BVwG - W211 2231475-1

From GDPRhub
BVwG - W211 2231475-1
Courts logo1.png
Court: BVwG (Austria)
Jurisdiction: Austria
Relevant Law: Article 4(2) GDPR
Article 6(1)(c) GDPR
Article 28 GDPR
§ 13(8) AVG
§ 25(1) VStG
Decided: 20.10.2021
Published: 14.01.2022
Parties: anonymous
DSB (Austria)
National Case Number/Name: W211 2231475-1
European Case Law Identifier: ECLI:AT:BVWG:2021:W211.2231475.1.00
Appeal from:
Appeal to:
Original Language(s): German
Original Source: Rechtsinformationssystem des Bundes (RIS) (in German)
Initial Contributor: Heiko Hanusch

The Federal Administrative Court held that the transmission of personal data from the controller to the processor does not need to be justified under Article 6 GDPR because the processor is to be seen as a mere extension of the controller.

English Summary

Facts

The data subject called the helpline of the Österreichsiche Post AG (Austrian Postal PLC). He gave his phone number to the employee with the request for a callback, thereby stating that he did not want the phone number be given to a third party. Afterwards the data subject was called twice by a market research institute – the processor. The controller and the processor had concluded a processing-contract under Article 28 GDPR.

The data subject filed a complaint with the DSB (Austria) arguing that the transmission of his data (name and phone number) to the processor was illegitimate since he had already denied consent to any form of data sharing with a third party. During these proceedings the data subject amended their submission by also tackling the use of cookies by the controller. The DSB dismissed the complaint.

Holding

The Federal Administrative Court (Bundesverwatungsgericht – BVwG) upheld the decision of the DSB.

The court determined that the processor is to be seen as a dependent extension of the controller (“verlängerter Arm”) (cmp. Article 29 GDPR). If the processing of data is in accordance with Article 6 GDPR, the controller is free to deploy a processor. As a result, the transmission of data from the controller to the processor itself does not need to be justified under Article 6 GDPR.

In the case at hand, the court came to the conclusion that the processing of data by the controller - and therefore also the transmission to the processor - is justified under Article 6(1)(c) GDPR. The controller in this case - the Österreichsiche Post AG - is obliged under national law (§§ 6(8), 32(3) PMG) to provide for a complaint management system to improve their services. According to § 6(8) PMG a postal service must further develop its service in accordance with the needs of users and to contribute to securing the provision of postal services and to the further development of them by means of appropriate measures and proposals. Pursuant to § 32(3) PMG postal service providers must have a complaints management system in place so that users can raise disputes or complaints.

Besides, the court decided the amendment of the data subject’s complaint was inadmissible pursuant to § 13(8) AVG and a data subject has no subjective right to the initiation of administrative fine proceedings under the GDPR and according to § 25(1) VStG.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

Saying


W211 2231475-1/9E

IN THE NAME OF THE REPUBLIC!

The Federal Administrative Court, by Judge Barbara SIMMA LL.M. as chairperson and the expert lay judge Margareta MAYER-HAINZ and the expert lay judge Dr. Ulrich E. ZELLENBERG as associate judge, rules on the complaint of XXXX against the decision of the data protection authority of XXXX, Zl. XXXX in closed session:

A)

The complaint is dismissed as unfounded.

B)

The appeal is admissible pursuant to Art. 133 para. 4 B-VG.


Text


Reasons for decision:

I. Course of proceedings:

By data protection complaint of XXXX .2018 (received by the data protection authority on XXXX .2018), the complainant alleged a violation of the right to confidentiality pursuant to section 1 and sections 8 as well as 62 para. 1 line 1 of the Data Protection Act (DSG) by Österreichische Post AG (the co-participating party).

The complainant summarised that although the co-participating party appeared in the form of a "company", it was de facto a state-owned enterprise. On XXXX 2018, the postal customs office received a letter containing goods ordered by the complainant. Due to irregularities in connection with the consignment, the complainant contacted the "hotline" of the involved party on XXXX 2018. He had left his mobile phone number there with the request to call him back, whereby he had expressly requested the involved party not to pass this number on to third parties under any circumstances. This had been expressly assured to him. He was then called back by the other party and was able to resolve the consignment.

On XXXX.2018, he had been called by XXXX. When the complainant specifically asked where the XXXX had obtained his telephone number and name, he was informed by the caller that she had obtained them from the co-operating party for survey purposes. On the same day, he had been contacted by another number, with the caller apparently suppressing the caller ID. After hearing "Do you want to participate in a survey", he immediately hung up.

At no time had he given his consent to the disclosure of his name and telephone number, but had expressly requested that his contact details not be disclosed. There was also no public interest. As he had not been aware of the disclosure of his data, it had not been possible for him to object. The complainant's right under Article 1(1) of the Data Protection Act had therefore been violated. Section 61(1)(2) of the FADP was also applicable in any case.

In its statement of XXXX.2018, the involved party stated in response to this data protection complaint that XXXX was a processor within the meaning of Article 28 of the GDPR. It was therefore not necessary to obtain consent for the data transfer in question. The customer satisfaction survey was not carried out by employees of the involved party, but by an external company. This ensured that the involved party did not receive any personal results of the survey. The data transfer had been carried out in compliance with all provisions of data protection law, in particular Art. 28 ff DSGVO. However, the complaint had been taken as an opportunity to block the complainant from future customer satisfaction surveys.

