BVwG - W176 2255954-1

From GDPRhub
BVwG - W176 2255954-1
Courts logo1.png
Court: BVwG (Austria)
Jurisdiction: Austria
Relevant Law: Article 1 GDPR
Article 4(1) GDPR
Decided: 30.05.2023
Published: 23.06.2023
Parties:
National Case Number/Name: W176 2255954-1
European Case Law Identifier: ECLI:AT:BVWG:2023:W176.2255954.1.00
Appeal from: DSB (Austria)
Appeal to: Unknown
Original Language(s): German
Original Source: BVwG (Austria) (in German)
Initial Contributor: mg

An Austrian Court ruled that, as the GDPR does not apply to legal persons, a company cannot rely on GDPR provisions to lodge a complaint. The court confirmed DPA’s decision to dismiss the complaint that was lodged after the time limitation period under the national law already expired.

English Summary

Facts

A company filed a complaint against an individual – the controller – that unlawfully processed personal data of its employees and shareholders.

The Austrian DPA dismissed the complaint claiming that the company waited more than 1 year since the time it became aware of the unlawful processing before filing. Therefore, its right to lodge a complaint expired.

The company appealed the decision before the Austrian Federal Administrative Court. According to the company, by refusing to examine the case in the merits the Austrian DPA violated Article 77 GDPR.

The Austrian DPA argued that a legal person does not fall within the personal scope of the GDPR pursuant to Article 1(1) and (2) GDPR. Therefore, no discussion on the applicability of Article 77 GDPR was relevant in the case at issue.

Holding

The court clarified that only data subjects within the meaning of Article 4(1) GDPR have a right to lodge a complaint with the competent supervisory authority pursuant to Article 77 GDPR. Legal persons are not included in the category of "data subjects", as the GDPR mentions only “an identified or identifiable natural person”.

As a legal person does not fall within the scope of protection of the GDPR, but (potentially) only of national data protection law, the national legislator can establish time limitations in the exercise of the right to lodge a complaint. This was the case with Austrian law, which enables the DPA to reject a complaint when the latter was filed after one year since the relevant facts became known to the affected legal person.

Therefore, the court upheld the DPA’s view and dismissed the appeal.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

decision date

05/30/2023

standard

B-VG Art133 Para.4
DSG §1 para.1
DSG §24 paragraph 4
GDPR Art77

B-VG Art. 133 today B-VG Art. 133 valid from 01.01.2019 to 24.05.2018 last amended by Federal Law Gazette I No. 138/2017 B-VG Art. 133 valid from 01.01.2019 last amended by Federal Law Gazette I No. 22/2018 B-VG Art. 133 valid from 05/25/2018 to 12/31/2018 last amended by BGBl. I No. 22/2018 B-VG Art. 133 valid from 08/01/2014 to 05/24/2018 last amended by BGBl I No. 164/2013 Federal Constitutional Law Art by BGBl. I No. 100/2003 B-VG Art. 133 valid from 01.01.1975 to 31.12.2003 last amended by BGBl. No. 444/1974 B-VG Art. 133 valid from 25.12.1946 to 31.12.1974 last amended by Federal Law Gazette No. 211/1946 B-VG Art. 133 valid from December 19, 1945 to December 24, 1946 last amended by StGBl. No. 4/1945 B-VG Art. 133 valid from 01/03/1930 to 06/30/1934

DSG Art. 1 § 1 today DSG Art. 1 § 1 valid from 01.01.2014 last changed by Federal Law Gazette I No. 51/2012 DSG Art. 1 § 1 valid from 01.01.2000 to 31.12.2013

DSG Art. 2 § 24 today DSG Art. 2 § 24 valid from May 25th, 2018 last changed by Federal Law Gazette I No. 120/2017 DSG Art. 2 § 24 valid from January 1st, 2010 to May 24th, 2018 last changed by Federal Law Gazette I No. 133/2009 DSG Art. 2 § 24 valid from 01.01.2000 to 31.12.2009

saying

W176 2255954-1/4E

IN THE NAME OF THE REPUBLIC!

