BVwG - W176 2244407-1/18E

From GDPRhub
Revision as of 08:43, 28 July 2022 by Mw (talk | contribs) (Created page with "{{COURTdecisionBOX |Jurisdiction=Austria |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=BVwG |Court_Original_Name=Bundesverwaltungsgericht |Court_English_Nam...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
BVwG - W176 2244407-1
Courts logo1.png
Court: BVwG (Austria)
Jurisdiction: Austria
Relevant Law: Article 15(4) GDPR
§ 4 DSG
Decided: 27.04.2022
Published:
Parties: BF (insured/data subject)
MP (insurer/controller)
National Case Number/Name: W176 2244407-1
European Case Law Identifier:
Appeal from: DSB
D124.2865 2021-0.388. 885
Appeal to: Not appealed
Original Language(s): German
Original Source: RIS (in German)
Initial Contributor: MW

The Austrian Federal Adminstrative Court (BVwG) held that the exact method by which an insurer calculated a settlement offer was a trade secret covered by Article 15(4) GDPR and 4(6) DSG; the controller's 200-page response to an access request was complete.

English Summary

Facts

The controller was an insurer, and the data subject was one of its policy holders. In 2012, the data subject subject suffered a whiplash injury in a car accident and was later diagnosed with "post-traumatic depressive adjustment disorder with somatization." In 2014, the data subject filed a claim with the controller for occupational disability; the data subject had been self-employed as a management consultant and energy technician. The controller rejected the claim on the basis that the data subject had not provided adequate proof of disability. On October 28, 2015, the data subject applied to the district court of Wels for a conditional payment order to be issued against the controller. At the time of the DPA's decision, the civil proceedings were suspended. In 2016, the controller offered the data subject a one-time payment of €25,000, which the data subject rejected. The insurance contract between the two parties was terminated in October 2017.

On May 13, 2019, the data subject emailed an access request, requesting specifically the "risk assessment" associated with her contract and the "reserve amount" associated with her disability claim. In a response dated Nobember 27, 2019, the controller asked the data subject for an explanation of what she meant by those terms. On April 26, 2020, the data subject filed a complaint with the Austrian DPA alleging that the controller had violated her right of access and additionally requested all of her personal data processed by the controller. The controller responded that it had answered the data subject's access request to the best of its ability and that the terms she used were not meaningful to the firm. The controller claimed the data subject believed she was entitled to an insurance payout and was abusing data protection law for her benefit in the related civil procedure. As the complaint was the first time the data subject had requested all her personal data, the controller sent a 200-page response including among others her tariff type, the surrender value paid out, her responses on a medical questionaire, and payment history.

The data subject disagreed that this information was comprehensive, insisting that, because the controller had offered her a settlement, it must have calculated a case-related accrual amount. The controller denied this, explaining that accrual amounts were calculated in aggregate, not on a specific, case-by-case basis. On June 7, 2021, the DPA rejected the data subject's complaint because it had responded to her access request with all the information available to it; the missing information she continued to request was never available to the controller. The data subject appealed, requesting an on-site investigation of the data held by the controller.

Holding

The Court rejected the data subject's appeal. It concluded that the data subject's complaint was based on the alleged incompleteness of the controller's response to her access request (missing an assessment of the subject's health and the calculation of the settlement). The Court noted that, in regards to the missing health data, the controller had supplied the data subject with the only information it had, which were the questionaires and medical documents she had personally submitted.

Regarding the calculation of the offered settlement, the Court held that these calculations were trade secrets under the DSG because they were secret, had commercial value, and were protected with appropriate confidentiality measures. Article 15(4) GDPR provides that the right to access is not absolute and that access requests shall not adversely affect the rights and freedoms of others, and Article 4(6) DSG specifically makes exception for business or trade secrets. The DPA held that the controller had in fact provided all the personal data it had on the data subject and was not obliged to share the process by which it assessed this information and calculated the settlement it offered her.

The rejection of the data subject's appeal was deemed final, as the legal situation was sufficiently clear as to not cause any difficulty in interpretation.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

decision date

04/27/2022

standard

B-VG Art133 Para.4
DSG §4
GDPR Art15

saying

W176 2244407-1/18E

In the name of the republic!

