BVwG - W176 2245370-1: Difference between revisions

From GDPRhub
No edit summary
No edit summary
Line 56: Line 56:
}}
}}


The Federal Administrative Court of Austria confirmed that publishing a message that was not meant for the public but sent by using a reporting function on an evaluation portal did not withstand the weighing of interests of [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]] and thus had to be deleted.  
The Federal Administrative Court of Austria held that a controller which operates a doctor evaluation platform is not allowed under [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]] to publish a request for deletion, by which a doctor requests the deletion of a user's review.  


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
The controller operates a doctor search and evaluation platform. The data subject is a doctor for skin and veneral diseases.  
The controller operates a doctor search and evaluation platform. The data subject is a doctor for skin and venous diseases.  


In December 2019, the data subject used the reporting function of the platform to request the deletion of a user's review pursuant to [[Article 17 GDPR#1|Article 17(1) GDPR]]. The controller did not remove the disputed review from the platform, but instead published the controller's request for deletion on the platform, arguing that there is a legitimate interest for the publication of this information under [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]]. The data subject objected to the publication and lodged a complaint with the Austrian Data Protection Authority (DSB).
In December 2019, the data subject used the reporting function of the platform to request the deletion of a user's review pursuant to [[Article 17 GDPR#1|Article 17(1) GDPR]]. The controller did not remove the disputed review from the platform, but instead published the controller's request for deletion on the platform, arguing that there is a legitimate interest for the publication of this information under [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]]. The data subject objected to the publication and lodged a complaint with the Austrian Data Protection Authority (DSB).

Revision as of 14:47, 2 March 2022

BVwG - W176 2245370-1
Courts logo1.png
Court: BVwG (Austria)
Jurisdiction: Austria
Relevant Law: Article 6(1) GDPR
Article 17(1) GDPR
Article 17(3) GDPR
§ 31 MedienG
§ 9 DSG
Decided: 15.12.2021
Published: 11.02.2022
Parties:
National Case Number/Name: W176 2245370-1
European Case Law Identifier: ECLI:AT:BVWG:2021:W176.2245370.1.00
Appeal from: DSB (Austria)
D124.2129 2021-0.552.326
Appeal to:
Original Language(s): German
Original Source: Rechtsinformationssystem des Bundes (RIS) (in German)
Initial Contributor: kc

The Federal Administrative Court of Austria held that a controller which operates a doctor evaluation platform is not allowed under Article 6(1)(f) GDPR to publish a request for deletion, by which a doctor requests the deletion of a user's review.

English Summary

Facts

The controller operates a doctor search and evaluation platform. The data subject is a doctor for skin and venous diseases.

In December 2019, the data subject used the reporting function of the platform to request the deletion of a user's review pursuant to Article 17(1) GDPR. The controller did not remove the disputed review from the platform, but instead published the controller's request for deletion on the platform, arguing that there is a legitimate interest for the publication of this information under Article 6(1)(f) GDPR. The data subject objected to the publication and lodged a complaint with the Austrian Data Protection Authority (DSB).

The Austrian Data Protection Authority (DSB) disagreed with the controller's view. It stated that, generally, such evaluation platforms and the associated processing of personal data are covered by the right to freedom of expression in accordance with Article 10 ECHR and Article 11 CFR. It further reasoned that, usually, the added social value created by the evaluation platform or the interests of the broader public outweigh the interests of the data subject, so that the publication of comments by users of this platform can in principle be based on Article 6(1)(f) GDPR. The DSB, however, concluded that, since the data subject used the report function and not the comment function of the page, the use of the data was intended exclusively for the purpose of reporting and, therefore, the data subject did not reasonably have to expect the publication of the data. Consequently, the DSB found that the legitimate interests of the controller or the platform users (i.e. the patients) did not outweigh the legitimate interests of the controller and, therefore, the controller violated the data subject's right to deletion.

The controller appealed this decision.

