BVwG - W211 2210458-1/10

From GDPRhub
Revision as of 10:43, 24 February 2020 by AL (talk | contribs)
BVwG - W211 2210458-1/10
BVwGAT.png
Court: BVwG (Austria)
Jurisdiction: Austria
Relevant Law: Article 2(1) GDPR

Article 4(7) GDPR

Article 5(1)(a) GDPR

Article 5(1)(c) GDPR

Article 5(1)(e) GDPR

Article 6(1)(f) GDPR

Article 12 GDPR

Article 13 GDPR

Article 83(1) GDPR

Article 83(2)(f) GDPR

Article 83(5)(a) GDPR

Austrian Data Protection Act (DSG)

Decided: 25. Nov. 2019
Published: n/a
Parties: anonymous
National Case Number: W211 2210458-1/10
European Case Law Identifier: ECLI:AT:BVWG:2019:W211.2210458.1.00
Appeal from: DSB (Austria)
Language: German
Original Source: RIS (in DE)

Federal Administrative Court ruled that controllership follows from factually deciding on the means and purposes of the processing and not from a pure legal assessment of who owns the entity processing the personal data in question. It lowered a penalty of EUR 1,800 (for CCTV without signage, that filmed public streets and had a 14 day retention period instead of 72 hours under Austrian law) to EUR 1,500 - given the income level of the controller.

English Summary

Facts

A kebab shop installed three cameras, two inside one outside. The outside camera has also captured a public street and a gas station on the other side. Instead of 72h under Austrian law, it kept data for 14-16 days. No warning signs were installed. The system was installed and accessed by the husband of the owner of the kebab place. A police officer reported the case, which was ultimately handled by the DPA. The DPA a violation of (I.) Articles 5(1)(a) and (c) as well as Article 6(1) GDPR and (II.) §§ 12, 50a and 50d of the Austrian Data Protection Act (DSG). The violations of the GDPR was taxed with EUR 1,200, the violation of the DSG with two times EUR 300.

Dispute

The controller disputed the legal and factual findings. He claimed that he has e.g. installed warning signs and changed the scope of the cameras and the deletion period.

He further argued that he was not the controller, because his wife was the owner of the kebap place.

Holding

The court saw no mistake in any factual findings. Later changes are irrelevant to find a violation of the GDPR.

As the husband has actually bought and installed the camera, as well as reviewed the footage, he had factual control and is the controller under Article 4(7) GDPR.

Given the financial situation of the controller, the penalty was reduced from EUR 1,800 to EUR 1,500.

Comment

Share your comment here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the original. Please refer to the German original for more details.

DECISION

REASONS FOR DECISION

I. Course of proceedings

1. in a complaint dated XXXX .2018, S.Z., owner of a kebab stand, and the complainant, an employee of BH

XXXX that they would be harassed by a named police inspector. In support of the complaint, two videos were submitted to show police inspector interventions. It was also stated that a camera had been installed for €2,500 to prove what that police inspector was doing.

According to a statement of facts by LPD XXXX of XXXX 2018, S.Z., the owner of a kebab stand, installed a video camera on a container, which was not reported and not marked.

A further factual account of XXXX 2018 also showed that, during an inspection on XXXX 2018, a video system had been in operation that had been purchased and installed by the complainant in January 2018. The real-time recordings would be recorded on a hard disk and deleted after 15 days. One camera had a setting that would reach across the XXXX to a petrol station. No signs had been installed. Photos were attached to the facts of the case.

On XXXX 2018, BH XXXX conducted a witness hearing of police inspector XXXX, who summarized and essentially stated that there were three cameras at the kebab stand, two were installed inside and one at a storage container. The container also contained a PC on which the images from the cameras were displayed in real time and, according to the complainant, stored for up to 16 days. The camera outside would film as far as the petrol station's car wash, while the other two cameras would only cover the inside of the pass-through to the awning and the working area. Signs pointing to the video surveillance system were neither inside nor outside. The complainant had repeatedly stated that he had bought the system and camera himself and installed them with a friend. The reason given had been the documentation and surveillance and storage of the police inspector's official acts.

2) With XXXX 2018, the case was forwarded to the now competent data protection authority (DPO).

On XXXX 2018, the DSB then addressed a request for justification to the complainant, stating that the complainant was accused of having committed the following administrative offence(s): He was suspected as the person(s) responsible within the meaning of Article 4(7) of the GDPR for image processing (video surveillance) at the location of a container in the area of the snack bar (kebab stand) in XXXX , at least from XXXX .2018, to be responsible for the fact that

a) processing operations relating to the video surveillance in question would not be recorded

(b) recorded personal data are not deleted if they are no longer needed for the purpose for which they were collected and there is no legal obligation to retain them (note: retention for longer than 72 hours must be proportionate and must be separately justified and documented);

(c) the video surveillance would not be (appropriately) identified; and

(d) the video surveillance covers a public road and a service station - and is therefore not limited to areas which are under the exclusive control of the person responsible - and is therefore not proportionate to the purpose and not limited to what is necessary.

It was therefore suspected that by operating the video surveillance system in question, the complainant had failed to fulfil his obligations under §§ 50a ff of the German Data Protection Act 2000 and §§ 12 and 13 of the German Data Protection Act, at least by failing to exercise due care.

With justification dated XXXX .2018, the complainant, represented by a lawyer, announced that minutes of the video surveillance had of course been taken. Due to an error of law, the data and pictures of the surveillance had been stored for up to 14 days. The complainant had immediately arranged for a technician to reprogram the system so that the data would be deleted after a maximum of 72 hours. It was also incorrect that the video surveillance had not been marked accordingly: Appropriate, very clearly visible signs had been placed on the storage door as well as on the door and window of the sales van. It was also incorrect that the video surveillance would cover a public street and a petrol station. The only thing that could be seen was the area that was under the exclusive power of disposal of the person in charge, and that was up to the edge of the public road. In summary, it follows that the defendant could not have been charged with any administrative offence.

3 Thereupon, the data protection authority issued the challenged criminal decision of XXXX 2018 and charged the complainant with the following offences:

"You operate an image processing system (video surveillance) at least from 0 to 24 o'clock in XXXX 2018 from 0 to 24 o'clock in XXXX (snack bar/kebab stand area) as the person responsible within the meaning of Article 4 no. 7 of the GDPR.

1) The video surveillance system in question uses a camera installed on a container located on the property to record public space (specifically a public road) and a neighbouring petrol station. It is therefore not appropriate to the purpose of the processing and is not limited to the necessary extent.

2) The personal image data recorded by the video surveillance is not deleted within 72 hours. There is no separate protocol in this respect. A justification for an extended storage period is missing.

3) The video surveillance is not appropriately marked.

4) With regard to the allegation of a violation of the obligation to keep records pursuant to § 50b para. 1 DSG 2000 and § 13 para. 2 DSG, the administrative penal proceedings pursuant to § 45 para. 1 no. 1 (1st case) VStG are discontinued.

You have thereby violated the following legal provisions:

Re 1): Art. 5 para. 1 lit. a and c as well as Art. 6 para. 1 of the GDPR.

To 2):

c) Article 50b (2) DSG 2000 (for the period prior to 25 May 2018)

(d) Article 13(3) DSG (for the period from 25 May 2018)

To 3):

c) Article 50d (1) DSG 2000 (for the period prior to 25 May 2018)

(d) Article 13(5) DSG (for the period from 25 May 2018)

For these administrative offences the following penalty will be imposed on you:

a fine of Euro
	
if it is irrecoverable, a substitute custodial sentence of
	
imprisonment of
	
according to

To 1): € 1.200,00 To 2): € 300,00 To 3): € 300,00 . . . In total: € 1.800
	
To 1): 3 days To 2): 1 day To 3): 1 day ... In total: 5 days
	
Ad 1): Art. 83, para. 5, lit. a Previous search termDSGFOREXT search term Ad 2a): Art. 52, para. 2, item 7 DSG 2000 in conjunction with Art. 69, para. 5 DSG Ad 2b): Art. 62, para. 1, item 4 DSG Ad 3a): Art. 52, para. 2, item 4 DSG 2000 in conjunction with Art. 69, para. 5 DSG Ad 3b): Art. 62, para. 1, item 4 DSG in conjunction with Art. 16 VStG
			

Any further statements (e.g. about the crediting of provisional detention, about the expiry or about claims under private law):

You also have to pay according to § 64 of the Administrative Criminal Law 1991 - VStG:

XXXX Euro as a contribution to the costs of the criminal proceedings, i.e. 10% of the fine, but at least 10 Euro (one day of imprisonment equals 100 Euro);

Euro as compensation for cash expenses for

The total amount to be paid (penalty/cost/cash expenses) is therefore

XXXX Euro"

The prosecuting authority gave the following summary of the grounds for the criminal conviction: At least since XXXX.2018, the complainant has been responsible for the data protection of image processing by a video surveillance system consisting of three cameras at the operating site of a snack bar. The video surveillance system in question had been purchased and installed by the accused and was operated by him for the purpose of recording police checks. Image data generated by the video surveillance system had been presented in the form of two videos showing a police check by the defendant in the course of a visit to BH XXXX. Irrespective of this, S.Z. was the business owner of the business premises. Two of the total of three cameras were mounted in the interior area of the snack bar and would capture the work area as well as the interior, a third camera was mounted on a container located on the property; the latter captures both the kebab distance itself as well as wide areas of public space (specifically a public road) and a neighbouring petrol station. The video surveillance system was not suitably marked. Image data recorded by the video surveillance system would be stored on a digital storage medium within the container, with storage of the image data being possible for up to 14 days.

