mit dem nicht angemessenen Schutzniveau befassen, ersatzlos zu beheben. Der Vollständigkeit halber ist festzuhalten, dass sich aus der gegenständlichen Entscheidung keine Schlüsse zu den später vereinbarten Standard-Datenschutzklauseln und die Frage eines risikobasierten Ansatzes ableiten lassen."
The court finds that SCCs cannot be entered retractively and, therefore, the court did not need to address the "risk-based approach" issue.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
decision date
06/30/2023
standard
B-VG Art133 Para.4
DSG §1
DSG §24
GDPR Art4
GDPR Art44
GDPR Art5
GDPR Art6
VwGVG §28 paragraph 2
B-VG Art. 133 today B-VG Art. 133 valid from 01.01.2019 to 24.05.2018 last amended by Federal Law Gazette I No. 138/2017 B-VG Art. 133 valid from 01.01.2019 last amended by Federal Law Gazette I No. 22/2018 B-VG Art. 133 valid from 05/25/2018 to 12/31/2018 last changed by Federal Law Gazette I No. 22/2018 B-VG Art. 133 valid from 08/01/2014 to 05/24/2018 last changed by BGBl I No. 164/2013 Federal Constitutional Law Art by BGBl. I No. 100/2003 B-VG Art. 133 valid from 01.01.1975 to 31.12.2003 last amended by BGBl. No. 444/1974 B-VG Art. 133 valid from 25.12.1946 to 31.12.1974 last amended by Federal Law Gazette No. 211/1946 B-VG Art. 133 valid from December 19, 1945 to December 24, 1946 last amended by StGBl. No. 4/1945 B-VG Art. 133 valid from 01/03/1930 to 06/30/1934
DSG Art. 1 § 1 today DSG Art. 1 § 1 valid from 01.01.2014 last changed by Federal Law Gazette I No. 51/2012 DSG Art. 1 § 1 valid from 01.01.2000 to 31.12.2013
DSG Art. 2 § 24 today DSG Art. 2 § 24 valid from May 25th, 2018 last changed by Federal Law Gazette I No. 120/2017 DSG Art. 2 § 24 valid from January 1st, 2010 to May 24th, 2018 last changed by Federal Law Gazette I No. 133/2009 DSG Art. 2 § 24 valid from 01.01.2000 to 31.12.2009
VwGVG § 28 today VwGVG § 28 valid from 01/01/2019 last amended by Federal Law Gazette I No. 138/2017 VwGVG § 28 valid from 01/01/2014 to 12/31/2018
saying
W137 2255764-1/44E
Written copy of the verbal decision announced on March 10, 2023
IN THE NAME OF THE REPUBLIC!
The Federal Administrative Court, through the judge Mag. Peter HAMMER as chairman and the expert lay judges Mag. Ursula ILLIBAUER and Mag. Martina CHLESTIL as assessors, on the complaint of XXXX, represented by DORDA Rechtsanwälte GmbH, against the decision of the data protection authority of April 22, 2022, GZ . D155.026, 2022-0.298.191, after conducting an oral hearing on January 11, 2023, January 24, 2023 and March 10, 2023, rightly recognised: The Federal Administrative Court, through the judge Mag. Peter HAMMER as chairman and the expert lay judges Mag. Ursula ILLIBAUER and Mag. Martina CHLESTIL as assessors on the complaint by römisch XXXX, represented by DORDA Rechtsanwälte GmbH, against the decision of the data protection authority of April 22, 2022, GZ. D155.026, 2022-0.298.191, rightly recognized after an oral hearing on January 11, 2023, January 24, 2023 and March 10, 2023:
a)
The complaint is dismissed as unfounded in accordance with Section 28 (2) VwGVG in conjunction with Section 44 GDPR as amended with the proviso that clause 2. b) of the contested decision is remedied without replacement. The complaint is rejected as unfounded in accordance with Section 28, Paragraph 2, VwGVG in conjunction with Section 44, GDPR as amended, with the proviso that point 2. b) of the contested decision is remedied without replacement.
b)
The revision is permitted in accordance with Article 133, Paragraph 4 of the Federal Constitution. The revision is permitted in accordance with Article 133, Paragraph 4 of the Federal Constitution.
text
Reasons for decision:
I. Procedure: Roman one. Procedure:
1. In a letter dated August 18, 2020, Mr XXXX (= involved party 1 before the Federal Administrative Court and complainant before the data protection authority) lodged a data protection complaint against XXXX (= complainant before the Federal Administrative Court and first respondent before the data protection authority) and XXXX (= involved party 2 before the Federal Administrative Court and second respondent to the data protection authority) for violation of the general principles of data transmission in accordance with Art. 44 GDPR. He justified his data protection complaint as follows: 1. In a letter dated August 18, 2020, Mr. roman XXXX (= involved party 1 before the Federal Administrative Court and complainant before the data protection authority) lodged a data protection complaint against roman XXXX (= complainant before the Federal Administrative Court and first respondent before the data protection authority) and roman XXXX (= involved party 2 before the Federal Administrative Court and second respondent before the data protection authority) for violation of the general principles of data transmission according to Article 44, DSGVO. He justified his privacy complaint as follows:
The complainant visited the website of the first respondent ( XXXX ) on August 11, 2020. "XXXX" is embedded in this. He was logged into his XXXX account, which in turn was linked to his email address. In this process, personal data was transferred from the first respondent to the second respondent - and thus to the USA. The complainant visited the website of the first respondent on August 11, 2020 (Roman XXXX). " Roman XXXX " is embedded in this. He was logged into his Roman XXXX account, which in turn was linked to his email address. In this process, personal data was transferred from the first respondent to the second respondent - and thus to the USA.
Due to the abolition of "Privacy Shield" (adequacy decision pursuant to Art. 45 (1) GDPR) with the judgment of the ECJ of July 16, 2020 (C-311/18), the respondents were not in a position to adequately protect the personal data of the complainant during the transfer to the USA. Due to the abolition of "Privacy Shield" (adequacy decision pursuant to Article 45, (1) GDPR) with the judgment of the ECJ of July 16, 2020 (C-311/18), the respondents were not in a position to adequately protect the personal data of the complainant during the transfer to the USA.
The Respondents essentially argued that the transmitted data could not be classified as "personal data". In addition, a risk-based approach must be used when assessing the transfer. In addition, the complainant acts as an employee of NOYB and the selected representation constellation effectively represents a circumvention construction for a class action right that is not provided for in the Austrian legal system.
