BVwG - W211 2227144-1

From GDPRhub
Revision as of 10:08, 10 September 2021 by FD (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
BVwG - W211 2227144-1
Courts logo1.png
Court: BVwG (Austria)
Jurisdiction: Austria
Relevant Law: Article 2 GDPR
Article 51 GDPR
Article 55(3) GDPR
Article 77 GDPR
Article 133(4) Federal Constitution of Austria (Bundes-Verfassungsgesetz)
Article 94 Federal Constitution of Austria (Bundes-Verfassungsgesetz)
§ 1 Austrian Data Protection Act (Datenschutzgesetz - DSG)
§ 18 Austrian Data Protection Act (Datenschutzgesetz - DSG)
§ 31 Austrian Data Protection Act (Datenschutzgesetz - DSG)
§ 35 Austrian Data Protection Act (Datenschutzgesetz - DSG)
§ 4 Austrian Data Protection Act (Datenschutzgesetz - DSG)
Decided: 23.11.2020
Published: 01.02.2021
Parties: unnkown police investigator (data subject and complainant before the DSB)
Austrian Parliament / parliamentary committee of inquiry (controller and respondent before the DSB)
National Case Number/Name: W211 2227144-1
European Case Law Identifier: ECLI:AT:BVWG:2020:W211.2227144.1.00
Appeal from: DSB (Austria)
Appeal to: Unknown
Original Language(s): German
Original Source: Rechtsinformationssystem des Bundes (RIS) (in German)
Initial Contributor: Marco Blocher

The Austrian Federal Administrative Court held that the Austrian DPA is competent to handle complaints of a data subject regarding the allegedly unlawful disclosure of his data by a parliamentary committee of inquiry.

English Summary

Facts

The data subject is a member of the police unit called task force for combating street crime (Einsatzgruppe für die Bekämpfung der Straßenkriminalität - EGS) and operates as an undercover agent. After being summoned to a hearing by an parliamentary committee of inquiry, his full name was disclosed in the minutes of this hearing which were published online. The data subject requested the removal of his full name from the minutes since revealing his identity this would jeapordize his work as an undercover agent. After the parliamentary committee rejected his request, he filed a complaint with the Austrian DPA (Datenschutzbehörde -DSB).

The DSB rejected the complaint because it did not consider itself competent. The European legal system forsees a separation of state powers. As a parliamentary committee of inquiry is part of the legislative state power, the DSB - as part of the administrative state power - could not exert control over it. Furthermore, § 35 Austrian Data Protection Act (Datenschutzgesetz - DSG) only allows for the DSB to exert its investigative and corrective powers over certain supreme administrative organs (such as the Federal Ministers), but not over a parliamentary committee.

The data subject filed an appeal against this decision with the Austrian Federal Administrative Court (Bundesverwaltungsgericht - BVwG), which now issued its judgment.

Dispute

Is the DSB competent to exert its investigative and corrective powers over a parliamentary committee of inquiry and handle a data subject's complaint regarding the violation of his GDPR rights by the parliamentary committee?

Holding

The BVwG initially held that the exemption under Article 2(2)(a) GDPR (processing of personal data in the course of an activity which falls outside the scope of Union law) does not apply on the case at hand. According to the BVwG, the substantive provisions of the GDPR and the DSG are also applicable to acts which, like those of a parliamentary committee of inquiry, are attributable to the state function of legislation.

The BVwG further held, that the powers of the DSB under the GDPR are extensive. Neither Article 55, Article 77 or Article 51 GDPR nor the DSG limit the DSB's competence regarding data processing activities by a parliamentary committee. The Austrian Data Protection act in force prior to the applicability of the GDPR on 25.05.2018 (Datenschutzgesetz 2000) contained a provision that excluded the DSB's competence on acts that are attributable to the state function of legislation. The DSB as it is in force after 25.05.2018 does not contain such provision. Also, § 35 DSG does not exclude the powers vested in the DSB by the directly applicable GDPR.

