BVwG - W211 2231475-1
From GDPRhub
| BVwG - W211 2231475-1 | |
|---|---|
 | |
| Court: | BVwG (Austria) |
| Jurisdiction: | Austria |
| Relevant Law: | Article 4(2) GDPR Article 6(1)(c) GDPR Article 28 GDPR § 13(8) AVG § 25(1) VStG |
| Decided: | 20.10.2021 |
| Published: | |
| Parties: | anonymous DSB (Austria) |
| National Case Number/Name: | W211 2231475-1 |
| European Case Law Identifier: | ECLI:AT:BVWG:2021:W211.2231475.1.00 |
| Appeal from: | |
| Appeal to: | Unknown |
| Original Language(s): | German |
| Original Source: | Rechtsinformationssystem des Bundes (RIS) (in German) |
| Initial Contributor: | Heiko Hanusch |
The Federal Administrative Court held that the transmission of personal data from the controller to the processor does not need to be justified under Art. 6 GDPR because the processor is to be seen as a mere - dependent – extension of the controller.
English Summary
Facts
The data subject called the helpline of the Österreichsiche Post AG (Austrian Postal PLC). He gave his phone number to the employee with the request for a callback, thereby stating that he does not want the phone number to be given to a third party. Afterwards the data subject was called twice by a market research institute – the processor. The controller and the processor had concluded a processing-contract under Art. 28 GDPR.
The data subject filed a complaint with the DSB (Austria) arguing that the transmission of his data (name and phone number) to the processor was illegitimate since he literally expressed that he does not want his data to be given to a third party. During these proceedings the data subject amended their submission by also tackling the use of cookies by the controller.
The DSB dismissed the complaint.
Holding
The Federal Administrative Court (Bundesverwatungsgericht – BVwG) upheld the decision of the DSB.
The court determined that the processor is to be seen as a dependent extension of the controller (“verlängerter Arm”) (cmp. Art. 29 GDPR). If the processing of data is in accordance with Art. 6 GDPR, the controller is free to deploy a processor. As a result, the transmission of data from the controller to the processor itself does not need to be justified under Art. 6 GDPR.
In the case at hand, the court came to the conclusion that the processing of data by the controller - and therefore also the transmission to the processor - is justified under Art. 6(1)(c) GDPR. The controller in this case - the Österreichsiche Post AG - is obliged under national law (§§ 6(8), 32(3) PMG) to provide for a complaint management system to improve their services.
Besides, the court decided the amendment of the data subject’s complaint was inadmissible pursuant to § 13(8) AVG and a data subject has no subjective right to the initiation of administrative fine proceedings under the GDPR and according to § 25(1) VStG.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
Postal address:
Erdbergstrasse 192 – 196
1030 Vienna
Phone: +43 1 601 49-0
Fax: +43 1 711 23-889 15 41
Email: einlaufstelle@bvwg.gv.at
www.bvwg.gv.at
DECISIONS D A T U M
2 0 . 1 0 . 2 0 2 1
BUSINESS NUMBER
W 2 1 1 2 2 3 1 4 7 5 - 1/9 E
I M N A M E N D E R E P U B L I K !
The Federal Administrative Court recognizes through the judge Mag. Barbara SIMMA LL.M. as
Chair and the expert lay judge Margareta MAYER-HAINZ and the
expert lay judge Dr. Ulrich E. ZELLENBERG as assessor on the
Complaint by XXXX against the decision of the data protection authority of XXXX, Zl. XXXX in
closed session rightly:
a)
The complaint is dismissed as unsubstantiated.
b)
The revision is permissible according to Art. 133 Para. 4 B-VG. - 2 -
Reasons for decision:
I. Procedure:
1. With a data protection complaint dated XXXX .2018 (received at the data protection authority on
XXXX .2018), the complainant claimed a violation of the right to secrecy
according to § 1 and §§ 8 as well as 62 para. 1 Z 1 Data Protection Act (DSG) by the Austrian
Post AG (the involved party).
The complainant stated in summary that the party involved was in form
of a "company", but is de facto a state-owned company. At the postal customs office be on
XXXX received a letter in 2018 containing goods ordered by the complainant.
Due to irregularities in connection with the shipment, the
Complainant contacted the involved party's "hotline" on XXXX .2018. He has
left his cell phone number there with a request to call him back, which he also shared
expressly asked the party not to pass this number on to third parties under any circumstances.
He was expressly assured of this. He was then from the party involved
been called back and was able to fix the shipment.
On XXXX .2018 he was called by XXXX. Upon specific request from
Complainant, where XXXX got his phone number and his name from, was him
been informed by the caller that she was entitled to this by the party involved
received for survey purposes. On the same day he was contacted by another number
been made, whereby the caller had obviously suppressed the number display.
After hearing "Do you want to take part in a survey", he immediately hung up.
At no time did he give his consent to the disclosure of his name and his
Telephone number given, but expressly requested, his contact details not
to pass on. Nor is there any public interest. Since he is from the
If I had no knowledge of the data being passed on, an objection is also not possible
been. The complainant was therefore violated in his right under § 1 para. 1 DSG
been. In any case, § 61 Para. 1 Z 2 DSG is also applicable.
2. With a statement dated XXXX .2018, the party involved led to this
Data protection complaint that XXXX is a processor in
within the meaning of Art. 28 GDPR. Obtaining consent for the present - 3 -
Data transmission is therefore not necessary. The customer satisfaction survey is not
by employees of the party involved, but by an external company
Have been carried out. This ensures that the party involved does not
personal results of the survey. The data transmission is under
Compliance with all data protection regulations, in particular Art. 28 ff DSGVO,
However, the complaint was taken to cause the complainant to
Block future customer satisfaction surveys.