2. With partial notification of April 22, 2022, GZ. D155.026, 2022-0.298.191, the data protection authority (DSB) made the following decision after obtaining extensive statements from the parties to the procedure - after temporarily suspending the procedure with a decision of October 2nd, 2020 (see point 1.):
"1. The decision of the data protection authority of October 2, 2020, Zl. D155.026, 2020-0.526.838 will be remedied.
2. The appeal against the first respondent is upheld and it is found that
a) the first respondent, as the person responsible, transmitted the complainant's personal data (these are at least unique user identification numbers, IP address and browser parameters) to the second respondent by implementing the " XXXX " tool on its website at XXXX on August 11, 2020 , the first respondent, as the person responsible, transmitted the complainant's personal data (these are at least unique user identification numbers, IP address and browser parameters) to the second respondent by implementing the " roman XXXX " tool on its website at roman XXXX at least on August 11, 2020 has,
b) the standard data protection clauses that the first respondent has concluded with the second respondent do not offer an adequate level of protection in accordance with Art. 44 GDPR, since the standard data protection clauses that the first respondent has concluded with the second respondent do not offer an adequate level of protection in accordance with Article 44, GDPR, since
i) Second Respondent as a provider of electronic communications services within the meaning of 50 U.S. code § 1881(b)(4) and as such subject to surveillance by U.S. intelligence agencies under 50 U.S. Code § 1881a ("FISA 702"), and the Second Respondent, as a provider of electronic communications services within the meaning of 50 U.S. Code Section 1881 (, b,)(4) and as such subject to surveillance by U.S. intelligence agencies under 50 U.S. Code Section 1881 a, (“FISA 702”), and
ii) the measures taken in addition to the standard data protection clauses referred to in point 2. b) are not effective because they do not eliminate the possibilities for surveillance and access by US intelligence services,
c) In the present case, no other instrument pursuant to Chapter V of the GDPR can be used for the data transfer referred to in point 2.a) and the Respondent therefore does not have an appropriate level of protection in accordance with Art. 44 for the data transfer referred to in point 2.a). GDPR has guaranteed. In the present case, no other instrument pursuant to Chapter 5 of the GDPR can be used for the data transfer referred to in point 2.a) and the Respondent therefore does not have an appropriate level of protection for the data transfer referred to in point 2.a). Article 44, GDPR guaranteed.
3. The complaint against the second respondent because of a violation of the general principles of data transmission pursuant to Article 44 GDPR is dismissed. "The complaint against the second respondent because of a violation of the general principles of data transmission pursuant to Article 44 GDPR is dismissed."
3. In this context, the data protection authority essentially made the following factual findings:
In any event, the first respondent was the operator of the "XXXX" service in August 2020. “ XXXX ” is an online comparison portal. The first respondent operates the website XXXX for the Austrian market. " Roman XXXX " is an online comparison portal. The first respondent operates the website roman XXXX for the Austrian market
The second respondent developed the XXXX tool. XXXX is a measurement service that enables customers of the second respondent, among other things, to measure traffic characteristics of a website. This also includes measuring the traffic of visitors who visit a specific website. This makes it possible to understand the behavior of website visitors and measure how they interact with a specific website. Specifically, a website operator can create an XXXX account and use a dashboard to view reports on the website. XXXX can also be used to measure and optimize the effectiveness of advertising campaigns that website owners run on XXXX advertising services. The second respondent developed the Roman XXXX tool. Roman XXXX is a measurement service that enables customers of the second respondent to measure traffic properties of a website, among other things. This also includes measuring the traffic of visitors who visit a specific website. This makes it possible to understand the behavior of website visitors and measure how they interact with a specific website. Specifically, a website operator can create a roman XXXX account and use a dashboard to view reports on the website. Likewise, roman XXXX can be used to measure and optimize the effectiveness of advertising campaigns that website owners run on roman XXXX advertising services.
In any case, as of August 11, 2020, the first respondent - as the website operator - made the decision to use the free version of the XXXX tool for its " XXXX " websites. For this purpose, she has installed a JavaScript code ("tag"), which is provided by the second respondent, in the source code of her website. The first respondent used the tool to enable general statistical evaluations of the behavior of website visitors. In any case, the first respondent - as the website operator - made the decision as of August 11, 2020 to use the free version of the tool roman XXXX for her Use " Roman XXXX " websites. For this purpose, she has installed a JavaScript code ("tag"), which is provided by the second respondent, in the source code of her website. The first respondent used the tool to enable general statistical evaluations of the behavior of website visitors.
The Respondents have concluded a contract entitled "Contract Processor Conditions for XXXX Advertising Products". The version of January 1, 2020 of this contract was valid at least on August 11, 2020. The Respondents have concluded a contract entitled "Contract processor conditions for Roman XXXX advertising products". The version of January 1, 2020 of this contract was valid at least on August 11, 2020.
In the course of using the XXXX tool, the option is offered to use an "IP anonymization function". This function was used by the Respondent. As part of the embedding of XXXX on the website, the "anonymizeIP" function was set to "true". However, when the relevant scripts are loaded from XXXX servers, the full IP address of a website visitor is first transmitted to the second respondent. The IP address is only masked in a second step after it has entered the XXXX data collection network. In the course of using the Roman XXXX tool, the option is offered of using an "IP anonymization function". This function was used by the Respondent. As part of the embedding of Roman XXXX on the website, the "anonymizeIP" function was set to "true". When the relevant scripts are loaded from roman XXXX servers, the complete IP address of a website visitor is first transmitted to the second respondent. The IP address is only masked in a second step after it has entered the Roman XXXX data collection network.
The complainant visited the XXXX website on at least 11 August 2020. During the visit he was logged into his XXXX account. A XXXX account is a user account that is used to authenticate the second respondent to various XXXX online services. The complainant visited the Roman XXXX website at least on August 11, 2020. During the visit he was logged into his roman XXXX account. A roman XXXX account is a user account that is used to authenticate the second respondent to various roman XXXX online services.
Insofar as the XXXX tool is implemented on a website, the second respondent has the technical possibility of obtaining information that a specific XXXX account user has visited this website (on which XXXX is implemented), provided that this XXXX account user during of the visit is logged into the XXXX account. If the roman XXXX tool is implemented on a website, the second respondent has the technical possibility of obtaining information that a specific roman XXXX account user of this website (on which roman XXXX is implemented) visited, provided that this roman XXXX account user is logged into the roman XXXX account during the visit.