By letter of XXXX .2018, the data protection authority again invited the involved party to comment. In particular, it was pointed out to the involved party that the mere fact that the company in question was allegedly a processor did not say anything about the lawfulness of the processing.

In its statement of XXXX .2019, the intervening party argued that it was a postal service provider within the meaning of the Postal Market Act (PMG) and also a universal service provider pursuant to Section 12 PMG. In accordance with the obligations assigned to it, it had to establish a complaints management system, publish information on the quality of its services at least once a year (section 32 PMG), present the number of complaints to the regulatory authority (section 6(7) PMG) and further develop the universal service in line with the needs of users and contribute to the further development of the universal service by means of appropriate measures and proposals to ensure the provision of postal services (section 6(8) PMG). In order to adequately fulfil this obligation, the party involved had set up the postal customer service, which had also been used by the complainant.

In order to further develop and publish the quality in accordance with the legal obligation, the survey of users was the most suitable and recognised method. The survey itself was carried out by XXXX as a processor acting within the framework of the agreement according to Article 28 of the GDPR. The purposes and means were specified by the involved party, which meant that XXXX could not be qualified as a third party within the meaning of Article 4(10) of the GDPR. In terms of data minimisation, the third party only receives the telephone number and the name of the person to be interviewed in order to enable a proper approach. The persons to be interviewed would only be contacted once per occasion, and the interview could also be refused at any time. If at all, one could only speak of a barely noticeable impairment.

When customers contacted the postal customer service, they were expressly informed of the information on data protection on the website of the party involved in accordance with Article 13 of the GDPR in the form of a recorded message. This information clearly stated that corresponding surveys could be carried out. Under point 3.2 of the website, market research institutes were listed as possible external service providers. If people contacted the post customer service, it was therefore ensured that they would receive the information pursuant to Article 13 of the GDPR.

There is a certain period of time between contacting the post customer service and being contacted by the XXXX, within which objections can be made. Participation in the survey is therefore voluntary and can be refused at any time. The complainant had only lodged an objection when contacted by XXXX, which was why no survey had taken place.

The establishment of the customer service was based on a legal obligation. A survey had to be carried out to explain the complaints or to check the service. The survey was the most suitable and recognised or only method. The lawfulness of the data processing was therefore based on Article 6(1)(c) of the GDPR.

In addition, the party involved was also acting in the public interest, as it had been entrusted with the basic postal service, including the associated obligation to review/publish/improve quality. Therefore, Article 6(1)(e) of the GDPR was also relevant. In addition, Article 6(1)(f) of the GDPR could also be used as a legal basis. The involved party does not act as an authority in the sense of the ground for exclusion. The interest in the quality review/publication obligation/improvement obligation resulted from the legal requirements of the PMG and was therefore lawful. In this respect, there is a benefit for the party involved as the responsible party, as it can continuously improve its service quality in accordance with the legal requirements, as well as a benefit for the general public, as it receives a better basic service. An interest is considered legitimate, for example, if it is pursued for the purposes of direct advertising or advertising per se or for the processing of market research.

Likewise, the fundamental right of freedom to conduct a business (Art. 16 of the CFR) gives rise to the legitimate interest of the party involved to learn from its customers their assessment of the complaint management in order to subsequently better meet their needs and wishes. Even in the absence of a legal obligation, the processing of personal data in question was therefore lawful. A survey could only be carried out with the contact data used, which meant that the processing was also necessary. The interest of the involved party and the interest of the general public in the data processing outweighed the complainant's interest. Moreover, the contact details were not particularly sensitive data.

A copy of the agreement on commissioned processing pursuant to Article 28 of the GDPR was attached to the submission.

In his letter of XXXX 2019, the complainant made the following comments on the observations of the co-operating party: First of all, he wanted to add that there had been a "blatant" misuse of data by the co-operating party. The co-operating party used inadmissible cookies and "spyware" on its website, as, in particular, an immediate objection was not possible. This was added as a further grievance to the present complaint.

Regarding the statement of the co-participating party, it could be stated that neither § 32 (6) PMG nor § 6 (7) and (8) PMG contained a justification for the transfer of data to third parties. The argument of increasing efficiency would also not justify the transfer of data to third parties. In the course of his request, he had not been provided with any information within the meaning of Article 13 of the GDPR. Whether participation in the survey was voluntary was irrelevant, as the subject of the complaint was the disclosure of data to third parties. At no time had he given his consent, and in particular a call to the "hotline" could not be regarded as such. The market research company was not subject to the supervision of the co-participating party. Moreover, the contract concluded between XXXX and the co-participating party was not applicable in this case, as the co-participating party had explicitly objected to the transfer of data. It would also have to be clarified whether the contract was not per se immoral and unlawful.

In the contested decision of XXXX, the data protection authority rejected the data protection complaint regarding the unlawful setting of cookies (decision point 1). Furthermore, it dismissed the complaint as unfounded (decision point 2.). The complainant's request for the imposition of a fine was rejected (decision point 3).

The data protection authority essentially stated that the complainant's letter of XXXX.2019, based on the complaint of XXXX 2018 initiating the proceedings concerning the unlawful setting of cookies, constituted a substantial amendment of the application within the meaning of section 13(8) AVG, which is why the submission had to be rejected in this respect. However, it had been taken as an opportunity to initiate separate appeal proceedings.