3. By letter dated XXXX .2018, the data protection authority requested the involved party
again for comment. In particular, the party involved was pointed out
pointed out that the mere fact that the company in question is
allegedly to be a processor, nothing about the legality of the
processing statement.
4. The involved party submitted in a statement dated XXXX .2019 that they
Postal service providers within the meaning of the Postal Market Act (PMG) and also
Universal service operator according to § 12 PMG. According to the one assigned to her
Among other things, she has obligations to set up a complaints management system,
to publish information about the quality of their services at least annually (§ 32
PMG), to show the regulatory authority, among other things, the number of complaints (§
6 Para. 7 PMG) and the universal service in terms of the needs of users
develop and through appropriate measures and suggestions to secure the supply
to contribute to the further development of the universal service with postal services (§ 6 Para. 8 PMG).
In order to adequately meet this obligation, the party involved has the
Postal customer service set up, which was also used by the complainant
may be.
So that the quality is further developed in accordance with the legal obligation and also
could be published, the survey of the users is the most suitable and
most recognized method. The survey itself will be considered by the XXXX
Processor carried out within the framework of the agreement under Art. 28 GDPR
act. Purposes and means are specified by the party involved, whereby the XXXX
nor can it be qualified as a third party within the meaning of Art. 4 Z 10 GDPR. In the sense of the
Data minimization only get the phone number and the name of the
interviewer to enable proper addressing. the to
interviewers would only be contacted once per case, and the - 4 -
survey can be declined at any time. If at all, only one could hardly do it
noticeable impairment.
If customers contact the postal customer service, they would
according to Art. 13 GDPR in the form of a taped announcement on the information on the topic
data protection on the website of the party involved. This
Information can be clearly inferred that appropriate surveys have been carried out
can become. Under point 3.2. of the website are market research institutes as possible
external service providers listed. When people post customer service
would contact, so be sure that they have the information in accordance with Art. 13 GDPR
would receive.
Between contacting Post Customer Service and being contacted by
the XXXX exists for a certain period of time, within which there are already contradictions
can be done. Participation in the survey is therefore voluntary and possible
be rejected at any time. Only when contacted by XXXX did he
Complainant lodged an objection, which is why no questioning
have taken place.
The establishment of customer service is based on a legal obligation. One
Questionnaire must be carried out to explain the complaints or to check the service
will. The survey is the most suitable and recognized or only method. In order to
the lawfulness of the data processing results from Art. 6 Para. 1 lit. c GDPR.
In addition, the party involved is also acting in the public interest, since the postal
Basic care including the associated quality check
/obligation to publish/obligation to improve had been transferred. Thus Art. 6 is also
Paragraph 1 lit. e GDPR relevant. In addition, Art. 6 Para. 1 lit. f
GDPR are used. The party involved does not act as an authority in the sense
the reason for exclusion. Interest in quality control
/obligation to publish/obligation to improve result from the legal requirements
PMG and is therefore legitimate. In this respect, there is a benefit for those involved
party as the responsible party, as they continuously ensure their service quality in accordance with the
legal requirements can be improved as well as a benefit for the general public than this
receive better basic care
viewed if this is for the perception of direct mail or advertising itself or
will also be tracked for processing for market research purposes. - 5 -
Likewise, this results from the basic right of entrepreneurial freedom (Article 16 of the GRC).
legitimate interest of the party involved, from their customers their assessment of the
To learn about complaint management in order to better
to be fair. Even without the existence of a legal obligation
the processing of personal data in question is therefore lawful. Only with the
The contact data used can be used to carry out a survey, with which the
processing was also necessary. The interest of the party involved and that
The interest of the general public in data processing outweighs the interest
of the complainant. In addition, the contact details are not particularly worthy of protection
Data.
The input was the agreement on order processing according to Art. 28 GDPR in copy
connected.
5. By letter dated XXXX .2019, the complainant made the following statement on the
Statements of the party involved: Initially, he wanted to add a "crass"
Inform the party involved of data misuse. The involved party uses on
Cookies and "spyware" that are not permitted on their website, especially since a direct
objection is not possible. This becomes more objective as a further objection
Complaint added.
For the opinion of the party involved, it can be stated that neither § 32 para.
6 PMG nor § 6 para. 7 and para. 8 PMG a justification for the transfer of data to third parties
contain. The argument of increasing efficiency would also include data transfer to third parties
not justify. In the course of his request, he received no information within the meaning of Art. 13
GDPR has been granted. It is irrelevant whether participation in the survey is voluntary
The subject of the complaint was the transfer of data to third parties. At no time did he
consent is given, whereby in particular a call to the "hotline" is not as such
can be rated. The market research company is not subject to the supervision of
with the party involved
The contract concluded is not applicable in the present case, as it explicitly allows data to be passed on
have objected. It would also have to be clarified whether the contract per se is moral and
be illegal.
6. With the contested decision of XXXX, the data protection authority rejected the
Privacy complaint regarding the illegal setting of cookies
(Point 1.). In addition, she dismissed the complaint as unfounded (paragraph - 6 -
2.). The complainant's application for a fine was granted
rejected (point 3.)
The data protection authority explained insofar as essential that the letter of the
Complainant from XXXX .2019 on the basis of the proceedings
Complaint submission of XXXX 2018 regarding the illegal setting of cookies
represents a significant change in the application within the meaning of Section 13 (8) AVG, which is why the
arguments to that effect had to be rejected. However, it was taken as an opportunity
been asked to initiate a separate complaints procedure.
In the present case, the "passing on" of the personal data of the
complainant by the party involved to the market research institute. the
Subsequent customer satisfaction requests from this company have the complaint case
of the complainant and is therefore exclusively in the interest and in the
Order of the involved party takes place. The pursuit of one's own purposes
Market research company was never intended, which means that a
independent responsibility of the market research company is to be denied. the
the present "passing on" is therefore one that can be attributed to the party involved
data processing.