Holding

The Federal Administrative Court of Austria (Bundesverwaltungsgericht - BVwG) agreed with the position of the DSB. In particular, it confirmed the balancing of interests performed by the DSB. Furthermore, it held that the controller was obliged to delete the published request for deletion under Article 17(1)(d) GDPR and that the controller could not invoke Article 17(3) GDPR, because non of its requirements were met in the case at hand.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

decision date

15.12.2021

standard

B-VG Art133 Para.4
DSG §9
GDPR Art17 Para
DSGVO Art17 para.3
GDPR Art6 Para

saying

W176 2245370-1/2E

In the name of the republic!

The Federal Administrative Court, through the judge Mag. NEWALD as chairman and the expert lay judge Mag. BOGENDORFER and the expert lay judge Mag. ZIMMER as owner or as assessor, on the complaint of XXXX against the decision of the data protection authority of 06.07.2021, Zl. D124. 2129 2021-0.552.326 (participating party: XXXX ), for violation of the right to erasure, rightly recognized in closed session:

a)

The complaint is dismissed as unsubstantiated.

b)

The revision is not permitted according to Art. 133 Para. 4 B-VG.

text

Reasons for decision

I. Procedure

1. With a submission dated February 18th, 2020, improved on April 20th, 2020, the now involved party (hereinafter: MP) filed a complaint against the now complainant (respondent before the data protection authority, hereinafter: BF) to the data protection authority (hereinafter: prosecuted authority), which justified it as follows:

The BF (which operates a doctor search and evaluation portal) published an e-mail communication intended exclusively for them by the mP (a specialist in skin and venereal diseases) without their knowledge and will. This gave the impression that it was an answer to an experience report intended for publication by the mP, which was not the case. The mP had submitted written objections several times and requested the deletion of this text, which was not intended for publication. However, this wish was not complied with.

2. In its statement of June 15, 2021, the BF, which was represented in a friendly manner, summarized that there was an entry on the MP on the portal it operated and that a user had published an experience report on this. The mP used the reporting function on the portal and complained about the field report on December 23, 2019. The published experience report is subjective, but permissible. The facts described are essentially confirmed by the mP, even if the view of the facts and their subjective assessment differ. The statements of the mP are informative and would help the reader to better assess the facts described.

The BF did not remove the disputed experience report from the portal, but published the MP's view as a supplement to the experience report. This text can currently be viewed online on the portal.

The operation of the portal is protected by the fundamental right to freedom of expression and information in accordance with Article 10 of the ECHR. The processing and presentation of the doctors' data on the portal serves the public exchange of opinions and therefore does not require the doctors' consent. The publication of the point of view of the mP does not interfere with their rights either. Rather, it is not only in the interest of the public, but also in their interest, since it reflects their view of the user's experience report. In addition, it is not a private communication, but a report on the doctor's opinion on a public report.

The report was truthful and did not expose the MPs in any way. Since the mP had commented on a topic that had been published in a permissible manner and was in the public interest and did not affect her private sphere, the publication did not infringe on her rights.

A right to erasure is also opposed by the fact that the processing in question serves to exercise the right to freedom of expression and information within the meaning of Article 17 (3) (a) of the General Data Protection Regulation (GDPR). Furthermore, the processing is required to assert, exercise and defend legal claims in connection with quality assurance on the portal operated by BF (in particular in connection with reports of abuse) (Art. 17 Para. 3 lit. e GDPR).

The questioning of the managing director of BF is also offered.

3. The mP responded - according to the results of the investigation, according to the parties - in a brief dated August 31, 2020, that they considered the publication of a user report on the entry regarding their person to be incorrect and damaging to business. Allegations have been made that suggest illegal action on the part of the mP.

She also does not understand the relevant case law to the effect that all data or the assertion of doctors' requests for deletion may be published. Likewise, the justification for the request for deletion was not information about the medical service of the mP.

4. With the contested decision, the relevant authority upheld the data protection complaint and found that the BF had violated the mP's right to deletion by refusing to respond to the BF's request of January 16, 2021 for the deletion of the data by the BF on their Webpage XXXX to correspond to the published comment (paragraph 1.) At the same time, she instructed the BF to delete the data mentioned in clause 1. within a period of two weeks with other execution (paragraph 2.).