The Federal Administrative Court, through the judge Mag. NEWALD as chairman and the expert lay judge Mag. BOGENDORFER and the expert lay judge Mag. ZIMMER, on Karin NEUSSL's complaint against the decision of the data protection authority of June 7th, 2021, Zl. D124.2865 2021-0.388. 885 (Participating party: XXXX ), for violation of the right to information, after holding a public oral hearing, rightly recognized in closed session:

a)

The complaint is dismissed as unsubstantiated.

b)

The revision is not permitted according to Art. 133 Para. 4 B-VG.

text

Reasons for decision

I. Course of the procedure (including previous history)

1.1. From October 2005 to November 2017, the complainant (hereinafter: BF) was a policyholder with the co-involved party (hereinafter: MP). She had an insurance contract "XXXX" with integrated disability benefits. The main tariff was endowment and life insurance, which included disability insurance.

1.2. BF, who works as a management consultant and energy technician on a self-employed basis, suffered a car accident (rear-end collision) on October 3, 2012, from which she suffered a simple whiplash injury to the cervical spine. As a result, a post-traumatic depressive adjustment disorder with somatization occurred as a complication.

1.3. In 2014, the BF submitted an application for benefits to the MP regarding occupational disability, which was rejected by the MP with reference to the fact that the documents submitted to the BF did not result in a comprehensible and immovable occupational profile and that there was no medically objectified proof of an occupational disability in accordance with the conditions.

1.4. On October 28, 2015, the BF applied to the district court of Wels for a conditional payment order to be issued against the MP; the MP subsequently raised an objection to the payment order. The civil court proceedings are currently suspended.

1.5. In 2016, there were numerous comparison talks between MP and BF, which resulted in an offer from MP dated July 26, 2016 for the payment of a one-off capital payment of EUR 25,000. The BF subsequently rejected the settlement offer.

1.6. In October 2017, the MP terminated the insurance contract with the BF (effective November 1, 2017).

1.7. On May 13, 2019, the BF sent the following e-mail to the MP with the subject “Business suspended, data protection”:

"Dear Mr. DI [K.],

Please find enclosed the information that my trade has been reported DOMESTIC since February 2015.

According to the sick note and certificate from Dr. medical [M. P.] from May 2014 (you have them) I was on sick leave until mid-February 2015.

Since February 2015 I have been registered as a job seeker with the job market service. At the same time, my business has been dormant since then.

You are certainly familiar with the corresponding higher regional court rulings: the entire sum insured is then due + premium refund + interest.

Furthermore: On the basis of the data protection law, I request you to send me the following information in writing immediately:

+ what is the risk assessment of my contract with the [MP]

+ how high is the provision amount for my contract.

I take the liberty of making a note of Monday, May 20th, 2019, for your completion!

Regards"

(emphasis added by the court)

1.8. In an email dated June 5th, 2019, the MP announced to the BF that there was still no conditional entitlement to benefits due to occupational disability. However, she is still interested in settling the disputed insurance matter amicably as part of a settlement. The settlement offer of July 26, 2016 will be renewed if there is interest in it. With regard to the inquiry regarding risk assessment/provision amount, the relevant specialist departments were asked to answer.

1.9. In an email dated November 27, 2019, the MP (through the relevant specialist department) asked the BF for an explanation of what they meant by the "risk assessment" or the "reserve amount" of their contract. The contract with BF was terminated on November 1, 2017 because it could no longer be financed due to the two partial payments in the premium-free state.

1.10. When asked again by the BF, the MP informed the latter in an email dated December 10, 2019 that they had processed their request comprehensively and conclusively on the basis of the available data and information. Provisions due to his existing application for the granting of occupational disability benefits do not exist because this claim was rejected; the contract had been canceled in the meantime. In this respect, there is no risk assessment related to any kind of occupational disability risk.

2.1. In a brief dated April 26, 2020 (improved with input dated May 11, 2020), the BF lodged a data protection complaint with the data protection authority (hereinafter: the authority concerned) against the MP due to a violation of their right to information. In summary, she stated that the MP refused to provide information regarding the risk assessment and the provision amount of her contract. She submitted her request on May 13, 2019 and only received an answer on November 21, 2019 (probably meaning: November 27, 2019). In addition, the statements of the MP are completely misguided, especially since the BF submitted an application for benefits due to a car accident in 2012 and its long-term consequences. The premium-free status as well as the two partial payments are completely irrelevant with regard to the insurance's obligation to pay according to the contract conditions and the reasoning in the letter is misleading. In addition, in the summer of 2019, the MP (repeatedly) offered her a severance payment of EUR 25,000, which, in her opinion, was far too low in relation to the obligation to pay.

