BVwG - W211 2231475-1: Difference between revisions

From GDPRhub
No edit summary
No edit summary
Line 11: Line 11:


|Original_Source_Name_1=Rechtsinformationssystem des Bundes (RIS)
|Original_Source_Name_1=Rechtsinformationssystem des Bundes (RIS)
|Original_Source_Link_1=https://www.ris.bka.gv.at/Dokumente/Bvwg/BVWGT_20211020_W211_2231475_1_00/BVWGT_20211020_W211_2231475_1_00.pdf
|Original_Source_Link_1=https://www.ris.bka.gv.at/Dokument.wxe?ResultFunctionToken=338ae3c0-a817-4450-a3bc-f0eccd78f81a&Position=1&SkipToDocumentPage=True&Abfrage=Bvwg&Entscheidungsart=Undefined&SucheNachRechtssatz=True&SucheNachText=True&GZ=&VonDatum=&BisDatum=&Norm=DSGVO&ImRisSeitVonDatum=&ImRisSeitBisDatum=&ImRisSeit=Undefined&ResultPageSize=100&Suchworte=&Dokumentnummer=BVWGT_20211020_W211_2231475_1_00
|Original_Source_Language_1=German
|Original_Source_Language_1=German
|Original_Source_Language__Code_1=DE
|Original_Source_Language__Code_1=DE

Revision as of 19:12, 25 January 2022

BVwG - W211 2231475-1
Courts logo1.png
Court: BVwG (Austria)
Jurisdiction: Austria
Relevant Law: Article 4(2) GDPR
Article 6(1)(c) GDPR
Article 28 GDPR
§ 13(8) AVG
§ 25(1) VStG
Decided: 20.10.2021
Published:
Parties: anonymous
DSB (Austria)
National Case Number/Name: W211 2231475-1
European Case Law Identifier: ECLI:AT:BVWG:2021:W211.2231475.1.00
Appeal from:
Appeal to: Unknown
Original Language(s): German
Original Source: Rechtsinformationssystem des Bundes (RIS) (in German)
Initial Contributor: Heiko Hanusch

The Federal Administrative Court held that the transmission of personal data from the controller to the processor does not need to be justified under Art. 6 GDPR because the processor is to be seen as a mere - dependent – extension of the controller.

English Summary

Facts

The data subject called the helpline of the Österreichsiche Post AG (Austrian Postal PLC). He gave his phone number to the employee with the request for a callback, thereby stating that he does not want the phone number to be given to a third party. Afterwards the data subject was called twice by a market research institute – the processor. The controller and the processor had concluded a processing-contract under Art. 28 GDPR.

The data subject filed a complaint with the DSB (Austria) arguing that the transmission of his data (name and phone number) to the processor was illegitimate since he literally expressed that he does not want his data to be given to a third party. During these proceedings the data subject amended their submission by also tackling the use of cookies by the controller.

The DSB dismissed the complaint.


Holding

The Federal Administrative Court (Bundesverwatungsgericht – BVwG) upheld the decision of the DSB.

The court determined that the processor is to be seen as a dependent extension of the controller (“verlängerter Arm”) (cmp. Art. 29 GDPR). If the processing of data is in accordance with Art. 6 GDPR, the controller is free to deploy a processor. As a result, the transmission of data from the controller to the processor itself does not need to be justified under Art. 6 GDPR.

In the case at hand, the court came to the conclusion that the processing of data by the controller - and therefore also the transmission to the processor - is justified under Art. 6(1)(c) GDPR. The controller in this case - the Österreichsiche Post AG - is obliged under national law (§§ 6(8), 32(3) PMG) to provide for a complaint management system to improve their services.

Besides, the court decided the amendment of the data subject’s complaint was inadmissible pursuant to § 13(8) AVG and a data subject has no subjective right to the initiation of administrative fine proceedings under the GDPR and according to § 25(1) VStG.


Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

                                                                              Postal address:
                                                                    Erdbergstrasse 192 – 196
                                                                               1030 Vienna

                                                                        Phone: +43 1 601 49-0
                                                                  Fax: +43 1 711 23-889 15 41
                                                              Email: einlaufstelle@bvwg.gv.at
                                                                           www.bvwg.gv.at




                     DECISIONS D A T U M

                                 2 0 . 1 0 . 2 0 2 1

                            BUSINESS NUMBER






                        W 2 1 1 2 2 3 1 4 7 5 - 1/9 E

                I M N A M E N D E R E P U B L I K !


The Federal Administrative Court recognizes through the judge Mag. Barbara SIMMA LL.M. as

Chair and the expert lay judge Margareta MAYER-HAINZ and the

expert lay judge Dr. Ulrich E. ZELLENBERG as assessor on the
Complaint by XXXX against the decision of the data protection authority of XXXX, Zl. XXXX in

closed session rightly:


a)


The complaint is dismissed as unsubstantiated.

b)


The revision is permissible according to Art. 133 Para. 4 B-VG. - 2 -






                            Reasons for decision:


I. Procedure:

1. With a data protection complaint dated XXXX .2018 (received at the data protection authority on

XXXX .2018), the complainant claimed a violation of the right to secrecy

according to § 1 and §§ 8 as well as 62 para. 1 Z 1 Data Protection Act (DSG) by the Austrian
Post AG (the involved party).


The complainant stated in summary that the party involved was in form
of a "company", but is de facto a state-owned company. At the postal customs office be on

XXXX received a letter in 2018 containing goods ordered by the complainant.

Due to irregularities in connection with the shipment, the
Complainant contacted the involved party's "hotline" on XXXX .2018. He has

left his cell phone number there with a request to call him back, which he also shared

expressly asked the party not to pass this number on to third parties under any circumstances.
He was expressly assured of this. He was then from the party involved

been called back and was able to fix the shipment.


On XXXX .2018 he was called by XXXX. Upon specific request from
Complainant, where XXXX got his phone number and his name from, was him

been informed by the caller that she was entitled to this by the party involved

received for survey purposes. On the same day he was contacted by another number
been made, whereby the caller had obviously suppressed the number display.