Consequently, the BVwG overturned the DSB's decision. The DSB will now have to issue a decision on the merits of the case and assess whether the parliamentary committee of inquiry violated the data subject's GDPR rights.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

Court
Federal Administrative Court
Decision date
23.11.2020
Business number
W211 2227144-1
Saying

W211 2227144-1/3E
In the name of the republic!
The Federal Administrative Court, by Judge Barbara SIMMA LL.M. as chairperson and the expert lay judge XXXX and the expert lay judge XXXX as associate judge, rules on the appeal of XXXX , represented by lawyer XXXX , against the decision of the data protection authority of XXXX in closed session:
A) 
The appeal is granted and the contested decision is set aside.
B)
The appeal is admissible pursuant to Art. 133 para. 4 B-VG.

Text

Reasons for decision:
I. Course of proceedings:
In his data protection complaint of XXXX.2019, the complainant alleged a violation of his right to confidentiality pursuant to section 1 of the Data Protection Act (Datenschutzgesetz, DSG) and summarised that he was a member of the task force for combating street crime (Einsatzgruppe für die Bekämpfung der Straßenkriminalität, EGS) and worked there as an undercover investigator. He had been summoned as a respondent in the "XXXX Committee of Inquiry" and had also provided information there. In addition to him, other staff members had also been summoned as respondents. In the published minutes, however, the first name and surname of these persons had only been indicated with the initial letter. The complainant, however, appeared in the minutes with his full name and not only with the initial letters, although he had requested this on the basis of his legitimate interests and a non-existent overriding interest in information. In his submission of XXXX.2018, the complainant had submitted objections to the XXXX Committee of Inquiry against the scope of the publication pursuant to § 19 (3) of the Rules of Procedure for Parliamentary Committees of Inquiry (VO-UA) in due time. He had based his objections on the fact that he was investigating undercover on the street and could only achieve investigative successes if his capacity as an undercover investigator was not known to the public. He had also pointed out that his department had requested in writing that he be questioned in confidential or secret session in accordance with section 35 of the VO-UA. However, this request had not been granted. Subsequently, in a submission of XXXX.2018, he had requested the Committee of Inquiry to take the published minutes offline and to correct the error, namely the inclusion of his full name, and only then to put them online again. This had not been complied with either. 
In the contested decision of XXXX.2019, the data protection authority rejected the complaint, stating in substance that even if the General Data Protection Regulation (GDPR) does not simply deny the supervision of data protection supervisory authorities over legislative bodies, unlike over courts in the context of judicial activity (Article 55(3) GDPR), the separation of state powers is inherent in the European legal order. Control of the administration (executive) over legislation (legislative) was excluded. The National Council and its committees were the body through which legislative competence (together with the Federal Council) was exercised at federal level. The committee of enquiry, in which the complainant had testified and in which the testimony had been recorded, was an organ that was to be attributed to the legislative power of the state. However, the data protection authority was responsible for supervising compliance with the provisions of the GDPR and the DPA pursuant to Article 77 of the GDPR in conjunction with Articles 4 and 35(2) of the DPA. Exceptionally, the data protection authority is also responsible for the supervision of legislative bodies, to the extent provided for in the constitutional provision of section 35(2) DPA for individual administrative matters of certain legislative bodies. To an extent beyond that, supervision of the legislature by an organ of the executive, such as the administrative authority, the data protection authority, is not provided for. Committees of enquiry and recordings of evidence gathering, as tasks of legislative control over the administration, are therefore not subject to the jurisdiction of the data protection authority.