The prosecuting authority referred to the content of the criminal record of the competent bras, the content of the accused's justification and official queries in the trade law information system as evidence. The findings concerning the installation, purpose and coverage of the cameras referred to findings made by police officers, the veracity of which was beyond doubt, in particular with regard to the administrative and disciplinary liability of police officers; on the other hand, the defendant himself stated during an interview with the bra that he had bought the cameras in January 2018, installed them with the help of a friend and was using them for the purpose of recording police checks. As part of his justification, the defendant admitted, with regard to the allegation, that the legally permissible storage period of 72 hours had not been observed, but that he would continue to observe it. However, the defendant's further argument in the justification that public space was not covered and that there was a labeling system was not supported by any evidence, which is why this argument is largely regarded by the prosecuting authority as not suitable to refute the allegations made. Only with regard to compliance with the obligation to keep records, the prosecuting authority assumed - in case of doubt for the defendant - that proper records had been kept.

The legal consequence of this - insofar as it was material - was that in the present case there was undisputedly a picture recording within the meaning of § 12.1 of the German Data Protection Act. The collection and storage of the image data opened up the factual scope of application of Article 2 of the GDPR. In any event, the recorded image data constituted personal data within the meaning of Article 4 item 1 of the Data Protection Act of the next search term; due to the collection and storage of the image data, processing within the meaning of Article 4 item 2 of the Data Protection Act of the next search term was also given. The defendant was to be qualified as the person responsible for the present data processing within the meaning of Article 4 no. 7 GDPR, since he - and not the business owner - had purchased the cameras and operated them for the purpose of recording police checks.

In addition to the interior of the kebab stand and awning, the area where the images were taken also covered large areas of public space and a neighbouring plot of land, specifically public traffic areas up to an adjacent petrol station. Since a significant area of the space outside the business premises in question is covered by the image recording and road users passing by there by chance - who by their nature do not have to be exclusively customers of the kebab stand - do not reasonably have to expect to be recorded, the operation of the image recording infringes the principles laid down in Article 5 GDPR. A legal basis supporting the lawfulness of the data processing within the meaning of Article 6.1 GDPR was not apparent and had not been put forward by the defendant. In particular, the data protection authority did not recognise any legitimate interest in the operation of the image recording in question with regard to the spatial coverage of the image recording in question; rather, in the present case, the right to secrecy, protected by fundamental rights, of road users passing by accidentally in the recording area outweighed any interest in the operation of the image recording in question.

In the present case, the failure to fulfil the obligation to delete and record the images violated Article 13 (3) in conjunction with Article 62 (1) item 4 of the German Data Protection Act and, for the period prior to 25 May 2018, Article 52 (2) item 7 in conjunction with Article 50b (2) of the German Data Protection Act 2000.

Pursuant to Article 13, paragraph 5 of the DSG, the person responsible had to mark a photograph appropriately. In any event, the identification must identify the person responsible, unless this person is already known to the data subjects under the circumstances of the case. Paragraph 50d.1 of the DPA 2000 provided for a similar order. This was not possible in the present case because, as stated above, no signs were affixed outside the plant. The use of lettering such as "Achtung Videoüberwachung" (Attention Video Surveillance), the presence of which had been claimed by the defendant in the context of his justification without proof, did not constitute a suitable identification in the present case, since it would not provide any information regarding the data protection officer and his identity could not be inferred from the circumstances of the case. This is not so because the image processing is not carried out by the business owner itself.

Therefore, the authority complained of comes to the conclusion that the person responsible should have been able to operate the image recordings in question exclusively in compliance with the requirements with regard to the purpose and lawfulness of the data processing in the sense of Articles 5 and 6 GDPR and in compliance with the obligations laid down in Section 13 of the German Data Protection Act. Against this background, the defendant, as the person responsible under Article 4 no. 7 GDPR, was responsible for the objective factual side of the administrative offence of which he was accused under Article 83.5 lit. a GDPR and Article 62.1 no. 4 DPA and Article 52.2 nos. 4 and 7 DPA 2000.

The defendant's general assertions, in particular regarding the coverage of the cameras, were not suitable to substantiate the absence of fault within the meaning of sec. 5 para. 1 VStG. With regard to the expressed legal error regarding the duration of storage, it was argued that the defendant should have familiarized himself with the legal framework conditions for the operation of the video surveillance system before putting it into operation.

In contrast, in case of doubt regarding the compliance with the obligation to keep records, this obligation was to be considered fulfilled on the basis of the defendant's factual submissions and the proceedings were to be discontinued in this regard.

With regard to the assessment of the penalty, it was to be noted that in the specific case, the inadmissible operation of the image recording that had been established was potentially capable of violating the fundamental rights of a large number of road users who happened to come into the range of the camera in question. On account of the high level of injustice and the fact that it was a systematic violation of the obligation of the person responsible, the violation in question was to be regarded as serious. Finally, in the present case, the photograph had been systematically used to record police checks and had not been deleted over a relatively long period of time, which had to be taken into account as an aggravating factor. The intensity of the intervention, which had also covered an unlimited number of passers-by and participants in public road traffic, had been reflected in the amount of the penalty, particularly with regard to point I. The duration of the infringement of at least several months was also to be regarded as aggravating. In addition, it was assumed that the conduct had been negligent in any event. For this reason, and in order to prevent the accused from committing further criminal acts of the same kind, the imposition of a penalty was objectively necessary. In mitigating circumstances, it was taken into account that the accused had participated in the proceedings and that the authority had not recorded any relevant previous convictions.

4 On XXXX 2018, a complaint was lodged against the knowledge of the penalty and it was submitted in summary that the opinion of the prosecuting authority that the complainant was a responsible person within the meaning of Article 4 no. 7 GDPR was mistaken:

The managing director of the snack bar is S.Z.; the complainant is merely an employee of the snack bar and as such must follow the instructions of the managing director. Whoever actually installed the video surveillance system was irrelevant for administrative criminal liability if this was done in accordance with an instruction.

Furthermore, the video surveillance only covers part of the access road and the petrol station does not constitute a public space. Furthermore, the authority incriminated misjudged the factual and legal situation if it considered that there was no reasonableness in the present case and that the coverage of the camera was not limited to the necessary extent. It was not technically possible, due to the local conditions, to set the video surveillance required for operational purposes in such a way that a part of the public road was not recognisable.

The storage period of 14 days was based on a legal error on the part of the defendant. After becoming aware of the legal provisions, the defendant, in cooperation with the managing director, immediately ensured that a technician commissioned by the managing director reprogrammed the system so that the image data would be deleted within 72 hours.

Finally, the warehouse door as well as the door and window of the sales stand would have clearly visible signs.

For all these reasons, the penalty notice was wrongly issued and it is requested that a hearing of the appeal be convened and that the contested penalty notice ultimately be overturned and the administrative criminal proceedings be discontinued.

(5) By letter of XXXX 2018, the authority complained against submitted the complaint and the administrative act and also stated that the data controller was defined in Union law according to the GDPR and was the legal and natural person determining the means and the purpose of the processing; it did not necessarily coincide with the responsibility for any compliance with national law. A subsequent amendment of the storage period cannot alter the previous implementation of the offence. The lack of identification, at least at the time of the police checks, had been proved by the police photographs and was apparent from the police's account of the facts.

6 On XXXX 2019, an oral hearing of the complaint took place at the Federal Administrative Court, in which the complainant, his representative, representatives of the authority complained of, a witness and an interpreter for the Turkish language took part.

During the oral hearing, the complainant essentially stated that he had been the manager of the snack bar; since XXXX 2018, he would now run the stand together with his wife. However, he did not have a trade licence; S.Z. used to have one and now his wife. The complainant had bought the cameras and the company had paid for them. They had been a condition of the insurance. A colleague had installed them, and there had been a marking since the cameras had been installed. The decision to mount and install the video system had been taken by the complainant and the S.Z., rather by the latter. The witness S.Z. (now S.T.Y.) stated in summary that before XXXX 2018, she had been the owner of the kebab stand, but now only worked there. The complainant had been an employee there. Since her knowledge of German had not been sufficient, she had asked the complainant to help her and, for example, to take care of purchasing, wages and organisational matters. The video system had been her idea; she had made the decision to buy the cameras. The cameras had been assembled and installed by a fellow Turkish citizen. She had told the complainant what she needed and asked him for help. He had then done the necessary things. A marking had been in place since the cameras had been installed. There had been no other suitable place for mounting the camera on the container.