After hearing "Do you want to take part in a survey", he immediately hung up.

At no time did he give his consent to the disclosure of his name and his

Telephone number given, but expressly requested, his contact details not

to pass on. Nor is there any public interest. Since he is from the
If I had no knowledge of the data being passed on, an objection is also not possible

been. The complainant was therefore violated in his right under § 1 para. 1 DSG

been. In any case, § 61 Para. 1 Z 2 DSG is also applicable.

2. With a statement dated XXXX .2018, the party involved led to this

Data protection complaint that XXXX is a processor in

within the meaning of Art. 28 GDPR. Obtaining consent for the present - 3 -


Data transmission is therefore not necessary. The customer satisfaction survey is not
by employees of the party involved, but by an external company

Have been carried out. This ensures that the party involved does not

personal results of the survey. The data transmission is under
Compliance with all data protection regulations, in particular Art. 28 ff DSGVO,

However, the complaint was taken to cause the complainant to

Block future customer satisfaction surveys.

3. By letter dated XXXX .2018, the data protection authority requested the involved party

again for comment. In particular, the party involved was pointed out

pointed out that the mere fact that the company in question is
allegedly to be a processor, nothing about the legality of the

processing statement.


4. The involved party submitted in a statement dated XXXX .2019 that they
Postal service providers within the meaning of the Postal Market Act (PMG) and also

Universal service operator according to § 12 PMG. According to the one assigned to her

Among other things, she has obligations to set up a complaints management system,
to publish information about the quality of their services at least annually (§ 32

PMG), to show the regulatory authority, among other things, the number of complaints (§
6 Para. 7 PMG) and the universal service in terms of the needs of users

develop and through appropriate measures and suggestions to secure the supply

to contribute to the further development of the universal service with postal services (§ 6 Para. 8 PMG).
In order to adequately meet this obligation, the party involved has the

Postal customer service set up, which was also used by the complainant

may be.

So that the quality is further developed in accordance with the legal obligation and also

could be published, the survey of the users is the most suitable and

most recognized method. The survey itself will be considered by the XXXX
Processor carried out within the framework of the agreement under Art. 28 GDPR

act. Purposes and means are specified by the party involved, whereby the XXXX

nor can it be qualified as a third party within the meaning of Art. 4 Z 10 GDPR. In the sense of the
Data minimization only get the phone number and the name of the

interviewer to enable proper addressing. the to
interviewers would only be contacted once per case, and the - 4 -


survey can be declined at any time. If at all, only one could hardly do it
noticeable impairment.


If customers contact the postal customer service, they would

according to Art. 13 GDPR in the form of a taped announcement on the information on the topic
data protection on the website of the party involved. This

Information can be clearly inferred that appropriate surveys have been carried out

can become. Under point 3.2. of the website are market research institutes as possible
external service providers listed. When people post customer service

would contact, so be sure that they have the information in accordance with Art. 13 GDPR

would receive.

Between contacting Post Customer Service and being contacted by

the XXXX exists for a certain period of time, within which there are already contradictions

can be done. Participation in the survey is therefore voluntary and possible
be rejected at any time. Only when contacted by XXXX did he

Complainant lodged an objection, which is why no questioning

have taken place.

The establishment of customer service is based on a legal obligation. One

Questionnaire must be carried out to explain the complaints or to check the service
will. The survey is the most suitable and recognized or only method. In order to

the lawfulness of the data processing results from Art. 6 Para. 1 lit. c GDPR.


In addition, the party involved is also acting in the public interest, since the postal
Basic care including the associated quality check

/obligation to publish/obligation to improve had been transferred. Thus Art. 6 is also

Paragraph 1 lit. e GDPR relevant. In addition, Art. 6 Para. 1 lit. f
GDPR are used. The party involved does not act as an authority in the sense

the reason for exclusion. Interest in quality control

/obligation to publish/obligation to improve result from the legal requirements
PMG and is therefore legitimate. In this respect, there is a benefit for those involved

party as the responsible party, as they continuously ensure their service quality in accordance with the

legal requirements can be improved as well as a benefit for the general public than this
receive better basic care

viewed if this is for the perception of direct mail or advertising itself or
will also be tracked for processing for market research purposes. - 5 -


Likewise, this results from the basic right of entrepreneurial freedom (Article 16 of the GRC).
legitimate interest of the party involved, from their customers their assessment of the

To learn about complaint management in order to better

to be fair. Even without the existence of a legal obligation
the processing of personal data in question is therefore lawful. Only with the

The contact data used can be used to carry out a survey, with which the

processing was also necessary. The interest of the party involved and that
The interest of the general public in data processing outweighs the interest

of the complainant. In addition, the contact details are not particularly worthy of protection

Data.

The input was the agreement on order processing according to Art. 28 GDPR in copy

connected.


5. By letter dated XXXX .2019, the complainant made the following statement on the
Statements of the party involved: Initially, he wanted to add a "crass"

Inform the party involved of data misuse. The involved party uses on

Cookies and "spyware" that are not permitted on their website, especially since a direct
objection is not possible. This becomes more objective as a further objection

Complaint added.

For the opinion of the party involved, it can be stated that neither § 32 para.

6 PMG nor § 6 para. 7 and para. 8 PMG a justification for the transfer of data to third parties

contain. The argument of increasing efficiency would also include data transfer to third parties
not justify. In the course of his request, he received no information within the meaning of Art. 13

GDPR has been granted. It is irrelevant whether participation in the survey is voluntary

The subject of the complaint was the transfer of data to third parties. At no time did he
consent is given, whereby in particular a call to the "hotline" is not as such

can be rated. The market research company is not subject to the supervision of

with the party involved
The contract concluded is not applicable in the present case, as it explicitly allows data to be passed on

have objected. It would also have to be clarified whether the contract per se is moral and

be illegal.