4. On the basis of these factual findings, the DPA essentially stated the following from a legal point of view:
The data transmitted on August 11, 2020 is personal data, whereby with regard to the second respondent, this is only included in the complaint at issue as the recipient of the transmitted data. The ECJ has declared that the EU-US adequacy decision ("Privacy Shield") is invalid - without maintaining its effect (cf. the judgment of July 16, 2020, C‑311/18 margin number 201 f). The data transmission in question is therefore not covered by Art. 45 GDPR. The data transmitted on August 11, 2020 is personal data, whereby the second respondent is only included in the complaint as the recipient of the transmitted data. The ECJ has declared that the EU-US adequacy decision ("Privacy Shield") - without maintaining its effect - is invalid compare the judgment of July 16, 2020, C‑311/18 Rz 201 f). The data transfer in question is therefore not covered by Article 45, GDPR.
Even the agreed standard data protection clauses (SDK) and other measures taken would not create the required level of protection; a risk-based approach is not provided for in the GDPR. However, as a data importer, the second respondent is not subject to the obligations set out in Chapter V of the GDPR. Even the agreed standard data protection clauses (SDK) and other measures taken would not create the required level of protection; a risk-based approach is not provided for in the GDPR. However, the second respondent as a data importer is not subject to the obligations set out in chapter five of the GDPR.
5. In the complaint against point 3 of the decision, which was raised within the time limit, the complainant essentially submitted:
In the complaint before the data protection authority, no violation of data subject rights was asserted. In addition, the submitted certificate of representation does not cover the acts of representation set and there is also no authority to bring a collective action. Against this background, the original complainant had no legitimacy to bring an action.
In addition, there is an inadmissibility for the data protection authority to establish “alleged violations in the past”.
In terms of content, there was also no personal data, in particular because the data transmitted was at least largely unspecified and, moreover, the necessary functions for linking to the XXXX account of the first instance complainant were not activated at all. In terms of content, there was also no personal data, in particular because the data transmitted was at least largely unspecified and, moreover, the necessary functions for linking to the roman XXXX account of the first instance complainant were not activated at all.
After all, the GDPR only requires an “appropriate level of protection” – which the ECJ has also confirmed. It is imperative that a risk-based approach is chosen. In its decision, the DSB goes well beyond this level of protection.
In the file submission, the authority concerned pointed out that the GDPR does not recognize a risk-based approach and that the data processing in question is associated with a very high risk for the data subject anyway. This data is also sufficiently individualized to create a unique profile of the browser, which is sufficient for the classification as "personal".
6. In a letter dated December 14, 2022, the involved party 1 submitted an application for a deadline to the Administrative Court.
With a procedural order of December 20, 2022, the Administrative Court requested the Federal Administrative Court to issue the decision within three months and to submit an original, transcript or copy of the same as well as a copy of the proof of the service of the decision to the complainant to the Administrative Court or to state why a There is no breach of the duty to make a decision.
7. On January 11, 2023, January 24, 2023 and March 10, 2023, the Federal Administrative Court - after obtaining or receiving further statements and replies from the parties to the proceedings - conducted an oral hearing in the presence of the complainant, his legal representative, the involved parties, their legal representatives and one representative of the authority concerned. In this context, the complaints of all parties to the procedure against the partial decision of April 22, 2022 were combined for joint conduct of the procedure.
The decision of the Federal Administrative Court in question was then announced orally.
After the oral pronouncement, the representative of the parties to the proceedings requested that the decision be made out in writing. This was noted in the negotiation protocol.
II. The Federal Administrative Court considered: Roman II. The Federal Administrative Court considered:
1. Findings:
1.1. In any event, the complainant was the operator of the "XXXX" service in August 2020. “ XXXX ” is an online comparison portal. It operates the website XXXX 1.1 for the Austrian market. In any event, the complainant was the operator of the “ Roman XXXX ” service in August 2020. " Roman XXXX " is an online comparison portal. It operates the website roman XXXX for the Austrian market
The involved party 2 has developed the tool XXXX. XXXX is a measurement service that enables customers of the second respondent to measure traffic characteristics, among other things. This also includes measuring the traffic of visitors who visit a specific website. This makes it possible to understand the behavior of website visitors and measure how they interact with a specific website. Specifically, a website operator can create an XXXX account and use a dashboard to view reports on the website. Likewise, XXXX can be used to measure and optimize the effectiveness of advertising campaigns that website owners run on XXXX advertising services. The involved party 2 developed the tool roman XXXX. Roman XXXX is a measurement service that enables customers of the second respondent, among other things, to measure traffic properties. This also includes measuring the traffic of visitors who visit a specific website. This makes it possible to understand the behavior of website visitors and measure how they interact with a specific website. Specifically, a website operator can create a roman XXXX account and use a dashboard to view reports on the website. Likewise, roman XXXX can be used to measure and optimize the effectiveness of advertising campaigns that website owners run on roman XXXX advertising services.
In any case, as of August 11, 2020, the complainant - as the website operator - made the decision to use the free version of the XXXX tool for its "XXXX" websites. For this purpose, it has installed a JavaScript code ("tag"), which is provided by the involved party 2, in the source code of its website. The complainant used the tool to enable general statistical evaluations of the behavior of website visitors. In any case, the complainant - as the website operator - made the decision as of August 11, 2020 to use the free version of the tool roman XXXX for her Use " Roman XXXX " websites. For this purpose, it has installed a JavaScript code ("tag"), which is provided by the involved party 2, in the source code of its website. The complainant used the tool to enable general statistical evaluations of the behavior of website visitors.
The complainant and the involved party 2 have concluded a contract entitled "Contract processor conditions for XXXX advertising products". This contract was valid in the version of January 1, 2020 at least on August 11, 2020. The complainant and the involved party 2 have concluded a contract entitled "Contract processor conditions for roman XXXX advertising products". The version of January 1, 2020 of this contract was valid at least on August 11, 2020.
In the course of using the XXXX tool, the option is offered to use an "IP anonymization function". This function was also used. As part of the embedding of XXXX on the website, the "anonymizeIP" function was set to "true". When loading the relevant scripts from XXXX servers, however, the complete IP address of a website visitor is first transmitted to the party 2 involved. The IP address is only masked in a second step after it has entered the XXXX data collection network. In the course of using the Roman XXXX tool, the option is offered of using an "IP anonymization function". This function was also used. As part of the embedding of Roman XXXX on the website, the "anonymizeIP" function was set to "true". When loading the relevant scripts from roman XXXX servers, however, the full IP address of a website visitor is first transmitted to the party 2 involved. The IP address is only masked in a second step after it has entered the Roman XXXX data collection network.