(7) By letter of XXXX 2019, the complainant's representative at the complaint hearing submitted documents that had been requested by the complainant's representative at the complaint hearing and that had been sent to the authority complained of for the purposes of hearing the parties.

II The Federal Administrative Court considered

1. findings

With regard to the present facts material to the decision, reference is made to the statements made under I. regarding the course of the proceedings.

Based on the preliminary proceedings conducted by the authorities and the Federal Administrative Court, the following material facts have been established:

1.1 There is a snack bar at the address XXXX. Three cameras were purchased and installed there, two of them covering the inside of the snack bar, while a third camera was installed on a storage container and mounted in such a way that it filmed public road areas as far as a petrol station opposite. These cameras were in operation at least from XXXX .2018.

1.2 The complainant purchased and maintained video surveillance in the form of three cameras. With the help of another person, it was assembled and installed. The complainant was also able to independently retrieve recordings of the video surveillance. The complainant took the decisions on the acquisition of the specific video equipment, on the assembly and installation and on the relevant operation. He selected the other person who carried out the assembly and installation and carried out the IT work for it. He is the person responsible for image processing within the meaning of Article 4(7) GDPR.

1.3 The video recordings were stored on a computer for up to 14 days.

1.4. the video surveillance system was not suitably marked.

1.5. the setting of the cameras on XXXX 2019 did not show any more images of the petrol station and other parts of the public road.

After being informed by the complainant's lawyer, the storage period for the recordings was reduced to 72 hours. It is not possible to determine exactly when the storage period was reduced.

On XXXX 2019, two doors, including the door of the storage container, show stickers with the note "Attention, video surveillance".

1.6 None of the arguments concerning the complainant's income have been replied to.

2. assessment of evidence

2.1 The findings regarding the snack bar and its address are derived from the administrative act, an extract from the GISA of XXXX 2019 and are not disputed beyond that.

The fact that a total of three cameras were mounted and installed, whose images were also stored on a computer, was also not disputed by the parties.

The fact that two of these cameras cover or film the interior area (in the broader sense) of the snack bar results, on the one hand, from the photos submitted as a photo supplement by PI XXXX (in the file, dated XXXX 2018, cf. e.g. figures 5, 6 and 7), but also from the information provided by the complainant during the oral proceedings (cf. p. 6 of the minutes of the hearing).

The fact that a third camera was mounted on the storage container and covered a further part of the public road as well as a petrol station opposite, also results from the photo supplement of PI XXXX of XXXX 2018 (in the file, see Figures 5, 6 and 7). The complainant and the witness also stated at the oral hearing that the camera could not have been mounted differently; the road would automatically be seen (cf. the complainant's statement on p. 6 of the minutes of the hearing;

see the witness's statement on p. 15 of the minutes of the hearing). At the oral hearing, the complainant further stated that it was later changed again (i.e. the picture detail);

they had not known that one was not allowed to see so much outside (see p. 7 of the minutes of the hearing). It can therefore also be inferred from these statements by the complainant and the witness that the camera at the storage container covered the extended area (public road and petrol station).

In his justification of XXXX 2018, the complainant only counters this information and the photographs of XXXX 2018 with the assertion that the cameras in question only covered areas that were within the defendant's sphere of influence. However, this assertion cannot invalidate the validity of the photographs and the statements of the defendant himself and the witness.

Insofar as the complaint argues that only a part of the access road is covered by the video surveillance and that the neighboring gas station does not represent a public space, reference should again be made to the photo supplement, which shows a large part of public space, whereby it is important to determine to what extent road users who do not have to expect to be covered by video surveillance of the snack bar can also be covered, which is likely to be the case at the gas station.

At the beginning of the time of the crime it has to be said that the perception of the video camera and the detection area, especially the camera outside (at the storage container), has been documented at least since the inspection of the facility by PI XXXX. In addition, the report of the inspection on XXXX .2018, which is dated XXXX 2018, is accompanied by those photographs that recorded the camera at the storage container on the one hand, but also the detection range of the cameras on the screen for real-time monitoring.

2.2 The findings concerning the complainant are partly based on his own statements, on those of the witness and on the contents of the file.

The fact that the accused was in fact also the person who had power of disposal and relevant decision-making authority in connection with the installation, alignment and operation of the video system results from a holistic view of the results of the investigative procedure:

The complainant himself stated during the oral hearing of the complaint that he had been a kind of manager of the snack bar when it still belonged to S.Z., which had been the case until XXXX 2018. He had not had a trade licence, had done the shopping, had helped and collaborated, even sometimes in sales. S.Z. had not been able to speak German well, which is why the complainant had helped her in running the snack bar (see Minutes of the hearing, p. 4f).

The deciding Senate does not overlook the fact that the complainant, but also the witness (S.Z.) stated during the oral hearing that the decision to install the video system had rather been taken by the witness; S.Z. had been the "boss"; the witness (S.Z.) had decided to buy the cameras (see pp. 5 et seq. of the minutes of the hearing). On the other hand, when asked whether he had taken the decision to install the video equipment, the complainant stated that it had been both of them, but then rather her - meaning the owner, S.Z. (see p. 7 of the minutes of the hearing). Later, when he was reproached by the representative of the authorities in connection with the marking that there were statements by the witness, the police and photographs according to which there had been no signs, the complainant also argued that the witness did not know much about it (see p. 9 of the minutes of the hearing).

In this context, it emerges from the administrative act - and also from the perception of the Senate during the oral hearing - that the then owner of the snack bar, S.Z., had hardly any knowledge of German (see, for example, the note of XXXX 2018, according to which an interrogation of the S.Z. could not take place because she did not speak a word of German, and therefore an interpreter had to be requested; as well as the indication of the witness herself during the hearing, see p. 13 of the minutes of the hearing). The consistent statements of the complainant and the witness to the effect that the complainant therefore completed formalities, but also did the shopping, was active in sales and generally cooperated (see p. 4 of the minutes of the hearing) or was also responsible for the employees, wages and organisational matters (see p. 13 of the minutes of the hearing and the statement of the witness in this regard), make it possible to conclude that the factual management of the snack bar was basically the responsibility of the complainant.

The complainant finally stated in his hearing before the Federal Administrative Court that he had purchased the cameras at the behest of the owner. Furthermore, an acquaintance had installed them. When asked who knew about computers and who could store and delete data, the complainant stated that they were almost unfamiliar with computers (see p. 6 of the minutes of the hearing); if something had happened, that acquaintance had been called; this was also in order to reduce the storage time (ibid., but also p. 8 of the minutes of the hearing). However, when it was a question of whether that acquaintance had also been called if it had been a matter of evaluating the photographic material, the complainant submitted that he had done this himself, he had made the access at the time (see p. 9 of the minutes of the hearing). From this information, it can be inferred that although assistance was claimed for the installation of the system and possibly also for the adjustment of the reduction of the storage period, the complainant nevertheless had a basic knowledge of the computer system that stored the image recordings and was able to retrieve image recordings.

Finally, the statements made by the witness at the hearing of the appeal do not leave the impression that she would have had more detailed knowledge of the video system or that she would actually have been actively involved in the decision-making processes:

Her statements about the video system remain on the whole hesitant and superficial: Extract from the minutes of the hearing:

" [...] VR: Who made the decision to buy the cameras?

Z: When you start a business, cameras are installed.

VR repeats the question.

Z: Me.

VR: Who mounted or installed the cameras?

Z: A Turkish compatriot. I can't remember his name at the moment, because it was a long time ago.

VR: Who paid for the cameras and the installation?

Z: Me. I told the BF what I needed and asked him for help. He took care of the necessary things.

VR: Who was responsible for that then? Maintenance, computers, etc...

Z: I looked at the camera shots. Also the BF.

VR: For example, if a camera was broken, who would have taken care of it?

Z: There were no problems at all.

VR: How long were the image data or videos stored?

Z: In the beginning it was for a period of 14 days. Later we found out that this was not allowed, so we reduced the duration to 72 hours.

VR: Can you remember when you reduced the storage time to 72 hours?

Z: I can't remember the date. I can't remember the month either.

VR: Do you know who did that?

Z: The Turkish compatriot who helped us with this at the time.

VR: How was the video system marked?

Z: We installed the camera near the camp. We also saw the petrol station area.

VR repeats the question.

Z: There was a camera sign for it. People who passed by saw this sign that there were cameras there.

VR: Since when did these camera signs exist?

Z: From the time of the installation.