6. With the contested decision of XXXX, the data protection authority rejected the

Privacy complaint regarding the illegal setting of cookies
(Point 1.). In addition, she dismissed the complaint as unfounded (paragraph - 6 -


2.). The complainant's application for a fine was granted
rejected (point 3.)


The data protection authority explained insofar as essential that the letter of the

Complainant from XXXX .2019 on the basis of the proceedings
Complaint submission of XXXX 2018 regarding the illegal setting of cookies

represents a significant change in the application within the meaning of Section 13 (8) AVG, which is why the

arguments to that effect had to be rejected. However, it was taken as an opportunity
been asked to initiate a separate complaints procedure.


In the present case, the "passing on" of the personal data of the

complainant by the party involved to the market research institute. the
Subsequent customer satisfaction requests from this company have the complaint case

of the complainant and is therefore exclusively in the interest and in the

Order of the involved party takes place. The pursuit of one's own purposes
Market research company was never intended, which means that a

independent responsibility of the market research company is to be denied. the

the present "passing on" is therefore one that can be attributed to the party involved
data processing.


The complainant's data was not transmitted or disclosed to "third parties",
but within the meaning of Art. 28 GDPR by the market research institute on behalf of

involved party has been processed as agreed. A right to that

responsible persons do not use any processors, does not exist. the
On the one hand, the involved party is obliged to do so due to the provisions of the PMG

to set up a complaints management system and, on the other hand, to ensure the quality of the

Universal service, ie postal delivery, services offered by suitable
Measures to improve, and thus to take certain measures. Even if

of the involved party in these regulations no concrete measure and also none

certain data processing is ordered, should not be subject to the legislature
that he gives the party involved the possibility of data processing

want to withdraw, because otherwise the provision would be meaningless.


The handling of a complaint from a customer and the
The quality assurance measures to be carried out are without name and contact address

unthinkable if the data required for this should not be processed. At - 7 -


Name and contact option there is no doubt that the data processing in
given minimal scope is also required.


Finally, it was stated that a subjective right to initiate a

Administrative penal proceedings against specific persons responsible under Art. 77 Para. 1 DSGVO or §
24 para. 1 and 5 DSG cannot be derived, and the principle of expediency according to § 25 para.

1 VStG applies. Administrative penal proceedings can therefore only be carried out by a person concerned

be suggested, there is no entitlement to initiation.

7. In the complaint, which was raised within the time limit, the complainant went so far

summarized here essentially that the data protection complaint the disclosure of

data to third parties. It is completely irrelevant whether this transfer
based on private law contracts or other agreements.


The fundamental right to data protection is a constitutionally protected legal interest, which is not

can be overridden by private law contracts. It is also irrelevant
whether the data protection authority wants to see a third party as an "extended arm" or not.

At the request of the involved party's hotline, the complainant only

Otherwise processing is not possible, his (former) telephone number was announced,
this with the express note not to pass the same on to third parties. The two

Companies that ultimately receive these phone numbers and the complainant
contacted are market research companies whose business purpose is the survey

of customer requests for advertising purposes. It is not clear in what way

Advertising company could be useful for quality assurance. §§ 6 and 32 PMG would also offer
no indication that the involved party is thereby authorized to use customer data

to pass on to third parties.


Art. 28 para. 2 GDPR stipulates that processors must not
Processors without prior separate or general written consent

permission of the person responsible. Sohin be the

Passing on of the data to an advertising company in any case without a basis under data protection law
he follows. There is therefore a violation of data protection by the party involved,

since this without consent within the meaning of Art 7 GDPR and contrary to an explicit request by the

complainant's data to a third-party company.

In the contested decision, the complaint regarding the inadmissible setting of

Cookies have been rejected. With the same date, however, the Data Protection Authority
issue an order to remedy defects with a deadline without delivery, which - 8 -


could have been followed, since the matter had been discussed immediately. It
there is therefore already a violation of the AVG insofar as no hearing of the parties is granted

had been. The use of cookies falls under the term data processing,

as well as under the term data transfer. It is therefore incorrect if the
Data Protection Authority believes the use of cookies by the affiliated party

would not be included in the content of the complaint.


Moreover, the question of an administrative fine is not addressed in the contested decision
followed up, reflecting the unwillingness of the Data Protection Authority to deal with certain

make things clear again.


II. The Federal Administrative Court considered:

1. Findings:


1.1. The complainant contacted due to delivery issues related

with a postal item on XXXX .2018 the "hotline" of the party involved. left there
he left his cell phone number with a request to call him back, stating that he was the party involved

expressly requested not to pass this number on to third parties under any circumstances.


On XXXX .2018 the complainant was called by XXXX. On concrete
The complainant asked where the XXXX got his telephone number and his name

have, he was informed by the caller that she was from the involved
party received for survey purposes. On the same day, the complainant was

contacted another number for survey purposes, with the caller using the

had suppressed caller ID. The complainant ended that call immediately,
after his interlocutor had asked if he wanted to take part in a survey.


1.2. The following contract was concluded between the party involved and XXXX on XXXX .2018

completed (reproduced in excerpts):

"AGREEMENT ON ORDER PROCESSING according to Art. 28 GDPR

concluded between
       XXXX (hereinafter "Responsible")
and
 XXXX

       XXXX (hereinafter "processor")

1. Subject of the agreement - 9 -


a) The area of responsibility of the processor includes conducting surveys
       of all kinds and as required, but in particular the implementation of the regular
       ongoing survey of "satisfaction with Swiss Post customer service".

       In the context of this contract, “personal data” includes such

       to understand personal data that the person responsible dem
       processors within the framework of the contract described in more detail above
       or the processing of which is assigned to the processor in that contract.

b) Categories of personal data and categories of data subjects are processed

       Persons according to Annex 1.