In his complaint to the Federal Administrative Court of XXXX .2019, the complainant stated that the scope of application of the DPA was not limited to certain persons or bodies. Section 26 of the FADP expressly provides that persons responsible in the public sector are all persons responsible who are established in the form of public law. This also applies to a committee of enquiry, as well as its chairperson or deputy. The chairperson or deputy chairperson of a committee of enquiry must, according to § 6 paragraph 3 second sentence of the VO-UA, ensure the protection of fundamental rights and the protection of personality. All the more reason, therefore, that the data protection authority must also be competent with regard to committees of enquiry or the chairperson or deputy chairperson of committees of enquiry. While the supervision of the data protection authorities is expressly excluded with regard to the area of the courts in the context of judicial activities (Article 55(3) of the GDPR), this is not the case with regard to committees of enquiry. As far as the data protection authority refers to the principle of separation of powers in the contested decision, it is pointed out that this principle is unknown to the Austrian Federal Constitution in such general terms. Moreover, to the extent that the data protection authority refers to Article 35(2) of the GDPR, it should be noted that this refers exclusively to the executive, namely the supreme executive bodies, but not to the legislative. The constitutional provision of Article 35(2) of the Data Protection Act was necessary because Article 94(1) of the Federal Constitution only provided for an explicit separation of powers with regard to the judiciary and the administration. However, this had nothing to do with the data protection issues in question regarding a committee of enquiry or the chairperson or deputy chairperson of a committee of enquiry. In addition, the data protection authority failed to recognise that the legislative function was to be interpreted narrowly under constitutional law. Article 24 of the Federal Constitution expressly refers to the National Council with regard to legislation. From a material point of view, a committee of enquiry has nothing to do with the making of laws in Austria. For this reason, too, the data protection authority had the competence to review data protection violations committed by the committee of enquiry.
4. by letter dated XXXX .2019, the data protection authority submitted the file.
II. the Federal Administrative Court considered:
1. findings:
The complainant lodged a complaint with the data protection authority on XXXX .2019 for violation of his right to confidentiality. He claimed to have been an undercover investigator and to have been called as a witness in the "XXXX -U Committee". However, his name appeared in the published minutes, although he had requested to be named only with the initial letters. 
The data protection authority rejected the complaint by decision of XXXX .2019 due to lack of jurisdiction. 
2. assessment of evidence:
The findings on the submission of the complaint and the decision of the data protection authority result from the administrative act in connection with the complainant's submissions and are not in dispute. 
3. legal assessment:
Re A)
1. legal bases:
The relevant provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data, on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation - GDPR), are:
Article 2
Material scope of application
1. This Regulation shall apply to the processing of personal data wholly or partly by automatic means and to the processing otherwise than by automatic means of personal data which are stored or are intended to be stored in a filing system.
2. This Regulation shall not apply to the processing of personal data
a)	in the context of an activity which does not fall within the scope of Union law,
b)	by Member States in the context of activities falling within the scope of Chapter 2 of Title V of the TEU,
c)	by natural persons for the exercise of exclusively personal or family activities,
d)	by the competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the protection against and the prevention of threats to public security.
	