In addition, she wanted to see all the data stored by the MP, in particular

- The current risk assessment of your contract, as well as its development in the last 10 years

- The current reserve amount of your contract, as well as its course in the last 10 years

She desires to be informed and that an infringement of the law is established.

2.2. At the request of the authority concerned, the MP issued a statement on June 30th, 2020 through its legal representative, in which it summarized the following: It was incomprehensible to it which information was still missing from the point of view of the BF. The MP had conducted extensive correspondence with the BF and provided her with the requested information as far as possible. The terms used by BF are not commonly used in the MP company; the BF did not specify or explain its request in more detail despite an explicit request. The information requested by the BF is also not subject to the GDPR, especially since it is not personal data. A corresponding right to information does not exist. In addition, it should be pointed out that BF is trying to exploit the right to information for any non-data protection goals. In fact, she is concerned with things that have nothing to do with data protection law: she believes that she is entitled to an insurance benefit. From the point of view of the MP, this claim does not exist. In any case, this difference of opinion should not be carried out before the data protection authority. It is not clear where a data protection breach should lie. The BF mentioned for the first time in the complaint to the data protection authority that they would like all data processed by the MP to be disclosed. Against this background, the MP would send the BF corresponding information, so that the complaint would be irrelevant at least according to Section 24 (6) DSG.

2.3. On June 30th, 2020, the MP issued the BF with a corresponding data protection information, which consisted of almost 200 pages and essentially contained the following information:

- A data sheet on BF customer data (identity data, activity performed, gender, telephone number), contract data from BF (tariff and type of insurance, sums insured, originally agreed premium sum up to the end of the term, premium, premium payment period, premium dynamics, fund investment, premiums paid, surrender value paid out) , further information on the BF (health questions: "Yes"; telephone notes: "Yes"; written explanations of the benefit test: "Yes"; self-declaration by the insured person with attachments: "Yes"; e-mail correspondence: "Yes"; medical documents: "Yes" ; Financial documents: "Yes"), payment or account data of the BF (payment method, SEPA mandate) as well as information on the person entitled to beneficiaries in the event of the death of the BF;

- A 24-page data sheet filled out by the BF on the "Information and declarations on occupational disability" together with comprehensive attached documents: A) Proof of occupations exercised; B) proof of income; C) curriculum vitae – professional career; D) Job references and further training, important training certificates, further training during and after your studies; F) Disability due to a car accident (includes, among other things, the accident report, medical referrals to a physiotherapist and numerous medical reports);

- a neurological-psychiatric report (obtained from the Labor and Social Court) and a (similar) accident-surgical-orthopaedic report on the state of health of the BF.

2.4 In its statement of August 5th, 2020, the BF stated that the MP had again not provided the requested data. Since the BF had submitted an application for disability, a risk assessment had to be available. In addition, some of the information sent was wrong because the contract provided for EUR 8,400 per year and the surrender value had not been paid out (she had neither applied for it nor received it). In addition, she is self-employed and not in marketing management. In addition, the MP had demonstrably received numerous other data via email (dormant trade license, diagnosis and finding "vertical strain", etc.). The available information is therefore grossly incorrect, grossly incomplete and repeatedly does not answer the request.

2.5. In a letter dated August 25, 2020, the BF additionally submitted (replicating the MP's statement of June 30, 2020) that the level of the risk assessment and the directly related provision amount for her contract clearly related to her person and was therefore personal data. It should be noted that on June 3rd, 2019, the MP repeatedly expressed a very great interest in a settlement. In order to be able to agree on this appropriately, the required current data are required for the BF.

2.6. In a letter dated August 21, 2020, the relevant authority sent the MP the submission of the BF of August 5, 2020 and announced that the BF was now claiming that the information was incomplete. Within the meaning of Section 24 (6) DSG, the object of the complaint is no longer the non-disclosure of the information, but the alleged incompleteness of the information. Furthermore, the authority concerned asked the MP to answer questions regarding a possible risk assessment of the BF, health data of the BF and a dormant trade license.

2.7. In its statement of August 14, 2020, the MP stated that it had no knowledge of what the BF meant by "risk assessment". The term “risk assessment” is not commonly used in your company. All processed data relating to the BF had been disclosed. In particular, all information in connection with the health data of the BF was disclosed. In addition, as already mentioned, it is obvious that BF is trying to exploit its right to information for any non-data protection purposes. She believes she is entitled to an insurance claim. From the point of view of the MP, the claim does not exist. For this reason, the BF felt compelled to take action against the MP before the data protection authority. In fact, their complaint had no data protection basis at all, but represented pure harassment. Regarding the dormant trade license of the BF, it should be noted that such a license is stored in the MP database. However, this only contained the name of the BF as personal data; With regard to the current request from the BF, this had already been sent to the BF.

