BVwG - W176 2247262-1

From GDPRhub
BVwG - W176 2247262-1
Courts logo1.png
Court: BVwG (Austria)
Jurisdiction: Austria
Relevant Law: Article 57(4) GDPR
Decided: 21.04.2022
Published: 03.06.2022
Parties: anonymous
DSB
National Case Number/Name: W176 2247262-1
European Case Law Identifier: BVWGT_20220421_W176_2247262_1_00
Appeal from:
Appeal to:
Original Language(s): German
Original Source: Rechtsinformationssystem des Bundes (RIS) (in German)
Initial Contributor: n/a

The Federal Administrative Court of Austria held that the DSB (Austria) was allowed to reject a complaint as excessive, because the data subject had already lodged 137 other complaints which partially focused on the same subject matter.

English Summary

Facts

The data subject was a former employee of the controller. After having received an allegedly incomplete answer to his access request, the data subject lodged a complaint with the DSB (Austria).

The DSG rejected to handle the complaint under Article 57(4) GDPR - considering it excessive - since there were at least 137 complaints of the data subject registered with the DSB. Moreover, these 137 cases were concerning only two subject matters. The first subject matter was that his son's citisenship was allegedly falsely recorded as Italian instead of German with the Austrian public authorities. The second subject matter was that the controller - his former employer - violated his data protection rights during the employment relationship.

As the data subject was dissatisfied with the rejection but could not afford legal proceedings himself, he applied for legal aid (this means the exemption from court fees) with the BVwG in order to bring a legal action against the DPA's decision.

Holding

The court rejected the application of the data subject because it found that the requirements for legal aid under national law were not met. One of the requirements is that the intended legal action may not appear futile. The court, however, concluded that a legal action against the DSB's decision appears futile, because the DSB rightfully rejected to handle the complaint under Article 57(4) GDPR. The court reasoned that the complaint was excessive, because the data subject had already lodged numerous complaints with the DSB about the same two subject matters (137) and the present complaint was closely linked to these complaints.

Comment

The DSB issued a corresponding decision already three days earlier on 18 April 2022 (W176 2247197-1) regarding the same data subject.

Unfortunately, the court did not mention how many of the 137 complaints related to the subject matter "Citisenship of the son" and how many related to the subject matter "Previous employment". Since the present complaint was only linked to the matter of "Previous employment", the DPA and the court were - in my opinion - not allowed to take the number of previous complaints relating to the topic "Citisenship of the son" into account when assessing the excessiveness of the present complaint under Article 57(4) GDPR. They should have clarified how many complaints related to the topic "Previous employment".

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

                                                                                 Postal address:
                                                                       Erdbergstrasse 192 – 196
                                                                                  1030 Vienna
                                                                          Phone: +43 1 601 49-0
                                                                    Fax: + 43 1 711 23-889 15 41

                                                                Email: einlaufstelle@bvwg.gv.at
                                                                             www.bvwg.gv.at

                    DECISIONS D A T U M

                                 2 1 . 0 4 . 2 0 2 2

                            BUSINESS NUMBER





                       W 1 7 6 2 2 4 7 2 6 2 - 1/2 E





                                 DECISION




The Federal Administrative Court decides on the application through the judge Mag. NEWALD

of XXXX on approval of legal aid for filing a complaint against
the decision of the data protection authority of July 21, 2021, Zl. D124.1201, 2020-0.764.578:


a)


The request will not be followed.

b)


The revision is not permitted according to Art. 133 Para. 4 Federal Constitutional Law (B-VG)., - 2 -







                                   Reason:


I. Procedure:


1. In his submission to the data protection authority (hereinafter: DPO) dated

On February 11, 2019, the applicant asserted that the XXXX club had granted him a
inadequate information violated his rights under the GDPR. Because one before him

Information given by this association cannot be inferred which
specific data processed by him, for example in connection with his employment

had been.


2. With a letter to the district court of Innsbruck dated March 2nd, 2021, the DSB (again) suggested that
Appointment of a judicial adult representative for the applicant.


