BVwG - W211 2227660-1

From GDPRhub
Revision as of 13:22, 15 September 2021 by FD (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
BVwG - W211 2227660-1
Courts logo1.png
Court: BVwG (Austria)
Jurisdiction: Austria
Relevant Law: Article 4(1) GDPR
Article 4(2) GDPR
Article 5 GDPR
Article 6 GDPR
§1 of the national data protection law (DSG)
Decided: 21.10.2020
Published: 28.12.2020
Parties: A tenant (defendant)
Austrian Data Protection Authority (co-defendant)
A property management organization (plaintiff)
National Case Number/Name: W211 2227660-1
European Case Law Identifier: ECLI:AT:BVWG:2020:W211.2227660.1.00
Appeal from: DSB (Austria)
Unknown
Appeal to: Not appealed
Original Language(s): German
Original Source: Rechtsinformationssystem des Bundes (RIS) (in German)
Initial Contributor: Maïlys Lemaître

The Federal Administrative Court of Austria held that the disclosure of professional contact details of a tenant to a landlord constitutes a violation of the tenant’s right to confidentiality.

English Summary

Facts

The defendant had lodged a complaint with the DPA, claiming that the plaintiff, a property management organization, had disclosed their data to a third party without consent or any other legal basis.

Originally, the defendant had sent an email from his professional mailbox to the plaintiff about a piece of furniture placed in a common area of a property managed by them. Following this, the plaintiff got in touch with the landlord of the property on the matter, who in turn asked if he could get the contact details of the defendant in order to discuss the matter directly with him. For this purpose, the plaintiff forwarded the email message of the defendant - including his professional email address - to the landlord.

The defendant argued in its complaint before the DPA, that he had not been consulted prior to the data disclosure to the landlord and that he had been violated in his right to confidentiality, especially with regard to his professional contact details. The DPA granted the defendant’s complaint and found that the personal data, which was indicative of the defendant’s professional activity, should not have been disclosed by the plaintiff to a third party.

The plaintiff appealed this decision arguing that, by forwarding the email and all data of the defendant it contained, they were only fulfilling their legal obligation pursuant to the national housing property law to disclose the contact details of a tenant at the request of a landlord.

Dispute

Does the disclosure of the professional email address of a tenant to a landlord constitute a violation of the tenant’s confidentiality?

Holding

The Federal Administrative Court of Austria confirmed the Data Protection Authority’s decision by reminding the plaintiff that they could have had established contact between the parties involved in other ways, e.g. by referring to the postal address of the tenant, and that the disclosure of the professional email address could not be reconciled with the principle of data minimisation. The disclosure did therefore constitute a violation of the tenant’s right to confidentiality, which is why the appeal of the plaintiff was dismissed.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

W211 2227660-1/9E

In the name of the republic!

The Federal Administrative Court, by Judge Barbara SIMMA LL.M. as chairperson and the expert lay judge Margareta MAYER-HAINZ and the expert lay judge Dr. Ulrich E. ZELLENBERG as associate judge, rules on the appeal of XXXX , represented by Dr. XXXX , against the decision of the data protection authority of XXXX , Zl. XXXX in closed session:

A)

The complaint is dismissed as unfounded.

B)

The appeal is admissible pursuant to Art. 133 para. 4 B-VG.

Reasons for decision:

I. Course of proceedings:

1. on XXXX .2019, the now co-participating party lodged a data protection complaint with the data protection authority against the now complainant - a property management company - complaining that an enclosed email (from a professional email address) with the data contained therein had been forwarded to third parties without the complainant having consulted it.

After being asked to comment, an employee of the complainant stated in a letter of XXXX.2019 that the involved party had contacted him about a piece of furniture placed on the common areas of a property, after which he had called the tenant of the property regarding this piece of furniture, who in turn had asked to contact the involved party in order to discuss the matter directly with him. Since, in his experience, personal contact was usually most useful in such a case, he had forwarded the email message of the involved party - including the professional email address - to the tenant. By email message dated XXXX .2019, the employee had also apologised to the co-operating party in case he had committed a data protection breach. 3.

The co-operating party then stated in a statement dated XXXX .2019 that the reason for the complaint was that the complainant had passed on the co-operating party's professional data to a tenant without asking. The involved party was the owner of a flat in the property, was known there, appeared in the land register, her name was stored in the intercom system and could therefore be easily contacted by owners and tenants. A message could also have been left in the post box. There was therefore no reason for the complainant to pass on the professional data. 4.

In the contested decision of the data protection authority, the complaint of the involved party was upheld and it was found that the now complainant had violated the involved party's right to confidentiality by forwarding the involved party's email of XXXX.2019 to a tenant or flat owner of a property named in more detail, thereby disclosing personal data of the involved party that could be inferred from her professional activity.

