BVwG - W176 2248585-1
|BVwG - W176 2248585-1|
|Relevant Law:||Article 15 GDPR|
Section 24(6) Austrian Data Protection Act
|National Case Number/Name:||W176 2248585-1|
|European Case Law Identifier:|
|Appeal from:||DSB (Austria)|
|Original Source:||BVwG (in German)|
The Federal Administrative Court held that a data controller who fails to respond to an access request (Article 15 GDPR) can subsequently remedy of the alleged infringement. In doing so, the court referred to section 24(6) of the Austrian Data Protection Law.
English Summary[edit | edit source]
Facts[edit | edit source]
This case concerns an access request submitted by a data subject, under Article 15 GDPR, to a money transfer and payment services company which primarily offers consumer and digital money transfers, the controller. The access request was submitted on 24 July 2019.
On 16 December 2019, the data subject filed a complaint with the relevant DPA. The controller responded on 21 February 2020 that it had complied with the access request “in full and good time”. At this point in proceedings, the data subject was able to see, from the controller’s statement, that the controller had used an online platform to comply with the access request. The data subject had previously received two emails through this online platform, but did not want to open them as the sender was not known to her at the time and the controller had not informed her that they would be using this system.
According to their submissions to the DPA, the data subject had concerns over this platform, and did not want to use it, as it required her to create an account and provide an ID card. She therefore requested that the controller send a physical copy of the requested information via a trackable express courier service, the controller agreed to do so.
The proceedings before the DPA continued and, in a submission dated 2 August 2021, the data subject asserted that the controller had not provided the information via courier as agreed. The DPA held in favour of the data subject, finding that the controller had violated Articles 12 and 15 GDPR, and ordered them to provide the information within 4 weeks.
The controller appealed this decision to the Federal Administrative Court (BVwG), essentially alleging that the DPA had issued its decision unlawfully and on the basis of inadequate findings of fact. The controller submitted that the data subject had submitted the access request on 24 July 2019, then on 8 August 2019 the controller asked for proof of identity, which the data subject provided on 16 August 2019. After this date, neither the controller nor the online platform asked for proof of identity again. Thereafter, the controller provided the information on 18 September 2019 by means of its data protection compliance system (the online platform); which involved remote access to a secure system. The data subject then deliberately ignored the emails sent through the platform providing the information. In its statement to the DPA on 23 September 2020, the data subject stated for the first time that it wished to receive the information directly by email. However, these submissions were not sent to the controller, who only found out about this request when the DPA issued its decision. Accordingly, the controller immediately provided the information, by email, on 7 September 2021.
Responding to a request for information sent by the BVwG, the data subject confirmed that she had received the required information on 7 September 2019.
Holding[edit | edit source]
After examining the facts and outlining the relevant legal provisions, the BVwG stated, very clearly, that the most relevant facts in this case are, firstly, that the data subject made a request for information of 24 July 2019 and, secondly, that this request was complied with by the controller by e-mail of 7 September 2021. As a result, the legal interest in a challenge by the Federal Administrative Court had ceased to exist, the appeal proceedings had become irrelevant and were accordingly discontinued.
In issuing its decision, the BVwG relies upon section 24(6) of the Austrian Data Protection Law, which states that a respondent may, until the conclusion of the proceedings before the data protection authority, subsequently remedy the alleged infringement by complying with the complainant's requests.
Comment[edit | edit source]
It is worth noting that the BVwG states the access request was complied with on 7 September 2021, after the DPA had issued its original decision. According to the wording of section 24(6), this provision applies when a respondent remedies any alleged infringement until the conclusion of the DPA proceedings. However, § 11of the Federal Law on the Procedure of Administrative Courts states that "unless otherwise provided in this and the preceding section, the procedural provisions to be applied to the proceedings under this section shall be those which the authority has to apply in proceedings preceding the appeal to the administrative court". Therefore, the DPA was able to rely on section 24(6) of the Austrian Data Protection Law, in determining that the infringement has been rectified and so the appeal is irrelevant and should be discontinued.
