BVwG - W211 2261980-1

From GDPRhub
BVwG - W211 2261980-1
Courts logo1.png
Court: BVwG (Austria)
Jurisdiction: Austria
Relevant Law: Article 4 GDPR
Article 20 GDPR
§24 DSG
BV-G Art 133 Abs 4
Decided: 07.09.2023
Published: 05.10.2023
Parties:
National Case Number/Name: W211 2261980-1
European Case Law Identifier: ECLI:AT:BVWG:2023:W211.2261980.1.00
Appeal from:
Appeal to:
Original Language(s): German
Original Source: RIS (in German)
Initial Contributor: n/a

The Federal Administrative Court of Austria (Bundesverwaltungsgericht - BVwG) dismissed an appeal concerning the right to data portability under Article 20 GDPR in the case of an outdated app and ruled on the format of said data.

English Summary

Facts

The data subject concluded a contract with an app operator (the controller) in 2017 for the use of a health and fitness app, which she used until 2021. The data subject submitted a request for a transfer of her training data from 2020 in a structured, commonly used and machine-readable format by virtue of Article 20 GDPR.

The controller refused to do so because her request referred to an outdated version of the app which had been discontinued in the meantime, that is, the data were no longer synchronised to the servers of the controller and were only locally saved and processed on the data subject's device. Yet, the old app could still be used locally, hence, data processing only took place on the users' devices but the controller did not have access to the data and could thus not process them. Furthermore, users could access and download all of their training and health data from the website of the controlller, which the data subject did. The users were notified of this change in a sufficient way.

However, the data subject argued that she had not been properly informed of the changes regarding the processing and, as a layperson, she could not have known the difference. Furthermore, she pointed out that the "raw data" provided was not useable for the average user and that the controller kept processing her personal data because her contract with the controller had never been amended nor terminated.

The Austrian DPA (DSB) dismissed the complaint based on the fact that essentially no data was processed by the controller between 2020 and 2021 and thus Article 20 GDPR could not apply. Dissatisfied with the DSB's decision, the data subject filed an appeal with the BVwG, restating the arguments she had broguht before the DSB.

Holding

The BVwG held that after the date of the discontinuation, the data subject's training data was no longer saved and processed on the servers of the controller and data processing only continued on the device of the data subject through her own actions. Hence, the controller stopped processing the data subject's personal data from 2020 onwards. Accordingly, the BVwG held that the DSB had rightfully concluded that since the controller did not process personal data of the data subject between 2020 and 2021, the requirements for a right to data portability under Article 20 GDPR were not met.

The BVwG also held that the complaint regarding the contract itself does not fall under the authority of the DSB, as there is no processing of personal data contrary to the provisions of the GDPR, and a complaint regarding possible civil law obligations is to be referred to ordinary courts.

Further, the BVwG specified that the right to data portability under Article 20 GDPR does not require a "graphically attractive" presentation of the processed data and the questioned file format (JSON) does comply with the requirements of Article 20 GDPR, since it could be opened and displayed easily. Moreover, the BVwG clarified that Article 20 GDPR does not confer the data subject a right to choose the file format. As regards geographical data, the BVwG held that since no common format exists yet, the chosen format must be open, allow for the quality of data not to be hindered and allow the data subject to read and use the data by means of a pre-installed or easy to download app, which was the case here.

The court thus upheld the decision of the DSB.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details. 