2. Processor Obligations

a) The processor undertakes to process personal data and
       Processing results exclusively within the framework of the written (e-mail
       sufficient) to process orders from the person responsible. All

       Data processing activities take place exclusively in a member state of
       European Union instead.

b) The processor is not authorized to process personal data of the
       disclosure to third parties without the written consent of the person responsible. So far

       the processor is obliged to do so by law
       to inform the person responsible immediately in advance.

c) The transfer of personal data to third parties, to which no legal
       obligation of the processor exists, sets a written (e-mail
       sufficient) order of the person responsible.


d) Processing of personal data for the company's own purposes
       Processor may only be used with the prior written consent of the
       responsible.

e) The processor undertakes to maintain data secrecy and
       declares in a legally binding manner that he is responsible for all data processing

       has obligated persons to maintain confidentiality before starting the activity or these
       are subject to an appropriate statutory obligation of confidentiality. He has
       all persons entrusted with data processing are obliged to
       Data provided to them solely because of their professional activity

       be entrusted or accessible, without prejudice to other statutory provisions
       To keep confidentiality obligations secret, unless legally permissible
       There is a reason for the transmission/disclosure of the data. In particular, the remains
       Confidentiality obligation of the persons responsible for data processing
       even after they have finished their job or left the company

       Processor upright.

f) The Processor declares in a legally binding manner that it has all the necessary
       Measures to ensure the security of processing in accordance with Art. 32 GDPR
       has taken. The processor assures that the data described in Appendix 2 and

       selected, risk-appropriate, technical and organizational - 10 -


       have taken and will continue to take action to
       personal data against accidental or unlawful destruction and against
       to protect against loss as well as their proper processing and the
       Ensure non-accessibility for unauthorized third parties. The Processor

       undertakes to implement the technical and organizational measures in the above
       Keeping it up to date with the latest technology and looking for technical progress or
       to update or adapt to a changed threat situation.

g) The processor ensures that the person responsible respects the rights of the

       data subject according to Chapter III of the GDPR (information, access, correction
       and deletion, data portability, objection and automated
       Decision-making in individual cases) and taking into account the Austrian
       Federal law for the protection of natural persons during processing (DSG idgF)
       within the statutory deadlines at any time, leaves the

       responsible for all the necessary information and supports them in the process
       Fulfillment of related obligations to the best of our ability. Will a corresponding
       Application, with which the rights of the data subject are asserted, to the
       Processor directed and it is evident from the content of the application that the

       Applicant mistook the application processor for the person in charge of his
       processing activity carried out for the person responsible, the
       Processor to forward the request to the person responsible immediately
       and this to the applicant, stating the date of receipt of the
       to communicate the application.


h) The processor supports the person responsible in complying with the regulations
       Articles 32 to 36 DSGVO mentioned obligations (data security measures, reports
       of personal data breaches to the supervisory authority,
       Notification of a Personal Data Breach

       data subject, data protection impact assessment, prior consultation).
       best efforts. In particular, the processor undertakes to
       those responsible immediately, but no later than within 36 hours of this
       Notice to notify of data breaches.

i) The processor is informed that he has a processing directory

       has to be set up in accordance with Art. 30 Para. 2 GDPR.

j) The processor undertakes to provide the person responsible with that information
       to provide the means to monitor compliance with this Agreement
       mentioned obligations are necessary. In particular, the
       Processor, the person responsible immediately upon request

       appropriate written evidence of the implementation and effectiveness of the in Annex 2
       to transmit the technical and organizational measures described. Over
       At the request of the person responsible, the declaration of the
       Protection of data secrecy regarding the person who is presented with the

       execution of the order is entrusted.

k) With regard to the processing, the person responsible is given the
       personal data granted the right, even by qualified and for
       Employees sworn to secrecy or by a professional secrecy - 11 -


       obligated person (court-certified expert etc.)
       Processor to check the correctness of the data processing
       Announcement to check. This during normal office hours and in coordination
       with the data protection officer of the processor or another person responsible for

       person responsible for data protection.
       The data protection officer/responsible for data protection at
       Processor is:
       Mr. Mrs

       XXXXXXX

l ) After completion of the order, the processor is obliged to
       responsible for all processing results and documents that
       contain contractual personal data; of that
       The storage of the data left to the processor remains unaffected

       personal data and processing results to the extent and as long as this is for
       to guarantee its services.
       After the warranty period has expired, the processor has all
       to delete contractual personal data or to post them

       Request of the person responsible before carrying out the deletion
       keep. This applies in particular if the processor is to another
       Storage of personal data not due to mandatory legal requirements
       provisions is required.
       At the request of the controller, the processor confirms the

       data erasure in writing.
       If the processor processes the personal data in a special
       technical format processed, he is obliged to post the personal data
       Completion of the order either in this format or at the request of the

       Responsible in the format in which he received the personal data from
       person responsible or in another common format
       to release.

m) The processor must inform the controller immediately if he
       is of the opinion that an instruction of the person responsible violates

       EU or Member State data protection regulations.

3. Sub-processors

a) The processor is without the prior written consent of the
       Controller not entitled to use a sub-processor.

b) In the event of written consent, the processor closes the

       necessary agreements within the meaning of Art. 28 Para. 4 GDPR with the sub-
       processor. It must be ensured that the sub-processor
       enters into the same obligations as the processor based on this
       agreement. The processor has the responsible person

       Override of the obligations under the present agreement upon request
       to be documented at any time. - 12 -


c) If the sub-processor does not meet his data protection obligations, he is liable
       the processor towards the person responsible for compliance
       Obligations of the sub-processor.

d) The person responsible gives his consent to the use of the information in Annex 3

       named sub-processor.

4. Duration of Agreement
□ The term of the agreement is based on the contract mentioned in point 1a).
x The agreement is concluded for an indefinite period and can be changed by either party

       be terminated in writing with a notice period of three months to the end of the month. the
       The possibility of termination without notice for important reasons remains unaffected.

In this respect, a data protection service provider agreement between the contracting parties
in relation to the main service described in more detail in the contract referred to in point 1a),
already exists, it is determined by the present agreement on a

Order data processing replaced.