In the justification for the decision, the authority concerned initially made the following findings of fact:

The MP practices as a registered specialist for skin and venereal diseases in XXXX and is a member of the Medical Association XXXX.

BF operates a doctor search and rating portal under the XXXX domain. The professional address, telephone number, office hours, diplomas and certificates as well as the name of the MP would be published on the XXXX website in the form of a doctor profile.

Patients could use an evaluation scale (1 point = lowest satisfaction, 5 points = highest satisfaction) to evaluate a doctor's visit overall, with a detailed evaluation (with regard to empathy, trust, treatment, service offer, practice equipment, care in the practice, waiting time in the waiting room and waiting time for an appointment) is possible. In addition, patients could write a short report on their experience in the form of a free text field.

The BF have implemented various protective mechanisms to counteract the submission of irrelevant testimonials. Next to each experience report there is a "flag symbol" so that doctors can report it and the report will be removed from the doctor profile by the BF after appropriate verification if it violates their terms and conditions. Doctors also have the opportunity to comment on experience reports.

The following passages can be found in the General Terms and Conditions published on the BF website (formatting not reproduced 1:1):

"7. quality control

- […]

- For reasons of quality assurance, the users/members of XXXX are also requested to report all suspicious content that does not comply with the terms and conditions and guidelines under "Contact" (topic: "Report Abuse") or via the "Report Abuse" link on the medical side themselves to report immediately to the operator.

- Reports received are checked and processed by the operator according to the available resources. If it turns out that the data provided does not correspond to the terms and conditions or the legal provisions, it is at the discretion of the operator, without prejudice to other rights, to change or remove inadmissible data without further notification.

- Users/members who do not behave in accordance with XXXX's terms and conditions, in particular in the case of intentional false reports and misuse of the quality assurance system, or disregard legal provisions, can be sanctioned by the operator. Without prejudice to other rights of the operator, the sanctions can range from a warning to a temporary blocking of the member profile to a permanent blocking of the member profile and access to a specific IP address. As a result, all content and profiles associated with these users/members can be deleted at XXXX without further notification and without any right to recovery. The type and scope of the respective sanctions are at the discretion of the operator.

- In any case, the operator reserves the right to take legal action in the event of intentional false reports and misuse of the quality assurance system.

- XXXX has the right, but not the obligation, to check the data posted by users/members, in particular whether they comply with the terms and conditions and the relevant legal provisions. In any case, the operator is entitled to delete or change data (e.g. to make it anonymous or to comment) without stating reasons and without further notification.”

Furthermore, the following explanations can be found on the website under “FAQ for doctors”:
"Comment function

Irrespective of whether patients express praise or constructive criticism in their experience reports - doctors always have the opportunity to comment on the entries, to say thank you for the feedback and / or to express their personal opinion. For this purpose, the comment function is available for each evaluation (see the "Comment as a doctor" button). In addition, texts can also be sent to us via our contact form (provided that the field report in question is referenced and the text length is a maximum of 4000 characters). The comment is then marked as a response from the doctor and displayed under the respective experience report. The aim is a topic-related (not personal) clarification of open questions or statements made in the room. These comments must be written in accordance with the professional and professional law for doctors and are also bound by our terms and conditions.

"Report review" function

If false statements of fact are (knowingly) made in an experience report, rumors are spread from "hearsay" or insults or similar are pronounced, there is an option to report abuse via a button next to each experience report or to inform us about this via the contact form (important here is the reference to the doctor concerned and the experience report). In this case, we will consult with the registered user who is responsible for it and who published the field report. After a careful examination, the appropriate measures are then taken, which, for example, include the irrevocable deletion of the false factual allegations in the event of an objection to our terms and conditions.

There is an entry on the MP on the XXXX portal. A user published an experience report for this entry with the following content:

On December 23, 2019, the MP used the reporting function on the BF portal and complained about the experience report, requesting the BF to delete the post.

As a result, the BF supplemented the field report on the MPs on the XXXX portal with parts of their complaints. Excerpts from this supplement are as follows:

On January 16th, 2020, the mP submitted an application for deletion to the BF, for which they used the "Application according to Art. 17 DSGVO for deletion" available on the website of the authority concerned and sent the following letter in the attachment (formatting not adopted 1:1 ):

"Excerpts of an e-mail communication intended exclusively for this company were published by XXXX on the platform of the same name without my knowledge and, after this fact became known, against my express will.