The complainant's data was not transmitted or disclosed to "third parties",
but within the meaning of Art. 28 GDPR by the market research institute on behalf of
involved party has been processed as agreed. A right to that
responsible persons do not use any processors, does not exist. the
On the one hand, the involved party is obliged to do so due to the provisions of the PMG
to set up a complaints management system and, on the other hand, to ensure the quality of the
Universal service, ie postal delivery, services offered by suitable
Measures to improve, and thus to take certain measures. Even if
of the involved party in these regulations no concrete measure and also none
certain data processing is ordered, should not be subject to the legislature
that he gives the party involved the possibility of data processing
want to withdraw, because otherwise the provision would be meaningless.
The handling of a complaint from a customer and the
The quality assurance measures to be carried out are without name and contact address
unthinkable if the data required for this should not be processed. At - 7 -
Name and contact option there is no doubt that the data processing in
given minimal scope is also required.
Finally, it was stated that a subjective right to initiate a
Administrative penal proceedings against specific persons responsible under Art. 77 Para. 1 DSGVO or §
24 para. 1 and 5 DSG cannot be derived, and the principle of expediency according to § 25 para.
1 VStG applies. Administrative penal proceedings can therefore only be carried out by a person concerned
be suggested, there is no entitlement to initiation.
7. In the complaint, which was raised within the time limit, the complainant went so far
summarized here essentially that the data protection complaint the disclosure of
data to third parties. It is completely irrelevant whether this transfer
based on private law contracts or other agreements.
The fundamental right to data protection is a constitutionally protected legal interest, which is not
can be overridden by private law contracts. It is also irrelevant
whether the data protection authority wants to see a third party as an "extended arm" or not.
At the request of the involved party's hotline, the complainant only
Otherwise processing is not possible, his (former) telephone number was announced,
this with the express note not to pass the same on to third parties. The two
Companies that ultimately receive these phone numbers and the complainant
contacted are market research companies whose business purpose is the survey
of customer requests for advertising purposes. It is not clear in what way
Advertising company could be useful for quality assurance. §§ 6 and 32 PMG would also offer
no indication that the involved party is thereby authorized to use customer data
to pass on to third parties.
Art. 28 para. 2 GDPR stipulates that processors must not
Processors without prior separate or general written consent
permission of the person responsible. Sohin be the
Passing on of the data to an advertising company in any case without a basis under data protection law
he follows. There is therefore a violation of data protection by the party involved,
since this without consent within the meaning of Art 7 GDPR and contrary to an explicit request by the
complainant's data to a third-party company.
In the contested decision, the complaint regarding the inadmissible setting of
Cookies have been rejected. With the same date, however, the Data Protection Authority
issue an order to remedy defects with a deadline without delivery, which - 8 -
could have been followed, since the matter had been discussed immediately. It
there is therefore already a violation of the AVG insofar as no hearing of the parties is granted
had been. The use of cookies falls under the term data processing,
as well as under the term data transfer. It is therefore incorrect if the
Data Protection Authority believes the use of cookies by the affiliated party
would not be included in the content of the complaint.
Moreover, the question of an administrative fine is not addressed in the contested decision
followed up, reflecting the unwillingness of the Data Protection Authority to deal with certain
make things clear again.
II. The Federal Administrative Court considered:
1. Findings:
1.1. The complainant contacted due to delivery issues related
with a postal item on XXXX .2018 the "hotline" of the party involved. left there
he left his cell phone number with a request to call him back, stating that he was the party involved
expressly requested not to pass this number on to third parties under any circumstances.
On XXXX .2018 the complainant was called by XXXX. On concrete
The complainant asked where the XXXX got his telephone number and his name
have, he was informed by the caller that she was from the involved
party received for survey purposes. On the same day, the complainant was
contacted another number for survey purposes, with the caller using the
had suppressed caller ID. The complainant ended that call immediately,
after his interlocutor had asked if he wanted to take part in a survey.
1.2. The following contract was concluded between the party involved and XXXX on XXXX .2018
completed (reproduced in excerpts):
"AGREEMENT ON ORDER PROCESSING according to Art. 28 GDPR
concluded between
XXXX (hereinafter "Responsible")
and
XXXX
XXXX (hereinafter "processor")
1. Subject of the agreement - 9 -
a) The area of responsibility of the processor includes conducting surveys
of all kinds and as required, but in particular the implementation of the regular
ongoing survey of "satisfaction with Swiss Post customer service".
In the context of this contract, “personal data” includes such
to understand personal data that the person responsible dem
processors within the framework of the contract described in more detail above
or the processing of which is assigned to the processor in that contract.
b) Categories of personal data and categories of data subjects are processed
Persons according to Annex 1.
2. Processor Obligations
a) The processor undertakes to process personal data and
Processing results exclusively within the framework of the written (e-mail
sufficient) to process orders from the person responsible. All
Data processing activities take place exclusively in a member state of
European Union instead.
b) The processor is not authorized to process personal data of the
disclosure to third parties without the written consent of the person responsible. So far
the processor is obliged to do so by law
to inform the person responsible immediately in advance.
c) The transfer of personal data to third parties, to which no legal
obligation of the processor exists, sets a written (e-mail
sufficient) order of the person responsible.
d) Processing of personal data for the company's own purposes
Processor may only be used with the prior written consent of the
responsible.