3. Regulation (EC) No 45/2001 shall apply to the processing of personal data by Union institutions, bodies, offices and agencies. Regulation (EC) No 45/2001 and other legal acts of the Union governing such processing of personal data shall be adapted to the principles and rules laid down in this Regulation in accordance with Article 98.
4. This Regulation shall be without prejudice to the application of Directive 2000/31/EC and in particular the provisions of Articles 12 to 15 of that Directive concerning the liability of intermediaries.
Article 55
Responsibility
1. Each supervisory authority shall be competent to carry out the tasks and exercise the powers conferred on it by this Regulation within the territory of its own Member State.
Where the processing is carried out by public authorities or private bodies on the basis of Article 6(1)(c) or (e), the supervisory authority of the Member State concerned shall be competent. In that case, Article 56 shall not apply.
(3) The supervisory authorities shall not be competent to supervise processing operations carried out by courts in the course of their judicial activities.
Article 77
Right to complain to a supervisory authority
1. Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her residence, place of work or the place of the alleged infringement, if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.
2. The supervisory authority to which the complaint has been lodged shall inform the complainant of the status and outcome of the complaint, including the possibility of a judicial remedy under Article 78.
The relevant provisions of the Federal Act on the Protection of Individuals with regard to the Processing of Personal Data (Data Protection Act - DSG) as amended by Federal Law Gazette I No. 14/2019, read (in excerpts):
(Constitutional provision)
Fundamental right to data protection
(1) Everyone has the right to confidentiality of personal data relating to him or her, in particular with regard to respect for his or her private and family life, insofar as there is an interest worthy of protection. The existence of such an interest shall be excluded if data is not accessible to a claim to secrecy due to its general availability or due to its lack of traceability to the person concerned.
(2) – (4) […]
Scope and implementing provision
(1) The provisions of Regulation (EU) 2016/679 on the protection of individuals with regard to the processing of personal data, on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), OJ No. L 119, 4.5.2016 p. 1, (hereinafter: GDPR) and this Federal Act shall apply to the wholly or partly automated processing of personal data of natural persons as well as to the non-automated processing of personal data of natural persons stored or to be stored in a file system, unless the more specific provisions of Part 3 of this Federal Act take precedence.
(2) – (6) […]
Data protection authority
Institution
(1) The data protection authority shall be established as the national supervisory authority pursuant to Article 51 of the GDPR. […]
Supervisory authority under Directive (EU) 2016/680
Data protection authority
(1) The data protection authority shall be established as the national supervisory authority for the scope of application referred to in section 36(1). The data protection authority shall not be competent to supervise processing operations carried out by courts in the course of their judicial activities.
(2) With regard to the independence, the general conditions and the establishment of the supervisory authority, Articles 52, 53 and 54 of the GDPR as well as Section 18(2), Sections 19 and 20 shall apply mutatis mutandis.
Specific powers of the data protection authority
(1) The data protection authority shall be appointed to safeguard data protection in accordance with the detailed provisions of the GDPR and this Federal Act.
(2) (Constitutional provision) The data protection authority shall also exercise its powers vis-à-vis the supreme organs of law enforcement referred to in Art. 19 B-VG as well as vis-à-vis the supreme organs pursuant to Art. 30 paras 3 to 6, 125, 134 para 8 and 148h paras 1 and 2 B-VG in the field of administrative matters to which they are entitled.
The relevant provisions of the Federal Constitutional Act (B-VG) read (in excerpts):
Article 24: The legislation of the Confederation shall be exercised by the National Council jointly with the Federal Council.
Article 53 (1) The National Council may establish committees of enquiry by resolution. In addition, a committee of enquiry shall be established at the request of one quarter of its members.
(2) The subject of the investigation shall be a specific completed process in the area of execution of the Federation. This includes all activities of organs of the Federation through which the Federation exercises economic participation and supervisory rights, irrespective of the amount of the participation. A review of jurisdiction is excluded.
(3) – (5) […]
Article 94 (1) The judiciary shall be separate from the administration in all instances.
(2) […]
Article 130 (1) The administrative courts shall hear appeals [...].
(2a) The administrative courts shall hear complaints from persons who claim that their rights under Regulation (EU) 2016/679 on the protection of individuals with regard to the processing of personal data, on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) - GDPR, OJ No L 119, 4. 5. 2016 p. 1, have been infringed by the respective administrative court in the exercise of its judicial powers. […]
Article 133 (1) The Administrative Court shall decide on [...].