1.2. The involved party 1 visited the website XXXX at at least on August 11, 2020. During the visit she was logged into her (personal) XXXX account. A XXXX account is a user account that is used to authenticate the involved party 2 to various XXXX online services.1.2. The involved party 1 visited the website roman XXXX at at least on August 11, 2020. During the visit she was logged into her (personal) roman XXXX account. A roman XXXX account is a user account that is used to authenticate the involved party 2 to various roman XXXX online services.
Insofar as the XXXX tool is implemented on a website, the involved party 2 has the technical possibility of obtaining information that a specific XXXX account user has visited this website (on which XXXX is implemented), provided that this XXXX account user is logged into the XXXX account during the visit. If the roman XXXX tool is implemented on a website, the involved party 2 has the technical possibility of obtaining the information that a specific roman XXXX account user has visited this website (on the roman XXXX is implemented), provided that this roman XXXX account user is logged into the roman XXXX account during the visit.
1.3. In the transaction at issue between the browser of the involved party 1 and XXXX / on August 11, 2020, at 01:26:21.206 CET, unique user identification numbers were processed at least in the XXXX cookies. As a result, these identification numbers were sent on August 11, 2020, at 01:26:23.795 CET to https:// XXXX /collect and thus to the second respondent.1.3. In the transaction at issue between the browser of the involved party 1 and roman XXXX / on August 11, 2020, at 01:26:21.206 CET, unique user identification numbers were processed at least in the cookies roman XXXX. As a result, these identification numbers were sent to https:// roman XXXX /collect on August 11, 2020, at 01:26:23.795 CET and thus to the second respondent.
In addition, the following information (parameters) was also sent to the second respondent via the complainant's browser in the course of requests to https:// XXXX /collect (excerpt from the HAR file, XXXX : In addition, the following Information (parameters) transmitted to the second respondent via the complainant's browser in the course of requests to https:// roman XXXX /collect (excerpt from the HAR file, roman XXXX:
general
XXXX Roman XXXX
headers
XXXX Roman XXXX
Size
XXXX Roman XXXX
1.4. Due to the abolition of "Privacy Shield" with the judgment of the ECJ of July 16, 2020 (C-311/18), which took place ex tunc and without a transition period, there were no agreements between the complainant and the involved party 2 from July 17, 2020 at least integrated data protection clauses.
Corresponding changes to the order data processing conditions (DTPS) were drawn up immediately, but only came into force on August 12th, 2020. When visiting the website on August 11th, 2020, no standard data protection clauses (in the sense of the implementation decision of the European Commission 2010/87/EU of February 5th, 2010 on standard contractual clauses for the transmission of personal data to processors in third countries according to Directive 95/46/EC of the European Parliament and Council).”
2. Evidence assessment:
The findings on the relevant facts result from the administrative act, the complaint and the court act. The findings regarding the activities of the parties involved and their interaction are taken from the contested decision and are otherwise undisputed. The same applies to the complainant's visit to the website and the data transmission that took place in the process - as far as its technical content (but not its legal qualification) is concerned.
The data transmitted was already identified in the contested decision by the data protection authority and originates from the HAR file included in the administrative file. In the appeal proceedings, these findings were not contested by any party to the proceedings.
The findings on the functioning and (possible) tasks of XXXX result from the files, in particular the documents that the involved party 2 brought into the process itself. The findings on the functionality and (possible) tasks of roman XXXX result from the files , in particular the documents that the involved party 2 himself brought into the proceedings.
The findings regarding the judgment of the ECJ on number C-311/18 result from this and are also undisputed. It is also undisputed that the standard data protection clauses were not agreed until August 12, 2020. The retrospective entry into force intended by the contractual partners is inadmissible in the present administrative context. It is therefore clear that no standard data protection clauses were included in the agreement between the complainant and the second party involved from July 17, 2020 to August 11, 2020.
3. Legal assessment:
3.1. According to Art. 130 Para. 1 Z 1 B-VG, the administrative courts decide on complaints against the decision of an administrative authority due to illegality.3.1. According to Article 130, paragraph one, number one, B-VG, the administrative courts decide on complaints against the decision of an administrative authority due to illegality.
According to § 6 BVwGG, the Federal Administrative Court decides through a single judge, unless federal or state laws provide for the decision to be made by senates. According to Paragraph 6, BVwGG, the Federal Administrative Court decides through single judges, unless federal or state laws provide for a decision by senates.
According to Section 27 (1) DSG, the Federal Administrative Court through the Senate decides on complaints against decisions due to a violation of the obligation to inform
Section 24 (7) leg.cit. and the duty of the data protection authority to make a decision. In accordance with Section 27 (2) first sentence DSG, the Senate consists of a chairman and one expert lay judge each from the circle of employers and from the circle of employees. The Senate is therefore responsible in this case. Paragraph 24, paragraph 7, leg.cit. and the duty of the data protection authority to make a decision. According to paragraph 27, paragraph 2, first sentence DSG, the senate consists of a chairman and one competent lay judge each from the circle of employers and from the circle of employees. In this case, the Senate is responsible.
The procedure of the administrative courts, with the exception of the Federal Finance Court, is regulated by the VwGVG, Federal Law Gazette I 2013/33 as amended by Federal Law Gazette I 2013/122 (§ 1 leg.cit.). Pursuant to Section 58 (2) VwGVG, conflicting provisions that were already promulgated at the time this federal law came into force remain in force. roman one 2013/122, regulated (paragraph one, leg.cit.). Pursuant to Section 58, Paragraph 2, VwGVG, conflicting provisions that were already promulgated at the time this federal law came into force remain in force.