2.8. In a further statement (dated October 21, 2020), the MP stated in response to a question from the authority concerned that it had not carried out an assessment of the specific insurance risk of the BF or their state of health. If the word provisions was mentioned in the previous correspondence with the BF, this has a completely different background. As an insurance company, MP is obliged to set up actuarial reserves for claims that have not been processed; this in order to make provision for any performance obligations that may arise at a later date. However, an individual provision amount is not formed for each individual policyholder. Rather, an abstract calculation is carried out - independently of the individual policyholders. The calculation made in this way does not refer to a specific person and therefore has no personal reference. The information requested by the BF simply never existed. No provisions relating to the BF were created.

2.9. As a result, there was further correspondence between the BF and the MP before the relevant authority (statements by the BF from October 4th, 2020 and February 26th, 2021 and statement by the MP from January 21st, 2021).

2.10. On April 12, 2021, the MP - represented by B. S. (head of department for existing and new business), B. S. (expert for customer service, product development and BU performance testing) and R. S. (assistant to the branch manager in Austria and data protection officer) in the presence of their legal representative before the relevant authority per video conference, and stated – summarized to the essentials – the following:

Asked whether an assessment of the health status of the BF had taken place, the MP stated that when an insurance contract was taken out, an assessment of the health status of the policyholder was carried out in order to assess whether the contract was acceptable under normal conditions. For this purpose, a risk assessment is carried out with questions to be answered by the applicant. On the basis of this result, the contract is accepted on normal or special terms. Such an assessment was also made at BF; To this end, the BF filled out a health form, which she was also given information on on June 30, 2020. Since BF answered no to all questions at the time, the contract was concluded under normal conditions. A related assessment of the state of health was not saved.

When asked, the MP also stated that as part of the benefit case review – as was the case with the BF – an assessment of the policyholder’s state of health was also carried out. In the case of the BF, the result was communicated to the BF as part of the refusal of services.

With regard to the “provisions”, the MP stated that the balance sheet department automatically calculates the provisions once a year for recognized insurance claims. In the specific case, settlement negotiations with the BF were pending. In order to get a feeling and to determine the potential damage in the event of a claim, an employee has an insurance tool (database based on Excel) by entering the parameters "insured pension", "duration", "potential entry age" and "gender". calculation performed. No personal data was given in the tool. The result of the tool was not saved, but was only communicated to the BF by telephone (as part of settlement negotiations). In addition, it should be noted that in the case of the BF it is a question of a canceled insurance contract; there are therefore no services and therefore no more totals and evaluations. The "provision amount" that the BF is addressing can therefore no longer be generated.

2.11. In its statement of April 22, 2021, the BF summarized the transcript of the hearing of April 12, 2020, that there were clear contradictions in the statements of the MP: In the statement of October 21, 2020, the MP stated that the BF had not carried out an assessment of the state of health of the BF to have; During the interrogation, however, she stated that she had carried out an assessment of her state of health. Regarding the "reserve amount" it should be noted that the term "actuarial reserves for outstanding insurance claims" alone carries a personal reference due to the word "insurance cases". Logic suggests that an insured event is always individual. Consequently, a case-related accrual sum was also stored at the MP via the BF, which was to be disclosed. In the case of the BF, there must be a reserve sum at the MP that covers the settlement offer, especially since the MP continued to express its interest in the settlement in writing in 2019. Consequently, the case-related accrual amount should still be able to be generated; it is the basis for comparative offers. In addition, she was informed of the individual provision amount for her contract in the course of a telephone conversation with an employee on July 22, 2016; consequently, the MP must have saved individual accrual amounts.

2.12. With a brief dated May 2, 2021, the MP initially complied with the request of the relevant authority to send a screenshot of the insurance tool mentioned during the interrogation on April 12, 2020. In addition, she again emphasized that her company did not set up any separate provisions for individual policyholders or specific insurance contracts. The provisions would be calculated abstractly - detached from the individual policyholder; there is therefore a clear lack of relevant personal reference. If the BF further believes that an individual provision amount was communicated to it, the following should be noted: The BF contacted an employee twice by telephone and wanted to know what insurance benefit they would receive on the reference date of the respective telephone call if the insured event occurred. For this purpose, the employee made a calculation using an Excel tool and informed the BF of the result on the phone. The tool was then closed without saving the result.