2a. The Administrative Tribunal shall hear a complaint by a person who claims that his or her rights under the GDPR have been infringed by the Administrative Tribunal in the exercise of its judicial powers. […]
Application of the legal bases to the present complaint: 
The Administrative Court has already repeatedly stated that if the authority concerned has rejected an application, the appeal proceedings are only concerned with the question of the legality of the rejection (cf. VwGH 18.12.2014, Ra 2014/07/0002, 0003; 23.06.2015, Ra 2015/22/0040, as well as 16.09.2015, Ra 2015/22/0082 to 0084, all mwN). The Federal Administrative Court is therefore precluded from making a substantive decision on the application at issue. A referral back pursuant to § 28 para 3 VwGVG is also out of the question (see VwGH 16.12.2009, 2008/12/0219).
3. 
3.1 Material scope of application of the GDPR and the DPA
According to Article 2(1), the material scope of application of the GDPR is conceived comprehensively and thus refers to all wholly or partially automated processing of personal data or to the non-automated processing of personal data that are stored or are to be stored in a file system, and this - in principle - irrespective of who carries out these processing operations and to which state function a processing body is assigned. Insofar as para. 2 of Art. 2 GDPR provides for exemptions from the application of the GDPR for certain processing operations, these are also not based on the state function. An exemption from the applicability of the provisions of the GDPR in relation to a specific state function is therefore not to be inferred from the regulation itself. 
In the expert group on the GDPR and Directive (EU) 2016/680 in September 2017, the European Commission advocated a very restrictive interpretation of the term "activity falling outside the scope of Union law" of Art. 2(2) lit a GDPR, which suggests a full applicability of the substantive provisions of the GDPR also to legislation (cf. Kunnert in Bresich/Dopplinger/Dörnhöfer/Kunnert/Riedl, DSG § 4, K8 (as of 12.6.2018, rdb.at)).
Neither Union law nor the national legal order contain provisions that explicitly exclude the activities of committees of enquiry, which are part of the legislative power (cf. VfGH, 06.03.2008, B1535/07), from the scope of application of the GDPR. Section 4(1) DSG, according to which the "provisions of Regulation (EU) 2016/679 on the protection of individuals with regard to the processing of personal data, on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), OJ No. L 119, 4.5.2016 p. 1, (hereinafter: GDPR) and this Federal Act apply to the wholly or partly automated processing of personal data of natural persons as well as to the non-automated processing of personal data of natural persons stored or intended to be stored in a filing system, unless the more specific provisions of Section 3 of this Federal Act take precedence", rather claims the applicability of the GDPR and the FADP to all data processing operations of the aforementioned kind, regardless of who carries them out. 
In addition, pursuant to Art. 130 para. 2a B-VG, the administrative courts shall hear complaints by persons who claim that their rights under the GDPR have been violated by the respective administrative court in the exercise of its judicial powers, as well as pursuant to Art. 133 para. 2a B-VG, the Administrative Court hears the complaints of persons who claim that their rights under the GDPR have been violated by the Administrative Court in the exercise of its judicial powers, which results in the applicability of the GDPR also to judicial acts of the (administrative) courts (with regard to civil courts, cf. Sections 84f GOG). Finally, the literature also affirms an unrestricted binding of the ACA and the Ombudsman Board to the substantive data protection requirements (cf. Kunnert in Bresich/Dopplinger/Dörnhöfer/Kunnert/Riedl, DSG § 4, K8 (as of 12.6.2018, rdb.at)).
These considerations do not overlook the fact that the explanatory notes to Section 4(1) of the Data Protection Amendment Act 2018 (1761 BlgNR 25. GP 4) state that this "federal law - as before - would not apply to acts of legislation and acts of the courts in the context of their judicial activities". However, this restriction stated in the explanatory notes has not found its way into the text of the provision with regard to legislation and is also not otherwise to be found in the DPA. 
As a result, it must be assumed that the substantive provisions of the GDPR and the DPA are also applicable to acts which, like those of committees of enquiry, can be attributed to the state function of legislation. 
3.2 The data protection authority's power of review
In the reasoning of the contested decision, the data protection authority correctly assumes that "the GDPR does not simply negate the supervision of data protection supervisory authorities over legislative bodies - in contrast to courts in the context of judicial activity (Article 55 (3) GDPR)", but subsequently fails to recognise the legal situation when it assumes its lack of competence with a blanket reference to the separation of powers and a control of legislation by the administration which, in its view, is thereby excluded. 
The supervisory power of the data protection authority is fundamentally comprehensive in the GDPR: 