It was explained that the only issue to be examined in the proceedings was whether the forwarding of the data of the involved party, which indicated his professional activity, would constitute a violation of the right to confidentiality. The professional email address would be a personal data pursuant to Art. 4(1) of the previous search termDSG; the same applied to an addition next to the name of the involved party, as this would define a group affiliation in more detail and, in connection with the email address or the name, would make it possible to draw conclusions about it. The sending of the email was to be qualified as processing within the meaning of Art. 4(2) of the previous search term data protection act. In principle, there was a legitimate interest in keeping this personal data confidential. There were no overriding legitimate interests in restricting the right to confidentiality; the only justification for forwarding the data was that an unbureaucratic and uncomplicated solution should have been found. In any case, the disclosure of data that would indicate the professional activity of the involved party did not appear to be justified. Moreover, this would not satisfy the principle of data minimisation according to Art. 5 (1) lit c Previous search termDSG Next search term. 

In her complaint of XXXX.2019, the complainant stated that the prescribed balancing of interests had remained deficient. As the property manager in charge of managing the property, she had fulfilled her basic obligation under section 20(1) of the Condominium Act by forwarding the address for service provided by the co-owner, namely the email address, to another condominium owner upon request. Other provisions only applied in the case of explicit instructions to the contrary by individual condominium owners. Such an instruction had only been issued by the co-owner on XXXX.2019. As early as 2015, at the request of one co-owner, the complainant had asked the other co-owners whether they objected to the disclosure of contact details and delivery addresses, which the co-owner had not done. In the course of the introduction of the previous search termDSGVNext search term, an information letter on the use of personal data had been sent; in this context, too, there had been no prohibition of the disclosure of the data and delivery addresses held by the complainant. By forwarding the email of XXXX.2019, the complainant had therefore complied with its obligation to disclose the delivery addresses at the request of another condominium owner. Until the prohibition of the forwarding of the professional email address, which had been announced as the address for service, on XXXX.2019, the complainant had therefore not only been entitled, but even obliged, to forward the address for service upon request of a co-owner, which, according to prevailing case law, also included the email address. In doing so, the complainant had only fulfilled her administrator obligations. It was therefore requested that the contested decision be amended to the effect that the complaint and the application of the co-participating party for a declaration of a violation of the right to secrecy be rejected. 6.

By letter of XXXX .2020, the data protection authority submitted the complaint and the administrative act to the Federal Administrative Court. 7.

7 In its statement of XXXX.2020, the complainant stated, to the extent that it was material, that it always noted email addresses in its system when a condominium owner contacted it by email, whereby the involved party had already contacted the complainant in 2015 with its professional email address. She had only prohibited the use of her professional email in an email dated XXXX 2019; now only her private email address appeared in the complainant's system.

The other party replied by email of XXXX 2020 that it only wanted to state that it was not concerned that the complainant used the professional email address in its communication with the complainant, which did not bother it. She was only concerned that the property management company was simply passing on her e-mail address to third parties without consulting her.

II. the Federal Administrative Court considered:

1. findings:

1.1 The complainant operates a property management company which has been entrusted with the management of the XXXX property.

The co-applicant is a co-owner of this property and also lives at this address.

1.2 The involved party contacted the complainant by email of XXXX .2019 and requested information about a piece of furniture that was parked on the common area. By email dated XXXX 2019, the complainant forwarded this email to the affected tenant of a medical practice, who is also the owner of a flat in the property. That tenant had previously requested the contact details of the involved party in order to have a direct conversation with him about the piece of furniture.

The email message of the involved party shows her professional email address as "XXXX". 

1.3 It is further established that since the email correspondence of XXXX.2015, the involved party had already been corresponding with the complainant via the (professional) email address ending in ...@ XXXX. Thus, this email address of the involved party ending in ...@ XXXX was also used by the complainant as a contact address and thus as an address for service.

The complainant contacted the condominium owners of the property once in a letter dated XXXX.2015 and asked whether there were any objections to disclosing the delivery addresses of the co-owners to a condominium owner or her partner at their request. With an enclosed form, this disclosure could be expressly objected to. The co-owner did not object to the disclosure of her address for service to those interested parties.

In an undated letter in connection with the entry into force of the Previous Search Term Data Protection Act, i.e. 2018, the complainant informed the owners about the data processing carried out by it. This information stated, among other things, that possible categories of recipients included "other co-owners of the property (accounting, decision-making)", insofar as there was no legally permissible restriction on enabling the disclosure. This letter could be returned with the note that they had been sufficiently informed and that they expressly agreed to the use of the personal data. A prohibition of the use of the personal data of the involved party was not carried out by the latter in the wake of this letter from the complainant.

