BVwG - W176 2249328-1/4Z

From GDPRhub
Court: BVwG (Austria)
Jurisdiction: Austria
Relevant Law: Article 6(1)(a) GDPR
Article 83(4) GDPR
Article 83(6) GDPR
Decided: 25.05.2022
National Case Number/Name: W176 2249328-1/4Z
European Case Law Identifier:
Appeal from: DSB (Austria)
Zl. 2021-0.024.467 (D550.351)
Appeal to: Pending
BVwG (Austria)
W176 2249328-1
Original Language(s): German
Original Source: W176 2249328-1/4Z (in German)
Initial Contributor: MW

The Austrian Federal Administrative Court stayed proceedings in an appeal from an Austrian DPA decision pending an answer from the CJEU on whether an "undertaking" could be strictly liable for administrative infringements.

English Summary


The controller was the parent company of a conglomeration that operated a cross-company and cross-sector customer loyalty programme. Customers at participating retail outlets could register as members, collect points on the basis of their purchases and subsequently redeem them to receive discounts and other perks. The controller processed personal data obtained from participants in the loyalty program to, among other things, automatically generate consumer profiles to create targeted ads. The controller claimed consent as the legal basis for this processing pursuant to Article 6(1)(a) GDPR and in its privacy policy stated that this consent was voluntary and could be revoked at any time.

The DPA initiated an official investigation and, based on the results of this investigation, also initiated administrative penal proceedings against a subsidiary of the controller. On 26.7.21, the DPA fined the subsidiary €2,000,000 for using legally invalid consent and thus unlawfully processing the personal data of participants in its loyalty program. The subsidiary appealed to the Federal Administrative Court (BVwG). The DPA also initiated administrative penal proceedings against the controller (the parent company), fining it €8,000,000 for the unlawful processing of personal data relating to the loyalty program.

The controller also appealed this decision to the BVwG, arguing, among other things, that not only were the necessary elements of the offence lacking, but that the controller also could not be found at fault for the violation.


The Court stayed proceedings pending a ruling by the European Court of Justice (CJEU) in C-807/21 - Deutsche Wohnen SE. In that case the Higher Regional Court Berlin (KG Berlin) referred the following questions:

1) Is Article 83(4) to (6) to be interpreted as incorporating into national law the functional concept of an undertaking and the principle of an economic entity, as defined in Articles 101 and 102 TFEU, as a result of which, by broadening the principle of a legal entity underpinning Paragraph 30 of the Gesetz über Ordnungswidrigkeiten (Law on administrative offences; ‘the OWiG’), proceedings for an administrative fine may be brought against an undertaking directly and a fine imposed without requiring a finding that a natural and identified person committed an administrative offence, if necessary, in satisfaction of the objective and subjective elements of tortious liability?

2) If Question 1 is answered in the affirmative: Is Article 83(4) to (6) to be interpreted as meaning that the undertaking must have intentionally or negligently committed the breach of an obligation vicariously through an employee (see Article 23 of Council Regulation (EC) No 1/2003), or is the objective fact of breach caused by it sufficient, in principle, for a fine to be imposed on that undertaking (‘strict liability’)?



English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.




AVG §38
B-VG Art133 Para.4
DSG §30
GDPR Art83
VwGVG §17


W176 2249328-1/4Z


The Federal Administrative Court, through the judge Mag. NEWALD as chairman and the expert lay judge Mag. BOGENDORFER and the expert lay judge Mag. ZIMMER in the complaint matter of the XXXX, represented by WOLF THEISS RAe GmbH & Co KG, against the criminal decision of the data protection authority of October 12th, 2021, Zl. 2021-0.024.467 (D550.351), resolved:

A) Proceedings are suspended pending a preliminary ruling by the Court of Justice of the European Union in Case C-807/21.

B) The revision is not permitted according to Art. 133 Para. 4 B-VG.



I. Procedure and facts:

The current complainant founded the subsidiary XXXX as the parent company of the group, which operates a cross-company and cross-industry customer loyalty program under the name "XXXX". Customers of the participating stores can register as members, collect points based on their purchases and then redeem them for discounts, etc. As part of the member registration, point 4.4. of the data protection declaration under the heading "Automated processing and analysis (profiling for target group selections, [...])" pointed out that the operator, with the consent of the (club) member, is solely responsible for the member master data and purchasing data processed by himself and by the partners of the members for the automated personalization of advertising and marketing measures, analyze and thus gain new marketing profiling data. The legal basis for the processing is consent in accordance with Article 6 Paragraph 1 Letter a GDPR. According to point 4.4.6. of the data protection declaration, this consent is voluntary and can be revoked at any time.