Neither Art. 55 GDPR (competence of the supervisory authority) nor Art. 77 GDPR (right of appeal to a supervisory authority) exclude a competence of the data protection authority for data protection procedures under the legislation. Although Art. 77 GDPR cannot establish a competence of a supervisory authority (cf. mutatis mutandis regarding local competence Nemitz in Ehmann/Selmayr, Datenschutz-Grundverordnung2, K5 on Art 77 and Boehm in Simitis, Hornung, Spiecker (eds.), Datenschutzrecht, K 10 on Art 77), the rules contained therein serve to effectively protect the rights of data subjects within the scope of application of the GDPR. The complaints procedure is intended to give every data subject the opportunity to defend themselves against violations of their rights under the Regulation. It is more than a right of petition, namely a genuine legal remedy (cf. again Nemitz in Ehmann/Selmayr, Datenschutz-Grundverordnung2, K1f on Art 77). Art. 77 does not need to be transposed into national law, and the right of appeal standardised therein is not linked to formal or substantive requirements, e.g. of § 24 para. 2 - 6 DSG (cf. Schweiger in Knyrim, DatKomm Art 77 DSGVO, K8 (as of 1.12.2018, rdb.at)). 
The DPA also does not know of any provision according to which a control of the data protection authority over the processes relevant to data protection law could be excluded in the case of committees of enquiry; comparable provisions do not emerge from either Section 4 (1) or Section 18 (1) regarding the establishment of the data protection authority as supervisory authority pursuant to Art. 51 DPA. Only Section 31(1) of the DPA provides for an explicit exception to the competence of the data protection authority for the courts in the context of their judicial activities, whereby this provision regulates the establishment of the supervisory authority under Directive (EU) 2016/680 - the "Police Directive". The Austrian constitutional legislator opted to make the courts themselves competent to decide in such cases (cf. on this, as already mentioned above, Art. 130 para. 2a B-VG, but also §§ 84f GOG). 
Absence of an explicit legal basis 
In a constitutional state, however, whether or not a power of review is excluded can only result from positive law, as in the case of the former general prohibition of reciprocal instances between the judiciary and the administration, which was expressed in the separation requirement of Art. 94 B-VG, but has since been relativised by the creation of today's Art. 94 para. 2 B-VG (cf. Art. 94 para. 2 B-VG in the current version: "In individual matters, federal or provincial law may provide for recourse from the administrative authority to the ordinary courts instead of lodging a complaint with the administrative court"). 
An explicit provision of positive law, from which the lack of jurisdiction of the data protection authority would result, is not mentioned in the contested decision. Provisions such as the former sections 31(2) and 5(4) of the Data Protection Act 2000 as amended by Federal Law Gazette I 83/2013, which excluded from the competence of the data protection authority not only acts in the service of jurisdiction, but also explicitly those of legislation, are no longer in force; a comparable provision was not created in the currently applicable Data Protection Act. 
On the significance of (current) Section 35(2) of the Data Protection Act: There is also nothing to be gained for the position of the data protection authority from the decision VfSlg 15.130/1998 and the constitutional provisions of the former Section 36(1) of the Data Protection Act and the current Section 35(2) of the Data Protection Act. In the aforementioned decision, the Constitutional Court stated that the audit of funds by the Court of Audit was not subject to the supervisory authority of the Data Protection Commission pursuant to Section 36 (1) of the Data Protection Act. The constitutional provision of [former] Section 36 (1) of the Data Protection Act was intended solely to create a constitutionally impeccable legal basis for the supervisory power of the Data Protection Commission also vis-à-vis the highest organs of the administration. However, there were no indications that the constitutional legislator, with this new provision, also intended to subject the financial audit by the Court of Audit, which is regulated in the fifth main section of the Federal Constitution, to the supervisory power of the Data Protection Commission. The Constitutional Court attributed the fact that this distinction was not expressed in the wording of Section 36 (1) of the Data Protection Act, in contrast to the jurisdiction, to the "answering character" of the provision. 
If the data protection authority now refers to the constitutional provision of [current] Article 35(2) of the Data Protection Act, which confers on it the competence to exercise its powers also vis-à-vis the supreme executive bodies referred to in Article 19 of the Federal Constitution as well as vis-à-vis the supreme executive bodies pursuant to Articles 30(3)-(6), 125, 134(8) and 148h(1) and (2) of the Federal Constitution in the area of administrative matters to which they are entitled, which, according to the ErlRV (1613 BlgNR 20. GP 51) and the ErlAB (99 BlgNR 26.GP) as a corresponding "answer" to the decision of the Constitutional Court on - as far as relevant here - VfSlg. 13.626/1993, it must be countered that this circumstance, as well as the statements of the Constitutional Court in VfSlg 15.130/1998, in the light of the legal bases of the GDPR and the current DSG, which are newly applicable today, are not able to support the rejection of a supervisory power of the data protection authority for data protection procedures in the course of legislation.
The reverse conclusion drawn by the data protection authority from the constitutional provision of Section 35 (2) of the FADP, that because investigative committees are not mentioned in this provision, a corresponding competence of the authority does not exist, is ultimately not convincing in view of the primacy of application of Union law.