According to § 17 VwGVG, unless otherwise specified in this federal law, the provisions of the AVG with the exception of §§ 1 to 5 and Part IV, the provisions, apply to the procedure for complaints pursuant to Art. 130 Para. 1 B-VG the Federal Fiscal Code - BAO, Federal Law Gazette No. 194/1961, the Agricultural Procedures Act - AgrVG, Federal Law Gazette No. 173/1950, and the Service Law Procedures Act 1984 - DVG, Federal Law Gazette No. 29/1984, and otherwise those procedural provisions in federal or state laws, which the authority applied or should have applied in the procedure preceding the procedure before the administrative court. According to paragraph 17, APA, unless otherwise specified in this federal law, the procedure for complaints according to Article 130, paragraph one, B-VG the provisions of the AVG with the exception of paragraphs one to 5 and Roman Part IV, the provisions of the Federal Tax Code - BAO, Federal Law Gazette No. 194 from 1961, the Agricultural Procedures Act - AgrVG, Federal Law Gazette No. 173 from 1950, , and the Service Law Procedure Act 1984 – DVG, Federal Law Gazette No. 29 from 1984, and otherwise apply those procedural provisions in federal or state laws mutatis mutandis which the authority applied or should have applied in the proceedings preceding the proceedings before the administrative court.
3.2. Pursuant to Section 31 (1) VwGVG, the decisions and orders are made by way of a resolution, insofar as no knowledge is to be made.3.2. According to paragraph 31, paragraph one, VwGVG, the decisions and orders are made by resolution, unless a knowledge is to be made.
Pursuant to Section 28 (1) VwGVG, the administrative court has to settle the legal matter by finding it unless the complaint is to be rejected or the proceedings are to be discontinued. According to paragraph 28, paragraph one, VwGVG, the administrative court has to settle the legal matter by cognizance, unless the complaint is to be rejected or the proceedings are to be discontinued.
According to § 28 para. 2 VwGVG, the administrative court has to decide on complaints itself if the relevant facts have been established or the determination of the relevant facts by the administrative court itself is in the interest of speed or is associated with significant cost savings. According to paragraph 28, paragraph 2, VwGVG, the administrative court has to decide on the matter itself if the relevant facts are established or the determination of the relevant facts by the administrative court itself is in the interest of speed or is associated with significant cost savings.
3.3. to A)
3.3.1. The relevant provisions of the GDPR
Article 4
definitions
For the purposes of this Regulation, the term means:
1. "Personal data" means any information relating to an identified or identifiable natural person (hereinafter "data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more special features that express the physical , physiological, genetic, mental, economic, cultural or social identity of that natural person;
2. "Processing" means any process carried out with or without the help of automated processes or any such series of processes in connection with personal data, such as collection, recording, organisation, ordering, storage, adaptation or modification, reading out, querying, use, disclosure by transmission, distribution or any other form of making available, matching or linking, restriction, deletion or destruction;
3rd-6th (...)
7. "Responsible person" means the natural or legal person, public authority, agency or other body that alone or jointly with others decides on the purposes and means of processing personal data; if the purposes and means of this processing are specified by Union law or the law of the Member States, the person responsible or the specific criteria for his naming can be provided for by Union law or the law of the Member States;
8-26 (...)
Article 5
Principles for the processing of personal data
(1) Personal data must
a) processed lawfully, fairly and in a manner that is transparent to the data subject ("lawfulness, fair processing, transparency");
b) collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes; further processing for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes shall not be considered incompatible with the original purposes pursuant to Article 89(1) ("purpose limitation");
c) adequate and relevant to the purpose and limited to what is necessary for the purposes of the processing ("data minimization");
d) accurate and, where necessary, up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without undue delay ("accuracy");
e) stored in a form which permits identification of data subjects only for as long as is necessary for the purposes for which they are processed; personal data may be stored for a longer period to the extent that the personal data are exclusively for archiving purposes in the public interest or for scientific and historical research purposes, subject to the implementation of appropriate technical and organizational measures required by this regulation to protect the rights and freedoms of the data subject or processed for statistical purposes in accordance with Article 89(1) ("storage limitation");
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organizational measures ("integrity and confidentiality");
(2) The person responsible is responsible for compliance with paragraph 1 and must be able to prove compliance with it (“accountability”).
Article 6
lawfulness of processing
(1) The processing is only lawful if at least one of the following conditions is met:
a) the data subject has given their consent to the processing of their personal data for one or more specific purposes;
b) processing is necessary for the performance of a contract to which the data subject is party or for the implementation of pre-contractual measures at the request of the data subject;
c) processing is necessary for compliance with a legal obligation to which the controller is subject;
d) processing is necessary to protect vital interests of the data subject or another natural person;
e) the processing is necessary for the performance of a task that is in the public interest or in the exercise of official authority that has been delegated to the controller;
f) processing is necessary to safeguard the legitimate interests of the person responsible or a third party, unless the interests or fundamental rights and freedoms of the data subject that require the protection of personal data prevail, in particular if the data subject is a child acts.
Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their duties.
2. Member States may maintain or introduce more specific provisions adapting the application of the rules of this Regulation in relation to processing to comply with points (c) and (e) of paragraph 1 by specifying specific requirements for processing and other measures to ensure a lawful and to ensure fair processing, including for other specific processing situations in accordance with Chapter IX. (2) Member States may retain more specific provisions adapting the application of the provisions of this Regulation in relation to processing to comply with paragraph 1 letters c and e or introduce them by specifying specific requirements for processing and other measures to ensure lawful and fair processing, including for other specific processing situations pursuant to Chapter Roman IX.
(3) The legal basis for the processing pursuant to paragraph 1 letters c and e is determined by
a) Union law or
b) the law of the Member States to which the controller is subject.
The purpose of the processing must be specified in this legal basis or, with regard to the processing referred to in paragraph 1 letter e, be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. This legal basis may contain specific provisions adjusting the application of the provisions of this Regulation, including provisions on which general conditions apply to regulate the lawfulness of processing by the controller, what types of data are processed, which subjects are concerned, to which entities and for what purposes the personal data may be disclosed, the purpose limitations, how long they may be stored and what processing operations and procedures may be used, including measures to ensure lawful and fair processing, such as those for others special processing situations according to Chapter IX. Union or Member State law must pursue an objective of public interest and be proportionate to the legitimate purpose pursued. The purpose of the processing must be set out in that legal basis or, as regards the processing referred to in paragraph 1(e), for the performance of a task be necessary, which is in the public interest or in the exercise of official authority that has been transferred to the person responsible. This legal basis may contain specific provisions adjusting the application of the provisions of this Regulation, including provisions on which general conditions apply to regulate the lawfulness of processing by the controller, what types of data are processed, which subjects are concerned, to which entities and for what purposes the personal data may be disclosed, the purpose limitations, how long they may be stored and what processing operations and procedures may be used, including measures to ensure lawful and fair processing, such as those for others special processing situations according to chapter roman IX. Union law or the law of the Member States must pursue an objective in the public interest and be proportionate to the legitimate aim pursued.