As a reason, she pointed out (with reference to a relevant excerpt from her

File management system) indicates that the applicant had 222
Complaints (namely 137 data protection complaints to the DPO and 83

Complaints to the Federal Administrative Court) pending, whereby it

the core of these complaints is always about the same two sets of topics:

On the one hand, the applicant is of the opinion that the municipality of E. in South Tyrol

His son's personal status, which according to the DSB's official knowledge is in Italian

citizenship, because his son is actually German
citizenship. Also, he is of the opinion that his personal data and this one

son had been misrepresented by various public and private bodies
and lodges privacy complaints in relation thereto. On the other hand, the applicant

who was employed by XXXX from May 1996 and was suspended on October 11, 2017

has been against his former employer, his employees and
other positions with which he had to do professionally by injuring them

of its data protection rights.


Due to his excessive conduct of proceedings before the DSB and the Federal Administrative Court
and the associated risk of costs, the applicant is subject to a serious,

significant risk of his financial security., - 3 -


3. With the decision of May 20, 2020, line XXXX, the District Court of Innsbruck conducted the proceedings
to appoint a judicial adult representative for the applicant.


4. As a result, the DSB with a decision dated July 15, 2020 initiated the procedure for the

Data protection complaint until the decision in the procedure for the appointment of a court
adult representative.


5. With the decision of August 7th, 2020, line XXXX, the regional court Innsbruck gave the appeal of the

Applicant against the decision cited under point 4. Consequence and rescinded it.

Basically, it stated that on the basis of the current situation

both in relation to the financial situation of the applicant and the threatened ones

Disadvantages the initiation of the appointment procedure is disproportionate. A sole
Third party interests are never a reason to appoint an adult representative. The load

justify the authority through constant submissions and the interests of the opposing party

therefore no order, whereby in the present case it is added that the DSB is too
excessive procedural conduct by not treating obviously malicious or

could encounter hopeless complaints.


6. With a decision dated November 16, 2020, the DSB revoked the suspension decision dated July 15, 2020
and continued the process.


7. Delivered to the applicant by decision of July 21, 2021, Zl. D124.1201, 2020-0.764.578
on July 29, 2021, the DSB refused to deal with the complaint. Reasoning she led

assumes that the applicant submitted his first complaint to the DSB on 06/14/2018

and since then – as can be seen from research in the ELAK file management system
result - more than 200 (decision) complaints to the DSB and the Federal Administrative Court

have made pending.


It is therefore in the present case of a "frequent repetition" within the meaning of Article 57(4) GDPR
and consequently from an excessive use of the right of appeal under this

determination to go out.


8. In a letter dated August 23, 2021, the applicant requested that the
to grant legal aid for filing a complaint against this decision,

essentially stating the following:


He was undoubtedly not in a position to pay the costs for the impairment of the necessary
To deny maintenance., - 4 -


In addition, the procedure is not hopeless, which is also evident from the decision of the
Provincial Court Innsbruck Zl. XXXX result. The DSB is involved in identity fraud

concerning his underage son and the family structure. In Austria and Italy

It is about the violation of constitutionally guaranteed basic and
Freedom rights with regard to his person and the person of his son.


9. As a result, the DSB submitted the application for legal aid to the Federal Administrative Court

Connection of related administrative documents (in electronic form).

II. The Federal Administrative Court considered:


1. Findings:


1.1. On the one hand, the legal assessment is based on the facts presented under point I
based on.


1.2. On the other hand, the following is stated:


1.2.1. The applicant submitted his first data protection complaint to the DPO on
06/14/2018 on. Since then, at the time when that decision was issued, he brought his

Fighter who seeks legal aid, at least 137 initial applications

at the DSB.

1.2.2. The core of all these data protection complaints are the following two sets of topics:

one was related to what the applicant believed to be incorrect
Determination of his son's personnel status his personal data and this one

son has been misrepresented by various public and private bodies. To the

others would have the association XXXX , the applicant’s former employer, who hired him in 2017
suspended his employees and other positions with which he worked during his work

had to do professionally for the named employer violated his data protection rights.