The authority concerned initiated an ex officio investigation procedure against XXXX GmbH and, based on the results of this investigation, also initiated administrative criminal proceedings against XXXX GmbH. In these proceedings, the relevant authority declared with a criminal judgment dated July 26, 2021 that XXXX GmbH, as the person responsible within the meaning of Art I am responsible for illegal data processing and imposed a fine of EUR 2,000,000 on XXXX GmbH for these violations in accordance with Section 30 (1) and (2) DSG in conjunction with Article 83 (5) (a) GDPR. On the other hand, XXXX GmbH filed a complaint with the Federal Administrative Court, which is led to Zl. W256 2246230-1.

In addition, the authority concerned initiated administrative penal proceedings against the complainant. With the contested criminal judgment of October 12, 2021, she stated that the complainant (also) as the person responsible within the meaning of Art as a result I am also responsible for illegal data processing (clause point II.), whereby it is stated for attribution that the (named) members of the complainant's board of directors caused the establishment of XXXX GmbH for the purpose of the operative business of "XXXX" and that they provided the financial and human resources and also failed to ensure compliance with data protection regulations through a suitable and effective group-wide data protection concept. A fine of EUR 8,000,000 was imposed on the complainant for these violations in accordance with Section 30 (1) and (2) DSG in conjunction with Article 83 (5) (a) GDPR.

The complainant lodged an appeal with the Federal Administrative Court against this penal decision. In it, she argued, among other things, that in the present case not only was the required factual lacking, but that she was also not at fault for the violation. In particular, contrary to the accusation of the authority concerned, not only was a suitable group-wide data protection management system implemented, but compliance with its specifications was also ensured in the specific case.

The authority concerned submitted the complaint together with the administrative act to the Federal Administrative Court.

With a supplementary submission of January 13, 2022, the authority concerned referred to the decision of the Berlin Court of Appeal of December 6, 2021, Zl. 3 Ws 250/21, with which two questions on the interpretation of Art. 83 GDPR were submitted to the Court of Justice of the European Union (ECJ) for a preliminary ruling pursuant to Article 267 TFEU. In the proceedings before the Court of Appeal - as in the present proceedings - the question is whether the supervisory authority in a procedure pursuant to Art. 83 GDPR must identify and name the natural person who is responsible for the violation in order to allow attribution to the legal person, or whether this is not necessary. In the contested criminal decision, the authority concerned made an attribution in accordance with Section 30 (1) and (2) DSG. Due to the preliminary ruling procedure, it is questionable whether this provision should be applied at all. The complainant criticized this attribution in her complaint. Should the relevant attribution provisions of § 30 DSG no longer be applied, the complainant's arguments in this context are irrelevant, since no attribution would have been necessary a priori. In addition, based on the second question referred, the CJEU will also have to deal with the question of the culpability of a legal person in general, in particular whether an objective breach of duty attributable to the person responsible is sufficient for the imposition of a fine ("strict liability principle"). The ECJ has already decided that there is no need for specific culpability beyond the objective realization of the facts of the case. A sanction therefore only requires the determination of the objective breach of duty. The decision of the ECJ on this question is relevant insofar as the complainant argues that she is not at fault for the violation and that the penal decision should therefore be set aside.
It is therefore requested, among other things, to suspend the proceedings in question until the ECJ has reached its decision in the preliminary ruling proceedings initiated by the Court of Appeal.

II. Evidence assessment: The course of the procedure and facts described above result from the submitted administrative act and the statements made by the parties to the procedure in the procedure.

III. Legal assessment:

With the decision of December 6, 2021, the Berlin Court of Appeal addressed the following questions to the ECJ for a preliminary ruling:

"1. Is Art. 83 (4) to (6) GDPR to be interpreted in such a way that it incorporates the functional concept of company assigned to Art. 101 and 102 TFEU and the functionary principle in domestic law with the result that, with the extension of the legal entity principle on which Section 30 OWiG is based, fine proceedings are initiated immediately can be taken against a company and the fine does not require the determination of an administrative offense committed by a natural and identifiable person, possibly in a criminal offence?

2. If the answer to question 1. is in the affirmative: Is Art. 83 (4) to (6) GDPR to be interpreted as meaning that the company must have culpably committed the violation mediated by an employee (cf. Art. 23 of Regulation [EC] No 1/2003 of the Council of 16 December 2002 on the implementation of the competition rules laid down in Articles 81 and 82 of the Treaty), or is an objective breach of duty attributable to the company in principle sufficient for a fine to be imposed on it (“strict liability”)?"