On the exception of Art. 55(3) GDPR: The special rule of Art. 55(3) of the GDPR is obviously an exception that is limited to the area of judicial activity of the courts and is not amenable to generalisation, so that an unrestricted competence of the data protection supervisory authorities must be assumed for all other institutions that are endowed with independence, e.g. also national central banks or national audit offices (cf. Selmayr in Ehmann/Selmayr, Datenschutz-Grundverordnung2, K15 on Art 55). Subsequently, their competence must also be affirmed with regard to parliamentary committees of enquiry. 
Finally, this is also indicated by Recital 128 of the GDPR, according to which the provisions on the lead authority and the consistency mechanism should not apply if the processing is carried out by public authorities or private bodies in the public interest. In these cases, the supervisory authority of the Member State where the public authority or private body is established should be competent to exercise the powers conferred on it by the Regulation. 
The lack of an explicit supervisory power of the data protection authority in simple law
The fact that there is no explicit provision according to which the data protection authority was made responsible for the examination of processing operations under data protection law in the context of committees of enquiry may also be due to the fact that, according to the ErlAB (99 BlgNR 26.GP), the establishment of a supervisory authority within the meaning of the GDPR did not seem necessary for the area of legislation, since - according to the considerations stated there - neither the GDPR nor the DPA would apply to this area (cf. AB 98 BlgNR 26. GP 5) (cf. Kunnert in Bresich/Dopplinger/Dörnhöfer/Kunnert/Riedl, DSG § 4, K 8 (as of 12.6.2018, rdb.at)). The fact that these considerations cannot be followed has already been shown above under 3.1: neither the GDPR nor the DPA contain any indication that the applicability of the substantive legal bases to transactions relevant to data protection law should be excluded in the context of the legislation. Finally, it can be added that the European legal situation does not differ in this respect from that prior to the enactment of the GDPR, on the basis of which the competence of the data protection authority to control acts that are to be attributed to the state function of legislation was already affirmed in doctrine for reasons of Union law (cf. Ennöckl, Der Schutz der Privatsphäre in der elektronischen Datenverarbeitung, 2014, 557 mwN). 
Summary
Thus, the sole argument of the separation of state powers in Austrian constitutional law is countered by the fact that neither the GDPR nor the DPA provides for an exception to the competence of the data protection authority to control the conformity of the processing of personal data with data protection law in the area of legislation, as it is, however, expressly provided for in the normative text for the courts in the context of their judicial activities. The data protection authority neither refers to a comparable prohibition regulation in the contested decision, nor was the discerning senate able to identify such a regulation. Insofar as the commentary refers to the case law of the Constitutional Court, such as VfSlg. 15.130/1998, it emphasises the "response character" of [former] § 36 para. 1 of the Data Protection Act, from which only a limited transferability of the statements made therein to a situation on the basis of a new legal basis under simple law and Union law is recognisable. Finally, it should not be forgotten that the GDPR in its Art. 77 intended to provide for effective legal protection in the scope of application of the regulation, which should enable every data subject to defend themselves against violations of their rights granted in the regulation. 
The facts complained of in this case, namely the publication of the full name of the complainant, who was summoned as a witness as an undercover investigator in a committee of enquiry, are prima facie likely to raise problems under data protection law (cf. on the concept of personal data and processing, Art. 4(1) and (2) of the GDPR and Art. 4(1) of the DPA, as well as on the processing principles, Art. 5(1)(c) and (e) of the GDPR and on the right to confidentiality, Art. 1 of the DPA), which in principle opens up the areas of application of the GDPR and the DPA. 
As a result, the data protection authority's assessment of a lack of jurisdiction in the pending appeal proceedings could not be upheld, and the contested decision rejecting the appeal must therefore be overturned. Regarding the legal consequences of the reversal, the parties are referred to section 28 (5) VwGVG. 
4 As only legal questions were to be clarified in the proceedings, the holding of an oral hearing - which was not requested - could be waived pursuant to section 24(4) VwGVG (VwGH, 19.09.2017, Ra 2017/01/0276).
Re B) Admissibility of the appeal:
Pursuant to § 25a para 1 VwGG, the administrative court shall state in the ruling of its decision or order whether the appeal is admissible pursuant to Art. 133 para 4 B-VG. The decision shall be briefly substantiated.
The appeal is admissible pursuant to Art. 133 (4) B-VG because there is a lack of case law of the Administrative Court on the question of the applicability of the GDPR and the DPA to facts within the framework of legislation and the supervisory power of the data protection authority regarding legislative action ie or other activities functionally attributable to legislation. 
European Case Law Identifier
ECLI:AT:BVWG:2020:W211.2227144.1.00