5. Miscellaneous Provisions

a) All disputes arising from and in connection with this contract
       Austrian law, to the exclusion of the UN sales law and conflict of laws

       provisions. For all disputes, this will be factual and for XXXX Vienna
       locally competent court agreed.

b) Only what has been agreed in writing is binding; there are no oral ones
       ancillary agreements. Changes and additions to the agreement require their
       validity of the written form; this also applies to a waiver of the formal requirement

       writtenness.

c) All rights and obligations arising from this agreement are transferred to any
       Legal successors of both contracting parties.

d) The parties agree to the conclusion of this agreement and its content
       to be treated confidentially. This does not apply to the extent that a party in accordance with the provisions

       of the present agreement or due to legal obligation to
       disclosure of this Agreement or any content thereof. This applies,
       insofar as the present agreement does not contain any conflicting provisions
       contains and there are no legal obligations to provide information.


e) Processor undertakes (i) that its legal representatives,
       Employees and employed and/or commissioned subcontractors to all
       applicable legal provisions in connection with anti-
       comply with anti-corruption regulations and (ii) take appropriate measures to prevent the
       Ensure compliance with anti-corruption regulations. A breach of anti-

       Corruption regulations entitle the person responsible - without prejudice to others
       Right of withdrawal and termination - for extraordinary termination without notice
       agreement and to assert any claims for damages. - 13 -


f) Should any provision of this agreement be invalid or ineffective or
       become, the contracting parties will agree a valid or effective
       Set a provision that will invalidate or ineffective provisions

       economically closest.
       The invalidity or ineffectiveness of individual provisions has no effect
       on the validity or effectiveness of the entire contract.

g) This contract is drawn up in two originals, of which each contracting party has one

       receives.
h) Appendices 1, 2 and 3 are considered to be an integral part of the contract.

[...]"


The processed data categories are included in the annex to the present contract
“Personal master data” (e.g. first and last name) and “contact data” (e.g.

telephone number) mentioned. The affected persons are employees and

called customers. The order processing contract also contains
technical and organizational measures, including confidentiality and integrity.


1.3. The complainant sent a letter dated XXXX .2019 to the

The data protection authority also provides that the party involved also unlawful

set cookies on their website and filed a privacy complaint to that effect.

2. Evidence assessment:


The findings result from the file in connection with the arguments of the parties,

in particular from the contract submitted between the party involved and XXXX
dated XXXX .2018, and are not disputed.


3. Legal assessment:


to A)

1. Section 1 of the Federal Act on the Protection of Natural Persons in Processing

personal data (Data Protection Act - DSG) reads (in excerpts):


       (constitutional provision)

       fundamental right to data protection


       § 1. (1) Everyone has, in particular with regard to respect for his private and
       family life, right to confidentiality of personal data concerning him

       Data insofar as there is a legitimate interest in it. The existence of such - 14 -


       Interestisexcludedifdataduetotheirgeneralavailabilityorbecause

       due to their lack of traceability to the person concerned, no claim to secrecy

       are accessible.

       (2) Insofar as the use of personal data is not in the vital interest

       of the person concerned or with his consent, limitations of the right to

       Confidentiality only to protect overriding legitimate interests of another
       permissible, in the event of interference by a state authority only on the basis of laws that

       from the in Art. 8 para. 2 of the European Convention for the Protection of Human Rights and

       Fundamental Freedoms (EMRK), Federal Law Gazette No. 210/1958, are necessary. such
       Laws prohibit the use of data that, by their nature, deserve special protection,

       only provide for the protection of important public interests and must at the same time
       appropriate guarantees for the protection of the confidentiality interests of the persons concerned

       determine. Even in the case of permissible restrictions, the encroachment on the fundamental right may in each case

       only be undertaken in the mildest, most effective way.

       [...]


The relevant provisions of Regulation (EU) 2016/679 of the European

Parliament and Council of April 27, 2016 on the protection of natural persons in the

Processing of personal data, the free movement of data and the cancellation of the

Directive 95/46/EG (General Data Protection Regulation), read (in excerpts):

       Article 4 Definitions For the purposes of this Regulation, the term means:


       1. “Personal Data” any information relating to an identified or

       identifiable natural person (hereinafter "data subject"); as
       identifiable is a natural person who directly or indirectly, in particular

       by association with an identifier such as a name, an identification number

       location data, an online identifier or one or more specific
       characteristics expressing the physical, physiological, genetic, psychological,

       economic, cultural or social identity of this natural person are identified

       can be;

       2. “Processing” any operation carried out with or without the aid of automated processes

       or any such series of operations involving personal data such as that

       Collecting, capturing, organizing, arranging, storing, adapting or
       Modification, reading, querying, use, disclosure by

       transmission, distribution or any other form of provision, comparison or
       linking, restriction, deletion or destruction; - 15 -


3rd – 6th […]


7. "Responsible person" the natural or legal person, authority, institution or other

Body alone or jointly with others on the purposes and means of processing
of personal data decides; are the purposes and means of this processing

stipulated by Union law or the law of the Member States, the

Responsible person or can use the specific criteria according to his designation
provided for by Union law or the law of the Member States;


8."Processor" means a natural or legal person, public authority, agency or

another entity that processes personal data on behalf of the controller;

9. […]


10. “Third party” means a natural or legal person, public authority, agency or other body,

other than the data subject, the controller, the processor and the
Persons who are under the direct responsibility of the person responsible or the

processors are authorized to process the personal data;


11th – 26th […]

Article 6 Lawfulness of processing


(1) The processing is only lawful if at least one of the following

conditions are met: [...]

c) the processing is necessary for compliance with a legal obligation imposed by the

Controller is subject to; [...]


(2) Member States may have more specific provisions adapting the application
the provisions of this regulation in relation to processing to comply with paragraph 1

Maintain or introduce subparagraphs c and e by providing specific requirements for the

Processing as well as other measures more precisely to determine a lawful and according
ensure fair processing, including for others

special processing situations according to Chapter IX.