2.13. In its statement of May 30, 2021, the BF summarized that the amount that an employee had told her on the phone was clearly and unmistakably the (accounting law) provision amount. If the authority concerned were to inspect the MP database, the reserves for the individual insurance contracts would result from a corresponding tracing of the balance sheet provision amount. The MP had to provide information about the amount of the provision under accounting law, which can be traced back to the BF contract. She asked the authority to inspect the MP's data system on site, in particular to determine the accounting provisions from 2012 to 2021, including tracing back to the respective contract.

1.2.14. With the contested decision, the authority concerned dismissed the data protection complaint of the BF as unfounded.

As a reason, she stated in summary that the BF had been given comprehensive data information, which also contained her stored health data. An assessment of the BF's state of health had not taken place or had not been saved in the MP's data record. With regard to the provision amounts, it should be noted that these are calculated abstractly. These were not assigned to a specific person and were in no way assigned to BF in the present case. According to the GDPR and the DSG, there is no right to ascertain that the data may have been disclosed outside of the standard period pursuant to Art. 12 (3) GDPR. Accordingly, the BF was no longer complained, especially since the missing documents or information were either made available in full or they were never available at the MP.

3.1. The complaint of the BF is directed against this decision with the request for "modification of the decision due to existing procedural errors, contradictions/errors and clarification of these contradictions/errors through the determination of the facts (inspection) directly on site at the MP by the DSB or the Federal Administrative Court".

In it, the BF summarized that it was complaining because the data information was still incomplete.

The assessment of the state of health by the MP at the time the insured event occurred was not disclosed, although it was conclusive that this was available and stored. The MP had requested and saved health data from the BF at the time the insured event occurred (filling out a 25-page health form). Since the MP had to assess the due date for disability benefits, it is conclusive that the MP also assessed and saved the state of health of the BF at the time the insured event occurred.

Regarding the amount of the provision, it should be noted again that it follows from the logic that the “amount of provision for recognized insurance CASES” refers specifically to a policyholder. The term "insured event" implies a reference to a policyholder. There must therefore be a reference to a policyholder or the total reserve amount must be made up of individual reserve amounts for individually recognized insurance claims and consequently be traceable to a policyholder.

3.2. In a letter dated July 6, 2021, the authority concerned submitted the complaint, including the electronic administrative file, to the Federal Administrative Court and requested that the complaint be dismissed. In addition, the authority concerned stated that, to their knowledge, it is quite common in the insurance industry - contrary to the opinion of the BF - to calculate average reserve amounts. The fact that a clerk at the MP processed an insurance claim and carried out some kind of assessment with mental effort is not relevant from a data protection perspective. During the investigation, there were no indications that the MP had actually saved such an assessment in relation to the BF.

3.3. On February 21, 2022, a public oral hearing took place before the Federal Administrative Court, in which the BF, the MP (for whom BS and GK participated in addition to their legal representative) and the authority concerned were questioned as parties and further documents were presented.

3.4. With a brief dated February 22, 2022, the authority concerned submitted the administrative act Zl. D124.2440 (related to the procedure before this until August 21, 2020) electronically.

3.5. With a brief dated March 7th, 2021, the MP submitted notes that had been made about telephone calls with the BF in relation to the relevant court request in the complaint hearing, as well as the letter with which the insurance benefit requested by the BF was rejected, whereby she applied to exclude the mentioned documents from the file inspection. As a reason, she essentially stated that there was no right to information if the person concerned acted in an abusive manner. This is the case, since the BF is pursuing irrelevant goals with its application, since it aims to obtain evidence for a civil trial. The MP disclosed all the data covered by its duty to provide information. The additional request of the BF does not fall under their right to information. Against this background, the MP has a legitimate interest in the BF not gaining access to documents to which it is not entitled by way of inspecting the files.

3.6. With pleadings dated March 3rd, 7th, 8th and 22nd, 2022, the BF submitted documents in accordance with court orders in the complaint hearing (file memo about a telephone conversation with G.K. and an overview of the telephone calls that she had had with employees of the MP) before.