VR: Why is the camera on the container also directed at the road and the petrol station?

Z: The reason that the petrol station area was also visible was because only the place where the camera was mounted could be considered. There was no other suitable place for it.

VR: So why wasn't the camera set so that you could see less of the gas station?

Z: You could see very little of the gas station area.

VR: This reduction of the storage time from 14 days to 72 hours:

Who initiated this?

Z: The BF. [...]"

The facts of the case therefore emerge from the preliminary proceedings to the effect that although the witness S.Z. had been a business owner and owner of the snack bar when a video system was purchased, installed and operated, she hardly spoke any German and the factual management of the snack bar and the relevant decisions regarding the video system were essentially exercised or made by the complainant. The complainant describes himself as the (then) manager of the snack bar, he bought the system, he had it installed by an acquaintance and he is himself able to evaluate image recordings. Therefore, it was subsequently to be established that the complainant was also a responsible person within the meaning of the relevant applicable legal provisions.

2.3 The finding that the video recordings were stored for a period of up to 14 days is based on the information provided by the complainant himself, which is not disputed in this respect.

2.4 The fact that the video equipment was not sufficiently marked during the aforementioned period is apparent in particular from the report of PI XXXX of XXXX 2018, from the relevant photo supplement of the same day, and there from picture no. 4.

If the complaint states that there are clearly visible signs on the storage door as well as on the door and window of the sales stand, the complaint does not state since when these signs have been attached to the designated doors and windows. The fact that such signs have existed since the cameras were installed, as the complainant and also the witness indicated at the oral hearing (see p. 7 and p. 15 of the minutes of the hearing of XXXX 2019), is in contradiction with the photographic supplement of XXXX 2018. It must therefore be assumed that a corresponding marking of the video surveillance with clear signs was not appropriate at the time of the examination by PI XXXX.

It is noted that a comparison of the photos of XXXX 2019 that the complainant submitted after the oral hearing with the photo supplement of XXXX 2018 allows the conclusion that no marking was attached to the actually recognizable storage container door on XXXX 2018.

2.5 After the oral hearing, the complainant, through his lawyer, submitted photographs of the real-time monitoring screen dated XXXX 2019 which no longer showed those other parts of the public road and the service station.

In the course of the proceedings, the complainant and his representative consistently stated that they had reduced the storage period of the images to 72 hours. No indications that this should not have happened have emerged during the proceedings. However, neither the complainant nor the witness could indicate when this reduction of the storage period was supposed to have taken place, which is why no finding could be made on this point.

Finally, photos from XXXX 2019 were submitted, according to which on two doors, one of which is recognizable (in comparison with the photo supplement from XXXX 2018) the door of the storage container, there are stickers with the note "Attention, video surveillance".

2.6 No further information was provided on the complainant's income situation and the Authority's assessment in this regard was not contested. As a result, no separate findings have been made in this respect and no separate assessment of the evidence has been made.

3. legal assessment

To A)

3.1 Legal basis

3.1.1 The legal basis according to the Previous search termDSGVONnext search term is in extracts as follows:

Art. 4 Z 7 GDPR:

Article 4: Definitions

For the purposes of this Regulation: [...]

7) "controller" shall mean the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or national law, provision may be made for the controller or for the specific criteria for his or her designation in accordance with Union or national law

Article 5(1)(a) and (c) GDPR:

Article 5: Principles governing the processing of personal data

1) Personal data must

(a)-processed lawfully, fairly and in a way that is comprehensible to the data subject ('lawfulness, fairness, transparency')

[...]

(c)- be proportionate and relevant to the purpose and limited to what is necessary for the purposes of the processing ("data minimization"); [...]

(e)- be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data are processed; personal data may be kept for longer where, subject to the implementation of appropriate technical and organisational measures required by this Regulation to protect the rights and freedoms of the data subject, the personal data are processed solely for archiving purposes in the public interest or for scientific and historical research or for statistical purposes as provided for in Article 89(1) ("storage limitation"); [...]

Art. 6 para. 1 GDPR:

Article 6: Lawfulness of processing

1. Processing shall be lawful only if at least one of the following conditions is met:

(a) the data subject has given his consent to the processing of personal data relating to him for one or more specified purposes

(b) processing is necessary for the performance of a contract to which the data subject is party or in order to implement pre-contractual measures taken at the request of the data subject;

(c) processing is necessary for compliance with a legal obligation to which the controller is subject;

(d) processing is necessary to protect the vital interests of the data subject or of another natural person;

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(f) processing is necessary to protect the legitimate interests of the controller or of a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child. [...]

Art. 12 and 13 GDPR:

Article 12: Transparent information, communication and procedures for the exercise of the rights of the data subject

1. The controller shall take appropriate measures to provide the data subject with all the information referred to in Articles 13 and 14 and with all the notifications referred to in Articles 15 to 22 and Article 34 relating to the processing in a precise, transparent, intelligible and easily accessible form, in clear and simple language, in particular information specifically aimed at children. The information shall be provided in writing or in another form, including, where appropriate, by electronic means. If requested by the data subject, the information may be given orally, provided that the identity of the data subject has been established in some other form.

2. The controller shall facilitate the exercise of the rights of the data subject in accordance with Articles 15 to 22. In the cases referred to in Article 11(2), the controller may refuse to act on the data subject's request to exercise his rights under Articles 15 to 22 only if he establishes that he is not in a position to identify the data subject.

3. The controller shall provide the data subject with information on the measures taken in response to the request pursuant to Articles 15 to 22 without delay and in any event within one month of receipt of the request. This period may be extended by a further two months where this is necessary having regard to the complexity and number of requests. The responsible person shall inform the data subject of any extension of the time limit within one month of receipt of the request, together with the reasons for the delay. If the data subject submits the request electronically, he or she shall be informed by electronic means where possible, unless he or she indicates otherwise.

4. If the responsible person does not act upon the request of the data subject, he/she shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for the delay and of the possibility of lodging a complaint or judicial remedy with a supervisory authority.

5. Information pursuant to Articles 13 and 14 and all notifications and measures pursuant to Articles 15 to 22 and Article 34 shall be provided free of charge. In the event of manifestly unfounded or, in particular, in the event of frequent repetition, excessive requests from a data subject, the controller may either

(a)-require an appropriate fee, taking into account the administrative costs of providing information or notification or of implementing the measure requested; or

(b)-refuse to act on the request.

The person responsible shall provide evidence of the manifestly unfounded or excessive nature of the request.

6. Without prejudice to Article 11, where the responsible person has reasonable doubts as to the identity of the natural person making the request in accordance with Articles 15 to 21, he may request additional information necessary to confirm the identity of the data subject.

7. The information to be provided to data subjects pursuant to Articles 13 and 14 may be provided in combination with standardised pictorial symbols in order to give a meaningful overview of the intended processing in a readily perceptible, comprehensible and clearly comprehensible form. If the pictorial symbols are presented in electronic form, they shall be machine-readable.

8. The Commission is hereby empowered to adopt delegated acts in accordance with Article 92 in order to define the information to be presented by pictorial symbols and the procedures for providing standardised pictorial symbols.

Article 13: Information to be provided where personal data are collected from the data subject

1. Where personal data are collected from the data subject, the controller shall inform the data subject of the following at the time of collection:

(a)-the name and contact details of the controller and, where appropriate, of his representative;

(b)-if applicable, the contact details of the Data Protection Officer;

(c)-the purposes for which the personal data are to be processed and the legal basis for the processing;

(d)-if the processing is based on Article 6(1)(f), the legitimate interests pursued by the controller or a third party;

(e)-where appropriate, the recipients or categories of recipients of the personal data; and

(f)-if applicable, the controller's intention to transfer the personal data to a third country or international organisation and the existence or absence of a Commission adequacy finding or, in the case of transfers made pursuant to Article 46 or Article 47 or the second subparagraph of Article 49(1), a reference to the appropriate or adequate safeguards and the means of obtaining a copy of them or where they are available.

2. In addition to the information referred to in paragraph 1, the controller shall provide the data subject, at the time of collection of those data, with the following additional information necessary to ensure fair and transparent processing:

(a)-the duration for which the personal data are stored or, if this is not possible, the criteria for determining this duration

(b)-the existence of a right of access by the controller to the personal data concerned and the right to rectify or erase them or to limit their processing or a right to object to their processing, as well as the right to data transferability;

(c)-if the processing is based on Article 6(1)(a) or Article 9(2)(a), the existence of a right to withdraw consent at any time, without prejudice to the lawfulness of the processing carried out on the basis of the consent up to the point of withdrawal;

(d)-the existence of a right of appeal to a supervisory authority;

(e)-whether the provision of personal data is required by law or contract or necessary for the conclusion of a contract, whether the data subject is obliged to provide the personal data and the possible consequences of not providing it; and

(f)-the existence of automated decision making, including profiling, as referred to in Article 22(1) and (4) and, at least in these cases, meaningful information about the logic involved and the scope and intended impact of such processing on the data subject

3. Where the controller intends to further process the personal data for a purpose other than that for which the personal data were collected, he shall provide the data subject, prior to such further processing, with information on that other purpose and any other relevant information in accordance with paragraph 2.

