BVwG - W211 2222613-2/llE

From GDPRhub
Revision as of 13:49, 6 September 2021 by JS (talk | contribs)
BVwG - W211 2222613-2/llE
Courts logo1.png
Court: BVwG (Austria)
Jurisdiction: Austria
Relevant Law: Article 5 GDPR
Article 14 GDPR
Article 15 GDPR
Article 25 GDPR
Decided: 09.08.2021
Published:
Parties: CRIF
National Case Number/Name: W211 2222613-2/llE
European Case Law Identifier:
Appeal from:
Appeal to: Pending appeal
Original Language(s): German
Original Source: Not yet published (in German)
Initial Contributor: n/a

The Federal Administrative Court of Austria (BVwG) decided that a decision of the Autrian DPA to dismiss a complaint on incomplete access request has to be partially rectified. The court held that only abstract information on the storage period and lacking information on recipients of personal data are in violation of the GDPR. In this regard, Article 77 GDPR grants an independent right to lodge a complaint with Data Protection Authorities irrespective of restrictions or additional requirements formulated by member states national law.

English Summary

Facts

In 2018, the complainant requested access to their personal data from the CRIF (the ‘respondent’), a credit scoring agency operating in Austria. After receiving the response of the agency, the complainant stated a violation of their right to access due to its insufficiency. According to the complainant, the agency failed to precisely name data sources, purposes and the storage period for the personal data. In this regard, the complainant has not been informed on new recipients of their personal data as well. Furthermore, the agency did not provide a full copy of the personal data processed on the complainant. Accordingly, it also breached the principles of data minimization and confidentiality, processing incorrect addresses and insufficiently encrypted data.

The respondent indicated certain companies as their data sources and stated that the data is stored as long as there was an interest by the respondent. Moreover, the data made available by the agency presented all the data held on the complainant and a copy would not add any value. At the same time, providing more information would reveal business secrets which therefore cannot be made available. Consequently, there was no violation and therefore no right to appeal by the complainant.

The Austrian DPA dismissed the complaint, arguing that the disclosure of data sources, recipients and as well as criteria for determining the storage period has fulfilled the access request of the complainant. The provided data was sufficient and a copy of the personal data does not include entire documents, exact copies or a facsimile of such, but it is in the choice of the controller on what and how exactly data is delivered. Moreover, Article 77 GDPR is standardized in administrative proceedings as part of the Austrian national law and therefore bound to its requirements.

Holding

The Federal Administrative Court of Austria limited its judgement to the objections regarding the provision of information on the origin, storage period and purposes as well as the principles of minimization and confidentiality of the data. Further objections concerning the access to a copy of personal data were referred to the CJEU for a preliminary ruling (see also here).

Regarding the information on the data sources involved, the Court held, that the disclosure of several public sources and companies, in particular regarding the origin of the complainant's address data, may be considered complete and therefore in line with Article 15(1)(g) GDPR.

In terms of the storage period, however, the general information provided by the respondent (risk minimisation, identification, combating fraud, money laundering, terrorist financing) do not allow the complainant to assess how long his data will be stored. The missing possibility to assess when the data is, in the opinion of the agency,no longer necessary to process is therefore in breach of Article 15(1)(d) GDPR.

Furthermore, the respondent failed to inform the complainant on the disclosure of personal data to new recipients before their transmission. As the complainant could otherwise not be aware of the forwarding of their personal data, the lack of such obligatory information violates Article 14 GDPR.

The Court also stated that Article 77 GDPR allows data subjects to contact the data protection authority directly to lodge a complaint with a supervisory authority. It formulates an independent right to complaint, which is not linked to formal or substantive requirements or the provision of evidence of national law. In this regard, already violations on basic principles such as Article 5(c)(f) GDPR may concern the processing of the complainant's personal data and grant them that particular right. Any rejections of the complained violations based on a different assumption by the DPA may therefore be considered invalid and must be rectified.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.