(3) The legal basis for the processing pursuant to paragraph 1 letters c and e
set by


a) Union law or


b) the law of the Member States to which the controller is subject. - 16 -


The purpose of the processing must be specified in this legal basis or in relation to the

Processing pursuant to paragraph 1 letter e may be necessary for the performance of a task that

is in the public interest or in the exercise of official authority which
responsible has been transferred. This legal basis may have specific provisions

to adapt the application of the provisions of this regulation, among others

Provisions on what general conditions for the regulation of
Lawfulness of the processing by the controller apply, what types of data

are processed, which persons are affected, to which institutions and for which
Purposes the personal data may be disclosed, what purpose they

are subject to how long they may be stored and what processing operations and

procedures may be applied, including measures to ensure a
lawful and fair processing, such as for others

special processing situations according to Chapter IX. Union law or the law of

Member States must pursue an objective in the public interest and in a
proportionate to the legitimate purpose pursued. [...]


Article 28 Processors


(1) If processing is carried out on behalf of a person responsible, then this person only cooperates
Processors who offer sufficient guarantees that appropriate technical and

organizational measures are carried out in such a way that the processing is in accordance with

the requirements of this regulation and the protection of the rights of the persons concerned
person guaranteed.


(2) The processor will not take on any other processor without prior approval

separate or general written approval of the person responsible. in the
In the event of general written approval, the processor will inform the

always inform those responsible about any intended change in relation to the addition or

the replacement of other processors, giving the controller the option
entitled to object to such changes.


(3) Processing by a processor is based on a contract

or any other legal instrument under Union law or the law of the
Member States that control the processor in relation to the controller

binds and in the subject and duration of the processing, type and purpose of the processing,
the type of personal data, the categories of data subjects and the obligations

and rights of the person responsible are defined. This contract or this other

Legal instrument provides in particular that the processor

a) the personal data only on documented instructions from the controller —

also with regard to the transfer of personal data to a third country or a - 17 -


international organization — processed, unless required by Union or EU law

Member States to which the processor is subject is obliged to do so; in one

In such a case, the processor shall notify the controller of these legal
Requirements prior to processing with, provided that the relevant right such notice

not prohibited because of important public interest;


b) ensures that those authorized to process the personal data
Persons have committed to confidentiality or an appropriate statutory

are subject to a duty of confidentiality;


c) take all measures required under Article 32;

d) the conditions for using the services referred to in paragraphs 2 and 4

of another processor;


e) in view of the nature of the processing, the person responsible, if possible with suitable ones
technical and organizational measures to fulfill its obligation to

Responding to requests to exercise the rights referred to in Chapter III

comply with the data subject;

f) taking into account the type of processing and those available to him

Information to those responsible for compliance with the provisions of Articles 32 to 36

supports the above obligations;

g) after completion of the provision of the processing services, all personal data

either deletes or returns at the discretion of the person responsible, unless after the

Union law or the law of the Member States an obligation to store the
personal data exists;


h) provide the controller with all the necessary information to demonstrate compliance with the

provides the obligations set out in this Article and reviews —
including inspections - carried out by the controller or another of the controller

commissioned auditors are carried out, enables and contributes to this.


With regard to subparagraph 1 letter h, the processor informs the
Responsible immediately if he believes that an instruction against this

Regulation or against other data protection regulations of the Union or the
violates Member States.


(4) If the processor engages the services of another processor

Right to request certain processing activities on behalf of the controller
to be carried out, this further processor will be assigned by way of a contract or - 18 -


        another legal instrument under Union law or the law of the person concerned

        Member State imposes the same data protection obligations as those in the Treaty or others

        Legal instrument between the controller and the processor in accordance with
        Paragraph 3 are set, whereby in particular sufficient guarantees are offered for this

        must ensure that the appropriate technical and organizational measures are implemented in this way

        that the processing is carried out in accordance with the requirements of this regulation.
        If the other processor does not meet his data protection obligations, he is liable

        first processor towards the person responsible for compliance with the obligations
        that other processor.


        (5) - (6) [...]


The relevant provisions of the Postal Market Act (PMG) are (excerpts):

universal service

        term and scope


        § 6. (1) - (7) [...]


        (8) The universal service operator is obliged to provide the universal service in accordance with the needs
        further developed by users and through appropriate measures and

        Proposals for securing the supply of postal services and for the further development of the

        contribute to universal service. In this context, in particular longer
        Opening hours, better accessibility and all possibilities of securing the location,

        especially by third-party post offices.


        (9) […]

        Obligations of Postal Service Providers


        § 32. (1) - (2) [...]


        (3) Postal service providers have to set up a complaints management system so that users

        and users can raise disputes or complaints.

        (4) - (5) [...]


        (6) Postal service providers shall have comparable, appropriate and up-to-date information at least annually

        Information on the quality of their services, in particular the transit times of those carried
        postal items using the methodology specified by ÖNORM EN 13850

        publish and the regulatory authority at their request prior to publication

        in paper form and electronically processable form. - 19 -


2. Application of the legal bases to the present complaint:

The object of the complaint is the question of whether the party involved

thereby violated the right to secrecy by providing the contact details of the

Complainant (name and cell phone number) to the XXXX, from which this
Data was subsequently used for the purposes of a customer satisfaction survey.


2.1. Regarding point 1 of the contested decision: Rejection of the

Data protection complaint about illegal setting of cookies:

In the contested decision, the data protection authority stated that the entry of the

Complainant from XXXX .2019 on the basis of the proceedings

Complaint of XXXX .2018 regarding the illegal setting of cookies
represent a significant change in the application within the meaning of Section 13 (8) AVG and therefore this

arguments to that effect should be rejected. However, the input was taken as an opportunity

been asked to initiate a separate data protection complaints procedure.

According to § 13 para. 8 AVG, an application change is only permissible if this changes the matter

its essence is not changed, the legislature the vagueness of this

consciously accepted the turn. However, the AB emphasize the ease of change of the
law, so that in case of doubt there is no change in the application that would change the nature of the application

to go out.