This text was published following a patient comment beginning with the following:

XXXX , as the patient writes …

This gives the misleading impression that this is a reply to the comment that I intended to publish, which is not the case.

I have objected several times in writing (personally and also through the legal department of the XXXX Medical Association) and requested the deletion of this text, which was not intended for publication. This wish was not fulfilled.

I expressly declare again that this e-mail is intended solely for internal use to clarify the facts of the company XXXX.

This can be clearly seen from the fact that the email begins with the words:

Dear company.....

This text is not a "DOCTOR'S ANSWER", which is intended for publication.

The publication made by XXXX was against my will and violates several legal provisions.”

The BF did not remove the objected contribution and the mP replied as follows (representation as in the contested decision):

The BF did not comply with the mP's request for deletion until the end of the procedure.

In order to evaluate the evidence, it was noted that the findings made were based on the undisputed submissions of the mP, the statement of the BF of October 30, 2020 and a search she carried out on the XXXX website (accessed on July 6, 2021).

In legal terms, the relevant authority essentially stated the following:

In its notification of January 15, 2019, Zl. DSB-D123.527/0004-DSB/2018, it had already dealt extensively with a doctor rating platform - among other things with regard to protection against unobjective ratings - and came to the conclusion that that the evaluation platform and the associated processing of personal data are covered by the right to freedom of expression in accordance with Art. 10 ECHR and Art. 11 GRC and that the social added value created by the evaluation platform or the interests of the broader public also outweigh the data protection interests of those affected so that the publication of comments by users of this platform can in principle be based on the provision of Article 6 (1) (f) GDPR.

On the other hand, the parts of an e-mail published by the BF, which the mP wrote in the course of reporting a contribution, should be viewed differently. As can be seen from the findings, a distinction is made between a "report" and a "comment function" and the mP - as also stated by the BF itself in its statement - used the "report function". According to the information published by the BF on the website, this serves to educate and review the reports of the patients; therefore, the use of the data was intended exclusively for this purpose and the mP did not reasonably have to expect publication. In addition, the phrase "XXXX has sent XXXX a comment on the matter" gives the impression that the mP - despite using the reporting function - used the comment function.

If the BF thinks that the private message is in the public interest, since it allows a better representation of the overall context and is therefore also in the interest of the mP itself, she fails to recognize that the mildest means should always be used when weighing up the interests.

Based on the balancing of interests carried out, it follows that there is a violation of the mP's right to deletion, since the legitimate interests of the BF or the portal users (i.e. the patients) do not outweigh impairments of the legitimate interests of the mP.

As far as the BF is of the opinion that the exceptional circumstances regarding assertion. exercise or defense of legal claims, also in connection with the quality assurance on their portal, she should be countered that the aim of the stated facts is to avoid being unable to assert a legal claim in court, in administrative proceedings or out of court, or to defend the position is weakened because this is not possible without the processing (especially the disclosure in the process) of another person's sensitive data. However, the assertion, exercise or defense of legal claims is clearly not available.

Due to the absence of a corresponding exception, the processing of personal data (specifically the publication of parts of the e-mail correspondence) is therefore unlawful and the requirements of Article 17 (1) (d) GDPR are met.

According to Article 58 (2) (c) GDPR, the BF was also to be instructed to delete the comment in accordance with Article 17 GDPR, with a period of two weeks appearing appropriate in order to comply with the performance mandate.

5. The BF lodged a complaint against this decision with the Federal Administrative Court in due time and stated the following in summary:

Despite corresponding submissions by the BF and despite corresponding offers of evidence, in particular the questioning of the managing director of the BF, the authority concerned did not conduct any inquiries to the effect that the publication by the BF that is the subject of the proceedings is the processing of data from a media company for journalistic purposes. If she had taken the appropriate investigative steps, she would have affirmed the applicability of Art. 10 EMRK and Art. 11 GRC (due to the existence of a processing of data from a media company for journalistic purposes), as well as the data protection media privilege according to § 9 Data Protection Act (DSG) and the data protection complaint of the MP rejected.