e) The processor undertakes to maintain data secrecy and
declares in a legally binding manner that he is responsible for all data processing
has obligated persons to maintain confidentiality before starting the activity or these
are subject to an appropriate statutory obligation of confidentiality. He has
all persons entrusted with data processing are obliged to
Data provided to them solely because of their professional activity
be entrusted or accessible, without prejudice to other statutory provisions
To keep confidentiality obligations secret, unless legally permissible
There is a reason for the transmission/disclosure of the data. In particular, the remains
Confidentiality obligation of the persons responsible for data processing
even after they have finished their job or left the company
Processor upright.
f) The Processor declares in a legally binding manner that it has all the necessary
Measures to ensure the security of processing in accordance with Art. 32 GDPR
has taken. The processor assures that the data described in Appendix 2 and
selected, risk-appropriate, technical and organizational - 10 -
have taken and will continue to take action to
personal data against accidental or unlawful destruction and against
to protect against loss as well as their proper processing and the
Ensure non-accessibility for unauthorized third parties. The Processor
undertakes to implement the technical and organizational measures in the above
Keeping it up to date with the latest technology and looking for technical progress or
to update or adapt to a changed threat situation.
g) The processor ensures that the person responsible respects the rights of the
data subject according to Chapter III of the GDPR (information, access, correction
and deletion, data portability, objection and automated
Decision-making in individual cases) and taking into account the Austrian
Federal law for the protection of natural persons during processing (DSG idgF)
within the statutory deadlines at any time, leaves the
responsible for all the necessary information and supports them in the process
Fulfillment of related obligations to the best of our ability. Will a corresponding
Application, with which the rights of the data subject are asserted, to the
Processor directed and it is evident from the content of the application that the
Applicant mistook the application processor for the person in charge of his
processing activity carried out for the person responsible, the
Processor to forward the request to the person responsible immediately
and this to the applicant, stating the date of receipt of the
to communicate the application.
h) The processor supports the person responsible in complying with the regulations
Articles 32 to 36 DSGVO mentioned obligations (data security measures, reports
of personal data breaches to the supervisory authority,
Notification of a Personal Data Breach
data subject, data protection impact assessment, prior consultation).
best efforts. In particular, the processor undertakes to
those responsible immediately, but no later than within 36 hours of this
Notice to notify of data breaches.
i) The processor is informed that he has a processing directory
has to be set up in accordance with Art. 30 Para. 2 GDPR.
j) The processor undertakes to provide the person responsible with that information
to provide the means to monitor compliance with this Agreement
mentioned obligations are necessary. In particular, the
Processor, the person responsible immediately upon request
appropriate written evidence of the implementation and effectiveness of the in Annex 2
to transmit the technical and organizational measures described. Over
At the request of the person responsible, the declaration of the
Protection of data secrecy regarding the person who is presented with the
execution of the order is entrusted.
k) With regard to the processing, the person responsible is given the
personal data granted the right, even by qualified and for
Employees sworn to secrecy or by a professional secrecy - 11 -
obligated person (court-certified expert etc.)
Processor to check the correctness of the data processing
Announcement to check. This during normal office hours and in coordination
with the data protection officer of the processor or another person responsible for
person responsible for data protection.
The data protection officer/responsible for data protection at
Processor is:
Mr. Mrs
XXXXXXX
l ) After completion of the order, the processor is obliged to
responsible for all processing results and documents that
contain contractual personal data; of that
The storage of the data left to the processor remains unaffected
personal data and processing results to the extent and as long as this is for
to guarantee its services.
After the warranty period has expired, the processor has all
to delete contractual personal data or to post them
Request of the person responsible before carrying out the deletion
keep. This applies in particular if the processor is to another
Storage of personal data not due to mandatory legal requirements
provisions is required.
At the request of the controller, the processor confirms the
data erasure in writing.
If the processor processes the personal data in a special
technical format processed, he is obliged to post the personal data
Completion of the order either in this format or at the request of the
Responsible in the format in which he received the personal data from
person responsible or in another common format
to release.
m) The processor must inform the controller immediately if he
is of the opinion that an instruction of the person responsible violates
EU or Member State data protection regulations.
3. Sub-processors
a) The processor is without the prior written consent of the
Controller not entitled to use a sub-processor.
b) In the event of written consent, the processor closes the
necessary agreements within the meaning of Art. 28 Para. 4 GDPR with the sub-
processor. It must be ensured that the sub-processor
enters into the same obligations as the processor based on this
agreement. The processor has the responsible person
Override of the obligations under the present agreement upon request
to be documented at any time. - 12 -
c) If the sub-processor does not meet his data protection obligations, he is liable
the processor towards the person responsible for compliance
Obligations of the sub-processor.
d) The person responsible gives his consent to the use of the information in Annex 3
named sub-processor.
4. Duration of Agreement
□ The term of the agreement is based on the contract mentioned in point 1a).
x The agreement is concluded for an indefinite period and can be changed by either party
be terminated in writing with a notice period of three months to the end of the month. the
The possibility of termination without notice for important reasons remains unaffected.
In this respect, a data protection service provider agreement between the contracting parties
in relation to the main service described in more detail in the contract referred to in point 1a),
already exists, it is determined by the present agreement on a
Order data processing replaced.
5. Miscellaneous Provisions
a) All disputes arising from and in connection with this contract
Austrian law, to the exclusion of the UN sales law and conflict of laws
provisions. For all disputes, this will be factual and for XXXX Vienna
locally competent court agreed.
b) Only what has been agreed in writing is binding; there are no oral ones
ancillary agreements. Changes and additions to the agreement require their
validity of the written form; this also applies to a waiver of the formal requirement
writtenness.
c) All rights and obligations arising from this agreement are transferred to any
Legal successors of both contracting parties.
d) The parties agree to the conclusion of this agreement and its content
to be treated confidentially. This does not apply to the extent that a party in accordance with the provisions
of the present agreement or due to legal obligation to
disclosure of this Agreement or any content thereof. This applies,
insofar as the present agreement does not contain any conflicting provisions
contains and there are no legal obligations to provide information.
e) Processor undertakes (i) that its legal representatives,
Employees and employed and/or commissioned subcontractors to all
applicable legal provisions in connection with anti-
comply with anti-corruption regulations and (ii) take appropriate measures to prevent the
Ensure compliance with anti-corruption regulations. A breach of anti-
Corruption regulations entitle the person responsible - without prejudice to others
Right of withdrawal and termination - for extraordinary termination without notice
agreement and to assert any claims for damages. - 13 -
f) Should any provision of this agreement be invalid or ineffective or
become, the contracting parties will agree a valid or effective
Set a provision that will invalidate or ineffective provisions
economically closest.