However, concerns can be raised, in general, towards the functioning of section 24(6) of the Austrian Data Protection Law, as such a provision allows controllers to simply wait until a complaint is filed before rectifying any unlawful activities, rather than facilitating compliance from the outset.
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the German original. Please refer to the German original for more details.
decision date 01/19/2023 standard B-VG Art133 Para.4 DSG §24 paragraph 6 GDPR Art15 VwGG §33 VwGVG §28 para VwGVG §31 para B-VG Art. 133 today B-VG Art. 133 valid from 01.01.2019 to 24.05.2018 last amended by Federal Law Gazette I No. 138/2017 B-VG Art. 133 valid from 01.01.2019 last amended by Federal Law Gazette I No. 22/2018 B-VG Art. 133 valid from 05/25/2018 to 12/31/2018 last changed by Federal Law Gazette I No. 22/2018 B-VG Art. 133 valid from 08/01/2014 to 05/24/2018 last changed by BGBl I No. 164/2013 Federal Constitutional Law Art by BGBl. I No. 100/2003 B-VG Art. 133 valid from 01.01.1975 to 31.12.2003 last amended by BGBl. No. 444/1974 B-VG Art. 133 valid from 25.12.1946 to 31.12.1974 last amended by Federal Law Gazette No. 211/1946 B-VG Art. 133 valid from December 19, 1945 to December 24, 1946 last amended by StGBl. No. 4/1945 B-VG Art. 133 valid from 01/03/1930 to 06/30/1934 DSG Art. 2 § 24 today DSG Art. 2 § 24 valid from May 25th, 2018 last changed by Federal Law Gazette I No. 120/2017 DSG Art. 2 § 24 valid from January 1st, 2010 to May 24th, 2018 last changed by Federal Law Gazette I No. 133/2009 DSG Art. 2 § 24 valid from 01.01.2000 to 31.12.2009 VwGG § 33 today VwGG § 33 valid from July 1st, 2021 last changed by Federal Law Gazette I No. 2/2021 VwGG § 33 valid from January 1st, 2014 to June 30th, 2021 last changed by Federal Law Gazette I No. 33/2013 VwGG § 33 valid from 03/01/2013 to 12/31/2013 last changed by BGBl. I No. 33/2013 VwGG § 33 valid from 07/01/2008 to 02/28/2013 last changed by BGBl. I No. 4/2008 VwGG § 33 valid from 01/05/1985 until 06/30/2008 VwGVG § 28 today VwGVG § 28 valid from 01/01/2019 last amended by Federal Law Gazette I No. 138/2017 VwGVG § 28 valid from 01/01/2014 to 12/31/2018 VwGVG § 31 today VwGVG § 31 valid from 01.09.2018 last changed by Federal Law Gazette I No. 57/2018 VwGVG § 31 valid from 01.01.2017 to 31.08.2018 last changed by Federal Law Gazette I No. 24/2017 VwGVG § 31 valid from 01/01/2014 to 12/31/2016 saying W176 2248585-1/10E DECISION The Federal Administrative Court, through the judge Mag. NEWALD as chairman and the expert lay judge Mag. BOGENDORFER and the expert lay judge Mag. ZIMMER as assessors, respectively, on the complaint of XXXX, represented by WOLF THEISS Rechtsanwälte GmbH & Co KG, against the Decision of the data protection authority of August 25, 2021, Zl. D124.2779, 2021-0.570.357 (participating party: XXXX ), decided in closed session: a) Pursuant to §§ 28 Para. 1 and 31 Para. b) The revision is not permitted according to Art. 133 Para. 4 B-VG. text Reasons for decision: I. Procedure: 1. With a submission dated February 27, 2020, the involved party (MP) filed a data protection complaint with the data protection authority (hereinafter: the authority concerned) against the complainant (BF) and summarized that the BF had violated its right to information , because she had given her inadequate information. Based on a complaint by the MP on December 16, 2019, the BF stated in a statement on February 21, 2020 that it had complied with the MP’s “access request” “completely and in good time”. However, BF did not meet its obligation under the GDPR in a timely manner, and its data protection request was not answered in full either. The MP was able to gather from the statement for the first time that the BF had used the online platform XXXX to process its request, of which it had not previously been informed. XXXX sent her two e-mails, but she did not open these e-mails because she did not know the sender at the time and the BF had not announced it. To this end, the MP should have identified themselves again so that they could have accessed the requested data. The MP attached the statement of the BF of February 21, 2020 to the complaint. 2. In its supplementary statement of March 12, 2020, the MP essentially referred to its previous submissions. 