2. Evidence assessment:

2.1. The statements on point 1.1. arise from the harmless

administrative records.


2.2.1.The statement on point 1.2.1.is based on the comprehensible, on an excerpt from
statements based on the DSB's file management system at their suggestion

Initiating a process to appoint an adult representative. Also presented neither

the courts that have become active in this procedure nor the applicant in, - 5 -


the proceedings at hand the high number of those brought by him to the DSB
Privacy complaints denied.


2.2.2. The statements on point 1.2.2. also rely on the plausible ones

Statements by the DSB in the suggestion mentioned and the fact that this was not done by
the courts cited nor denied by the applicant in the present proceedings

was asked. Rather, the assumption is confirmed by the fact that the

Applicant who makes submissions in the present data protection complaint that
is to be attributed to the second group of topics mentioned, to justify the

Legal aid application essentially refers to circumstances that are part of the first

subject area.

3. Legal assessment:


3.1. to A)


3.1.1. Pursuant to Section 8a (1) VwGVG, a party is to the extent required by federal or state law
unless otherwise specified, to grant legal aid, insofar as this is based on Art. 6 para

1 of the Convention for the Protection of Human Rights and Fundamental Freedoms or Article 47 of the

Charter of Fundamental Rights of the European Union, is required, the party is unable to
Costs by conducting the procedure without affecting the necessary maintenance

deny, and the intended legal prosecution or legal defense not so obviously
willful or hopeless.


The prerequisite for the approval of legal aid is therefore that the intended

Legal prosecution does not seem hopeless.

The applicant wishes to obtain legal aid to appeal against the refusal

to raise his data protection complaint in accordance with Article 57 (4) GDPR.


Art. 57 Para. 4 GDPR standardizes that the supervisory authority in the case of manifestly unfounded
or – especially in the case of frequent repetition – excessive requests

charge or refuse a reasonable fee based on administrative costs

may act on the application.

In the scientific literature, the following is stated on Art. 57 Para. 4 GDPR (cf.

already BVwG 03.11.2020, W214 2233563-1/4E):

"In the case of manifestly unfounded or excessive requests, an exception to the
The persons concerned are exempt from charges, however, the charge may only be made on - 6 -


based on administrative costs. The fee may not
Administrative burden of processing exceed, since it is not a

abuse fee, but a processing fee.


In these cases, the supervisory authority can also refuse to act on the basis of the request
will. In this case, the supervisory authority bears the burden of proof to the obvious

unfounded or excessive nature of the request. However, a refusal does not mean

that the supervisory authority may simply ignore a request. She can only refuse
to work on the content. At least in the case of obviously unfounded inquiries

according to § 13 para. 3 AVG an order for improvement has to be issued. After fruitless expiration

of the deadline to be set by the DSB for the improvement, the request can be made by resolution
be rejected. Inquiries in the sense of applications where no individual

The applicant is entitled to a service from the supervisory authority (e.g. general

Consulting services) can be rejected without further ado, since in such cases paragraph 4
does not apply" (Wlk-Rosenstingl in Knyrim, DatKomm Art. 57 DSGVO status

01.10.2018, rdb.at).


In the following, literature on excessiveness is cited, which is based on Art. 57 Para.4 GDPR, but partly
also to the almost word-identical provision of Art. 12 para.

5 GDPR refers to:

In particular, on the question of excessiveness, the following is stated:


The supervisory authority can only reject applications if they are manifestly unfounded

or are disproportionate, with the volume of applications playing an important role (Nguyen
in Gola, DS-GVO, 2nd edition, Art 57 Rz 22).


The frequent repetition of the application is only considered excessive within the meaning of the norm [Art. 12 para.

5 p.2] if this is done without a legitimate reason. Hence this one
Case group considered if the applicant despite lawful information

or rejection by the person responsible submits further (almost) identical applications

the use of the word "in particular" also shows the legislator that he
would also like to have other forms of excessive requests covered. are conceivable

for example, abusive applications, solely with the aim of those responsible

to harass ((Heckmann/Paschke in Ehmann/Selmayr, General Data Protection Regulation,
2nd edition, Art. 12 margin no. 43).