The invalidity or ineffectiveness of individual provisions has no effect
on the validity or effectiveness of the entire contract.
g) This contract is drawn up in two originals, of which each contracting party has one
receives.
h) Appendices 1, 2 and 3 are considered to be an integral part of the contract.
[...]"
The processed data categories are included in the annex to the present contract
“Personal master data” (e.g. first and last name) and “contact data” (e.g.
telephone number) mentioned. The affected persons are employees and
called customers. The order processing contract also contains
technical and organizational measures, including confidentiality and integrity.
1.3. The complainant sent a letter dated XXXX .2019 to the
The data protection authority also provides that the party involved also unlawful
set cookies on their website and filed a privacy complaint to that effect.
2. Evidence assessment:
The findings result from the file in connection with the arguments of the parties,
in particular from the contract submitted between the party involved and XXXX
dated XXXX .2018, and are not disputed.
3. Legal assessment:
to A)
1. Section 1 of the Federal Act on the Protection of Natural Persons in Processing
personal data (Data Protection Act - DSG) reads (in excerpts):
(constitutional provision)
fundamental right to data protection
§ 1. (1) Everyone has, in particular with regard to respect for his private and
family life, right to confidentiality of personal data concerning him
Data insofar as there is a legitimate interest in it. The existence of such - 14 -
Interestisexcludedifdataduetotheirgeneralavailabilityorbecause
due to their lack of traceability to the person concerned, no claim to secrecy
are accessible.
(2) Insofar as the use of personal data is not in the vital interest
of the person concerned or with his consent, limitations of the right to
Confidentiality only to protect overriding legitimate interests of another
permissible, in the event of interference by a state authority only on the basis of laws that
from the in Art. 8 para. 2 of the European Convention for the Protection of Human Rights and
Fundamental Freedoms (EMRK), Federal Law Gazette No. 210/1958, are necessary. such
Laws prohibit the use of data that, by their nature, deserve special protection,
only provide for the protection of important public interests and must at the same time
appropriate guarantees for the protection of the confidentiality interests of the persons concerned
determine. Even in the case of permissible restrictions, the encroachment on the fundamental right may in each case
only be undertaken in the mildest, most effective way.
[...]
The relevant provisions of Regulation (EU) 2016/679 of the European
Parliament and Council of April 27, 2016 on the protection of natural persons in the
Processing of personal data, the free movement of data and the cancellation of the
Directive 95/46/EG (General Data Protection Regulation), read (in excerpts):
Article 4 Definitions For the purposes of this Regulation, the term means:
1. “Personal Data” any information relating to an identified or
identifiable natural person (hereinafter "data subject"); as
identifiable is a natural person who directly or indirectly, in particular
by association with an identifier such as a name, an identification number
location data, an online identifier or one or more specific
characteristics expressing the physical, physiological, genetic, psychological,
economic, cultural or social identity of this natural person are identified
can be;
2. “Processing” any operation carried out with or without the aid of automated processes
or any such series of operations involving personal data such as that
Collecting, capturing, organizing, arranging, storing, adapting or
Modification, reading, querying, use, disclosure by
transmission, distribution or any other form of provision, comparison or
linking, restriction, deletion or destruction; - 15 -
3rd – 6th […]
7. "Responsible person" the natural or legal person, authority, institution or other
Body alone or jointly with others on the purposes and means of processing
of personal data decides; are the purposes and means of this processing
stipulated by Union law or the law of the Member States, the
Responsible person or can use the specific criteria according to his designation
provided for by Union law or the law of the Member States;
8."Processor" means a natural or legal person, public authority, agency or
another entity that processes personal data on behalf of the controller;
9. […]
10. “Third party” means a natural or legal person, public authority, agency or other body,
other than the data subject, the controller, the processor and the
Persons who are under the direct responsibility of the person responsible or the
processors are authorized to process the personal data;
11th – 26th […]
Article 6 Lawfulness of processing
(1) The processing is only lawful if at least one of the following
conditions are met: [...]
c) the processing is necessary for compliance with a legal obligation imposed by the
Controller is subject to; [...]
(2) Member States may have more specific provisions adapting the application
the provisions of this regulation in relation to processing to comply with paragraph 1
Maintain or introduce subparagraphs c and e by providing specific requirements for the
Processing as well as other measures more precisely to determine a lawful and according
ensure fair processing, including for others
special processing situations according to Chapter IX.
(3) The legal basis for the processing pursuant to paragraph 1 letters c and e
set by
a) Union law or
b) the law of the Member States to which the controller is subject. - 16 -
The purpose of the processing must be specified in this legal basis or in relation to the
Processing pursuant to paragraph 1 letter e may be necessary for the performance of a task that
is in the public interest or in the exercise of official authority which
responsible has been transferred. This legal basis may have specific provisions
to adapt the application of the provisions of this regulation, among others
Provisions on what general conditions for the regulation of
Lawfulness of the processing by the controller apply, what types of data
are processed, which persons are affected, to which institutions and for which
Purposes the personal data may be disclosed, what purpose they
are subject to how long they may be stored and what processing operations and
procedures may be applied, including measures to ensure a
lawful and fair processing, such as for others
special processing situations according to Chapter IX. Union law or the law of
Member States must pursue an objective in the public interest and in a
proportionate to the legitimate purpose pursued. [...]