3. In a letter dated August 17, 2020, the BF commented that it had replied to the MP completely and in good time. However, since the MP had additional concerns regarding the use of the XXXX platform to receive and fulfill requests for individual rights, a letter had been written to the MP to address these concerns and again offered to provide the MP with the response to the access request again deliver. Nevertheless, the MP does not want to use the XXXX platform. However, the BF is prepared, upon the verified request of the MP and with her explicit instruction, to send the access request in paper form to a specific postal address provided by her and to re-provide the reply to the access request via a trackable express courier service. A letter from the BF addressed to the MP (also dated August 17, 2020) was attached. 4. In a brief dated August 2nd, 2021, the MP stated in summary that the BF had not yet provided the desired information on its data protection request either by e-mail or by "express courier service". The BF originally wanted to fulfill the obligation to provide information by transmitting the MP's data to XXXX. The MP should have created an account with XXXX with a copy of their ID card in order to receive their data relating to the BF as a user of the platform. There is no apparent need to involve the external company XXXX for identification in a data protection report; BF could have provided this data directly via its own internet infrastructure. 5. With the contested decision, the relevant authority upheld the data protection complaint and found that the BF had violated the MP's right to information by not complying with its request of July 24th, 2019 and not providing it with any information (point 1. ). The BF was instructed to provide information in accordance with Art. 15 GDPR within a period of 4 weeks, otherwise the MP would be executed (point 2). In justification, she essentially stated that the subject of the complaint was the question of whether the BF had violated the MP's right to information by not complying with her request of July 24, 2019. The MP was then asked by the BF to present a copy of a state ID card for an identity check. The MP did this by email, the BF then confirmed receipt of this copy of the ID card and informed the MP that her application would be forwarded to the responsible department. BF uses the software platform XXXX to answer requests for information. In the course of providing the information via this platform, XXXX asked the MP for another proof of identity. The MP did not comply and was therefore not given access to the platform. The MP does not want to use this platform, but would like to receive the information by e-mail. To date, the BF has not given the MP any information. The relevant authority essentially explained in appraisal of the evidence that the findings were based on the parties' corresponding arguments in this respect. In legal terms, the authority concerned explained that the BF had not given any information to the MP in accordance with Art. 15 GDPR. If the BF refers the MP to the possibility of obtaining information about the XXXX platform they are using, or alternatively to receive information by post by means of a verified application and express instructions, reference should be made to Art. 12 GDPR, which sets out the modalities regulate the exercise of the rights of data subjects. When the application was submitted, the MP had already identified themselves to the BF by presenting a copy of their ID, the BF accepted this proof of identity and initiated processing of the application. In the present case, therefore, it cannot be assumed that there are justified doubts as to the identity of the MP pursuant to Art. 12 (6) GDPR; such doubts were also not asserted by the BF. In addition, the BF did not claim in the course of the proceedings that it was not able to identify the MP in accordance with Art. 12 (2) GDPR. Only then should the BF refuse to provide information. Rather, it gives the impression that the processor's procedure is an automated procedure, without the requirements of Art. 12 GDPR being observed. However, as the “extended hand” of the BF, the processor had to accept the identification of the MP that had already taken place. In addition, the MP is not asked to submit additional information within the meaning of Art. 12 (6) GDPR, but to identify themselves repeatedly by means of a copy of their ID. This approach by BF or its processor does not correspond to the specifications of the GDPR. With regard to Art. 12 (2) GDPR, it should be noted that the BF prefers to make the information documents available to the MP via the XXXX platform and is requesting renewed proof of identity from the MP through its processor. On the other hand, they offer the MP the alternative of sending the information by post, but only after a verified application and express instructions. This is despite the fact that the MP wanted the information to be sent by e-mail and the BF knew the MP's e-mail address. The behavior specifically set by the BF therefore makes it more difficult to exercise the rights of the data subjects of the MP and also contradicts Art 12 DSGVO. 