Examples are: - 7 -


- Troublemakers who ask nonsensical or the same questions over and over again, so that
the activities of the supervisory authority are severely impaired or even paralyzed

(Selmayr in Ehmann/Selmayr, General Data Protection Regulation, 2nd edition, Art. 57 margin no. 24)


- An application is not excessive because it requires a lot of processing
triggers. Rather, what is required is abusive behavior on the part of the applicant.

[Art. 12] Paragraph 5 Sentence 2 Alt. 2 cites the frequent repetition of the application as an example of this.

Also, for example, the vexatious assertion of a right of the person concerned with the aim of
Damaging those responsible falls under [Art. 12] para. 4 sentence 2 alt. 2 (Bäcker in

Kühling/Buchner, DS-GVO • BDSG, 2nd edition, Art. 12 margin no. 37).


- Excessive character is executed, if processing of inquiries
significantly exceeds the average amount of work and time required for comparable cases

and in addition the increased effort on an excessive abundance of insubstantial or

is due to excessive explanations; it is not enough that a BF multiple times
makes representations in comparable cases or that he keeps coming back at regular intervals

lodges a complaint against a specific data processing; only the high expenditure of time

of processing or a comparatively banal legal assessment
no classification as excessive (Polenz in Simitis|Hornung|Spiecker [ed.] data protection law,

DSGVO with BDSG, Art. 57 Rz 58).

- At least abusive behavior on the part of the

applicant. In addition to the filling up of applications, there is probably also a harassment

Prohibition under the provision that aims to prevent applications that only serve the purpose
To impose additional effort and thus damage on those responsible, which is not the case in terms of content

is justified. (Steinbach for Webersohn & Scholz External data protection, WS data protection

GmbH, https://webersohnundscholtz.de/auskunftsverweigerungsrecht-dsgvo/ from
05.04.2019)


- Excessive application exudes the "smell of abuse of rights". With such a

Application is not rudimentarily recognizable what the service required by the person responsible
contribute to the realization of the fundamental right to data protection. The referral of

Those responsible with the application can - from a data protection-sensitive perspective

Considered - do not produce an achievement that is in any way advantageous for the person concerned
would be. The assessment of an application as excessive is only considered in exceptional cases (The

Bavarian State Commissioner for Data Protection, https://www.datenschutz-
bayern.de/datenschutzreform2018/AP_ExzessiveAntraege.pdf), - 8 -


3.1.2. Against this background, the deciding judge of the
Federal Administrative Court assumes that the DSB cannot be challenged,

if it assumes that the facts of the case of excessive use of the

right of appeal is fulfilled.

As established, the applicant has a high number of at the DSB

Pending data protection complaints, all of which essentially relate to the two set out

have thematic complexes as their content.

In the present data protection complaint, the applicant makes

Data breaches by the XXXX in connection with his previous professional

activity applies.

In the legal aid application, he again states that the DSB is involved in identity fraud

concerning his underage son and the family structure is involved and it is about the

Violation of constitutionally guaranteed basic and freedom rights with regard to
his person and that of his son in Austria and Italy.


This makes it clear that the subject matter to be dealt with is thematically in

is closely related to the previous data protection complaints of the applicant.

The application for legal aid to file a complaint against the

The decision referred to above was therefore to be dismissed for lack of sufficient prospects of success.

However, if the applicant states that (also) the decision of the

Innsbruck Regional Court, with which the initiation of the procedure for the appointment of a

adult representative was rescinded, it follows that the conduct of the proceedings was not
is hopeless, nothing of the sort can be inferred from this decision.


It was therefore to be decided accordingly.


3.2. to B)

The revision is not permitted according to Art. 133 Para. 4 B-VG because the decision is not from the

solution of a legal question that is of fundamental importance. The question whether

an appeal for which legal aid is sought, sufficient prospect
Success within the meaning of § 8a para. 1 VwGVG is not an individual case-related assessment

reversible.