4. Paragraphs 1, 2 and 3 shall not apply if and to the extent that the data subject already has the information.

Art. 83 para. 5 lit. a GDPR:

Article 83: General conditions for the imposition of fines

[...]

5. Fines of up to EUR 20 000 000 or, in the case of an undertaking, of up to 4% of its total annual worldwide turnover in the preceding business year, whichever is the greater, shall be imposed in accordance with paragraph 2 for infringements of the following provisions:

(a) the principles governing processing, including the conditions for consent, referred to in Articles 5, 6, 7 and 9

[...]

3.1.2 The legal principles according to the DSG 2000 are in extracts as follows:

Video surveillance

General information

§ 50a. (1) Video surveillance within the meaning of this section means the systematic, in particular continuous, detection of events affecting a specific object (monitored object) or a specific person (monitored person) by technical image recording or image transmission devices. The following paragraphs apply to such monitoring, unless otherwise specified by other laws.

Special logging and deletion obligation

§ 50b. (1) Each use of video surveillance shall be recorded. This shall not apply to cases of real-time surveillance.

(2) Recorded data shall be deleted after 72 hours at the latest, unless they are required for a specific reason for the realisation of the underlying protection or preservation of evidence purposes or for purposes pursuant to § 50a (6). § Section 33 para. 2 AVG applies. An intended longer retention period shall be stated and justified in the notification. In this case, the data protection authority may only register the video surveillance if this is regularly required for special reasons to achieve the purpose.

Information through labelling

§ 50d. (1) The client of a video surveillance system shall label it appropriately. In any case, the identification must clearly show the client, unless the client is already known to the persons concerned under the circumstances of the case. The identification must be carried out locally in such a way that every potentially affected person who approaches a monitored object or a monitored person has the opportunity to avoid video surveillance as far as possible.

(2) There is no labelling obligation for video surveillance in the context of the execution of sovereign tasks, which are exempted from the obligation to report under § 17 para. 3.

Administrative penal provision

§ 52. [...]

(2) Unless the offence constitutes a criminal offence within the jurisdiction of the courts, an administrative offence punishable by a fine of up to EUR 10 000 shall be committed by any person

4. violates its disclosure or information obligations pursuant to Articles 23, 24, 25 or 50d or

7. does not delete data after expiry of the period of deletion provided for in Section 50b (2)

3.1.3 The legal basis under the VStG is

Guilt

§ (1) Unless an administrative regulation on fault stipulates otherwise, negligent conduct shall be sufficient for criminal liability. Negligence is to be assumed without further ado in the case of violation of a prohibition or failure to comply with a bid if the facts of an administrative offence do not include the occurrence of damage or danger and the perpetrator cannot credibly demonstrate that he is not at fault for the violation of the administrative regulation.

(1a) Sub-Clause 1, second sentence, shall not apply if the administrative offence is punishable by a fine of more than EUR 50,000.

(2) Ignorance of the administrative regulation which the perpetrator has violated shall only be excused if it is proven that the perpetrator is not at fault and the perpetrator was unable to see the unlawfulness of his conduct without knowledge of the administrative regulation.

Penalties

§ 10 (1) The type and rate of penalty shall be determined by the administrative provisions, unless otherwise provided for in this Act.

(2) Unless a special penalty is stipulated for administrative offences, in particular for violations of local police regulations, they shall be punished by a fine of up to EUR 218 or by imprisonment for up to two weeks.

Alternative custodial sentence

§ (1) If a fine is imposed, a substitute custodial sentence shall be imposed at the same time in the event of uncollectability.

(2) The substitute custodial sentence may not exceed the maximum custodial sentence threatened for the administrative offence and, if no custodial sentence is threatened and nothing else is stipulated, may not exceed two weeks. A substitute custodial sentence of more than six weeks is not permissible. It shall be determined without consideration of § 12 in accordance with the rules for determining the penalty.

Penalty assessment

§ Section 19 (1) The basis for the assessment of the penalty shall be the significance of the legal interest protected by criminal law and the intensity of its impairment by the act.

(2) In the ordinary proceedings (sections 40 to 46), moreover, the grounds for aggravation and mitigation that come into consideration according to the purpose of the threat of punishment shall be weighed against each other, insofar as they do not already determine the threat of punishment. Particular attention shall be paid to the extent of fault. Taking into account the specific nature of administrative criminal law, §§ 32 to 35 of the Criminal Code shall be applied analogously. The income and financial circumstances and any duty of care of the accused are to be taken into account when assessing fines.

3.2 Proceedings before the Federal Administrative Court

Pursuant to Section 27 (1) of the DSG, the Federal Administrative Court, through its Senate, decides on appeals against decisions of the data protection authority, among other things.

3.3 The individual grounds of appeal

3.3.1. fulfilment of the objective elements of the offence

In the context of the facts of the case, the prosecuting authority assumed that the operation of the cameras had resulted in the recording of images within the meaning of Section 12 (1) DPA and that the material scope of application of Article 2 Previous Search TermDSGof the Next Search Term had been opened.

The recording area also extends to other areas of public space and to a neighbouring plot of land, which means that a significant area of the space outside the plant in question is covered. Road users passing by there by chance would not reasonably have to expect to be photographed, which is why the operation of the image recording infringes the principles standardised in Article 5 Previous search termDSGVONnext search term. A legal basis within the meaning of Art. 6(1) GDPR, which is suitable to justify the lawfulness of data processing, is not apparent and has not been put forward. In particular, no legitimate interest in the operation of the image recording in the light of the coverage area was recognised.

Failure to comply with the obligation to delete data provided for in Sections 13(3) of the Data Protection Act and 50b(2) of the Data Protection Act 2000 infringed Sections 13(3) in conjunction with 62(1)(4) of the Data Protection Act and 52(2)(7) in conjunction with 50b(2) of the Data Protection Act 2000.

Finally, the failure to fulfil the obligation to label provided for in Article 13, paragraph 5 of the DSG and Article 50d, paragraph 1 of the DSG 2000 violates Article 13, paragraph 5 in conjunction with Article 62, paragraph 1, line 4 of the DSG and Article 52, paragraph 2, line 4 in conjunction with Article 50d of the DSG 2000.

The complainant contested the assessment of the authority against which the complaint was brought: The authority against which the complaint was brought failed to take account of the factual and legal situation if it believed that there was no appropriateness with regard to the scope of coverage and that it was not limited to the necessary extent.

The excessively long storage period of the data and images was based on an error of law and was changed as soon as the legal provisions became known.

Finally, the applicant submits that there are clearly visible signs on the door of the warehouse and on the door and window of the sales stall.

However, the complainant could not get away with this argument:

1. the facts of the case: the camera mounted on the storage container:

It is not disputed that this is a picture recording in the context of which (also) personal data are collected and stored.

According to Art. 5 para. 1 lit. c of the GDPR, personal data must be adequate and substantial for the purpose and limited to what is necessary for the purposes of processing (data minimization).

"An overall consideration of the principle of data minimization, including its requirement that data be limited to the necessary extent, shows that it includes the requirements of data avoidance and data economy, and that its application is spread out over numerous aspects that currently overlap with the principle of purpose limitation and the principle of storage limitation:

The principle of data minimization generally limits the depth of intervention and thus the type of data, the personal nature of the data, the quantity of data, the level of detail of the data, the storage period of the data, the number of uses and the circle of persons authorized to access the data. Minimising the amount of data means both minimising the number of data subjects and minimising the amount of data per data subject.77 Cf. Pötters in Gola, DS-GVO Art 6 Rz 22. Minimising the personal reference means in particular checking whether the purpose of the processing can also be achieved with pseudonymised, aggregated or anonymised data. Even the mere display of data instead of their reproduction is a form of data minimisation if this is sufficient to achieve the purpose".

(Hötzendorfer/Tschohl/Kastelitz in Knyrim, DatKomm Art 5 GDPR, RZ 34ff (as of 1.10.2018, rdb.at)).

It must be stated at the outset that no further reasons were given in the complaint regarding the appropriateness of the discontinued coverage area. It must therefore be examined in its entirety whether the determined extended detection range of the camera on the storage container was actually designed in such a way that it was set up in the sense of the required data minimization.

The complainant and the witness in the appeal proceedings argued that the purpose of video surveillance had been a condition of the insurance. Furthermore, the complainant, the witness and also the complainant argued that the installation, as it had originally been carried out, had only been technically possible in this way.