Article 28 Processors
(1) If processing is carried out on behalf of a person responsible, then this person only cooperates
Processors who offer sufficient guarantees that appropriate technical and
organizational measures are carried out in such a way that the processing is in accordance with
the requirements of this regulation and the protection of the rights of the persons concerned
person guaranteed.
(2) The processor will not take on any other processor without prior approval
separate or general written approval of the person responsible. in the
In the event of general written approval, the processor will inform the
always inform those responsible about any intended change in relation to the addition or
the replacement of other processors, giving the controller the option
entitled to object to such changes.
(3) Processing by a processor is based on a contract
or any other legal instrument under Union law or the law of the
Member States that control the processor in relation to the controller
binds and in the subject and duration of the processing, type and purpose of the processing,
the type of personal data, the categories of data subjects and the obligations
and rights of the person responsible are defined. This contract or this other
Legal instrument provides in particular that the processor
a) the personal data only on documented instructions from the controller —
also with regard to the transfer of personal data to a third country or a - 17 -
international organization — processed, unless required by Union or EU law
Member States to which the processor is subject is obliged to do so; in one
In such a case, the processor shall notify the controller of these legal
Requirements prior to processing with, provided that the relevant right such notice
not prohibited because of important public interest;
b) ensures that those authorized to process the personal data
Persons have committed to confidentiality or an appropriate statutory
are subject to a duty of confidentiality;
c) take all measures required under Article 32;
d) the conditions for using the services referred to in paragraphs 2 and 4
of another processor;
e) in view of the nature of the processing, the person responsible, if possible with suitable ones
technical and organizational measures to fulfill its obligation to
Responding to requests to exercise the rights referred to in Chapter III
comply with the data subject;
f) taking into account the type of processing and those available to him
Information to those responsible for compliance with the provisions of Articles 32 to 36
supports the above obligations;
g) after completion of the provision of the processing services, all personal data
either deletes or returns at the discretion of the person responsible, unless after the
Union law or the law of the Member States an obligation to store the
personal data exists;
h) provide the controller with all the necessary information to demonstrate compliance with the
provides the obligations set out in this Article and reviews —
including inspections - carried out by the controller or another of the controller
commissioned auditors are carried out, enables and contributes to this.
With regard to subparagraph 1 letter h, the processor informs the
Responsible immediately if he believes that an instruction against this
Regulation or against other data protection regulations of the Union or the
violates Member States.
(4) If the processor engages the services of another processor
Right to request certain processing activities on behalf of the controller
to be carried out, this further processor will be assigned by way of a contract or - 18 -
another legal instrument under Union law or the law of the person concerned
Member State imposes the same data protection obligations as those in the Treaty or others
Legal instrument between the controller and the processor in accordance with
Paragraph 3 are set, whereby in particular sufficient guarantees are offered for this
must ensure that the appropriate technical and organizational measures are implemented in this way
that the processing is carried out in accordance with the requirements of this regulation.
If the other processor does not meet his data protection obligations, he is liable
first processor towards the person responsible for compliance with the obligations
that other processor.
(5) - (6) [...]
The relevant provisions of the Postal Market Act (PMG) are (excerpts):
universal service
term and scope
§ 6. (1) - (7) [...]
(8) The universal service operator is obliged to provide the universal service in accordance with the needs
further developed by users and through appropriate measures and
Proposals for securing the supply of postal services and for the further development of the
contribute to universal service. In this context, in particular longer
Opening hours, better accessibility and all possibilities of securing the location,
especially by third-party post offices.
(9) […]
Obligations of Postal Service Providers
§ 32. (1) - (2) [...]
(3) Postal service providers have to set up a complaints management system so that users
and users can raise disputes or complaints.
(4) - (5) [...]
(6) Postal service providers shall have comparable, appropriate and up-to-date information at least annually
Information on the quality of their services, in particular the transit times of those carried
postal items using the methodology specified by ÖNORM EN 13850
publish and the regulatory authority at their request prior to publication
in paper form and electronically processable form. - 19 -
2. Application of the legal bases to the present complaint:
The object of the complaint is the question of whether the party involved
thereby violated the right to secrecy by providing the contact details of the
Complainant (name and cell phone number) to the XXXX, from which this
Data was subsequently used for the purposes of a customer satisfaction survey.
2.1. Regarding point 1 of the contested decision: Rejection of the
Data protection complaint about illegal setting of cookies:
In the contested decision, the data protection authority stated that the entry of the
Complainant from XXXX .2019 on the basis of the proceedings
Complaint of XXXX .2018 regarding the illegal setting of cookies
represent a significant change in the application within the meaning of Section 13 (8) AVG and therefore this
arguments to that effect should be rejected. However, the input was taken as an opportunity
been asked to initiate a separate data protection complaints procedure.
According to § 13 para. 8 AVG, an application change is only permissible if this changes the matter
its essence is not changed, the legislature the vagueness of this
consciously accepted the turn. However, the AB emphasize the ease of change of the
law, so that in case of doubt there is no change in the application that would change the nature of the application
to go out.
However, an application change should then affect the essence of the matter and therefore continue to do so
in any case be inadmissible if it is not actually a matter of changing the
original application, but a new, "different project" if that
The project thus acquires a different quality in the light of the material laws to be applied
(see Hengstschläger/Leeb, AVG § 13 Rz 45 (as of January 1st, 2014, rdb.at)).