Finally, by email of XXXX .2019, the co-operating party prohibited the complainant, inter alia, from disclosing the data in all cases that are not mandatory by law. It further demanded that the professional email be deleted.

2. assessment of evidence:

The findings result from the file in connection with the submissions of the parties and are undisputed.

In particular with regard to the findings on 1.3, reference is made to the statement of the complainant of XXXX.2020 including the enclosures, against which the statement of the co-participating party of XXXX.2020 is not directed.

3 Legal assessment:

Re A)

1. legal basis under data protection law:

§ Section 1 of the Federal Act on the Protection of Individuals with regard to the Processing of Personal Data (Data Protection Act - DSG) reads (in excerpts):

(constitutional provision)

Basic right to data protection

§ (1) Everyone has the right to confidentiality of personal data concerning him, in particular with regard to respect for his private and family life, insofar as there is an interest worthy of protection. The existence of such an interest shall be excluded if data is not accessible to a claim to secrecy due to its general availability or due to its lack of traceability to the person concerned.

(2) Unless the use of personal data is in the vital interest of the data subject or with his or her consent, restrictions to the right to secrecy shall only be permissible to protect overriding legitimate interests of another, and in the case of interference by a state authority only on the basis of laws which are necessary for the reasons set out in Article 8(2) of the European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR), Federal Law Gazette No 210/1958. Such laws may only provide for the use of data which, by their nature, are particularly worthy of protection, in order to safeguard important public interests, and must at the same time lay down appropriate safeguards for the protection of the confidentiality interests of the data subjects. Even in the case of permissible restrictions, the encroachment on the fundamental right may only be carried out in the most lenient manner that leads to the objective.

[…]

The relevant provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data, on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation - Previous search termDSGVNext search term), are:

Article 5 Principles for the processing of personal data

1. Personal data must be

(a) be processed lawfully, fairly and in a manner comprehensible to the data subject ("lawfulness, fairness, transparency")

(b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes; further processing for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes shall not be considered incompatible with the original purposes in accordance with Article 89(1) ('purpose limitation');

(c) adequate and relevant to the purpose and limited to what is necessary for the purposes of the processing ('data minimisation');

(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data which are inaccurate in relation to the purposes of their processing are erased or rectified without undue delay ('accuracy');

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data are processed; personal data may be kept for longer periods if the personal data are processed solely for archiving purposes in the public interest or for scientific and historical research purposes, or for statistical purposes as referred to in Article 89(1), subject to the implementation of appropriate technical and organisational measures required by this Regulation to protect the rights and freedoms of the data subject ('storage limitation');

(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage by appropriate technical and organisational measures ('integrity and confidentiality');

(2) The controller shall be responsible for compliance with paragraph 1 and shall be able to demonstrate such compliance ("accountability").

Article 6 Lawfulness of processing

1. Processing shall be lawful only if at least one of the following conditions is met:

(a) - (e) [...]

(f) processing is necessary for the purposes of the legitimate interests of the controller or of a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child. Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.

(2) - (4) […]

2. application of the legal bases to the present complaint:

2.1 Arguments of the parties

The present proceedings were based on a complaint by the co-participant that her right to confidentiality had been violated by the complainant because the latter had forwarded a message containing her professional e-mail address to a third party without asking her.

The complainant initially justified this forwarding by stating that she wanted to find a solution to the problem of the furniture placed in the common area between the co-owners in the most uncomplicated way possible by facilitating a direct conversation.

The data protection authority found that the co-owner's right to confidentiality had been violated on the grounds that the co-owner had a legitimate interest in the confidentiality of the personal data relating to his or her professional activity, whereas the complainant had not asserted any overriding legitimate interests in the disclosure, and thus in the processing. The disclosure of data revealing the professional activity was "in any event" not justified; it appeared questionable why this disclosure had been necessary at all. Moreover, it would not satisfy the principle of data minimisation.

In her complaint, the complainant pointed out that under section 20 of the Condominium Act, she was obliged to disclose addresses for service known to her at the request of other condominium owners, provided that there was no prohibition in this regard, which had not existed in the case of the co-owner at the relevant time. 

2.2.

2.2.1 Email address; delivery by the property manager

It should be noted at the outset that the involved party had been using its professional email address ending in ...@ XXXX in its correspondence with the complainant at least since 2015. She did not object to the forwarding of the (so-called) delivery address to an interested owner in 2015 and did not respond accordingly to an information letter from the complainant in 2018 regarding the use of data in the context of the Previous search termDSGVNext search term. Only after the incident subject of the complaint, namely on XXXX .2019, did the co-operating party contact the complainant, prohibit the disclosure of the data beyond the scope required by law and demand the deletion of her professional email address, among others. Finally, the co-operating party also stated in its statement of XXXX 2020 that it was not bothered by the fact that the complainant herself would communicate with it via the professional email address.