However, an application change should then affect the essence of the matter and therefore continue to do so

in any case be inadmissible if it is not actually a matter of changing the

original application, but a new, "different project" if that
The project thus acquires a different quality in the light of the material laws to be applied

(see Hengstschläger/Leeb, AVG § 13 Rz 45 (as of January 1st, 2014, rdb.at)).


In the present case, the original data protection complaint dated XXXX .2018, the
relates exclusively to the violation of the right to secrecy through the transmission of the

contact details of the complainant to the XXXX and the use of the same by

obtained this for the purpose of a customer satisfaction survey by entering the XXXX
2019, which the unlawful setting of cookies by the involved party to

The subject matter was a significant change in the application within the meaning of Section 13 (8) AVG. The

additional, cookies-related, submissions of the complainant in his statement of
XXXX .2019 affects the essence of the subject of the proceedings insofar as it is related to the

complaint of XXXX 2018 was presented as going far beyond this - 20 -


and a new, different, supplementary submission and thus a new - different -
subject of the complaint.


Against this background, the data protection complaint was rejected

the setting of cookies by the data protection authority.

In the light of the fact that in relation to the additional - new -, submissions regarding cookies

of the complainant by the data protection authority opened a further procedure

moreover, there is no lack of legal protection in relation to this complaint.

2.2. Regarding point 2 of the contested decision: Rejection of the

Privacy Complaint Regarding the Alleged Violation in the Right to

Confidentiality according to § 1 DSG:

The complainant submitted in the privacy complaint that the intervening party

unlawfully gave his name and phone number to a "third party" who is XXXX ,

passed on and thus violate confidentiality obligations.

A name and phone number are indisputably

personal data of the complainant according to Art. 4 Z 1 DSGVO, which also according to Art. 4

Z 2 GDPR were processed (i.e. transmitted, provided).

The question therefore arises whether the data processing carried out by XXXX for

Customer Satisfaction Survey constitutes processing by third parties.

In Art. 4 Z 10 GDPR, the processor is expressly excluded from the concept of third parties

exempt. Art. 4 Z 8 GDPR in turn defines the term processor.

And a responsible person is characterized by the fact that she alone or together with
others about the purposes and means of processing personal data

decides (Art. 4 Z 7 GDPR).


In the present case, the party involved determines the purposes and means of the
Processing, as can be seen from the submitted by her, with the XXXX on XXXX .2018

concluded contract results.


Art. 28 GDPR then regulates the specific processing by a processor.

Regarding the question of privileging the examination of the lawfulness of the processing

by the processor compared to other data processing is in the - 21 -


Literature The following stated [cf. on the following paragraphs Bogendorfer in Knyrim,
DatKomm Art 28 GDPR margin nos. 23 - 28 (status 1.10.2018, rdb.at)]:


“A comparable distinction in relation to the data flows between the different

Actors in data processing as in DSG 2000 and correspondingly clear privileges
does not include the GDPR. It summarizes all processing steps in a flat rate and without further

Differences in the definition of "processing" in Art 4 Z 2 together and understands

including “any operation performed with or without the aid of automated processes, or
any such series of operations related to personal data such as collecting,

collecting, organizing, arranging, storing, adapting or

Modification, reading, querying, use, disclosure by
transmission, distribution or any other form of provision, comparison or

association, restriction, deletion or destruction”. lack of differentiation

within the very broad disclosure options mentioned in Art 4 Z 2 (transmission,
dissemination or other form of provision) and in the absence of inclusion of the

Order processing in the canon of the legal basis according to Art. 6 and 9

the question of whether the "privileging" of the data flow between the person responsible and the
Processor has ceased to exist and there is now a legal basis for this

got to. However, the majority of opinions in the literature see this differently
Interpretation approaches differently and considers its own justification for the

Data transfer to the processor still not required for:


It is argued that Art 28 can be understood as an independent power norm.

On the other hand, it is critically noted that types 6 and 9 have a final character

and no indication of the possibility of expanding what is standardized there

canons of legality exist.

Based on a systematic and teleological view, [...] in the literature

rightly noted that Art 28 is geared precisely to the fact that when

processing process, there is a close bond between the controller and the processor
is produced, for which as compensation there is a "release" from the requirement of

existence of a legal basis should take place. The Disclosure

personal data by transmission iSd Art 4 Z 2 therefore only mean the transfer
to third parties within the meaning of Art 4 Z 10 and not to every recipient. The risk of losing control of

Articles 28 and 29 do not specify who is responsible. The same thing pursued with the GDPR - 22 -


If a
legal basis cannot be achieved.


From systematic considerations it is argued that the requirement for a

Legal basis of data flow between a controller and a
Processor puts the processor on an equal footing with a controller

would effect, whereas Art 28 para. 10 with the decision attribution

Purpose and use of means of data processing (see margin nos. 6 and 8).

The approach that data processing by a processor on the basis of a

Balancing interests according to Art. 6 Para. 1 lit f is permissible, can be used as an argument for a

"privileged" data flow between controller and processor
convince, since there is already a separate legality check of the data transmission

the processor takes place. From a practical point of view, it is used for non-sensitive data

regularly be correct that the balancing of interests the legality of the
Data flow to the processor results. For special personal information

Art 9, however, there is no possibility of weighing up interests, which is why in these cases

order processing is then not possible without special justification in accordance with Article 9
is. A linguistic approach that Art 28 as a general weighing up of interests also in the case of special

The GDPR does not indicate whether personal data can be evaluated.

Another approach in the literature guides the "privileging" of order processing

convincing from the definitions of data processing (Art 4 Z 2), the person responsible

(Art 4 Z 7), the processor (Art 4 Z 8), the recipient (Art 4 Z 9) and the third party (Art
4 Z10). Both data transmission to the processor are disclosed

to a recipient, but no transmission within the meaning of Art 4 Z 2 takes place, as this indicates the existence

of a "third party" in accordance with Art 4 Z 10 and the processor is not such.