§ 30 Administrative Offenses Act (OWiG) reads as follows:

"(1) Has anyone

1. as a body authorized to represent a legal entity or as a member of such a body,

2. as a board member of an unincorporated association or as a member of such a board,

3. as a partner authorized to represent a legal partnership,

4. as a general representative or in a managerial position as a general manager or authorized representative of a legal person or an association of persons named in number 2 or 3,

5. as another person who is responsible for the management of the operation or company of a legal person or an association of persons mentioned in number 2 or 3, which also includes the supervision of the management or the other exercise of control powers in senior positions,

a criminal offense or an administrative offense has been committed, as a result of which the obligations affecting the legal person or the association have been violated or the legal person or the association has been or should be enriched, a fine may be imposed on them."


According to § 38 AVG, which according to § 17 VwGVG is also to be applied mutatis mutandis in administrative court proceedings, an authority can suspend proceedings until a final decision has been taken on preliminary questions that would have to be decided as main questions by other administrative authorities or by the courts, if the preliminary question already is the subject of pending proceedings before, inter alia, the competent court or such proceedings are pending at the same time.

A main question in this sense can also be a preliminary question in a preliminary ruling procedure pending before the ECJ. It entitles you to a suspension according to § 38 AVG if it is prior to the administrative court proceedings (cf. e.g. VwGH 13.12.2011, 2011/22/0316).

The questions submitted by the Court of Appeal to the ECJ deal with the question of whether the supervisory authority in a procedure under Article 83 GDPR - in accordance with national attribution rules such as Article 30 OWiG - must identify and name those natural persons who are responsible for the violation in order to enable attribution to the legal entity or whether Art 83 GDPR already provides for direct entrepreneurial liability (question 1), which does not require specific fault (of an employee) beyond the objective realization of the facts (question 2).

Section 30 of the Federal Act on the Protection of Natural Persons in the Processing of Personal Data (Data Protection Act - DSG), Federal Law Gazette I No. 165/1999, in the relevant version Federal Law Gazette I No. 24/2018 (DSG) contains - similar to Section 30 OWiG - national attribution rules for the imposition of fines under the GDPR against legal entities, and they were also applied in the present case by the authority concerned.

§§ 30 para. 1 to 3 DSG read as follows:

“General conditions for the imposition of fines

Section 30. (1) The data protection authority may impose fines on a legal entity if violations of the provisions of the GDPR and Section 1 or Article 2, Part 1, were committed by persons who acted either alone or as part of an organ of the legal entity and a managerial position within the legal entity

1. the power to represent the legal person,

2. the power to make decisions on behalf of the legal person, or

3. a power of control within the legal person

(2) Legal entities can also be held responsible for violations of the provisions of the GDPR and Section 1 or Article 2, Chapter 1, if a lack of monitoring or control by a person named in Paragraph 1 prevents these violations from being committed by a person responsible for the legal entity active person has made possible, provided that the offense does not constitute a criminal offense falling within the jurisdiction of the courts.

(3) The data protection authority shall refrain from punishing a person responsible in accordance with § 9 of the Administrative Penal Act 1991 - VStG, Federal Law Gazette No. 52/1991, if an administrative penalty has already been imposed on the legal person for the same violation.”

In the present case, a company was accused of two violations due to factual, illegal and also culpable behavior of an organ authorized to represent during the period of the crime and therefore a (joint) penalty according to § 30 paragraphs 1 and 2 DSG in conjunction with Art 83 paragraph 5 lit. a GDPR imposed on this company.

Since, based on the submitted questions, it is already questionable whether - as in the present case - national attribution regulations (as provided for in § 30 DSG) are applied at all in a procedure according to Art. 83 GDPR and whether culpability is required for the punishment of a legal person, it can be assumed that the answers to the questions put to the ECJ by the Berlin Court of Appeal are also important for the handling of the complaint in question.

The proceedings in question were therefore to be suspended pending a decision on the aforementioned request for a preliminary ruling in the proceedings in Case C-807/21.

to B)

Pursuant to § 25a Para. 1 VwGG, the administrative court has to pronounce in its ruling or decision whether the revision is admissible according to Art. 133 Para. 4 B-VG. The statement must be briefly justified.

With regard to the application of § 38 AVG, the adjudicating court was able to rely on a well-established case law of the Administrative Court, which was cited in each case. An assessment of a legal question pending before another court as prejudicial to the proceedings at hand – as here – within the framework of these principles established by the Administrative Court, is not reversible (cf. VwGH September 13, 2017, Ra 2017/12/0068).