In the present case, the "disclosure" of the complainant's personal data by the involved party to the market research institute had taken place. The subsequent customer satisfaction enquiry by this company had been about the complainant's complaint and had thus been carried out exclusively in the interest of and on behalf of the co-operating party. The pursuit of the market research company's own purposes had not been intended at any time, which meant that the market research company's independent responsibility had to be denied. The "transfer" in question was therefore data processing attributable to the co-participating party.

The complainant's data had not been transferred or disclosed to "third parties", but had been processed by the market research company on behalf of the involved party in accordance with Article 28 of the GDPR. There was no right for data controllers not to use processors. On the basis of the provisions of the PMG, the co-operating party is obliged to set up a complaints management system and to improve the quality of the services offered in the course of the universal service, i.e. postal delivery, by taking appropriate measures, and thus to take certain measures. Even if these provisions do not order the co-operating party to take any specific measures or to process any specific data, it cannot be assumed that the legislator intended to deprive the co-operating party of the possibility to process data, because otherwise the provision would be meaningless.

The handling of a complaint by a client and a customer as well as the quality assurance measures to be carried out were inconceivable without a name and contact address if the data required for this were not allowed to be processed. In the case of name and contact possibility, there was no doubt that the data processing was also necessary to the given minimal extent.

Finally, it was stated that a subjective right to initiate administrative penal proceedings against specific data controllers could not be derived from Art. 77(1) DPA or Art. 24(1) and (5) DPA, and that the principle of official channels pursuant to Art. 25(1) VStG applied. Therefore, administrative criminal proceedings could only be initiated by a data subject; there was no right to initiation.

In his complaint, which was filed in due time, the complainant stated, in so far as it is relevant here, that the data protection complaint concerned the transfer of data to third parties. It was completely irrelevant whether this disclosure was based on contracts under private law or other agreements.

The fundamental right to data protection was a constitutionally protected legal right that could not be overridden by contracts under private law. It was also irrelevant whether the data protection authority wanted to regard a third body as an "extended arm" or not. The complainant had only provided his (then) telephone number in response to a request by the hotline of the other party that it would otherwise not be possible to process the complaint, with the express instruction not to pass it on to third parties. The two companies that had ultimately received these telephone numbers and had contacted the complainant were market research companies whose business purpose was to collect customer requests for advertising purposes. It was not apparent in what way an advertising company could be useful for quality assurance. Sections 6 and 32 of the PMG also did not provide any indication that the co-operating party was thereby authorised to pass on customer data to third parties.

Article 28(2) of the GDPR stipulates that processors may not use other processors without the prior separate or general written consent of the controller. Thus, the transfer of the data to an advertising company had in any case taken place without a basis in data protection law. There was therefore a violation of data protection by the involved party, as it had passed on the complainant's data to a third party company without consent as defined in Article 7 of the GDPR and contrary to an explicit request by the complainant.

In the contested decision, the complaint regarding the inadmissible setting of cookies was also rejected. On the same date, however, the data protection authority had issued an order to remedy the deficiencies, setting a deadline without service, which could therefore not have been complied with, as the matter had been settled immediately. There had therefore already been a violation of the General Administrative Procedures Act insofar as the parties had not been granted a hearing. The use of cookies fell under both the term data processing and the term data transfer. It was therefore incorrect for the data protection authority to assume that the use of cookies by the party involved was not covered by the content of the complaint.

Moreover, the question of an administrative penalty was not pursued further in the contested decision, which again made clear the unwillingness of the data protection authority to deal with certain matters.

II. the Federal Administrative Court considered:

1. findings:

1.1 The complainant contacted the "hotline" of the involved party on XXXX .2018 due to delivery problems in connection with a postal item. There he left his mobile phone number with the request to call him back, whereby he expressly requested the co-participating party not to pass this number on to third parties under any circumstances.

On XXXX .2018, the complainant was called by XXXX. When the complainant specifically asked where the XXXX had obtained his telephone number and name, he was informed by the caller that she had obtained them from the co-operating party for survey purposes. On the same day, the complainant was contacted by another number for survey purposes and the caller had suppressed the caller ID. The complainant ended this call immediately after the other party asked if he wanted to participate in a survey.

1.2 The following contract was concluded between the co-operating party and XXXX on XXXX .2018 (reproduced in extracts):

"AGREEMENT ON A CONTRACT PROCESSING pursuant to Art. 28 of the GDPR.

concluded between

XXXX (hereinafter referred to as the "Controller")

and

XXXX

XXXX (hereinafter "Processor")

1. subject matter of the agreement

a) The scope of duties of the Processor includes the performance of surveys of all kinds and as required, but in particular the performance of the regularly ongoing survey of "Satisfaction with Postal Customer Service".

In the context of this agreement, "personal data" shall be understood to mean those personal data which the controller transfers to the processor in the context of the agreement described in more detail above or the processing of which is instructed to the processor in that agreement.

b) The categories of personal data processed and the categories of data subjects are as follows

persons in accordance with Appendix 1.