The Federal Administrative Court, through the judge Mag. NEWALD as chairman and the expert lay judges Mag. BOGENDORFER and RAUB, on the complaint of XXXX, represented by Höhne, in der Maur. BOGENDORFER and RAUB on the complaint of roman XXXX, represented by Höhne, at Maur & Partner Rechtsanwälte GmbH & Co KG, against the decision of the data protection authority of April 5th, 2022, Zl. D124.0006/22, 2021-0.917.305 (participants Party: XXXX regarding violation of the right to secrecy, rightly recognized in a closed session: Co KG, against the decision of the data protection authority of April 5th, 2022, Zl. D124.0006/22, 2021-0.917.305 (participating party: Roman XXXX regarding Violation of the right to secrecy, rightly recognized in closed session:

a)

The complaint is dismissed as unsubstantiated.

b)

The revision is not permitted according to Article 133, Paragraph 4 of the Federal Constitution. The revision is not permitted according to Article 133, Paragraph 4 of the Federal Constitution.

text

Reasons for decision:

I. Course of the procedure and facts Roman one. procedure and facts

1. In a letter dated December 30, 2021, XXXX (hereinafter: Complainant, BF) lodged a data protection complaint with the data protection authority (authority concerned before the Federal Administrative Court) against XXXX (hereinafter: Co-involved party, MP) for violating the right to secrecy and brought in this respect essentially: 1. In a letter dated December 30, 2021, roman XXXX (hereinafter: Complainant, BF) lodged a data protection complaint with the data protection authority (authority before the Federal Administrative Court) against roman XXXX (hereinafter: Co-Involved Party, MP) for violation of the right to secrecy and brought essentially:

In the period from April 17, 2020 to July 6, 2020, the MP downloaded confidential personal data from employees and shareholders of BF, a total of 600 files. This was discovered on July 15, 2020.

2. With a decision dated April 5, 2022, the relevant authority rejected the complaint by the BF.

The authority based its findings on the fact that the adverse event took place at least from April 17, 2020 to July 6, 2020.

Legally, she essentially stated that the BF itself stated that it was aware of the adverse event on July 15, 2020. However, the complaint was only raised on December 30, 2021. Accordingly, the relative preclusion period of one year after knowledge of the adverse event had already expired and the claim of the BF expired.

3. With a submission dated May 4th, 2022, the BF filed a complaint against the challenged decision and stated in summary that the legal assessment of the authority concerned was incorrect. The BF bases its complaint on Art. 77 GDPR. Section 24 (4) DSG contradicts Art. 77 GDPR, which is directly applicable and overriding Community law, and must therefore remain unapplied by the authority concerned. If the legal assessment was correct, the authority concerned should have recognized the priority of application of Art. 77 GDPR over Section 24 (4) DSG and should not have rejected the complaint due to delay.3. With a submission dated May 4th, 2022, the BF filed a complaint against the contested decision and stated in summary that the legal assessment of the authority concerned was incorrect. The BF bases its complaint on Article 77, GDPR. Paragraph 24, paragraph 4, DSG contradicts Article 77, GDPR, which is directly applicable and overriding Community law, and must therefore remain unapplied by the authority concerned. If the legal assessment was correct, the authority concerned should have recognized the priority of Article 77 GDPR over Article 24, paragraph 4, DSG and should not have rejected the complaint due to delay.

4. The authority concerned subsequently submitted the complaint together with the relevant administrative documents to the Federal Administrative Court and commented on the complaint as follows:

BF is a limited liability company and therefore a legal entity. The fundamental right to data protection is fundamentally limited to the protection of natural persons. The protection of the GDPR therefore only extends to natural persons, which is already made clear in the title of the GDPR and in Art. 1 Para. 1 and Para. 2 GDPR. An exception can only be found in the case law of the European Court of Justice insofar as the name of a natural person appears in the company name of the legal person, which is not the case in this case. Insofar as Art. 77 GDPR therefore stipulates that every data subject has the right to lodge a complaint with a supervisory authority if they believe that the processing of their personal data violates this regulation, then only a natural person is entitled to lodge a complaint justified. BF is a limited liability company and therefore a legal entity. The fundamental right to data protection is fundamentally limited to the protection of natural persons. The protection of the GDPR therefore only extends to natural persons, which is already made clear in the title of the GDPR and in Article 1, Paragraph 1 and Paragraph 2 of the GDPR. An exception can only be found in the case law of the European Court of Justice insofar as the name of a natural person appears in the company name of the legal person, which is not the case in this case. Insofar as Article 77 GDPR therefore stipulates that every data subject has the right to lodge a complaint with a supervisory authority if they believe that the processing of their personal data violates this regulation, then only a natural person is entitled to lodge a complaint justified.