6. The complaint, which was filed within the time limit, is directed against this decision and essentially states the following (if relevant): The MP submitted its original request for information electronically on 07/24/2019, on 08/08/2019 the BF asked for proof of identity from the MP, whereupon the MP sent a copy of her passport in a letter dated 08/16/2019. As a result, neither the BF nor XXXX had asked for proof of identity again in this context before the request for information was fulfilled. On September 18, 2019, the BF provided the information using its data protection compliance system XXXX - i.e. using remote access to a secure system. Emails from XXXX that the MP received in August 2019 and which contained the access link to XXXX were not opened by the MP and were apparently deliberately ignored. The specific steps taken by the BF in connection with the answering of the information would result from the documentation from XXXX. In its statement of September 23, 2020, the MP announced for the first time that it wanted the information to be sent by email. However, both this statement and that of August 2nd, 2021 were not sent to the BF, so that the BF was not aware of it and was waiting for feedback. It was only because of the disputed decision that the BF found out that the MP had articulated her request for information by e-mail; Accordingly, the BF also immediately provided the information on September 7th, 2021 by e-mail. The relevant statements were only sent to the BF on September 20, 2021, due to an application for inspection of the files. The authority concerned charged the contested decision with illegal content by establishing a violation of the right to information, issued the decision unlawfully due to inadequate factual findings and violated essential principles of a fair process in the proceedings. Furthermore, it is suggested that the authority concerned should repeal the contested decision with regard to the information that has been provided in the context of a preliminary complaint decision. The complaint was inter alia the information to the MP from 07.09.2021 enclosed. 7. By letter dated November 19, 2021, the authority concerned submitted the complaint to the Federal Administrative Court, enclosing the case files. In its attached statement, the authority concerned denied the complaint in its entirety and referred to the contested decision in its entirety. 8. In letters dated December 16, 2022 and January 5, 2023, the Federal Administrative Court informed the MP that, with regard to the complaint by the BF and the Appendix 6 contained therein ("Information from September 7, 2021"), it assumes that the BF fulfilled the obligation to provide information to her and gave her the opportunity to comment 9. With briefs dated January 11, 2023 and January 13, 2023, the MP informed – apart from statements that the information previously provided by the BF about XXXX was inadequate – that on September 7, 2021, it received from the BF by e-mail the have received the desired information in response to their request for information. II. The Federal Administrative Court considered: 1. Findings: 1.1. On the one hand, the decision is based on the facts presented under point I. 1.2. In addition, it is found: BF is a money transfer and payment services company that primarily offers consumer and digital money transfer services to its customers. On July 24, 2019, the MP submitted a request for information to the BF in accordance with Art. 15 GDPR. On September 7th, 2021, the BF emailed the information requested by the MP to the MP. 2. Evidence assessment: 2.1. The statements on point 1.1. result from the complaint and the submitted administrative documents. 2.2. The statements on item 1.2. are based on the content of the file, whereby the determination of the information provided by the BF on September 7th, 2021 is based on the enclosure contained in the complaint and the notification of the MP with a letter dated January 11th, 2023, according to which you received the desired from the BF on September 7th, 2021 received information based on their request for information. 