2. obligations of the processor

a) The Processor undertakes to process personal data and processing results exclusively within the framework of the written (e-mail sufficient) orders of the Controller. All data processing activities shall take place exclusively in a member state of the European Union.

b) The Processor is not authorised to disclose personal data of the Controller to third parties without the written consent of the Controller. As far as

the Processor is obliged to do so by law, the Processor shall not

the data controller without undue delay in advance.

c) The transfer of personal data to third parties, for which the processor is not legally obliged, requires a written (e-mail sufficient) order from the controller.

d) Personal data may only be processed for the processor's own purposes with the prior written consent of the controller.

e) The Processor undertakes to maintain data secrecy and declares in a legally binding manner that it has obliged all persons entrusted with the data processing to maintain confidentiality prior to commencement of the activity or that they are subject to an appropriate legal obligation of confidentiality. He/she has obliged all persons entrusted with data processing to keep confidential personal data entrusted or accessible to them exclusively on the basis of their professional employment, without prejudice to other statutory confidentiality obligations, insofar as there is no legally permissible reason for transfer/disclosure of the data. In particular, the confidentiality obligation of the persons entrusted with the data processing shall remain in force even after the termination of their employment or their departure from the Processor.

f) The Processor declares in a legally binding manner that it has taken all necessary measures to ensure the security of the Processing pursuant to Art. 32 GDPR. The Processor represents and warrants that it has taken and will continue to take the risk-appropriate technical and organisational measures described and selected in Appendix 2 to protect the Personal Data from accidental or unlawful destruction or loss and to ensure its proper processing and inaccessibility to unauthorised third parties. The Processor undertakes to maintain the technical and organisational measures in the above sense at the state of the art and to update or adapt them in accordance with technical progress or changes in the threat situation.

g) The Processor shall ensure that the Controller is able to fulfil the rights of the data subject pursuant to Chapter III of the GDPR (information, access, correction and deletion, data portability, objection and automated decision-making in individual cases) and taking into account the Austrian Federal Act on the Protection of Individuals with regard to Processing (DSG as amended) within the statutory time limits at any time, shall provide the Controller with all information necessary for this purpose and shall support the Controller in fulfilling the relevant obligations to the best of its ability. If a corresponding request asserting data subject rights is addressed to the processor and if it is evident from the content of the request that the applicant mistakenly believes the processor to be the controller of the processing activity carried out by the processor on behalf of the controller, the processor shall forward the request to the controller without undue delay and inform the applicant thereof, indicating the date of receipt of the request.

h) The Processor shall support the Controller in complying with the obligations set out in Articles 32 to 36 of the GDPR (data security measures, notifications of personal data breaches to the supervisory authority, notification of the person affected by a personal data breach, data protection impact assessment, prior consultation) to the best of its ability. In particular, the Processor undertakes to notify the Controller of any personal data breach without undue delay, but no later than 36 hours after becoming aware of it.

i) The Processor is advised that it must establish a processing directory in accordance with Article 30 (2) of the GDPR.

j)       The Processor undertakes to provide the Controller with the information necessary to monitor compliance with the obligations set out in this Agreement. In particular, the Processor undertakes to provide the Controller with appropriate written evidence of the implementation and effectiveness of the technical and organisational measures described in Annex 2 without undue delay upon the Controller's request. At the request of the controller, the declaration of data secrecy with regard to the person entrusted with the performance of the contract shall also be submitted to the controller in individual cases.

k) With regard to the processing of the personal data provided by the data controller, the data controller shall be granted the right to verify the correctness of the data processing at the data processor's premises by means of qualified employees who are bound to secrecy or by means of a person who is bound to professional secrecy (court-certified expert, etc.). This shall be done during normal office hours and in coordination with the Data Protection Officer of the Processor or another person responsible for data protection.
The data protection officer/person responsible for data protection at the Processor is:
Mr/Mrs

XXXXXXX

l ) The Processor shall be obliged to hand over to the Controller all processing results and documents containing personal data which are the subject matter of the contract after termination of the contract; this shall not affect the storage of the personal data and processing results handed over to the Processor to the extent and for as long as the Processor has to guarantee its performance.

After the expiry of the warranty period, the processor shall delete all personal data which are the subject of the contract or, at the request of the controller, store them securely before the deletion is carried out. This shall apply in particular insofar as the Processor is not obliged to continue to store personal data on the basis of mandatory statutory provisions.

statutory provisions.

Upon request of the controller, the processor shall confirm the deletion of the data in writing.

If the Processor processes the Personal Data in a special technical format, it shall be obliged to release the Personal Data after the termination of the contract either in that format or, at the request of the Controller, in the format in which it received the Personal Data from the Controller or in another commonly used format.

(m) The processor shall inform the controller without undue delay in the event that the processor

(m) The Processor shall inform the Controller without undue delay if the Processor considers that any instruction given by the Controller is in breach of EU or Member State data protection law.

3. sub-processors

a) The Processor shall not be entitled to use a sub-processor without the prior written consent of the Controller.

b) In the event of written consent, the Processor shall conclude the necessary agreements within the meaning of Article 28(4) of the GDPR with the sub-processor. In doing so, it shall be ensured that the sub-processor enters into the same obligations as those incumbent on the processor on the basis of this agreement. The Processor shall provide the Controller with documentary evidence of the transfer of the obligations under this Agreement at any time upon request.

c) If the sub-processor fails to comply with its data protection obligations, the processor shall be liable to the controller for compliance with the obligations of the sub-processor.

d) The Controller gives its consent to the use of the sub-processors named in Annex 3.

4 Duration of the Agreement

The duration of the agreement shall be governed by the contract referred to in point 1a).

x The agreement is concluded for an indefinite period and may be terminated in writing by either party with three months' notice to the end of the month. The possibility of termination without notice for good cause remains unaffected.