In this context, the data protection authority has repeatedly dealt with the question of whether the basic right to secrecy under Section 1 (1) DSG, which has constitutional status, continues to apply to "everyone" - and thus also legal persons - after the GDPR came into force and came to the conclusion that legal persons are also actively entitled to lodge a complaint with the data protection authority pursuant to Section 24 DSG if they allege a violation of the rights guaranteed by Section 1 DSG. The European Court of Justice has already confirmed that Member States are free to extend the protection guaranteed by the GDPR to legal persons domestically, but this does not change the fact that this is a purely domestic concept. The DSG does not contain any provision according to which the Austrian legislature intends to subject legal entities entirely to the scope of protection of the GDPR. Only § 1 DSG provides for selective protection of legal entities. In this context, the data protection authority has repeatedly dealt with the question of whether the constitutional right to secrecy according to paragraph one, paragraph one, DSG after the entry into force of the DSGVO unchanged "everyone" - and thus also legal persons - and came to the conclusion that legal persons are also actively entitled to lodge a complaint with the data protection authority under Section 24, DSG, if they allege a violation of the rights guaranteed by Section 1, DSG. The European Court of Justice has already confirmed that Member States are free to extend the protection guaranteed by the GDPR to legal persons domestically, but this does not change the fact that this is a purely domestic concept. The DSG does not contain any provision according to which the Austrian legislature intends to subject legal entities entirely to the scope of protection of the GDPR. Only paragraph one, DSG, provides for selective protection of legal entities.

In the present case, BF is therefore only protected by § 1 DSG and not by the GDPR. In this respect, the question of the compatibility of Art. 77 DSGVO with § 24 DSG does not arise. In the present case, the BF is therefore only protected by paragraph one, DSG and not by the DSGVO. In this respect, the question of the compatibility of Article 77, GDPR with Section 24, DSG does not arise.

Moreover, even if Art. 77 GDPR were considered to be applicable, there would be no incompatibility between Section 24 DSG and Art. 77 GDPR: The GDPR does not contain any detailed provisions on the complaints procedure before the supervisory authority. According to the settled case law of the European Court of Justice, the design of the procedural law therefore falls within the autonomy of the member states, provided that these provisions respect the principles of equivalence and effectiveness. It is not apparent that Section 24 (4) DSG does not meet these requirements, especially since these procedural regulations would apply both to complaints under the GDPR and to complaints under Section 1 DSG and those under Chapter 3 and thus also to circumstances that do not fall within the scope of EU law. These complaints would therefore be treated in exactly the same way. Nor can it be said that § 24 DSG standardizes completely unsuitable procedural rules. Rather, these would serve to create the elementary prerequisites for adversarial proceedings. In any case, the preclusion period is necessary in order to be able to finally determine a matter, especially since it corresponds to life experience that the further back a matter is, the more difficult it is to determine it. Moreover, even if Article 77 GDPR were considered to be applicable, there would be no incompatibility between Article 24 DSG and Article 77 GDPR: the GDPR does not contain any detailed provisions on the complaints procedure before the supervisory authority. According to the settled case law of the European Court of Justice, the design of the procedural law therefore falls within the autonomy of the member states, provided that these provisions respect the principles of equivalence and effectiveness. It is not apparent that paragraph 24, paragraph 4, DSG does not meet these requirements, especially since these procedural regulations would apply both to complaints under the GDPR and to complaints under paragraph one, DSG and those under Chapter 3, and thus also to facts , which did not fall within the scope of Union law. These complaints would therefore be treated in exactly the same way. Nor can it be said that paragraph 24, DSG, standardizes completely unsuitable procedural rules. Rather, these would serve to create the elementary prerequisites for adversarial proceedings. In any case, the preclusion period is necessary in order to be able to finally determine a matter, especially since it corresponds to life experience that the further back a matter is, the more difficult it is to determine it.

II. The Federal Administrative Court considered: Roman II. The Federal Administrative Court considered:

1. Findings

1.1. The Federal Administrative Court bases its decision on the facts presented under point I.1.1. The Federal Administrative Court places its decision under point Roman one. the facts presented.

1.2. In particular, it is stated:

BF is a legal entity based in Austria.

The adverse event occurred from April 17, 2020 to July 6, 2020 and the BF became aware of it on July 15, 2020.

In this regard, the BF asserted a violation of its right to secrecy in a submission to the relevant authority on December 30, 2021.

2. Evaluation of Evidence

The findings result from the administrative documents submitted by the relevant authority and from a GISA excerpt obtained on May 15, 2023 regarding the BF.

3. Legal Assessment

3.1. Regarding point A):

3.1.1. According to Art. 130 Para. 1 Z 1 B-VG, the administrative courts recognize complaints against the decision of an administrative authority due to illegality.3.1.1. According to Article 130, paragraph one, number one, B-VG, the administrative courts recognize complaints against the decision of an administrative authority due to illegality.