3. Legal assessment: 3.1. Regarding point A): 3.1.1. Pursuant to Section 24 (6) DSG, a respondent can subsequently remedy the alleged infringement by complying with the complainant's requests until the proceedings before the data protection authority have been completed. If the data protection authority considers the complaint to be unfounded, it must hear the complainant. At the same time, he should be made aware that the data protection authority will informally discontinue the procedure if he does not explain within a reasonable period of time why he still considers the originally alleged infringement to be at least partially not remedied. If the essence of the matter is changed by such a statement by the complainant (Section 13(8) AVG), it is to be assumed that the original complaint will be withdrawn and a new complaint will be filed at the same time. In this case, too, the original complaint procedure is to be discontinued informally and the complainant to be informed. Late statements are not to be considered. From the provisions of § 28 Para. 1 and § 31 Para. 1 VwGVG it follows that the administrative court has to make a decision in the legal form of an order in the case in which the procedure - in this case the complaint procedure - is to be discontinued. Pursuant to § 31 Para. 1 VwGVG, the decisions and orders of an administrative court are made by resolution, unless a decision is to be made. § 28 para. 1 VwGVG expressly excludes the termination of the proceedings, which in any case includes the termination of the complaints procedure, from the settlement by means of knowledge. However, it also follows from these provisions that a mere informal termination (e.g. by discontinuing by means of a memorandum) of proceedings conducted by the administrative court under the VwGVG is out of the question, since the administrative court has decided not to continue proceedings pending before it 1 VwGVG (see also Fuchs in Fister/Fuchs/Sachs, Administrative Court Proceedings, Section 28 VwGVG Note 5 and Section 31 VwGVG Note 5, as well as Schmid in Eder/Martschin/Schmid, The procedure of the administrative courts, Section 28 VwGVG Note K 3 and Section 31 VwGVG Note K 2) [cf. VwGH of April 29, 2015, Zl. Fr 2014/20/0047]. The VwGVG does not regulate the cases in which the procedure is to be discontinued. According to the general understanding, the termination occurs at the end of those proceedings in which a claim for settlement is lost after the complaint has been lodged. In addition to the case that the complaint is withdrawn, analogous to § 33 VwGG, a discontinuation can also be considered if the complainant is released from action (elimination of the complaint). This in principle both in the case of a formal release from action due to the removal of the objection that was incriminating for the complainant, as well as in the case of a material release from action due to the loss of the interest in legal protection (Art. 132 B-VG) (cf. Fister/Fuchs/Sachs, Verwaltungsgerichtsverfahren  § 28 VwGVG, note 5, cf. VwGH, January 28, 2016, Ra 2015/11/007; January 31, 208, Ra 2018/10/0022). 3.1.2. Since the MP's request for information dated July 24th, 2019 by email dated September 7th, 2021 was complied with by the BF, the legal interest in an objection by the Federal Administrative Court has ceased to apply, the complaints procedure has become irrelevant and has been discontinued accordingly. For the legal reasons mentioned above, this setting does not have to be made informally (nor in the form of a decision), but by means of a resolution. 3.2. For the cancellation of an oral hearing: An oral hearing within the meaning of § 24 VwGVG was not required, especially since the relevant facts are established according to the files in connection with the complaint and the hearing of the parties. 3.3. Re B) Inadmissibility of the revision: Pursuant to § 25a Para. 1 VwGG, the administrative court has to pronounce in its ruling or decision whether the revision is admissible according to Art. 133 Para. 4 B-VG. The statement must be briefly justified. This decision does not depend on the resolution of a legal issue of fundamental importance. There is neither a lack of case law of the Administrative Court nor does the decision in question deviate from the case law of the Administrative Court; Furthermore, the case law of the Administrative Court is not to be judged as inconsistent. There are also no other indications of a fundamental importance of the legal issues to be resolved. It was therefore to be stated that the revision according to Art. 133 Para. 4 B-VG is not permissible.