Insofar as a service provider agreement under data protection law already exists between the contracting parties with regard to the main service, which is described in more detail in the contract referred to in point 1a), it shall be replaced by the present agreement on commissioned data processing.

5 Other provisions

a) All disputes arising from and in connection with this Agreement shall be subject to the following

Austrian law, excluding the UN Convention on Contracts for the International Sale of Goods and conflict of laws provisions. For all disputes, the competent court for XXXX Vienna shall be agreed.

b) Only what is agreed in writing shall be binding; there shall be no oral collateral agreements. Amendments and supplements to the agreement must be made in writing in order to be valid; this also applies to any waiver of the formal requirement of writing.

c) All rights and obligations arising from this agreement shall pass to any legal successors of both contracting parties.

d) The parties agree to treat the conclusion of this agreement and its contents as confidential. This shall not apply insofar as a party is obliged to disclose this agreement or the contents thereof in accordance with the provisions of this agreement or due to a legal obligation. This shall apply insofar as the present agreement does not contain any provisions to the contrary and no statutory obligations to provide information exist.

e) The Processor undertakes (i) to ensure that its legal representatives, employees and subcontractors used and/or commissioned comply with all applicable statutory provisions in connection with anti-corruption regulations and (ii) to take appropriate measures to ensure compliance with anti-corruption regulations. A breach of anti-corruption regulations entitles the responsible party - without prejudice to other rights of rescission and termination - to terminate the agreement without notice and to assert any claims for damages.

f) Should individual provisions of this agreement be or become invalid or ineffective, the contracting parties shall mutually agree on a valid or effective provision that comes as close as possible to the invalid or ineffective provisions in economic terms.

The invalidity or ineffectiveness of individual provisions shall not affect the validity or effectiveness of the entire contract.

g) This contract shall be drawn up in two originals, one of which shall be given to each contracting party.

h) Annexes 1, 2 and 3 shall be deemed to be integral parts of the contract.

[...]"

In the annex to the present contract, "personal data" (e.g. first and last name) and "contact data" (e.g. telephone number) are mentioned as processed data categories. Employees and customers are named as data subjects. Furthermore, the order processing contract contains technical and organisational measures, including confidentiality and integrity.

1.3 In a letter to the data protection authority dated XXXX.2019, the complainant additionally argued that the involved party was also setting illegal cookies on its website and submitted a data protection complaint to this effect.

2. assessment of evidence:

The findings result from the file in connection with the submissions of the parties, in particular from the submitted contract between the co-participating party and XXXX dated XXXX .2018, and are not disputed.

Legal assessment:

Re A)

1. § 1 of the Federal Act on the Protection of Individuals with regard to the Processing of Personal Data (Data Protection Act - DSG) reads (in excerpts):

(constitutional provision)

Basic right to data protection

§ (1) Everyone has the right to confidentiality of personal data concerning him or her, in particular with regard to respect for his or her private and family life, to the extent that there is an interest worthy of protection. The existence of such an interest shall be excluded if data are not accessible to a claim to secrecy due to their general availability or due to their lack of traceability to the person concerned.

(2) Unless the use of personal data is in the vital interest of the data subject or with his or her consent, restrictions to the right to secrecy shall only be permissible to protect overriding legitimate interests of another, and in the case of interference by a state authority only on the basis of laws which are necessary for the reasons set out in Article 8(2) of the European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR), Federal Law Gazette No 210/1958. Such laws may only provide for the use of data which, by their nature, are particularly worthy of protection, in order to safeguard important public interests, and must at the same time lay down appropriate safeguards for the protection of the confidentiality interests of the data subjects. Even in the case of permissible restrictions, the encroachment on the fundamental right may only be carried out in the most lenient manner that leads to the objective.

[...]

The relevant provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27.04.2016 on the protection of individuals with regard to the processing of personal data, on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), read (in extracts):

Article 4 Definitions For the purposes of this Regulation, the term:

1. 'personal data' means any information relating to an identified or identifiable natural person (hereinafter 'data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

(2) 'processing' means any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, filing, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

3. - 6. [...]

(7) 'controller' means the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its designation may be provided for under Union or Member State law;

(8) 'processor' means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

9. [...]

(10) 'third party' means any natural or legal person, public authority, agency or other body other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or the processor, are authorised to process the personal data;

11. - 26. [...]

Article 6 Lawfulness of processing

(1. Processing shall be lawful only if at least one of the following conditions is met: [...]

(c) processing is necessary for compliance with a legal obligation to which the controller is subject; [...].

Member States may maintain or introduce more specific provisions to adapt the application of the rules of this Regulation in relation to processing to comply with points (c) and (e) of paragraph 1 by specifying more precisely specific requirements for processing as well as other measures to ensure lawful and fair processing, including for other specific processing situations referred to in Chapter IX.

3. The legal basis for the processing operations referred to in points (c) and (e) of paragraph 1 shall be determined by

(a) Union law; or

(b) the law of the Member States to which the controller is subject.

The purpose of the processing shall be specified in that legal basis or, as regards the processing referred to in point (e) of paragraph 1, shall be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. That legal basis may contain specific provisions adapting the application of the provisions of this Regulation, including provisions on the general conditions governing the lawfulness of processing by the controller, the types of data processed, the individuals concerned, the entities to which and the purposes for which the personal data may be disclosed, the purpose limitation, the storage period and the processing operations and procedures that may be applied, including measures to ensure lawful and fair processing, such as those for other specific processing situations in accordance with Chapter IX. Union or Member State law must pursue an objective in the public interest and be proportionate to the legitimate aim pursued. [...]