(4) If the processing for a purpose other than that for which the personal data was collected is not based on the consent of the data subject or on a legal provision of the Union or of the Member States which, in a democratic society, is a necessary and proportionate measure to protection of the objectives referred to in Article 23(1), the controller shall, in order to determine whether the processing for another purpose is compatible with the one for which the personal data were originally collected, take into account, among other things
a) any link between the purposes for which the personal data were collected and the purposes of the intended further processing,
b) the context in which the personal data was collected, in particular with regard to the relationship between the data subject and the person responsible,
c) the nature of the personal data, in particular whether special categories of personal data are processed pursuant to Article 9 or whether personal data relating to criminal convictions and offenses are processed pursuant to Article 10,
d) the possible consequences of the intended further processing for the data subjects,
e) the existence of appropriate safeguards, which may include encryption or pseudonymisation.
Article 44
General principles of data transfer
Any transfer of personal data that is already being processed or that is to be processed after its transfer to a third country or an international organization is only permitted if the controller and the processor comply with the conditions set out in this chapter and also comply with the other provisions of this Regulation ; this also applies to any onward transmission of personal data by the third country or international organization in question to another third country or international organization. All the provisions of this Chapter shall be applied to ensure that the level of protection for individuals afforded by this Regulation is not undermined.
3.3.2. The relevant provisions of the DSG
article 1
(constitutional provision)
fundamental right to data protection
§ 1. (1) (...)paragraph one, (1) (...)
(2) Insofar as personal data is not used in the vital interests of the person concerned or with his or her consent, restrictions on the right to secrecy are only permissible to protect overriding legitimate interests of another, and in the case of interventions by a state authority only on the basis of laws, which are necessary for the reasons stated in Art. 8 Para. 2 of the European Convention for the Protection of Human Rights and Fundamental Freedoms (EMRK), Federal Law Gazette No. 210/1958. Such laws may only provide for the use of data, which by their nature are particularly worthy of protection, to protect important public interests and must at the same time provide for appropriate guarantees for the protection of the confidentiality interests of the data subjects. Even in the case of permissible restrictions, the encroachment on the fundamental right may only be carried out in the mildest way that leads to the goal. (2) Insofar as personal data is not used in the vital interests of the person concerned or with his or her consent, restrictions on the right to secrecy are only permissible to protect overriding legitimate interests of another, and in the case of interventions by a state authority only on the basis of laws, which are necessary for the reasons stated in Article 8, paragraph 2, of the European Convention for the Protection of Human Rights and Fundamental Freedoms (EMRK), Federal Law Gazette No. 210 of 1958. Such laws may only provide for the use of data, which by their nature are particularly worthy of protection, to protect important public interests and must at the same time provide for appropriate guarantees for the protection of the confidentiality interests of the data subjects. Even in the case of permissible restrictions, the encroachment on the fundamental right may only be carried out in the mildest way that leads to the goal.
(3) Everyone has, insofar as he/she has personal data for automated processing or for processing manually, ie. files managed without automation support, in accordance with statutory provisions
1. The right to information about who processes which data about him, where the data comes from and what it is used for, in particular to whom it is transmitted;
2. the right to rectification of inaccurate data and the right to erasure of inadmissibly processed data.
(4) Restrictions on the rights under paragraph 3 are only permitted under the conditions specified in paragraph 2. (4) Restrictions on the rights under paragraph 3 are only permitted under the conditions specified in paragraph 2.
Complaint to the data protection authority
Section 24. (1) Every data subject has the right to lodge a complaint with the data protection authority if they believe that the processing of their personal data violates the GDPR or Section 1 or Article 2 1st main part.Paragraph 24, (1) Every data subject has the right to lodge a complaint with the data protection authority if they believe that the processing of their personal data violates the GDPR or paragraph one, or article 2, main part 1.
(2) The complaint must contain:
1. the designation of the right deemed to have been infringed,
2. as far as this is reasonable, the designation of the legal entity or body to which the alleged infringement is attributed (respondent party),
3. the facts from which the infringement is derived,
4. the grounds on which the allegation of illegality is based,
5. the desire to determine the alleged infringement and
6. the information required to assess whether the complaint was filed in a timely manner.
(3) A complaint may be accompanied by the application on which it is based and any response by the respondent. The data protection authority shall provide further assistance in the event of a complaint at the request of the data subject.
(4) The right to have a complaint dealt with shall lapse if the intervener does not file it within one year of becoming aware of the event giving rise to the complaint, but at the latest within three years after the event allegedly took place. Late complaints are to be rejected.
(5) If a complaint proves to be justified, it must be followed. If an infringement is attributable to a person responsible for the private sphere, the person responsible must be instructed to comply with the complainant's requests for information, correction, deletion, restriction or data transfer to the extent necessary to eliminate the identified infringement. If the complaint proves to be unjustified, it must be dismissed.
(6) Until the proceedings before the data protection authority have been concluded, a respondent may subsequently remedy the alleged infringement by complying with the complainant's requests. If the data protection authority considers the complaint to be unfounded, it must hear the complainant. At the same time, he should be made aware that the data protection authority will informally discontinue the procedure if he does not explain within a reasonable period of time why he still considers the originally alleged infringement to be at least partially not remedied. If the essence of the matter is changed by such a statement by the complainant (Section 13(8) AVG), it is to be assumed that the original complaint will be withdrawn and a new complaint will be filed at the same time. In this case, too, the original complaint procedure is to be discontinued informally and the complainant to be informed. Late statements are not to be taken into account. (6) A respondent can subsequently eliminate the alleged infringement by complying with the complainant's requests until the end of the procedure before the data protection authority. If the data protection authority considers the complaint to be unfounded, it must hear the complainant. At the same time, he should be made aware that the data protection authority will informally discontinue the procedure if he does not explain within a reasonable period of time why he still considers the originally alleged infringement to be at least partially not remedied. If the essence of the matter is changed by such a statement by the complainant (paragraph 13, paragraph 8, AVG), the withdrawal of the original complaint and the simultaneous filing of a new complaint must be assumed. In this case, too, the original complaint procedure is to be discontinued informally and the complainant to be informed. Late statements are not to be considered.
(7) The complainant will be informed by the data protection authority about the status and the result of the investigation within three months of filing the complaint.
(8) Any data subject may appeal to the Federal Administrative Court if the data protection authority does not deal with the complaint or has not informed the data subject of the status or the outcome of the complaint within three months.