The procedure of the administrative courts, with the exception of the Federal Finance Court, is regulated by the Administrative Court Procedure Act (VwGVG) (§ 1 leg.cit.). Pursuant to Section 58 (2) VwGVG, conflicting provisions that had already been announced at the time this federal law came into force remain in force. The procedure of the administrative courts, with the exception of the Federal Finance Court, is regulated by the Administrative Court Procedure Act (VwGVG) (paragraph one, leg.cit.) . Pursuant to Section 58, Paragraph 2, VwGVG, conflicting provisions that were already promulgated at the time this federal law came into force remain in force.

According to Section 17 VwGVG, unless otherwise provided in this federal law, the provisions of the AVG with the exception of Sections 1 to 5 and Part IV as well as others apply to the procedure for complaints in accordance with Art. 130 Para. 1 B-VG The aforementioned laws (not relevant in the present case) and otherwise those procedural provisions in federal or state laws that the authority applied or should have applied in the procedure preceding the procedure before the administrative court are to be applied accordingly Unless otherwise provided in this federal law, the procedure for complaints in accordance with Article 130, paragraph 1, B-VG, the provisions of the AVG with the exception of paragraphs 1 to 5 and the Roman IV part as well as other specified (in the present case not relevant ) Laws and, moreover, those procedural provisions in federal or state laws which the authority applied or should have applied in the proceedings preceding the proceedings before the administrative court.

3.1.2. Regarding the process requirements:

The complaint was filed in accordance with Section 7 (4) VwGVG and the other process requirements are also met. The complaint was filed in accordance with Section 7, Paragraph 4, VwGVG and the other process requirements are also met.

3.1.3. The Administrative Court has repeatedly stated that if the relevant authority has rejected an application, the only issue in the appeals procedure is the legality of the rejection (cf. VwGH December 18, 2014, Ra 2014/07/0002, 0003; June 23, 2015, Ra 2015/22/0040, as well as 09/16/2015, Ra 2015/22/0082 to 0084, all mwN). The Federal Administrative Court is therefore barred from making a substantive decision on the application that is the subject of the proceedings. A referral back according to Section 28 (3) VwGVG is also out of the question (see VwGH December 16, 2009, 2008/12/0219).3.1.3. The Administrative Court has repeatedly stated that if the relevant authority has rejected an application, the only issue in the appeals procedure is the question of the legality of the rejection, see VwGH December 18, 2014, Ra 2014/07/0002, 0003; 06/23/2015, Ra 2015/22/0040, as well as 09/16/2015, Ra 2015/22/0082 to 0084, all mwN). The Federal Administrative Court is therefore barred from making a substantive decision on the application that is the subject of the proceedings. A remittal according to paragraph 28, paragraph 3, VwGVG is also out of the question (see VwGH December 16, 2009, 2008/12/0219).

3.1.4. In the matter:

3.1.4.1. According to Art. 77 Para. 1 GDPR, every data subject within the meaning of Art. 4 Z 1 GDPR in Austria has the right to lodge a complaint with the data protection authority. However, the GDPR does not apply to the processing of personal data of legal entities and in particular companies established as a legal entity, including the name, legal form or contact details of the legal entity (recital 14 sentence 2 GDPR).3.1.4.1. According to Article 77, paragraph one, GDPR, every data subject within the meaning of Article 4, number one, GDPR in Austria has the right to lodge a complaint with the data protection authority. However, the GDPR does not apply to the processing of personal data of legal entities and in particular companies established as a legal entity, including the name, legal form or contact details of the legal entity (recital 14 sentence 2 GDPR).

As stated, BF is a legal entity and therefore cannot assert a right to lodge a complaint with the data protection authority based on Art. 77 GDPR. As stated, BF is a legal entity and therefore cannot assert a right to lodge a complaint with the data protection authority based on Article 77, GDPR.

3.1.4.2. According to § 1 Para. 1 DSG, everyone has the right to confidentiality of personal data concerning them, in particular with regard to respect for their private and family life, insofar as there is a legitimate interest in doing so. The existence of such an interest is excluded if data is not accessible to a claim for secrecy due to their general availability or due to their lack of traceability to the data subject.3.1.4.2. According to paragraph one, paragraph one, DSG, everyone has the right to confidentiality of personal data concerning them, in particular with regard to respect for their private and family life, insofar as there is a legitimate interest in doing so. The existence of such an interest is excluded if data is not accessible to a non-disclosure claim due to their general availability or due to their lack of traceability to the data subject.