On the other hand, she submitted requests for "complete information" about the "risk assessment - and how it was specifically calculated - of my personal case"; the "individual assessment according to the [negotiation] protocol of February 21, 2022, page 13, [d]the result of the same, its interpretation and the concrete, step-by-step procedure for how this individual assessment is made", of the CURRENT risk, based on [their] entire contract”; "the respective provision amount in the balance sheet, traceable to [their] insured event, for the financial years 2010-2021"; "The step-by-step documentation and all documents, which personal documents / data were included in the performance review and how the specific personal rejection of performance came about step by step"; the personal data, assessments and documentation from the underwriting”; the internal decision template, the disposition form, the comments and conclusions on the refusal of benefits related to [her] person; the assessment of [her] state of health as part of the benefit check on the occasion of the insured event asserted on 03.10.2012”; "the CURRENT probability of occurrence [of your] risk of my asserted insured event, i.e. the probability that the service will have to be provided (estimate of current and future risk)"; the provision on the balance sheet generated for [her] as policyholder, EACH for the financial years 2010 – 2021”; the categories 'health questions', 'telephone notes' and 'written explanations for the benefit check' from 'data insured person' as well as the exact calculation of the cash values for [their] pending benefit case from the MATHEMATICS DEPARTMENT".

II. The Federal Administrative Court considered:

1. Findings:

The decision is based on the facts presented under point I.

2. Evaluation of Evidence

The findings result from the content of the administrative documents from the authority responsible for the Zlen. D124.2440 and D124.2865, the complaint and the content of the relevant procedural file of the Federal Administrative Court.

3. Legal Assessment

3.1. To dismiss the complaint

3.1.1. In accordance with Art. 15 Para. 1 GDPR, the data subject has the right to request confirmation from the person responsible as to whether personal data relating to them are being processed; if this is the case, you have the right to information about this personal data or the following information:

a) the processing purposes;

b) the categories of personal data being processed;

c) the recipients or categories of recipients to whom the personal data have been or will be disclosed;

d) if possible, the envisaged period for which the personal data will be stored or, if this is not possible, the criteria used to determine that period;

e) the existence of a right to correction or deletion of the personal data concerning you or to restriction of processing by the person responsible or a right to object to this processing;

f) the existence of a right of appeal to a supervisory authority;

g) if the personal data are not collected from the data subject, all available information about the origin of the data;

f) the existence of automated decision-making including profiling in accordance with Article 22 (1) and (4) and - at least in these cases - meaningful information about the logic involved and the scope and intended effects of such processing for the data subject.

In accordance with Art. 15 Para. 3 GDPR, the person responsible provides a copy of the personal data that are the subject of the processing.

According to Art. 15 Para. 4 GDPR, the right to receive a copy pursuant to Paragraph 1b must not affect the rights and freedoms of other persons.

Recital 63 of the GDPR reads:

"A data subject should have a right of access to personal data relating to him or her that has been collected and be able to exercise this right easily and at reasonable intervals in order to be aware of the processing and to be able to verify the lawfulness of it. This includes the right of data subjects to information about their own health-related data, such as data in their patient files that contain information such as diagnoses, examination results, findings of the treating physicians and information on treatments or interventions. Every data subject should therefore have the right to know and be informed, in particular for what purposes the personal data is processed and, if possible, how long it will be stored, who the recipients of the personal data are, the logic behind the automatic processing of personal data Data takes place and what the consequences of such processing may be, at least in cases where the processing is based on profiling. Wherever possible, the controller should be able to provide remote access to a secure system that would allow the data subject direct access to their personal data. This right should not affect the rights and freedoms of others, such as trade secrets or intellectual property rights, and in particular copyright in software. However, this must not result in the data subject being denied any information. If the controller processes a large amount of information about the data subject, it should be able to require the data subject to specify what information or processing operations their request for access relates to before providing it."

According to § 4 Para. 6 DSG, the right of the data subject to information pursuant to Art. 15 GDPR does not generally apply to a person responsible, notwithstanding other legal restrictions, if the provision of this information jeopardizes a business or trade secret of the person responsible or third parties would.

The right to protection of personal data is not an absolute right, but must be balanced against other fundamental rights that the GDPR is intended to protect, while respecting the principle of proportionality. Accordingly, when applying the GDPR, the right to the protection of personal data, which is particularly protected by the GDPR, is compared to all other freedoms and principles enshrined in the Charter of Fundamental Rights of the European Union and in the European Treaties, such as respect for private life, communication , freedom of expression and entrepreneurial freedom. Accordingly, the GDPR either provides for direct restrictions on the fundamental right to data protection and the associated rights of data subjects, or enables the national legislature of the Member States to restrict the rights and obligations standardized in Articles 12-22 through the opening clause in Article 23 GDPR.