Furthermore, there is only a right to erasure if there is a reason for erasure in accordance with Art. 17 Para. 1 GDPR and no exception under Para. 3 applies. However, the authority concerned did not check whether there was any reason for deletion at all, but apparently wrongly assumed that there was an unconditional right to deletion.

Finally, the authority concerned does not distinguish between the deletion of the data in question (content of the complaint about the experience report by the mP), which was also reproduced by the BF (largely unchanged) on the XXXX portal, and the omission of publication. The deletion of data includes the complete physical deletion in the sense of an irreversible, non-reconstructible rendering illegible (reference to OGH April 15, 2010, 6 Ob 41/10p, jusIT 2010/69); however, this was clearly not the intention of the mP: she wanted her complaint to be examined and complied with and not for it to be deleted by the BF. The mP is therefore obviously only striving for the omission of publication and not for deletion. The question of whether BF is entitled to publish the complaint on the XXXX portal is not a question of data protection law, but a question that falls within the jurisdiction of the civil courts.

To prove that BF is to be qualified as the media owner as well as a media support service and that there is considerable public interest in transparent and critical reporting on medical services, the questioning of the managing director of BF is requested.

6. On August 2nd, 2021, the authority concerned submitted the complaint together with the related administrative documents in electronic form. She commented on the complaint to the extent that she stated that BF was not a media company or media service in accordance with Section 9 (1) DSG and it could not be assumed that the publication of information regarding doctor search portals constituted journalistic activity, even if it was this is supplemented by additional information such as ratings and field reports; this in particular because the required minimum of journalistic, scientific, artistic or literary processing is missing.

II. The Federal Administrative Court considered:

1. Findings

The Federal Administrative Court bases its decision on the same facts as the competent authority assumed.

2. Evaluation of Evidence

The findings result from the submitted administrative documents and are not disputed between the parties to the procedure.

3. Legal Assessment

3.1. To dismiss the complaint

3.1.1.1. According to Art. 130 Para. 1 Z 1 B-VG, the administrative courts recognize complaints against the decision of an administrative authority due to illegality.

The procedure of the administrative courts, with the exception of the Federal Finance Court, is regulated by the Administrative Court Procedure Act (VwGVG) (§ 1 leg.cit.).

According to § 17 VwGVG, unless otherwise specified in this Federal Act, the provisions of the AVG with the exception of §§ 1 to 5 and Part IV as well as others are more detailed on the procedure for complaints pursuant to Art. 130 Para. 1 B-VG apply the aforementioned laws (not relevant in the present case) and, moreover, those procedural provisions in federal or state laws which the authority applied or should have applied in the proceedings before the administrative court.

According to Section 28 (1) VwGVG, the administrative court has to settle the legal matter by finding the complaint, unless the complaint is to be dismissed or the proceedings are to be discontinued.

3.1.1.2. According to Art. 6 Para. 1 GDPR, processing is only lawful if at least one of the following conditions is met:

a) The data subject has given their consent to the processing of their personal data for one or more specific purposes;

b) the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

c) processing is necessary for compliance with a legal obligation to which the controller is subject;

d) processing is necessary to protect vital interests of the data subject or another natural person;

e) the processing is necessary for the performance of a task that is in the public interest or in the exercise of official authority that has been delegated to the controller;

f) processing is necessary to protect the legitimate interests of the person responsible or a third party, unless the interests or fundamental rights and freedoms of the data subject that require the protection of personal data prevail, in particular if the data subject is a child acts.

According to Art. 17 Para. 1 GDPR, the data subject has the right to demand that the person responsible delete personal data concerning them immediately, and the person responsible is obliged to delete personal data immediately if one of the following reasons applies:

a) The personal data are no longer necessary for the purposes for which they were collected or otherwise processed.

b) The data subject withdraws their consent on which the processing was based pursuant to Article 6(1)(a) or Article 9(2)(a) and there is no other legal basis for the processing.

c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2).

d) The personal data have been processed unlawfully.

e) The erasure of the personal data is necessary to fulfill a legal obligation under Union law or the law of the Member States to which the person responsible is subject.

f) The personal data have been collected in relation to information society services offered pursuant to Article 8(1).