In contrast, the photographs of XXXX 2019 that have now been submitted provide evidence that a corresponding adjustment of the camera on the storage container with a more limited field of view was and is apparently factually and technically possible. The snack bar can still be seen on them, which still seems to correspond to a possible earmarking to possible insurance requirements.

Conversely, however, it also follows from this that the earlier setting, which included a street and the neighbouring petrol station, cannot satisfy the principle of proportionality in the narrower sense of appropriateness, since the scope of coverage in any event went beyond the protective purpose of monitoring the snack bar for an insurance company. Nor can the relevance of the wider scope of coverage for insurance purposes be recognised, nor was such a relevance asserted.

The fact that video surveillance with storage of the recorded data in principle constitutes processing (cf. Art. 4 para. 2 Previous Search TermDSGGVNext search term) of personal data within the scope of application of Art. 2 para. 1 GDPR was not disputed and is also not in question for the recognising Senate. The legal basis of Article 12 of the Data Protection Act is then no longer relevant.

The prosecuting authority is further to be granted justice if it believes that in the present case the fundamental right to secrecy of the road users passing by accidentally in the recording area is outweighed by a possible legitimate interest in the operation of video surveillance (with the extended coverage) in the sense of Art. 6 para. 1 lit f GDPR. A factual situation that goes beyond this for the lawfulness of the extended coverage of the camera on the storage container (see Art. 6 para. 1 lit. a. - e. GDPR) was not submitted by the complainant and does not result from the proceedings.

Thus, the objective facts of a violation of Article 5.1 lit. c and Article 6.1 lit. f. GDPR are fulfilled, since neither the principle of data minimisation was followed, nor was there a sufficient legitimate interest on the part of the complainant.

The punishability of this violation is based on § 83.1 and 5 GDPR.

2. facts: timely deletion of the data:

For the period prior to 25 May 2018, Section 50b (2) of the DPA 2000 contained the provision according to which recorded data were to be deleted after 72 hours at the latest unless they were required for a specific reason for the realisation of the underlying protection or preservation of evidence purposes or for purposes pursuant to Section 50a (6). An intended longer retention period was to be stated and justified in the notification. In this case, the data protection authority was only allowed to register the video surveillance if this was regularly required for special reasons to achieve the purpose.

For the period after 25.05.2018 (and thus for the period after the entry into force of the GDPR), Art. 5 para. 1 lit e GDPR provides that personal data shall be stored in a form which permits identification of data subjects only for as long as necessary for the purposes for which they are processed; personal data may be stored for a longer period provided that the personal data are processed exclusively for archiving purposes in the public interest or for scientific and historical research purposes or for statistical purposes as referred to in Article 89(1), subject to the implementation of appropriate technical and organisational measures required by this Regulation to protect the rights and freedoms of the data subject ("storage limitation")

" The principle of storage limitation specifies the principle of data minimisation in relation to the storage period. It shall be limited to the strict minimum necessary. The period or criteria for determining the time of erasure shall be limited to the minimum strictly necessary for the purposes of the processing. The determination of the time limits or criteria therefore usually requires a case-by-case assessment, in which the necessity of the retention of data is assessed in relation to the processing purposes". (Hötzendorfer/Tschohl/Kastelitz in Knyrim, DatKomm Art 5 GDPR, RZ 49f (Status 1.10.2018, rdb.at))

The complainant himself stated in the complaint and at the hearing that due to an error of law there was a setting according to which the images were stored for up to 14 days. After the complainant was informed of the legal provisions, the system was reprogrammed in such a way that personal image data was deleted within 72 hours.

The findings thus show that there was a longer retention period for personal data during the period of the offence, namely up to 14 days. It did not emerge from the investigation that this longer retention period would have been proportionate, would have been separately recorded and justified or would have been subject to a report and justified.

Thus it must be agreed with the prosecuting authority that the non-fulfilment of the standardised deletion obligation for the period before 25.05.2018 violated § 50b para. 2 DSG 2000.

With regard to the period after 25 May 2019, the recognising senate assumes that, in the absence of a corresponding opening clause in the GDPR , there is no room for the application of § 13 DPA, which must therefore remain unapplied (see European Court of Justice, 9 March 1977, C-106/77):

"The Austrian legislator bases its enactment of §§ 12 f DSG on Art 6 Paragraphs 2 and 3 and Art 23 GDPR and Chapter IX GDPR in conjunction with ErwGr 10. It should only be noted at this point that in the absence of a specific opening clause, it is questionable whether the Member States are still permitted to introduce or maintain national standards on video surveillance at all after the GDPR. Although Art. 6 (2) and (3) allow more specific regulations to be maintained or enacted at national level (if the other conditions are met), this is only possible for processing operations based on the permissible elements of Art. 6 (1) lit c and lit e (in the case of video surveillance by private individuals, this would probably be based on Art. 6 (1) lit c and lit e). 1 lit f)" (Kastelitz/Hötzendorfer/Tschohl in Knyrim, DatKomm Art 6 GDPR, RZ 79 (as of 1.10.2018, rdb.at)); see also Souhrada-Kirchmayer in Jahrbuch Öffentliches Recht 2018, NWV, p. 68; and also in this sense on the German legal situation regarding video surveillance for private purposes: Buchner/Petri in Kühling/Buchner, DS-GVO - BDSG, 2nd edition, C.H. Beck, Art. 6 GDPR, RZ 172, p. 277).

Finally, the German Federal Administrative Court also stated the following in a decision of 27.03.2019, BVwerG 6 C 2.18

"It follows that the opening clauses of Article 6.2 and 6.3 GDPR for processing operations under Article 6.1(1)(e) GDPR do not cover video surveillance of private parties responsible. For this reason, there is no room for a future application of Section 4 (1) sentence 1 of the Federal Data Protection Act in force since 25 May 2018 in the version of Article 1 of the Act of 30 June 2017 (Federal Law Gazette I p. 2097) - BDSG as amended - as the identical-word successor regulation of Section 6b (1) BDSG as amended to video surveillance of private parties responsible. These are to be measured against Art. 6 para. 1 subpara. 1 letter f GDPR.

The recognizing senate agrees with this opinion, which is why the established facts of the case are only to be subsumed under the corresponding provisions of the GDPR: The retention of the stored image data for a period of 14 days thus violated the principle of Art. 5 para. 1 lit e GDPR, since no indications whatsoever were found in the proceedings that the retention of the data for 14 days actually complied with an absolutely necessary minimum level. Even if it is to be assumed that video surveillance is necessary for insurance purposes, such a long storage period cannot result from the need to trace an insurance-relevant incident. Thus, this storage period is also without any basis in the context of a proportionality test of Art. 6 para. 1 lit f GDPR, since such a justified interest of the complainant was neither put forward nor results from the stated purpose for the operation of the video system. For this reason, it must be assumed that there has also been a violation of Article 5.1(e) and Article 6.1(f) GDPR with regard to the storage period of the image data of up to 14 days.

In the light of the current new situation regarding the applicability of the penalty provisions of the GDPR, it is necessary at this point to address the sufficient certainty of the penalty provisions:

In the context of a blanket criminal provision in the Freight Transport Act, the Constitutional Court stated that (emphasis not in the original) "[the Constitutional Court] has in constant case-law (cf. VfSlg. 12.947/1991 with numerous references to case law) considered the legislative process of the external separation of the offence and the threat of punishment, which is characteristic of blanket criminal provisions, to be constitutionally unobjectionable. Admittedly, he also regarded it as indispensable in the case of provisions of a general-penalty criminal law that the elements of the offence are characterised by the law with sufficient clarity as a prohibitory provision and thus as an offence, that furthermore, if the offence consists of a violation of a mandatory provision, the unlawful content of an omission is clearly recognisable and that finally the elements of the offence of a general-penalty provision must be characterised with such clarity that everyone is able to understand it as such (VfSlg. 12.947/1991 mwN). Thus, on the basis of a blanket criminal provision, unlawful and therefore punishable conduct may only be assumed if and to the extent that the addressee of the provision can see the distinction between lawful and unlawful conduct so clearly that any justified doubt on the part of the person subject to the provision as to the content of his or her dutiful conduct is excluded (VfSlg. 14.319/1995). (VfGH, VfSlg. 17479, 04.03.2005).

In terms of the subject matter, the recognising Senate assumes that Article 5.1 lit. e of the GDPR fulfils the requirement of sufficient certainty in that the requirement of reducing the storage period to a minimum and in direct relation to a purpose limitation is sufficiently clear from the provision. While it is acknowledged that Art. 5.1 lit. e) GDPR does not contain a permitted maximum duration of storage (cf. formerly 72 hours), on the other hand, the results of the proceedings do not show that the complainant has made any comprehensible considerations at all with regard to a reduction of storage duration to a necessary minimum. The question of the possible appropriateness of an implemented storage reduction in a specific individual case therefore does not arise.

The punishability of these violations is based on § 52.2 no. 7 DSG 2000 (for the period prior to 25 May 2018) and on § 83.1 and 5 GDPR.