Restrictions on the right to information under Art. 15 GDPR result in particular from the express provision in Art. 15 (4) GDPR that the right to receive a copy of the categories of personal data being processed must not impair the rights and freedoms of other persons , the case law of the ECJ quoted below as well as for Austrian law from various national legal provisions, in particular from § 4 Para. 6 DSG, according to which the provision of information (as a rule) may not endanger any business and trade secrets of the person responsible or third parties ( see for the whole: Knyrim/Willheim, The right to information under data protection law as only a limited means of obtaining evidence for the enforcement of civil claims, RdW 2021/600).

No right to information according to Art. 15 GDPR due to lack of personal reference, for example in the case of abstract legal analyses:

The ECJ has limited the right to information under the Data Protection Directive 95/46/EC if the data subject's request for information relates to a purely legal analysis that is not related to the personal data of the data subject (see ECJ July 7, 2014, C-141/12 and C-372/12, Y.S. and Minister voor Immigratie, Integratie en Asiel, paragraph 38 ff, in particular paragraph 46 f on Article 12 lit a of Directive 95/46).

In this regard, the ECJ (in RZ 46) states: "If the person's right of access were therefore extended to this legal analysis, this would in fact not serve the purpose of this directive, the protection of the privacy of this applicant in the processing of him the data concerned, but with the aim of guaranteeing him a right of access to administrative documents, to which Directive 95/46 is not directed."

There are no indications that the present case is different and that analyzes by the MP - on risk assessments or provision amounts - were carried out individually and not only, as the MP explained several times, on the basis of average values abstractly and detached from the individual policyholder.

In addition, the right to information under EG 63 can be restricted in any case if the asserted right to information affects “the rights and freedoms of other persons”, but this must not lead to the person concerned being denied any information. This refers "roughly" to trade secrets, but does not exclude the defense against the impairment of other rights.

Protection of company and business secrets as a restriction of the right to information:

According to Art. 15 Para. 4 GDPR, the right to receive a copy pursuant to Art. 15 Para. 3 GDPR must not impair the rights and freedoms of other persons. Art 15 para. 4 GDPR is intended to protect the private sphere as well as business and trade secrets or intellectual property rights (in particular copyright in software) of the person responsible or a third party, whereby the protection of legitimate self-interests and rights and freedoms of others must not lead to the right to information is simply denied. Even if the obligation to protect the rights and freedoms of third parties, including the person responsible, is expressly regulated in Art. 15 (4) GDPR only with regard to the obligation to provide a copy, it applies to the entire scope of Art 15 GDPR. On the one hand, this results from the principle of proportionality, which must be observed in general, and, for Austria, from national, non-statutory restrictions enacted on the basis of the opening clause of Art. 23 GDPR. According to § 4 Para. 6 DSG, the data subject has no right to information in accordance with Art. 15 DSGVO, notwithstanding other legal restrictions, if the provision of this information would jeopardize a business or trade secret of the person responsible or third parties. Thus, the obligation to weigh up interests relates to the entire provision of information (cf. again Knyrim/Willheim, RdW 2021/600 p. 754; see also Jahnel, comment on GDPR Art. 15 GDPR margin nos. 37-46 [as of December 1, 2020, rdb.at]).

The insertion "usually" in § 4 Para. 6 DSG is to be understood in such a way that this exception does not create an absolute right of refusal, but that the person responsible has to carefully weigh up in each individual case to what extent the provision of information actually violates a business and trade secret.

Neither Art. 15 Para. 4 GDPR nor § 4 Para. 6 DSG specify the concept of business and trade secrets. § 4 para. 6 DSG was decided on the basis of an amendment to the initiative application IA 189/A 26th GP (Federal Law Gazette I 2018/24). It is clear from the justification for the amendment that the term is not to be restricted to a narrow understanding of trade and business secrets: "The wording makes it clear that both trade and business secrets themselves and other data, if information about this data a business and trade secret would be endangered, are excluded from the right to information." In accordance with the principle of the unity of the legal system, Section 26b of the UWG, which implements Art. 2 Z 1 of the Directive on the Protection of Secrets (EU) 2016/943, can be used for the concept of trade and business secrets. Accordingly, a trade secret is information which is secret because it is not generally known, neither in its entirety nor in the precise arrangement and composition of its parts, nor is it readily accessible to those in the circles usually dealing with this type of information and is of commercial value because it is secret, and is the subject of general confidentiality measures appropriate to the circumstances by the person exercising the lawful power of disposal over this information (cf. again Knyrim/Willheim, RdW 2021/600 p. p. 754; see also e.g Thiele/Wagner, practical commentary on the Data Protection Act [DSG] § 4 [as of January 1st, 2020, rdb.at] margin nos. 56 – 62).