According to Art. 4 Z 9, the "recipient" is defined as "a natural or legal person, authority,

Institution or other body to which personal data is disclosed, independent

whether it is a third party or not [...]," defined. [...]

A third party iSd Art 4 Z 10 is a natural or legal person, authority, institution or

other body, apart from the data subject, the person responsible, the processor

and the persons who are under the direct responsibility of the person responsible or the
processors are authorized to process the personal data. - 23 -


"Receiver" can be understood as an umbrella term that includes all actors
The data subject itself includes, while the definition of "third party" includes a partial exclusion from the

includes the group of recipients in that, in addition to those affected, it also includes the (original)

Those responsible, the processors and those under their immediate
Authorized persons (e.g. employees or sub-processors) are not responsible

assigned to the group of third parties. Because the processor by definition

personal data only processed on behalf and is not a third party within the meaning of Art 4 Z 10, he is
fictitious an "internal" recipient who has no personal competence in using the

transmitted data and who is bound by instructions. Data processing can

therefore be evaluated as a uniform processing operation, for which only one
uniform legality check is required. This unified view is

permissible because the broad definition of the term processing in Art 4 Z 2 is not only isolated

individual processes, but also a series of processes. The justification of
Order processing follows accessory to the reason for permission of the underlying

Processing by the person responsible. The processor is due to the close

According to Art. 29, only the “alter ego” of the responsible person is bound by instructions
"extended arm".


This argument is also found in the Article 29 Working Party's Opinion on the
terms "controller" and "processor".

Support. The controller and the processor become

regarded as the "inner circle of data processing" and not as a third party. The legality
the data processing activity of the processor is determined by the order placed by the

responsible. The processor is ultimately functional with a

Comparable to employees of the person responsible, who differ from this through his
organizational autonomy differs: it is up to the person responsible

decide whether to carry out data processing within his organization or entirely

or partially delegated to external organizations.”

Similarly also Bertermann in Ehmann/Selmayr, DS-GVO2, K5 to 7 to Art 28:


"Therefore, only the understanding remains, order processing as a permissible means of

Processing to understand which is the controller under the premise of
Compliance with the requirements of Art. 28 may be used. If the processing itself after a

of the conditions specified in Art. 6 Para. 1 is lawful, the person responsible can
or use several processors according to his instructions. In this respect, it is significant

that the factually identical definition of "processing" in Art. 2d DS-RL and Art. 4 No. 2 DS- - 24 -


GMO as processing not only isolated individual processes, but also a series of processes
knows. Therefore, if processing is not considered at the micro level, but at the

At macro level, an order processing can be considered part of the processing

let understand. However, the prerequisite is always that a transmission only to
processors bound by instructions. Once a transmission to a third party

takes place, the framework of the permissible means of processing is breached and it is required

a separate legal basis for the transfer."

For the present case, this means against the background that a contract between the

involved party and the XXXX, in which the order is clearly defined

is (customer satisfaction surveys) that there is in any case a contractual relationship. The XXXX
became an "extended arm" and thus as a processor for the party involved

active. The order processing that has taken place is therefore part of the processing by the

To see the responsible persons themselves and the legality of the same according to Art. 6 DSGVO
check.


As the data protection authority correctly explains in the contested decision, the

involved party based on Art. 6 Para. 1 lit. c GDPR, according to which the processing for
Compliance with a legal obligation is required. This results from §§ 32 para.

3 and 6 para. 8 PMG, which on the one hand provide for the establishment of a complaints management system
and on the other hand to take appropriate measures to improve quality

of the services offered as part of the universal service, namely postal delivery

oblige. Likewise, the assessment of the data protection authority is to be followed,
that the disclosure of the complainant's name and telephone number to the

Processor was required within the meaning of the provision, namely to fulfill her order,

determining customer satisfaction.

The procedural processing of the personal data of the

Complainant was therefore lawful, which is why the dismissal of the complaint by the

Data Protection Authority in this regard was right.

2.3. Regarding point 3 of the contested decision: rejection of the application for

Imposition of a fine:


In his data protection complaint dated XXXX .2018, the complainant stated that §
62 Para. 1 Z 2 DSG, thus the regulation on the imposition of administrative penalties,

applicable is what the data protection authority in the contested decision as an application
imposed a fine on the party involved. - 25 -


In line with this, the complainant also referred to the

from his point of view, the admissibility of imposing an administrative fine against the
related party reference. There is therefore no doubt that the request of

complainant to the imposition of an administrative fine against the co-involved

party is directed.

However, as the data protection authority correctly explained in the contested decision, a

subjective right to initiate administrative penal proceedings against a

Responsible_nneither from Article 77 paragraph 1 GDPR nor from Article 24 paragraph 1 and 5 GDPR.
The principle of ex officio according to Section 25 (1) of the VStG applies. So basically

no one has a legal claim that someone for whatever reason in

prosecution is taken. The authority has both in the initiation and in the
Carrying out the administrative penal proceedings ex officio (cf. Fister in

Lewisch/Fister/Weilguni, VStG § 25 Rz 3f (as of May 1st, 2017, rdb.at)).


Administrative penal proceedings can therefore only be initiated by a person concerned
there is no entitlement to initiation.


The rejection by the data protection authority therefore also took place on this point

Law.

3. Since only legal questions had to be clarified in the procedure, according to § 24 para. 4

VwGVG to waive the holding of an oral hearing (VwGH,

09/19/2017, Ra 2017/01/0276).

Regarding B) Admissibility of the revision:


According to § 25a Abs. 1 VwGG, the administrative court in the ruling of its knowledge or

Pronounce a resolution as to whether the revision is permissible in accordance with Art. 133 Para. 4 B-VG. the
Statement must be briefly justified.


The revision is permissible according to Art. 133 Para. 4 B-VG because it is at the highest court

Case law, in particular on the qualification of the processor
Processor as an "extended arm" of the person responsible is missing.


It was therefore to be decided accordingly.