3. facts: suitable identification:

For the period prior to 25.05.2018, Section 50d, Paragraph 1 DSG 2000 made the provision according to which the client of a video surveillance system must mark it appropriately. In any case, the identification must clearly show the client, unless he is already known to the persons concerned under the circumstances of the case. The identification must be carried out locally in such a way that every potentially affected person who approaches a monitored object or a monitored person has the opportunity to avoid video surveillance as far as possible.

For the period after 25 May 2018 (and thus for the period after the entry into force of the GDPR), Art. 5 para. 1 lit a GDPR provides that personal data must be processed in a lawful manner, in good faith and in a manner comprehensible to the data subject:

"The principle of transparency was not explicitly mentioned in the DS-RL and the DSG 2000, but was implicitly contained in the provisions on the duty to inform. The principle of transparency is concretised in the GDPR by Art. 13 and 14 on the duty to inform and Art. 12 on the modalities in this respect. The content of the principle of transparency can thus also be seen from these provisions and from Recitals 39 and 58: It must be clear to those concerned that personal data are being processed, what data are being processed, for what purposes they are being processed and by whom they are being processed (identity of the controller) and to whom they may be transmitted. Furthermore, data subjects should be informed about risks, regulations, guarantees and rights relating to the processing and about the assertion of these rights. This information must be precise, easily accessible and comprehensible and must be written in clear and simple language. The importance of transparency of processing and hence of the obligation to provide information lies in particular in its function as a necessary condition for the exercise of the rights of data subjects: If the data subject is not aware that his/her data are being processed and/or does not know who is carrying out the processing, he/she cannot exercise his/her rights under Art. 15-21 in this regard.

Hötzendorfer/Tschohl/Kastelitz in Knyrim, DatKomm Art 5 GDPR, RZ 18f (Status 1.10.2018, rdb.at))

It is also necessary to check that the criminal provision is sufficiently precise with regard to this offence (see also above):

while it is objectively acknowledged that the aforementioned provision of the GDPR establishes principles of data use and does not make any more precise statements on the identification of the video system, it must nevertheless be viewed holistically that it has long been inherent in European data protection law that those affected must be informed about video surveillance. They should have detailed knowledge of the places that are monitored. In the context of the GDPR, the requirements for transparency and obligation to inform are listed in Art. 12ff. In particular Art. 13 GDPR is to be applied if personal data are processed by video surveillance, among other things. Based on the amount of information that a data subject is to receive, a "stratified access" and a combination of means can be chosen by a responsible person in order to comply with the transparency requirement. In the context of video surveillance, the most important information should be presented in a warning notice, while the necessary further information can be provided by other means (as a second layer) (see European Data Protection Board, Guidelines, Guidelines 3/2019 on processing of personal data through video devices, 10.07.2019, p. 21ff, available online at https://edpb.europa.eu/our-work-tools/general-guidance/gdpr-guidelines-recommendations-best-practices_de).

In its decision cited above, the Constitutional Court pointed out in relation to the Freight Transport Act that the applicable provisions would be provisions of primary law or directly applicable regulatory provisions, and that the penalty provisions would have been addressed to the "drivers" who, as such, would in any case be obliged to obtain information about the national and Community law provisions applicable to their professional practice. (see VfGH, VfSlg. 17479, 04.03.2005).

In this sense, it therefore appears unobjectionable to point out to the persons subject to the provisions of this Act that they are called upon to familiarise themselves with the possibility of the concrete formulation of the principle of transparency in the light of the provisions that have been in force to date (cf. § 50d.1 of the DPA 2000) or in the light of the previous practice of labelling video surveillance and to implement this appropriately. There is therefore no doubt as to the necessary certainty of the criminal provision of Art. 5 para. 1 lit a in conjunction with Art. 12 and Art. 13 GDPR.

It now emerges from the investigation results of the appeal proceedings that such a suitable identification was not appropriate at the time of the review by XXXX. Thus the non-fulfilment of the labelling obligation for the period prior to 25 May 2018 violated § 50d of the DSG 2000.

With regard to the facts of the case after 25 May 2018, the recognising Senate refers to the above statement that the legal basis of § 13, Subsection (1), Subsection (2), of the DSG 2000 is not applicable. 5 of the DPA must remain unapplied, and the established facts of the case must be subsumed under the corresponding provisions of the GDPR: Accordingly, the complainant did not mark his video surveillance and thus violated the prohibition on transparency in Article 5.1 lit. a in conjunction with Article 12 and Article 13 of the GDPR.

The punishability of this violation is based on Article 52, paragraph 2, item 4 of the DPA 2000 (for the period prior to 25 May 2018) and on Article 83, paragraphs 1 and 5 of the Previous Search Term DPA Next Search Term.

3.3.2 Criminal liability and fault of the complainant

In the contested criminal decision, the authority against which the action was brought found that the complainant had been the person responsible for data protection in respect of image processing by means of a video surveillance system at the operating site of a snack bar, at least since XXXX .2018. Irrespective of this, S.Z. was the business owner of the business premises. Against the background of the facts ascertained by the prosecuting authority, the complainant, as the person responsible pursuant to Article 4.7 of the GDPR , was responsible for the objective factual side of the administrative offence of which he was accused under Article 83.5.a of the GDPR  and under § 62.1.4 of the DPA and § 52.2.4 and 7 of the DPA 2000. The prosecuting authority further referred to § 5.1 of the VStG, according to which in the case of offences of disobedience, criminal liability is assumed if the offender does not make it plausible that he is not at fault for the violation of the administrative provision. It was incumbent on the defendant to make it credible that compliance with the administrative provisions had been impossible for him without his fault.

The complainant submitted in particular that during the period in question, S.Z. had been the manager of the snack bar. The complainant had not been the person who, alone or jointly with others, had decided on the purposes and means of processing personal data. He had merely been an employee of the stand and had followed the instructions of the manager.

On liability:

Pursuant to Art. 4 no. 7 GDPR, "controller" is the natural or legal person, authority, institution or other body which alone or jointly with others decides on the purposes and means of processing personal data.

" Responsibility is delegated to the person who has the power to decide. The decisive factor in allocating responsibility is therefore who decides on the essential aspects of the means of processing. The attribution of responsibility does not require that the controller itself processes data, is in possession of the processed data or has physical control. If he/she decides that data are to be processed, all persons and bodies that carry out steps of data processing under his/her supervision or instruction (auxiliary bodies) must be functionally assigned to him/her. The orientation of the definition of controller as the person or body that decides on the purpose(s) and means of the processing is a functionalist view, according to which responsibility is allocated on the basis of the actual influence on the decision.110 Article 29 Working Party, Opinion of 1. 6. 2012 on Cloud Computing (WP196) 12. There may be an explicit legal basis for this, in which case the allocation of the controller and the purpose, including data categories and data recipients, is usually clearly identifiable. If, however, a legal norm only provides for implicit legal obligations, the person or entity that is subject to this legal obligation and processes personal data for this purpose is considered to be the responsible party. Responsibility can also arise from the factual anticipation of decisions. If an actor actually and de facto decides to start data processing, this actor is to be regarded as the controller in the sense of GDPR. The decisive factor is who decides and not who decides lawfully. For example, a processor may become a controller if he or she determines processing purposes and means of processing himself or herself without being legitimized to do so. (Hödl in Knyrim, DatKomm Art 4 GDPR, RZ 83ff (Status 1.12.2018, rdb.at))

Thus the GDPR  in the definition of the responsible person is based on a de facto decision-making authority over the commencement of data processing. In the present proceedings, it was found that the complainant - contrary to what was submitted in the complaint - did indeed have de facto decision-making sovereignty over the acquisition, installation and operation of the video surveillance system. While he was formally neither the owner of the snack bar nor entitled to trade, he described himself as managing director, took on organisational and administrative tasks and management functions, also or primarily because the formal owner of the snack bar did not speak enough German to carry out these tasks. On the whole, the picture thus emerges that the essential decisions on the acquisition, installation and operation of the video system were not taken by the owner and holder of the business licence, but by the complainant, which is why he too is the person responsible under Article 4(7)(7) GDPR.

On culpability:

If nothing to the contrary is standardised, negligent conduct is sufficient for punishability under § 5 Paragraph 1, first sentence VStG. The applicable provisions of the DSG or the GDPR do not contain any provisions to the contrary. For disobedience offences, § 5 para. 1 second sentence VStG provides for the - refutable - presumption of negligent conduct. Since the presence of negligence is presumed by law in the case of disobedience offences, the accused must prove that he is not at fault for the violation of the administrative regulation (VwGH 30.10.1991, 91/09/0132).

However, this provision is not applicable if the administrative offence is punishable by a fine of more than € 50,000

is threatened (§ 5 paragraph 1a VStG). However, the Administrative Court has stated in its most recent ruling on § 5 VStG that this legal change is not subject to the favourable treatment principle of § 1 (2) VStG (VwGH, 21.05.2019, Ra 2019/03/0009).