In the present case, the original data protection complaint dated XXXX .2018, the
relates exclusively to the violation of the right to secrecy through the transmission of the
contact details of the complainant to the XXXX and the use of the same by
obtained this for the purpose of a customer satisfaction survey by entering the XXXX
2019, which the unlawful setting of cookies by the involved party to
The subject matter was a significant change in the application within the meaning of Section 13 (8) AVG. The
additional, cookies-related, submissions of the complainant in his statement of
XXXX .2019 affects the essence of the subject of the proceedings insofar as it is related to the
complaint of XXXX 2018 was presented as going far beyond this - 20 -
and a new, different, supplementary submission and thus a new - different -
subject of the complaint.
Against this background, the data protection complaint was rejected
the setting of cookies by the data protection authority.
In the light of the fact that in relation to the additional - new -, submissions regarding cookies
of the complainant by the data protection authority opened a further procedure
moreover, there is no lack of legal protection in relation to this complaint.
2.2. Regarding point 2 of the contested decision: Rejection of the
Privacy Complaint Regarding the Alleged Violation in the Right to
Confidentiality according to § 1 DSG:
The complainant submitted in the privacy complaint that the intervening party
unlawfully gave his name and phone number to a "third party" who is XXXX ,
passed on and thus violate confidentiality obligations.
A name and phone number are indisputably
personal data of the complainant according to Art. 4 Z 1 DSGVO, which also according to Art. 4
Z 2 GDPR were processed (i.e. transmitted, provided).
The question therefore arises whether the data processing carried out by XXXX for
Customer Satisfaction Survey constitutes processing by third parties.
In Art. 4 Z 10 GDPR, the processor is expressly excluded from the concept of third parties
exempt. Art. 4 Z 8 GDPR in turn defines the term processor.
And a responsible person is characterized by the fact that she alone or together with
others about the purposes and means of processing personal data
decides (Art. 4 Z 7 GDPR).
In the present case, the party involved determines the purposes and means of the
Processing, as can be seen from the submitted by her, with the XXXX on XXXX .2018
concluded contract results.
Art. 28 GDPR then regulates the specific processing by a processor.
Regarding the question of privileging the examination of the lawfulness of the processing
by the processor compared to other data processing is in the - 21 -
Literature The following stated [cf. on the following paragraphs Bogendorfer in Knyrim,
DatKomm Art 28 GDPR margin nos. 23 - 28 (status 1.10.2018, rdb.at)]:
“A comparable distinction in relation to the data flows between the different
Actors in data processing as in DSG 2000 and correspondingly clear privileges
does not include the GDPR. It summarizes all processing steps in a flat rate and without further
Differences in the definition of "processing" in Art 4 Z 2 together and understands
including “any operation performed with or without the aid of automated processes, or
any such series of operations related to personal data such as collecting,
collecting, organizing, arranging, storing, adapting or
Modification, reading, querying, use, disclosure by
transmission, distribution or any other form of provision, comparison or
association, restriction, deletion or destruction”. lack of differentiation
within the very broad disclosure options mentioned in Art 4 Z 2 (transmission,
dissemination or other form of provision) and in the absence of inclusion of the
Order processing in the canon of the legal basis according to Art. 6 and 9
the question of whether the "privileging" of the data flow between the person responsible and the
Processor has ceased to exist and there is now a legal basis for this
got to. However, the majority of opinions in the literature see this differently
Interpretation approaches differently and considers its own justification for the
Data transfer to the processor still not required for:
It is argued that Art 28 can be understood as an independent power norm.
On the other hand, it is critically noted that types 6 and 9 have a final character
and no indication of the possibility of expanding what is standardized there
canons of legality exist.
Based on a systematic and teleological view, [...] in the literature
rightly noted that Art 28 is geared precisely to the fact that when
processing process, there is a close bond between the controller and the processor
is produced, for which as compensation there is a "release" from the requirement of
existence of a legal basis should take place. The Disclosure
personal data by transmission iSd Art 4 Z 2 therefore only mean the transfer
to third parties within the meaning of Art 4 Z 10 and not to every recipient. The risk of losing control of
Articles 28 and 29 do not specify who is responsible. The same thing pursued with the GDPR - 22 -
If a
legal basis cannot be achieved.
From systematic considerations it is argued that the requirement for a
Legal basis of data flow between a controller and a
Processor puts the processor on an equal footing with a controller
would effect, whereas Art 28 para. 10 with the decision attribution
Purpose and use of means of data processing (see margin nos. 6 and 8).
The approach that data processing by a processor on the basis of a
Balancing interests according to Art. 6 Para. 1 lit f is permissible, can be used as an argument for a
"privileged" data flow between controller and processor
convince, since there is already a separate legality check of the data transmission
the processor takes place. From a practical point of view, it is used for non-sensitive data
regularly be correct that the balancing of interests the legality of the
Data flow to the processor results. For special personal information
Art 9, however, there is no possibility of weighing up interests, which is why in these cases
order processing is then not possible without special justification in accordance with Article 9
is. A linguistic approach that Art 28 as a general weighing up of interests also in the case of special
The GDPR does not indicate whether personal data can be evaluated.
Another approach in the literature guides the "privileging" of order processing
convincing from the definitions of data processing (Art 4 Z 2), the person responsible
(Art 4 Z 7), the processor (Art 4 Z 8), the recipient (Art 4 Z 9) and the third party (Art
4 Z10). Both data transmission to the processor are disclosed
to a recipient, but no transmission within the meaning of Art 4 Z 2 takes place, as this indicates the existence
of a "third party" in accordance with Art 4 Z 10 and the processor is not such.
According to Art. 4 Z 9, the "recipient" is defined as "a natural or legal person, authority,
Institution or other body to which personal data is disclosed, independent
whether it is a third party or not [...]," defined. [...]