Article 28 Processors

(Where processing is carried out on behalf of a controller, the controller shall only use processors providing sufficient guarantees that appropriate technical and organisational measures will be implemented in such a way that the processing will comply with the requirements of this Regulation and ensure the protection of the rights of the data subject.

(2. The processor shall not use another processor without the prior specific or general written authorisation of the controller. In the case of a general written authorisation, the processor shall always inform the controller of any intended change to the use or replacement of other processors, giving the controller the opportunity to object to such changes.

(3. Processing by a processor shall be carried out on the basis of a contract or other legal instrument under Union or Member State law binding the processor in relation to the controller and specifying the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data, the categories of data subjects and the obligations and rights of the controller. That contract or other legal instrument shall in particular provide that the processor shall

(a) process the personal data only on the documented instructions of the controller, including in relation to the transfer of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the processor is subject, in which case the processor shall communicate those legal requirements to the controller prior to the processing, unless the law in question prohibits such communication on grounds of substantial public interest;

(b) ensures that the persons authorised to process the personal data have committed themselves to confidentiality or are subject to an appropriate legal obligation of secrecy;

(c) takes all necessary measures in accordance with Article 32;

(d) complies with the conditions for using the services of another processor referred to in paragraphs 2 and 4;

(e) in view of the nature of the processing, assists the controller, where possible, with appropriate technical and organisational measures, in complying with its obligation to respond to requests for the exercise of the data subject's rights referred to in Chapter III;

(f) taking into account the nature of the processing and the information at its disposal, assists the controller in complying with the obligations referred to in Articles 32 to 36;

(g) upon completion of the provision of the processing services, either erase or return, at the controller's choice, all personal data, unless there is an obligation under Union or Member State law to retain the personal data;

(h) provide the controller with all necessary information to demonstrate compliance with the obligations laid down in this Article and allow and contribute to audits, including inspections, carried out by the controller or another auditor appointed by the controller.

With regard to point (h) of the first subparagraph, the processor shall inform the controller without undue delay if it considers that an instruction infringes this Regulation or other Union or Member State data protection provisions.

(Where the processor uses the services of another processor to carry out certain processing activities on behalf of the controller, the same data protection obligations as those laid down in the contract or other legal instrument between the controller and the processor referred to in paragraph 3 shall be imposed on that other processor by way of a contract or other legal instrument in accordance with Union or Member State law, in particular providing sufficient guarantees that appropriate technical and organisational measures will be implemented in such a way that the processing will be carried out in accordance with the requirements of this Regulation. Where the other processor fails to comply with its data protection obligations, the first processor shall be liable to the controller for compliance with the obligations of that other processor.

(5) - (6) [...]

The relevant provisions of the Postal Market Act (PMG), read (in extracts):
Universal service

Definition and scope

§ 6. (1) - (7) [...]

(8) The universal service operator shall be obliged to further develop the universal service in accordance with the needs of users and to contribute to securing the provision of postal services and to the further development of the universal service by means of appropriate measures and proposals. In this context, longer opening hours, better accessibility and all possibilities of securing locations, in particular through externally operated post offices, shall be examined in particular.

(9) [...]

Obligations of postal service providers

§ 32. (1) - (2) [...]

(3) Postal service providers shall establish a complaints management system so that users can raise disputes or complaints.

(4) - (5) [...]

(6) Postal service providers shall publish at least annually comparable, adequate and up-to-date information on the quality of their services, in particular the transit times of the mail carried, using the methodology set out in ÖNORM EN 13850, and shall disclose this information to the regulatory authority upon request in paper and electronically processable form prior to publication.

2. application of the legal bases to the complaint in question:

The subject matter of the complaint is the question whether the co-operating party violated the complainant's right to confidentiality by transmitting the complainant's contact details (name and mobile phone number) to XXXX, which subsequently used these data for the purposes of a customer satisfaction survey.

2.1 Regarding point 1 of the contested decision: Rejection of the data protection complaint due to the unlawful setting of cookies:

In the contested decision, the data protection authority stated that the complainant's submission of XXXX.2019 on the basis of the complaint of XXXX.2018, which initiated the proceedings, concerning the unlawful setting of cookies constituted a substantial amendment of the application within the meaning of Section 13 (8) AVG and that the submission had therefore to be rejected in this respect. However, the submission had been taken as an opportunity to initiate a separate data protection complaint procedure.

According to section 13 (8) AVG, an amendment of the application is only admissible if it does not change the substance of the matter, whereby the legislator deliberately accepted the vagueness of this term. However, the AB emphasise that the law is amendment-friendly, so that in case of doubt, an amendment of the application that changes the essence is not to be assumed.

However, an amendment to an application is said to affect the essence of the matter and therefore continue to be inadmissible in any case if it is not in fact an amendment to the original application but a new, "different project", i.e. if the project acquires a different quality in the light of the applicable substantive laws (see Hengstschläger/Leeb, AVG § 13 Rz 45 (as of 1.1.2014, rdb.at)).