A company or business secret is therefore present if it is information that is secret, has commercial value and is protected by appropriate confidentiality measures.

Company-internal information about ongoing legal disputes are also covered by the concept of trade secrets because they are only known to a limited group of people within the company, including consultants who are sworn to secrecy. It also has commercial value as it can influence the outcome of litigation and is usually kept confidential by restricting access to this information to those representatives and advisers directly involved in the litigation who are sworn to confidentiality. The business and trade secrets covered by the right to information therefore also include the internal exchange of considerations and strategies in connection with a legal dispute. This applies in particular if it is a legal dispute with an executive and/or a shareholder. For example, it must be possible for executives in companies to exchange strategies in relation to disputes with (former) shareholders and to make (digital) notes about them without the opposing party abusing data protection law to force knowledge of confidential discussions. In general, it can be assumed that there is no right to information under Article 15 GDPR with regard to data whose disclosure in an ongoing legal dispute could jeopardize the position of the person obliged to provide information (cf. again: Knyrim/Willheim, RdW 2021/600 p. 754 – 755)

3.1.2. In the present case, the BF justified in its complaint to the administrative court regarding the inadequacy of the information provided by the MP with the failure to provide information on the assessment of their state of health at the time the claim for benefits was asserted and the failure to provide information on (accounting) provisions which, in their opinion, were in the database of the MP individually related to the individual policyholders - and thus also related to them - are stored or at least can be individually traced back to them - and thus also to them.

The MP provided the BF with comprehensive (almost 200 pages) data information, which included the 24-page questionnaire completed by the BF on (among other things) her state of health, numerous medical findings and two medical expert opinions obtained in court. It can also be seen from the administrative act that the MP justified the rejection of the entitlement to benefits to the BF (see letter from the MP to the BF of 08/26/2014).

Other internal documents (such as internal correspondence or notes), from which internal decision-making processes of the MP in the performance test or in the assessment of the professional profile or the state of health of the BF can be seen, are not included in the right to information according to Art. 15 DSGVO:

As shown in detail above, the right to information is also subject to restrictions: a company is usually entitled to refuse to provide information if it would endanger company or business secrets by providing information. A trade or business secret exists when the information is secret, has commercial value and is protected by appropriate confidentiality measures. Internal company procedures or notes that document the MP's internal decision-making regarding the benefit case review in the case of the BF are in any case covered by this definition, especially since they are only accessible to a limited group of people and are of commercial value insofar as they document internal business processes and for the MPs are obviously important in the (currently dormant) civil process.

However, this does not only apply to the documents that relate to the internal decision-making processes of the MP in the performance review, but must also apply in the same way to information about provisions that - as the BF suspects - specifically in relation to possible benefits in connection with the BF claimed insured event would be made.

Since this type of information cannot be included in the right to information under Art. 15 GDPR, it can remain undecided whether the MP has the relevant data.

For the present case, the following results:

The MP gave the BF comprehensive data information, which contained information on the BF's insurance contract and a large number of other data on the BF (health data, data on the occupational profile of the BF, etc.) and sent this to the BF together with a large number of enclosures.

Furthermore, it is sufficiently clear from the information provided by the BF that the aim of their request for information under data protection law is to obtain information for the purpose of obtaining benefits from the MP from the occupational disability insurance against the background of the (currently suspended) proceedings before the Wels District Court (see, for example, E -Mail from the BF to the relevant authority dated August 25th, 2020, in which the BF explained that they needed the required data in order to be able to agree on a comparison with the MP; the statements or questions of the BF on page 24 of the VHS /BVwG of February 21, 2022; as well as the requests from the BF for complete information presented above under point I.3.6.).

It is therefore sufficiently clear from the statements of the BF that she would like to receive information from the MP regarding her insurance contract, which can be of help to her in the aforementioned proceedings before the Wels District Court or when agreeing a settlement with the MP. The MP's refusal to provide further information (on risk assessment and provision amount) in addition to the information already provided is covered by Art. 12 Para. 5 GDPR in conjunction with its ErwGr. 63, the et al. also protects business and trade secrets.

The complaint of the BF is therefore not justified, which is why the decision had to be made in accordance with the verdict.

Furthermore, for the reasons presented, neither the BF's application for "inspection directly on site at the MP" nor theirs under point I.3.6. comply with the requests presented.

3.2. The statement that the revision is inadmissible is based on the fact that the legal situation is sufficiently clear and does not cause any difficulties in interpretation.