(9) The data protection authority can - if necessary - involve official experts in the procedure.
(10) The following are not included in the decision period according to Section 73 AVG: (10) The following are not included in the decision period according to Section 73, AVG:
1. the time during which the proceedings are suspended until the final decision on a preliminary question;
2. the time during a procedure according to Art. 56, 60 and 63 DSGVO.2. the time during a procedure according to Articles 56, 60 and 63 GDPR.
3.3.3. On the representation of XXXX by NOYB in the proceedings before the DSB and the Federal Administrative Court as well as on the admissibility of the data protection complaint of August 18th, 2020 (legal status of complaint)3.3.3. On the representation of roman XXXX by NOYB in the proceedings before the DSB and the Federal Administrative Court as well as on the admissibility of the data protection complaint of August 18th, 2020 (delegation of complaint)
Pursuant to Art. 80 (1) GDPR, a data subject has the right to contact a body, organization or non-profit association duly constituted under the law of a Member State, whose statutory objectives are in the public interest and which are in the field of rights protection and freedoms of data subjects in relation to the protection of their personal data, to authorize them to lodge a complaint on their behalf, to exercise on their behalf the rights referred to in Articles 77, 78 and 79 and the right to compensation under Article 82 in Pursuant to Article 80, (1) GDPR, a data subject has the right to object to a non-profit-making body, organization or association duly constituted under the law of a Member State, whose statutory objectives are in the public interest and which operates in the field of protection of the rights and freedoms of data subjects with regard to the protection of their personal data, to authorize to submit a complaint on their behalf, on their behalf the reasons referred to in Articles 77, 78 and exercise the rights referred to in Article 79 and the right to compensation under Article 82 where provided for in the law of the Member States.
The criteria listed apply to NOYB indisputably. For the Federal Administrative Court (like before for the DSB) there are no doubts about a valid power of attorney in the first instance proceedings. The above provision cannot be assumed to mean that a person – like party 1 involved in the present proceedings – should not be represented by a relevant active non-profit association because they themselves work in a managerial capacity.
Even the fact that Austria has not provided for any collective action (Art. 80 (2) GDPR) in this context cannot mean that employees/members of such an association are not allowed to submit individual data protection complaints in the event of suspected data protection violations in the course of their personal activities. Rather, a right to sue pursuant to Art. 80 (2) GDPR would also go significantly further because it would be "independent of an order from the data subject". cannot prevent employees/members of such an association from filing individual data protection complaints in the event of suspected data protection violations in the course of their personal activities. Rather, a right to sue under Article 80, (2) GDPR would also go much further because it would be "independent of an order from the data subject".
For the sake of completeness, it should be noted that the GDPR in connection with the "data subject" does not refer to their motive for an activity that is ultimately relevant under data protection law.
Against this background, the actions of the complainant and NOYB are legally covered without any doubt.
For the Federal Administrative Court - as before for the DSB - there are no doubts about a legally valid power of attorney. The statements in this regard in the contested decision (and the file submission) could not be countered conclusively in the present complaint.
3.3.4. On the determination competence of the data protection authority:
According to the case law of the VwGH and the BVwG, the data protection authority has the power to determine violations of the right to secrecy in complaint proceedings (according to the BVwG’s decision of May 20, 2021, Zl. W214 222 6349-1/12E; implicitly the decision of the Administrative Court of February 23, 2021, Ra 2019/04/0054, in which it dealt with the determination of a past breach of confidentiality without addressing the lack of jurisdiction of the authority concerned).
There are no objective reasons not to use the determination competence according to Art. 58 Para. 6 DSGVO in conjunction with § 24 Para. 2 Z 5 DSGVO and Para. a violation of the law in the past - namely a data transfer to the USA - is complained about and the right of appeal according to § 24 paragraph 1 DSG - as well as Art. 77 paragraph 1 DSGVO - is generally linked to a violation of the DSGVO. There are no factual ones Reasons not to use the determination competence according to Article 58, Paragraph 6, GDPR in conjunction with Paragraph 24, Paragraph 2, Number 5, GDPR and Paragraph 5, DSG for the determination of a violation of Article 44, GDPR, since in the present case u.a. a violation of the law in the past - namely a data transfer to the USA - is complained about and the right of appeal according to paragraph 24, paragraph one, DSG - as well as article 77, paragraph one, GDPR - is generally linked to a violation of the GDPR.
If the verdict of a decision in a complaint procedure could only contain instructions according to Art. 58 Para. 2 DSGVO, there would be no room for § 24 Para. 2 Z 5 and 24 Para. 5 DSG. If the verdict of a decision in a complaint procedure namely could only contain instructions according to article 58, paragraph 2, GDPR, there would be no room for paragraph 24, paragraph 2, number 5 and 24 paragraph 5, DSG.
Contrary to the opinion of the Respondents, Section 24 (6) DSG does not come into question for the subject of the complaint relevant here, since data transmission in the past has been criticized. In other words: The alleged unlawfulness (here: incompatibility with Art. 44 GDPR) of a data transfer that has already been completed is not accessible to a procedure conclusion in accordance with Section 24 (6) DSG relevant object of the complaint is not considered, since data transmission in the past is being complained about. In other words: The alleged unlawfulness (here: incompatibility with Article 44, GDPR) of a data transfer that has already been completed is not accessible to a procedure conclusion in accordance with Article 24, Paragraph 6, DSG.
These statements – which were already part of the contested decision – were not countered convincingly in the present complaint. In particular, the development of data protection law speaks against updating any older restrictive rulings of the VwGH to the current legal situation. In addition, the Federal Administrative Court has repeatedly confirmed the relevant test standard.
3.3.5. Regarding the question of the personal reference of the data transmitted on August 11th, 2020:
The material scope of Article 2 no. 1 GDPR fundamentally requires that "personal data" be processed. The material scope of Article 2, number one, GDPR fundamentally requires that "personal data" be processed.
According to the legal definition of Art. 4 Z 1 GDPR, “personal data is any information relating to an identified or identifiable natural person (hereinafter “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more special features that express the physical , physiological, genetic, psychological, economic, cultural or social identity of this natural person can be identified". According to the legal definition of Article 4, paragraph one, GDPR, "personal data is any information relating to an identified or identifiable natural person (hereinafter "data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more special features that express the physical , physiological, genetic, psychological, economic, cultural or social identity of that natural person can be identified”.