A third party iSd Art 4 Z 10 is a natural or legal person, authority, institution or
other body, apart from the data subject, the person responsible, the processor
and the persons who are under the direct responsibility of the person responsible or the
processors are authorized to process the personal data. - 23 -
"Receiver" can be understood as an umbrella term that includes all actors
The data subject itself includes, while the definition of "third party" includes a partial exclusion from the
includes the group of recipients in that, in addition to those affected, it also includes the (original)
Those responsible, the processors and those under their immediate
Authorized persons (e.g. employees or sub-processors) are not responsible
assigned to the group of third parties. Because the processor by definition
personal data only processed on behalf and is not a third party within the meaning of Art 4 Z 10, he is
fictitious an "internal" recipient who has no personal competence in using the
transmitted data and who is bound by instructions. Data processing can
therefore be evaluated as a uniform processing operation, for which only one
uniform legality check is required. This unified view is
permissible because the broad definition of the term processing in Art 4 Z 2 is not only isolated
individual processes, but also a series of processes. The justification of
Order processing follows accessory to the reason for permission of the underlying
Processing by the person responsible. The processor is due to the close
According to Art. 29, only the “alter ego” of the responsible person is bound by instructions
"extended arm".
This argument is also found in the Article 29 Working Party's Opinion on the
terms "controller" and "processor".
Support. The controller and the processor become
regarded as the "inner circle of data processing" and not as a third party. The legality
the data processing activity of the processor is determined by the order placed by the
responsible. The processor is ultimately functional with a
Comparable to employees of the person responsible, who differ from this through his
organizational autonomy differs: it is up to the person responsible
decide whether to carry out data processing within his organization or entirely
or partially delegated to external organizations.”
Similarly also Bertermann in Ehmann/Selmayr, DS-GVO2, K5 to 7 to Art 28:
"Therefore, only the understanding remains, order processing as a permissible means of
Processing to understand which is the controller under the premise of
Compliance with the requirements of Art. 28 may be used. If the processing itself after a
of the conditions specified in Art. 6 Para. 1 is lawful, the person responsible can
or use several processors according to his instructions. In this respect, it is significant
that the factually identical definition of "processing" in Art. 2d DS-RL and Art. 4 No. 2 DS- - 24 -
GMO as processing not only isolated individual processes, but also a series of processes
knows. Therefore, if processing is not considered at the micro level, but at the
At macro level, an order processing can be considered part of the processing
let understand. However, the prerequisite is always that a transmission only to
processors bound by instructions. Once a transmission to a third party
takes place, the framework of the permissible means of processing is breached and it is required
a separate legal basis for the transfer."
For the present case, this means against the background that a contract between the
involved party and the XXXX, in which the order is clearly defined
is (customer satisfaction surveys) that there is in any case a contractual relationship. The XXXX
became an "extended arm" and thus as a processor for the party involved
active. The order processing that has taken place is therefore part of the processing by the
To see the responsible persons themselves and the legality of the same according to Art. 6 DSGVO
check.
As the data protection authority correctly explains in the contested decision, the
involved party based on Art. 6 Para. 1 lit. c GDPR, according to which the processing for
Compliance with a legal obligation is required. This results from §§ 32 para.
3 and 6 para. 8 PMG, which on the one hand provide for the establishment of a complaints management system
and on the other hand to take appropriate measures to improve quality
of the services offered as part of the universal service, namely postal delivery
oblige. Likewise, the assessment of the data protection authority is to be followed,
that the disclosure of the complainant's name and telephone number to the
Processor was required within the meaning of the provision, namely to fulfill her order,
determining customer satisfaction.
The procedural processing of the personal data of the
Complainant was therefore lawful, which is why the dismissal of the complaint by the
Data Protection Authority in this regard was right.
2.3. Regarding point 3 of the contested decision: rejection of the application for
Imposition of a fine:
In his data protection complaint dated XXXX .2018, the complainant stated that §
62 Para. 1 Z 2 DSG, thus the regulation on the imposition of administrative penalties,
applicable is what the data protection authority in the contested decision as an application
imposed a fine on the party involved. - 25 -
In line with this, the complainant also referred to the
from his point of view, the admissibility of imposing an administrative fine against the
related party reference. There is therefore no doubt that the request of
complainant to the imposition of an administrative fine against the co-involved
party is directed.
However, as the data protection authority correctly explained in the contested decision, a
subjective right to initiate administrative penal proceedings against a
Responsible_nneither from Article 77 paragraph 1 GDPR nor from Article 24 paragraph 1 and 5 GDPR.
The principle of ex officio according to Section 25 (1) of the VStG applies. So basically
no one has a legal claim that someone for whatever reason in
prosecution is taken. The authority has both in the initiation and in the
Carrying out the administrative penal proceedings ex officio (cf. Fister in
Lewisch/Fister/Weilguni, VStG § 25 Rz 3f (as of May 1st, 2017, rdb.at)).
Administrative penal proceedings can therefore only be initiated by a person concerned
there is no entitlement to initiation.
The rejection by the data protection authority therefore also took place on this point
Law.
3. Since only legal questions had to be clarified in the procedure, according to § 24 para. 4
VwGVG to waive the holding of an oral hearing (VwGH,
09/19/2017, Ra 2017/01/0276).
Regarding B) Admissibility of the revision:
According to § 25a Abs. 1 VwGG, the administrative court in the ruling of its knowledge or
Pronounce a resolution as to whether the revision is permissible in accordance with Art. 133 Para. 4 B-VG. the
Statement must be briefly justified.
The revision is permissible according to Art. 133 Para. 4 B-VG because it is at the highest court
Case law, in particular on the qualification of the processor
Processor as an "extended arm" of the person responsible is missing.
It was therefore to be decided accordingly.