According to Art. 17 GDPR, paragraph 1 leg. cit. not insofar as the processing is necessary

a) to exercise the right to freedom of expression and information;

b) to fulfill a legal obligation that requires processing under Union or Member State law to which the controller is subject, or to perform a task that is in the public interest or in the exercise of official authority vested in the controller ;

c) for reasons of public interest in the field of public health in accordance with Article 9 paragraph 2 letters h and i and Article 9 paragraph 3;

d) for archiving purposes in the public interest, scientific or historical research purposes or for statistical purposes pursuant to Article 89 paragraph 1, insofar as the law referred to in paragraph 1 is likely to render impossible or seriously impair the attainment of the objectives of this processing, or

e) to assert, exercise or defend legal claims.

According to Section 9 (1) DSG, the processing of personal data by media owners, publishers, media employees and employees of a media company or media service within the meaning of the Media Act (MedienG) for journalistic purposes of the media company or media service is subject to the provisions of the DSG and Chapter II of the GDPR ( Principles), III (Rights of the data subject), IV (Controllers and processors), V (Transfer of personal data to third countries or to international organisations), VI (Independent supervisory authorities), VII (Cooperation and consistency) and IX (Regulations for special processing situations ) no use. When exercising its powers vis-à-vis the persons named in the first sentence, the data protection authority must observe the protection of editorial secrecy (§ 31 MedienG).

3.1.2. The adjudicating senate of the Federal Administrative Court came to the conclusion that the complaint was not justified for the following reasons:

As it should be noted in advance with regard to the complaint's reference to the "media privilege" of Section 9 (1) DSG, the requirements of this provision are not met insofar as rating platforms do not fall under the term "journalistic purposes" (cf. e.g. Jahnel, Commentary on the GDPR, Art.85, margin no. 18). It should be noted that the competence of the relevant authority is not disputed by the BF anyway.

Contrary to the complaint, it cannot be said that the authority concerned did not check whether there was any reason for deletion at all. Rather, this is clearly based on the facts of Art. 17 (1) lit. d GDPR ("The personal data was unlawfully processed"), especially since it carries out a weighing of interests within the meaning of Art. 6 (1) lit. f GDPR. The Senate also shares the assessment that in such a weighing of interests, the interests of the mP, which did not have to reckon with a reporting function offered on the website operated by the BF being published as a comment on a user's contribution, prevail; because it is contrary to the principle of good faith to publish this data without the consent of the person concerned when using the reporting function, which is clearly not intended to publish the information provided there. Consequently, there is also no exception in accordance with Article 17 (3) (a) GDPR.

Insofar as the complaint finally argues that the mP is obviously only striving for the omission of publication and not deletion, this cannot be followed with regard to the statements by the mP presented above, from which it can be clearly inferred that they want the data in question to be deleted will.

Since the contested decision cannot be accused of illegality, the complaint was dismissed as unfounded.

3.1.3. It was possible to refrain from questioning the managing director of BF as a testimony, since the results would not change even if the topics of evidence that are to be proven by his questioning were taken as a basis: On the one hand, the requirements of Section 9 (1) DSG are met, as explained above notwithstanding BF's qualification as a media company or media service; On the other hand, the fact that the public has a considerable interest in transparent and critical reporting on medical services, which is not disputed by the deciding Senate, does not mean that the concrete processing of the relevant MP data by the BF would be deemed lawful.

3.1.4. According to § 24 para. 4 VwGVG, an oral hearing could not be held.

3.2. On the inadmissibility of the revision:

Pursuant to § 25a Para. 1 VwGG, the administrative court has to pronounce in its ruling or decision whether the revision is admissible according to Art. 133 Para. 4 B-VG. The statement must be briefly justified.

The revision is inadmissible because no legal question within the meaning of Art. 133 Para. 4 B-VG had to be assessed that is of fundamental importance.