In the case at hand, the original data protection complaint of XXXX 2018, which exclusively referred to the violation of the right to confidentiality by the transmission of the complainant's contact data to XXXX and the use of the same by XXXX for the purpose of a customer satisfaction survey, underwent a substantial amendment in the meaning of section 13(8) AVG by the submission of XXXX 2019, which dealt with the unlawful setting of cookies by the co-participating party. The complainant's supplementary submission concerning cookies in his statement of XXXX 2019 affects the essence of the subject-matter of the proceedings as presented in the complaint of XXXX 2018, insofar as it goes far beyond this and concerns a new, different, supplementary submission and thus a new - different - subject-matter of the complaint.

Against this background, the rejection of the data protection complaint regarding the setting of cookies by the data protection authority was correct.

Moreover, in light of the fact that further proceedings were opened by the data protection authority with regard to the complainant's supplementary - new - allegations concerning cookies, there is no lack of legal protection with regard to this point of the complaint.

2.2 Regarding point 2 of the contested decision: dismissal of the data protection complaint with regard to the asserted violation of the right to confidentiality pursuant to section 1 of the Data Protection Act:

In the data protection complaint, the complainant alleged that the co-participating party had unlawfully disclosed his name and telephone number to a "third party", the XXXX , and had thus breached confidentiality obligations.

It is undisputed that a name and a telephone number are personal data of the complainant according to Art. 4(1) of the GDPR, which were also processed (i.e. transmitted, provided) according to Art. 4(2) of the GDPR.

The question therefore arises as to whether the data processing carried out by XXXX for the customer satisfaction survey constitutes processing by third parties.

In Art. 4(10) of the GDPR, the processor is explicitly excluded from the term "third party". Art. 4 no. 8 DSGVO in turn defines the term "processor". And a controller is characterised by the fact that it alone or jointly with others decides on the purposes and means of the processing of personal data (Art. 4 Z 7 DSGVO).

In the present case, the involved party determines the purposes and means of the processing, as can be seen from the contract it submitted and concluded with XXXX on XXXX .2018.

Article 28 of the GDPR then regulates the specific processing by a processor.

With regard to the question of privileging the examination of the lawfulness of the processing by the processor compared to other data processing, the following is stated in the literature [cf. on the following paragraphs Bogendorfer in Knyrim, DatKomm Art 28 DSGVO Rz 23 - 28 (as of 1.10.2018, rdb.at)]:

"The GDPR does not contain a comparable distinction in terms of data flows between the different actors of a data processing as in the DSG 2000 and correspondingly clear privileges. It summarises all processing steps across the board and without further distinctions in the definition of "processing" in Article 4(2) and understands it to mean "any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, filing, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction". In the absence of differentiation within the very broad disclosure options mentioned in Art 4(2) (transmission, dissemination or other form of making available) and in the absence of an inclusion of commissioned processing in the canon of lawfulness bases according to Art 6 and 9, the question arises whether the "privileged status" of the data flow between the controller and the processor has ceased to exist and whether there must now be a lawfulness basis for it. The predominant opinion in the literature, however, sees this differently according to different interpretation approaches and still considers a separate justification basis for the data transfer to the processor to be unnecessary:

It is argued that Art 28 can be understood as an independent authorisation norm.

On the other hand, it is critically noted that Art 6 and 9 have a conclusive character and that there are no indications that the canon of lawfulness standardised there can be extended.

From a systematic and teleological point of view, [...] the literature rightly notes that the very ratio of Article 28 is geared towards establishing a close relationship between the controller and the processor in the processing operation, for which, as compensation, an "exemption" from the requirement of the existence of a lawful basis is to take place. The disclosure of personal data by means of transfer as defined in Article 4(2) therefore only means the transfer to third parties as defined in Article 4(10) and not to every recipient. The risk of a loss of control by the controller is not given by Art 28 and 29. The objective of facilitating the flow of data, which is also pursued by the GDPR (cf. recital 10), would not be achieved if a basis of lawfulness were required.

For systematic reasons, it is argued that the requirement of a lawful basis for the flow of data between a controller and a processor would put the processor on an equal footing with a controller, whereas Art 28(10), with its allocation of decisions on the purpose and use of resources for data processing (see recitals 6 and 8), speaks against this.

The approach that data processing by a processor is permissible on the basis of a balancing of interests according to Art 6 (1) (f) is not convincing as an argument for a "privileged" data flow between the controller and the processor, since here there is already a separate lawfulness check of the data transfer to the processor. From a practical point of view, it will regularly be true for non-sensitive data that the balancing of interests results in the lawfulness of the data flow to the processor. For special personal data according to Art 9, however, there is no possibility of a balancing of interests, which is why in these cases commissioned processing is not possible without a special justification according to Art 9. A linguistic approach that Art 28 can be evaluated as a general balancing of interests also in the case of special personal data is not to be found in the GDPR.

Another approach in the literature convincingly derives the "privileging" of commissioned processing from the definitions of data processing (Art 4(2)), controller (Art 4(7)), processor (Art 4(8)), recipient (Art 4(9)) and third party (Art 4(10)). In the case of data transfer to the processor, there is disclosure to a recipient, but no transfer within the meaning of Art 4(2), as this requires the existence of a "third party" pursuant to Art 4(10) and the processor is not such a third party.

The "recipient" is defined in Art 4(9) as "a natural or legal person, public authority, agency or other body to whom personal data are disclosed, whether or not it is a third party [...]". [...]

A third party within the meaning of Article 4(10) is a natural or legal person, public authority, agency or other body, other than the data subject, the controller, the processor and the persons who are authorised to process the personal data under the direct responsibility of the controller or the processor.