In the course of the proceedings, there were no indications that the complainant was not at fault for the violation of the administrative provisions to be applied in the present case. Insofar as the complainant submits that he was not aware of the relevant legal provisions, it must be pointed out that he is under an obligation to become sufficiently familiar with the relevant standards in his field of activity (cf. e.g. with regard to a trade, VwGH, 22 December 1992, 91/04/0019). Such an obligation to make inquiries applies to the complainant in any case if he was not aware of the legal situation (cf. VwGH, 25 June 2013, 2013/09/0022). The complainant did not allege that he had obtained enquiries in good time and that he had been confused by them. An excusable error can therefore not be assumed.

In doing so, the complainant objectively acted contrary to due care, and it would also have been subjectively reasonable to expect him to have exercised due care. Thus, there is also a subjective reproachfulness of the accusations.

3.3.3 Assessment of the penalty

The complainant did not provide any information on his income and did not contest the income estimate by the contested authority. Thus, the assessment of the fine is based on the relevant considerations of the prosecuting authority.

The assessment of the penalty within a statutory penalty framework is a discretionary decision that must be made in accordance with the criteria laid down by the legislature in § 19 VStG (VwGH 05.09.2013, 2013/09/0106).

According to § 52 para. 2 DSG 2000, the penalty ranges up to € 10,000

and according to Art. 83 para. 5 GDPR up to an amount of 20.000.000 €.

The basis for the assessment of the penalty is the importance of the legal interest protected by criminal law and the intensity of its impairment by the offence (§ 19, paragraph 1 VStG). In addition, the reasons for aggravation and mitigation that come into consideration must be weighed against each other. Particular attention must be paid to the extent of fault. Taking into account the specific nature of administrative criminal law, §§ 32 to 35 of the Criminal Code are to be applied analogously. The income and financial circumstances and any duty of care of the accused must be taken into account when assessing fines (§ 19, paragraph 2 VStG).

Art. 83 para. 2 GDPR provides for the following criteria within the framework of the assessment of penalties:

Fines are imposed in addition to or instead of measures pursuant to Article 58 paragraph 2 letters a to h and i, depending on the circumstances of the individual case. In deciding on the imposition of a fine and on its amount, due account shall be taken of the following in each individual case:

(a)the nature, seriousness and duration of the infringement, having regard to the nature, scale or purpose of the processing operation concerned, as well as the number of persons concerned by the processing operation and the extent of the damage suffered by them

(b)-intentional or negligent nature of the breach;

(c)-any measures taken by the controller or the processor to mitigate the damage suffered by the data subjects;

(d)-the degree of responsibility of the controller or processor, taking into account the technical and organisational measures they have taken in accordance with Articles 25 and 32;

(e)-the relevant previous infringements committed by the controller or the processor;

(f)-the extent of cooperation with the supervisory authority to remedy the infringement and mitigate its possible adverse effects;

(g)-categories of personal data concerned by the breach;

(h)-the manner in which the supervisory authority became aware of the breach, in particular whether and, if so, to what extent the controller or processor notified the breach;

(i)compliance with the measures previously ordered under Article 58 (2) against the controller or processor concerned in respect of the same subject matter, where such measures have been ordered;

(j)-compliance with approved codes of conduct referred to in Article 40 or approved certification procedures referred to in Article 42; and

(k)- any other aggravating or mitigating circumstances in the case in question, such as financial advantages directly or indirectly gained or losses avoided as a result of the infringement.

The prosecuting authority is to be agreed that, in particular in the case of a violation of the first set of facts (coverage of the camera on the storage container), it must be assumed that there is a potential large number of persons affected who may accidentally enter the illegal and disproportionate coverage of this camera. Therefore, this violation is to be considered as serious. It is also possible to follow the prosecuting authority to the effect that this violation is more serious than those violations concerning the storage period and the marking of the video surveillance.

The prosecuting authority must also be followed that the violations were committed over a longer period of time, at least several months.

The infringements were further based on negligence.

The complainant's cooperation in the proceedings and the absence of previous relevant infringements were considered by the prosecuting authority to be mitigating factors. The duration of the infringement and the intensity of the intervention by the operation of an inadmissible and disproportionate image processing system due to the extended coverage of the camera on the storage container were considered by the prosecuting authority to be aggravating factors.

Art. 83 para. 1 GDPR provides that fines under this provision shall be effective, proportionate and dissuasive. Accordingly, a complete relinquishment of a penalty cannot be considered.

As a mitigating circumstance, the appeal proceedings should also take account of the fact that the complainant claimed that, after becoming aware of the error of law regarding the storage period, he had reduced it accordingly, although the exact time at which this was supposed to have happened could not be established. In addition, with the photographs of XXXX 2019, he submitted indications that he intended to comply (at least partially) with the labelling obligation incumbent on him. With regard to the penalties for the 2nd and 3rd offences, these factors (cf. Art. 83 para. 2 lit f Previous Search Term Data Protection Act and § 34 para. 1 no. 15 of the Criminal Code) must be taken into account and the penalties were to be reduced accordingly.

On the other hand, it must be further acknowledged that there has been no inspection of the camera's coverage area at the storage container over a longer period of time and thus no such timely efforts to reduce the coverage area, which is why a reduction of the penalty in this area is out of the question.

There are no particular general or special preventive factors.

These considerations therefore lead to the following conclusion:

With regard to the 1st set of facts, the penalty of € 1,200 provided for by the prosecuting authority is appropriate in the light of the complainant's financial circumstances, his previous innocence, but also in the light of the wrongfulness of the violation and the threat of punishment.

With regard to the 2nd set of facts, the penalty is set at € 150.

and thus mitigates the mitigation of damage and consequences or the establishment of the lawful state of affairs and takes into account the lower threat of punishment under Article 52 (2) DSG 2000.

With regard to the 3rd offense, the penalty is also reduced to 150 €.

and thus also mitigates the reduction of damage and consequences or the attempt to restore the lawful state and takes into account the lower threat of punishment under Section 52 (2) DSG 2000.

Thus, the penalty is set at a total of 1,500 €.

If a fine is imposed, then pursuant to § 16, Subsection 1, VStG, a substitute custodial sentence is to be set at the same time for the case of its uncollectability. The substitute custodial sentence may not exceed the maximum of the custodial sentence threatened for the administrative offence and, if no custodial sentence is threatened and nothing else is stipulated, may not exceed two weeks. A substitute custodial sentence of more than six weeks is not permissible. It shall be determined without regard to § 12 VStG in accordance with the rules for determining penalties.

With regard to the assessment of substitute custodial sentences, the Administrative Court stated that the amount of the substitute custodial sentence is to be assessed in accordance with the culpability of the offender, taking into account the reasons for aggravation and mitigation; on the other hand, as in the present case, the personal circumstances and the economic capacity of the offender are only decisive when assessing the fine, but not the substitute custodial sentence (VwGH 28.05.2013, 2012/17/0567).

The determination of the substitute custodial sentence was already correctly oriented by the prosecuting authority - corresponding to the imposed fine - with only three days or one day at the lower end and was therefore not objectionable; however, it must be adjusted with regard to the determination of facts 2 and 3, as the fine was reduced there: Therefore, for the 1st offense a substitute imprisonment of 3 days is confirmed, for the 2nd offense

2. and 3. of the offence, a substitute imprisonment of 12 hours is determined in each case.

3.3.4 Result

For the reasons set out above, the complaint concerning the statement of objections concerning the penalty imposed had to be partially upheld. Furthermore, the applicable provisions of the law had to be corrected (cf. VwGH, 20.05.2015, Ra 2014/09/0033).

Pursuant to § 52.8 of the VStG, the complainant was not to be ordered to pay the costs of the appeal proceedings before the Federal Administrative Court because his appeal was partially granted.

Re B) Admissibility of the appeal

Pursuant to § 25a, Subsection 1, VwGG, the Administrative Court must state in its decision or order whether the appeal is admissible under Art. 133, Subsection 4, B-VG. The statement must be briefly substantiated.

The appeal is admissible pursuant to Article 133.4 of the Federal Constitution because the decision depends on the solution of a legal question of fundamental importance and there is no case-law of the Administrative Court on this point: thus the question of conformity with Union law and hence of the applicability of §§ 12 et seqq. of the DPA and subsequently of the substantive legal bases for the criminal proceedings in question and their determination arises.
Keywords
Determination law, image processing, data erasure,
Data minimization, data storage, data processing,
Confidentiality interest, fine, duty to inform,
labelling obligation, deletion obligation, personal
Data, memory limitation, penalty assessment, criminal knowledge,
Period of offence, disobedience, person responsible, costs of proceedings,
Proportionality, video surveillance, timeliness