While the GDPR only protects natural persons (Art. 2 Para. 1 in conjunction with Art. 4 Z 1 GDPR), the fundamental right to data protection according to § 1 also applies to legal persons (Dopplinger in Bresich/Dopplinger/Dörnhöfer et al, DSG § 1 [ Status June 12, 2018, rdb.at] margin no. 3; Jahnel in Jahnel, commentary on the General Data Protection Regulation Art. Paragraph one, in conjunction with Article 4, number one, GDPR), the fundamental right to data protection under paragraph one also applies to legal entities (Dopplinger in Bresich/Dopplinger/Dörnhöfer et al, DSG paragraph one, [status 12.6.2018, rdb .at] margin no. 3; Jahnel in Jahnel, commentary on the General Data Protection Regulation Article 77, GDPR [status 1.12.2020, rdb.at] margin no. 5).

With a submission of December 30, 2021 - using the form of the Austrian data protection authority - the BF asserted a violation of the fundamental right to secrecy in accordance with Section 1 (1) DSG. The BF asserted with a submission of December 30, 2021 - using the form of the Austrian data protection authority - a violation of the fundamental right to secrecy according to paragraph one, paragraph one, DSG.

3.1.4.3. Pursuant to Section 24 (4) DSG, the right to have a complaint dealt with expires if the intervener does not file it within one year of becoming aware of the event giving rise to the complaint, but at the latest within three years after the event allegedly took place. Late complaints are to be rejected.3.1.4.3. According to paragraph 24, paragraph 4, DSG, the right to a complaint being dealt with expires if the intervener does not file it within one year of becoming aware of the adverse event, but at the latest within three years after the event allegedly took place . Late complaints are to be rejected.

Section 24 (4) DSG standardizes a relative preclusion period for asserting the right to lodge a complaint of one year from knowledge of the adverse event and an absolute preclusion period of three years after the occurrence of the event (Schweiger in Knyrim, DatKomm Art. 77 GDPR [as of December 1st, 2021, rdb.at] margin no. 14). Paragraph 24, paragraph 4, DSG standardizes a relative preclusion period for asserting the right to complain of one year from knowledge of the adverse event and an absolute preclusion period of three years after the occurrence of the event (Schweiger in Knyrim, DatKomm Article 77, DSGVO [as of December 1st, 2021 , rdb.at] margin no. 14).

Since the BF became aware of the adverse event on July 15, 2020, but only raised the data protection complaint with the submission of December 30, 2021, the assertion was not made within one year of knowledge of the adverse event.

3.1.4.5. Result:

The data protection complaint of the BF therefore proves to be late.

As a legal entity, the BF could only assert a violation of Section 1 (1) DSG (fundamental right to secrecy). Since the BF cannot refer to the provisions of the GDPR, the question of the compatibility of Section 24 (4) DSG with Art. 77 GDPR is irrelevant from the outset, and the deadlines under Section 24 (4) DSG were therefore in any case applicable observe. As a legal entity, the BF could only assert a violation of paragraph one, paragraph one, DSG (basic right to secrecy). Since the BF cannot refer to the provisions of the GDPR, the question of the compatibility of paragraph 24, paragraph 4, DSG with Article 77, GDPR is irrelevant from the outset, and the deadlines according to paragraph 24, paragraph 4, DSG were therefore anyway to be considered.

The authority concerned thus rightly rejected BF's data protection complaint in accordance with Article 24, Paragraph 4 DSG. The authority concerned therefore rightly rejected BF's data protection complaint in accordance with Article 24, Paragraph 4, DSG.

3.2. According to § 24 para. 2 no. 1 VwGVG, there was no need for an oral hearing, especially since the state of the files shows that the complaint is not to be followed. 3.2. According to paragraph 24, paragraph 2, number one, VwGVG, there was no need for an oral hearing, especially since the state of the files shows that the complaint is not to be followed.

3.3. Regarding point B) (inadmissibility of the revision):

Pursuant to § 25a para. 1 VwGG, the administrative court has to pronounce in its ruling or decision whether the revision is admissible according to Art. 133 para. 4 B-VG. The verdict must be briefly reasoned. According to paragraph 25 a, paragraph one, VwGG, the administrative court has to pronounce in the verdict of its finding or decision whether the revision is permissible according to Article 133, paragraph 4, B-VG. The statement must be briefly justified.

The revision is inadmissible because no legal question within the meaning of Article 133, Paragraph 4 of the Federal Constitutional Court of fundamental importance had to be assessed. The revision is inadmissible because there is no legal question within the meaning of Article 133, Paragraph 4 of the Federal Constitution was to judge, which is of fundamental importance.

It was therefore to be decided overall in accordance with the verdict.