Recipient" can be understood as an umbrella term encompassing all actors other than the data subjects themselves, while the definition of "third party" implies a partial exclusion from the group of recipients by not including, in addition to the data subjects, the (original) controller, the processor and the persons authorised to act under their direct responsibility (e.g. employees or sub-processors) among the group of third parties. Since the processor, by definition, only processes personal data on behalf of the controller and is not a third party within the meaning of Article 4(10), he is notionally an "internal" recipient who has no authority of his own in the use of the transferred data and is bound by instructions. The data processing can therefore be regarded as a single processing operation for which only a single lawfulness check is required. This uniform approach is permissible because the broad definition of the term "processing" in Article 4(2) recognises not only isolated individual operations, but also a series of operations. The justification of the commissioned processing is accessory to the reason for authorisation of the underlying processing at the controller. The processor is merely the "alter ego" of the controller, its "extended arm", due to the close binding of instructions according to Article 29.

This argument also finds support in the Article 29 Working Party's opinion on the terms "controller" and "processor". The controller and processor are seen as the "inner circle of data processing" and not as third parties. The lawfulness of the data processing activity of the processor is determined by the mandate given by the controller. The processor is ultimately functionally comparable to an employee of the controller, distinguished from the latter by its organisational autonomy: it is up to the controller to decide whether to carry out a data processing operation within its organisation or to delegate it in whole or in part to external organisations."

Similarly, Bertermann in Ehmann/Selmayr, DS-GVO2, K5 to 7 on Art 28:

"Therefore, the only remaining understanding is to understand commissioned processing as a permissible means of processing, which the controller may use under the condition of compliance with the requirements of Art. 28. If the processing itself is lawful according to one of the conditions mentioned in Art. 6(1), the controller may use one or more processors according to his instructions. In this respect, it is significant that the factually identical definition of "processing" in Art. 2d DPA and Art. 4 No. 2 GDPR recognises as processing not only isolated individual operations, but also a series of operations. Therefore, if processing is not considered at the micro level but at the macro level, commissioned processing can certainly be understood as part of processing. However, the prerequisite is always that a transfer only takes place to processors bound by instructions. As soon as a transfer to a third party takes place, the framework of permissible means of processing is breached and a separate legal basis for the transfer is required."

For the case at hand, against the background that a contract was concluded between the co-operating party and the XXXX in which the mission is clearly defined (customer satisfaction surveys), this means that a contractual relationship exists in any case. The XXXX acted as an "extended arm" and thus as a processor for the co-participating party. The commissioned processing must therefore be seen as part of the processing by the controller itself, and the lawfulness of the same must be examined according to Art. 6 DSGVO.

As the data protection authority correctly states in the contested decision, the party involved can rely on Art. 6(1)(c) of the GDPR, according to which the processing is necessary for compliance with a legal obligation. This arises from sections 32(3) and 6(8) of the PMG, which on the one hand provide for the establishment of a complaints management system and on the other hand oblige the party to take appropriate measures to improve the quality of the services offered in the course of the universal service, namely postal delivery. The assessment of the data protection authority that the disclosure of the name and telephone number of the complainant to the processor was necessary in the sense of the provision, namely in order to be able to fulfil its mandate of determining customer satisfaction, is also to be followed.

The processing of the complainant's personal data that was the subject of the proceedings was therefore lawful, which is why the data protection authority was right to dismiss the complaint in this regard.

2.3 Regarding point 3 of the contested decision: Rejection of the application for the imposition of a fine:

In his data protection complaint of XXXX 2018, the complainant stated that Section 62 (1) (2) of the Data Protection Act, i.e. the regulation on the imposition of administrative fines, was applicable, which the data protection authority interpreted in the contested decision as an application for the imposition of a fine on the co-participating party.

In line with this, the complainant also referred to the admissibility of imposing an administrative fine on the co-participating party in his appeal against the decision. It is therefore beyond doubt that the complainant's request is also directed at the imposition of an administrative penalty on the co-participating party.

However, as the data protection authority correctly stated in the contested decision, a subjective right to initiate administrative penal proceedings against a controller can neither be derived from Article 77 (1) of the GDPR nor from Section 24 (1) and (5) of the DPA. The principle of official channels pursuant to Section 25 (1) VStG applies. Accordingly, no one has a legal right to be prosecuted for any reason whatsoever. The authority must proceed ex officio both in initiating and conducting administrative criminal proceedings (cf. Fister in Lewisch/Fister/Weilguni, VStG2 § 25 Rz 3f (as of 1.5.2017, rdb.at)).

Administrative criminal proceedings can therefore only be initiated by an affected person; there is no right to initiation.

The rejection by the data protection authority was therefore also correct on this point.

Since only legal questions were to be clarified in the proceedings, the holding of an oral hearing could be waived pursuant to section 24 (4) VwGVG (VwGH, 19.09.2017, Ra 2017/01/0276).

Re B) Admissibility of the appeal:

Pursuant to section 25a (1) VwGG, the administrative court shall state in the ruling or decision whether the appeal is admissible pursuant to Art. 133 (4) B-VG. The statement shall be briefly substantiated.

The appeal is admissible pursuant to Art. 133 para. 4 B-VG because there is a lack of case law of the highest courts, in particular on the qualification of the processor as the "extended arm" of the controller.

Therefore, the decision had to be made in accordance with the ruling.