It is therefore comprehensible for the discerning senate that the complainant assumed that the incriminated email address of the co-party was an address for service.

Furthermore, § 24 para. 5 WEG contains an obligation to send resolutions of the community of owners (in addition to the posting), whereby the sending to a condominium owner has to take place at the address of the condominium object or at another domestic address for service made known by him/her. Upon request, electronic transmission may also be provided for.

This regulation is also applied to other notices than resolutions of the community of owners, such as forecasts, convocations of the general meeting of owners, transmission of minutes of the meeting, whereby delivery can be made to any address which, according to general life experience, can be expected to receive the mailing, which applies to a residential address according to the ZMR or a fax number previously announced as a possibility of delivery (cf. Würth/Zingher/Kovanyi, Miet- und Wohnrecht II23 § 24 WEG, K27 (as of 1.6.2015, rdb.at)). In the case of sending, no process according to the ZustellG is required, sending is sufficient and no receipt is required. These views take into account practical difficulties with individual notifications of condominium owners, especially in large complexes (cf. ibid. K 29). In the case of a form-free request, managers are finally obliged to deliver electronically - by email (cf. ibid. K 30).

2.2.2 Obligation of the property manager to pass on addresses for service made known to him:

It is true that it is one of the complainant's obligations under § 20 (1) of the Condominium Act (WEG) to provide flat owners, upon request, with the addresses for service of which it has been informed, whereby this obligation finds its limit where a property management gets into a conflict of interest due to conflicting instructions from co-owners. This obligation of the property management is justified by the fact that it has to support co-owners in exercising their individual rights to convene a meeting or to initiate any other necessary decision-making procedure within the community of owners (cf. OGH, 26.08.2008, 5 Ob 175/08h).

The fact that the facts of the case at hand - the use of common areas by a tenant who is also a co-owner of the property - are suitable in the light of § 17 WEG to require the formation of a will of the co-owners cannot be excluded from the outset.

Thus, the assumption of the complainant that in principle, but also in this case, she can be under a legal obligation to support co-owners by disclosing the addresses for service of other co-owners in order to enable the necessary formation of wills, can be accepted, unless this has been expressly objected to. 

2.2.3 Classification under data protection law

Even if, as shown above under 2.2.2, within the scope of application of § 1 of the Data Protection Act (fundamental right to data protection, right to secrecy) a legitimate interest of the complainant to be able to fulfil her legal obligations vis-à-vis the interests of all co-owners of the property can be identified, it must be taken into account in a weighing of such an interest of the complainant with the interests of the co-participating party to keep secret those personal data which indicate her professional activity, that the co-participating party lives in the administered property and can also be reached there. The complainant is therefore also in a position - without major effort - to fulfil her obligation under § 20 WEG by disclosing, for example, the name and postal address of the co-participating party to a requesting co-owner, thus enabling the contact to be made.

Finally, in the scope of application of the Previous Search Term Data Protection Act, Article 5(1)(c) thereof provides for the processing principle of data minimisation, according to which personal data must be adequate and relevant to the purpose and limited to what is necessary for the purpose of the processing. According to this principle, personal data may only be processed if the purpose of the processing cannot reasonably be achieved by other means (cf. Heberlein in Ehmann/Selmayr, DS-GVO2, K22 on Art 5).

While the co-party makes it clear that it is not bothered by the basic processing of its professional email address by the complainant, in its complaint it objects to the forwarding of this address to third parties, which is tantamount to processing of personal data under Art. 4 Z 1 and 2 Previous search termDSGVNext search term. Since the complainant would have had, and still has, the possibility to establish contact between the parties involved, e.g. by referring to the postal address of the involved party on the property as a lesser means, the forwarding of the professional email address cannot be reconciled with the principle of data minimisation.

Therefore, the authority concerned rightly found a violation of the right to confidentiality of the co-participating party, which is why the complaint has to be dismissed. 3.

3) Since only legal issues were to be clarified in the proceedings, the holding of an oral hearing - which had not been requested - could be waived pursuant to section 24(4) VwGVG (VwGH, 19.09.2017, Ra 2017/01/0276).

Re B) Admissibility of the appeal:

Pursuant to section 25a (1) VwGG, the administrative court shall state in the ruling of its decision or order whether the appeal is admissible pursuant to Art. 133 (4) B-VG. The decision shall be briefly substantiated.

The appeal is admissible because legal questions had to be solved that are of fundamental importance in the sense of Art. 133 para. 4 B-VG and for which there is no case law of the highest courts, such as the principle of data minimisation according to the Regulation on the Protection of Personal Data.

Therefore, the decision had to be made in accordance with the ruling.