As can be seen from the factual findings, the respondent - as the operator of the website - implemented the XXXX tool on its website. As a result of this implementation - i.e. triggered by the JavaScript code executed when visiting the website - at least the following information was transmitted from the complainant's browser, who visited the website XXXX, to the server of the second respondent: As can be seen from the findings of the facts, the first respondent - as Website operator – implemented the roman XXXX tool on their website. As a result of this implementation - i.e. triggered by the JavaScript code executed when visiting the website - at least the following information was transmitted from the complainant's browser, who visited the Roman XXXX website, to the servers of the second respondent:
- Unique online identifiers that identify both the Complainant's browser or device and the First Respondent (through the XXXX Account ID of the First Respondent as the website operator); Unique online identifiers, which identify both the browser or device of the complainant and the respondent (through the Roman XXXX account ID of the respondent as the website operator);
- the address and HTML title of the website and the sub-pages visited by the complainant;
- Information about the browser, operating system, screen resolution, language selection and date and time of the website visit;
- the IP address of the device used by the complainant.
The data protection authority has dealt with these criteria in detail (pages 26ff of the contested decision) and assumes that the transmitted data is personal. The Federal Administrative Court shares these considerations, especially since it is sufficient for the personal reference within the meaning of the clear wording of Art. 4 Z 1 DSGVO if the establishment of this reference is (only) possible. It is not necessary for the data to actually be related to a person. In this respect, it is irrelevant if the parties involved claim that certain settings were not activated at all. This also applies to the submitted affidavit of January 20, 2023, which, however, also clearly confirms that XXXX fundamentally enables the creation of a personal reference. The fact that XXXX is fundamentally suitable as an instrument for establishing a link to a person (to the extent that this is necessary within the framework of the GDPR) results from the undisputed purpose of use - namely the structured collection of information about visitors to a website. In addition, it was clearly established in the evidence process that the corresponding settings are even provided in a standardized way ("opt out"). The data protection authority has dealt with these criteria in detail (pages 26ff of the contested decision) and assumes that the transmitted data is personal. The Federal Administrative Court shares these considerations, especially since it is sufficient for the personal reference within the meaning of the clear wording of Article 4, Number One, GDPR if the establishment of this reference is (only) possible. It is not necessary for the data to actually be related to a person. In this respect, it is irrelevant if the parties involved claim that certain settings were not activated at all. This also applies to the submitted affidavit of January 20, 2023, which, however, also clearly confirms that Roman XXXX allows the creation of a personal reference in principle. The fact that roman XXXX is basically suitable as a tool to create a link to a person (to the extent that this is necessary within the framework of the GDPR) results from the undisputed purpose of use - namely the structured collection of information about visitors to a website. In addition, it was clearly established in the evidence process that the corresponding settings are even provided in a standardized way ("opt out").
With regard to the online identifiers, it should be noted that the cookies in question contain XXXX unique XXXX identification numbers and were stored on the complainant's end device or browser. As stated, it is possible for certain entities - here for example the involved parties - to use these identification numbers to distinguish website visitors and also to obtain information as to whether it is a new or a returning website visitor from XXXX. This identifiability increases when combined with other elements, such as browser data or the IP address. With regard to the online identifiers, it should be noted that the cookies in question contain roman XXXX unique roman XXXX identification numbers and were stored on the complainant's end device or browser. As noted, it is possible for certain entities - here, for example, the parties involved - to use these identification numbers to distinguish between website visitors and also to obtain information as to whether they are new or returning website visitors from roman XXXX. This identifiability increases when combined with other elements, such as browser data or the IP address.
The arguments of the Respondents regarding the "IP address anonymization function" can be left open, since the full IP address is processed on the XXXX server for a certain - albeit very short - period of time. This short data processing period is sufficient for the facts of Art. 4 Z 2 DSGVO to be fulfilled. The arguments of the respondents regarding the "anonymization function of the IP address" can be left open, since the full IP address is at least for a certain - if also very short - period of time on the server of roman XXXX is processed. This short data processing period is sufficient for the facts of Article 4, paragraph 2, GDPR to be fulfilled.
Overall, it is therefore clear that the information transmitted due to the installation of XXXX on the XXXX website qualifies as personal data within the meaning of the GDPR personal data within the meaning of the GDPR are to be qualified.
For the sake of completeness, it should be noted that, based on the above statements, the procedural defects complained about in the contested decision - in particular with regard to the involvement of an expert to assess this (legal) question - have proven to be incomprehensible for the Federal Administrative Court.
3.3.6. On the issue of applicable standard data protection clauses and a risk-based approach to assessment:
As stated above, the retrospective agreement of standard data protection clauses (Art. 46 Z 2 lit c GDPR) is not permissible in the present administrative context. This means that these could only take effect from the day of the agreement, August 12th, 2020, and are only included from this date. As already stated above, the retrospective agreement of standard data protection clauses (Article 46, number 2, litera c, DSGVO ) not permitted in the present administrative context. This means that these could only take effect from the day of the agreement, August 12th, 2020, and are only included from this date.
At the relevant point in time - August 11th, 2020 - "Privacy Shield" was already in force and the standard data protection clauses were not yet included. Thus, there was no data protection agreement between the complainant and the second party involved.
For this reason, the content of this agreement and any risk-based approach in the assessment does not need to be discussed in detail.
Rather, those parts of the contested point of the ruling that - in the erroneous assumption that the standard data protection clauses were included on August 11, 2020 - deal with the inadequate level of protection are to be remedied without replacement. For the sake of completeness, it should be noted that the present decision does not allow any conclusions to be drawn about the standard data protection clauses agreed later and the question of a risk-based approach.
Regarding B) Admissibility of the revision:
Pursuant to § 25a Para. 1 VwGG, the administrative court has to pronounce in its ruling or decision whether the revision is admissible according to Art. 133 Para. 4 B-VG. The statement must be briefly justified. According to paragraph 25 a, paragraph one, VwGG, the administrative court has to pronounce in its ruling or decision whether the revision is permissible according to article 133, paragraph 4, B-VG. The statement must be briefly justified.
The revision is permissible according to Art. 133 Para. 4 B-VG because the decision depends on the solution of a legal question - the definition of personal data - which is of fundamental importance. Sufficient case law from the Administrative Court is not available on this question, especially against the background of the current legal situation. The revision is permissible according to Article 133, paragraph 4, B-VG because the decision depends on the solution of a legal question - the definition of personal data , which is of fundamental importance. Sufficient case law from the Administrative Court is not available on this question, especially against the background of the current legal situation.