Reasons for the decision:
I. Process:
1. In her complaint to the data protection authority (id “DSB”) dated XXXX .2021, the complainant (id “BF”) stated in summary that on XXXX .2021 she had submitted a request for data portability of her training data from XXXX .2020 to XXXX 2021 the now involved party (id “mP”), the operator of a running app. However, the mP refused to transfer the data on the grounds that this running app has now been discontinued. Despite repeated requests, the missing data was neither transferred to the new app nor was the requested data made available to the BF in a structured, common machine-readable format.
2. In a letter dated XXXX.2021, the mP commented on the data protection complaint and summarized that the BF had asked them to transfer sports activities recorded with an outdated and decommissioned app (XXXX) from their company to their new products contacted. The data to which the BF's request relates was recorded after XXXX.2020. The mP pointed out to the BF that the app had been discontinued on XXXX.2020 and that the application could still be used locally, but recorded data was no longer synchronized. Data processing only took place on the BF's cell phone. The mP never had access to the personal data in question and did not otherwise process it. The BF only exported its data from the app until XXXX.2020.
3. In a letter dated XXXX.2021, the mP took the position again and essentially stated that the BF never provided the data from XXXX.2020 to XXXX.2021 to the mP as the person responsible, and that the mP never processed this data. The mP does not have any app-specific terms and conditions or data protection regulations. All users were informed about the discontinuation of the “old” app via in-app notifications, push notifications and on the mP website. The campaign periods for the in-app notifications would have taken place on XXXX 2020, XXXX 2020 and XXXX 2020.
4. In a letter dated XXXX.2021, the BF replicated in summary and to the extent that it was procedurally relevant that it had concluded a contract with the mP in 2017 for the use of a health and fitness app, which is still valid. Therefore, they continue to process their data on this basis. There was never any change to the contract. The technical details of how this data would be processed (on a server or “locally”) could not or should not be known to the user of the app, and therefore also to the BF as a technical layperson.
The data that the mP processes regarding the BF was not made available in a common machine-readable format and was incomplete. In any case, the JSON and GPX file formats cannot be opened with a normal program and are therefore unusable for the average user. When exporting, the time periods are visible, but the data cannot be downloaded and used.
5. In a letter dated XXXX.2022, the mP commented for the third time and summarized, replicated and, to the extent that it was procedurally relevant, argued that it had not processed the BF's training data in the period XXXX.2020 to XXXX.2021. The BF was informed about the discontinuation of the app for XXXX 2021 by means of in-app notifications, push notifications and on the respondent's website.
Before XXXX.2020, there was a synchronization (processing) of the “data flow” for each recorded run with the mP servers. The relevant data would be displayed unchanged in the “new” application or could be transferred to it. As of December 14, 2020, there was no “data flow” between the app installed on the BF’s mobile phone and the mP servers or anything else within the mP’s sphere of influence.
The first log-in in the new app with the BF account took place on XXXX, 2021.
Synchronized data that is subsequently processed by the mP is generally exported in the JSON and GPX formats. JSON files could be opened with the “Editor” program (preinstalled on every Windows device) and with any other common word processing program. GPX is a common format for exchanging GPS data, which can be displayed, for example, with Google Maps or the Apple version “Maps”. It is a structured, common and machine-readable format.
6. In a letter dated XXXX.2022, the BF summarized and, to the extent relevant to the complaint, stated that an “in-app notification” about the discontinuation of the app was never visible to them. A person responsible cannot evade his or her obligations by actually no longer carrying out data processing, even though he or she is obliged to do so. There is no common and machine-readable format because it is essential for a data subject to be able to access and further process the data for their own purposes without technical hurdles or obstacles. The raw data provided does not provide any information content for the user.
7. In a decision dated XXXX 2022, the DSB dismissed the complaint and essentially stated that, based on the submissions of the BF and the mP, there was no processing of the BF's personal data within the meaning of the GDPR in the period from XXXX 2020 to XXXX. took place in 2021 through the mP. For the current period, the prerequisites for the exercise of the right to data portability within the meaning of Art. 20 GDPR by the mP were not met.
The BF exported its available personal data using a tool on the mP website. The format in which BF received its personal data was structured, common, machine-readable and interoperable, since, where there are no common formats for an industry or for a given context, personal data can be stored in commonly used open formats (such as XML, JSON or CSV) together with relevant metadata should be provided at the best possible level of granularity while maintaining a high level of abstraction. A data export does not have to have the same information content as the original representation of the data.
8. The BF lodged a timely complaint against this decision on XXXX 2022 and essentially reiterated the arguments it had already made to the DSB. The mP carried out processing (storage) during the relevant period (XXXX.2020 to XXXX.2021) and the GDPR or the right to data portability is in any case applicable. This activity data has not yet been transmitted. With regard to the provision of activity data from XXXX 2017 to date, it was further stated that the JSON file format is not a structured, common, machine-readable and interoperable format and that there was a violation of Article 20 GDPR. BF cannot view, use or transfer the files provided without the appropriate technical knowledge.
9. In a letter dated XXXX.2022, the authority concerned submitted the administrative act to the Federal Administrative Court, requested that the complaint be dismissed and referred to the reasons for the contested decision.
10. In a statement dated XXXX.2023 after the complaint notification, the mP referred to its previous submissions in the administrative procedure and requested that the complaint be dismissed as unfounded.
II. The Federal Administrative Court considered:
1. Findings:
1.1. The BF has been using an account with mP in relation to a health and fitness app since XXXX 2017 and has therefore had a contractual relationship with it based on the general terms and conditions since this date.
1.2. The XXXX was discontinued by the mP on XXXX.2020. From this point on, the recorded data was no longer synchronized with the mP servers. From this point on, the training data recorded via the app was only saved and processed locally on the BF's mobile phone.
1.3. The BF used the XXXX until XXXX .2021.
1.4. The BF requested that the mP transfer its activity data from XXXX .2020 and that all activity data since 2017 be made available in a structured, common and machine-readable format.
1.5. A data subject can access and download the processed activity data on the mP homepage.
1.6. BF made use of this option and received a data copy of its own data, which was processed by the participating party on its servers, in JSON or GPX format. Uploaded photos were exported as JPEG or GIF.
The JSON and GPX file formats can be opened and displayed easily and with little time on a computer using the pre-installed “Editor” application and the free Google Maps web application.
2. Assessment of evidence:
2.1. The findings on 1.1. – 1.5. arise from the administrative act submitted and the court file, in particular the data protection complaint or the BF's statements, the mP's statements and the screenshots of the files made available.
Insofar as the BF submits in its complaint that it is undisputed and undisputed that the mP stored and thereby processed the BF's training data, including in the period from XXXX .2020 to XXXX .2021, and that there is no argument to the contrary by the mP, It should be pointed out that the mP provides consistent and comprehensible reasons throughout the entire official procedure (see mP statements of XXXX .2021, XXXX 2021 and XXXX .2022) as well as in its statement of XXXX .2023, precisely between the XXXX .2020 and XXXX .2021 no longer have BF's data stored and processed: the app was discontinued and there was no longer any data transfer (= synchronization) from local use on the BF's mobile phone to the mP servers .
2.2. The statement on 1.6., 1st paragraph, is based on the BF's own submissions from XXXX.2021 (as part of the complaint to the DSB).
The finding that the JSON and GPX file formats can be opened and displayed with simple means and little time on a computer with the help of the pre-installed application “Editor” and the free web application Google Maps is based on the relevant information from the mP as well as on one Self-experiment by the presiding judge.
3. Legal assessment:
To A)
3.1. Legal basis (in excerpts):
Right to data transfer – Art. 20 GDPR
(1) The data subject has the right to receive the personal data concerning him or her that he or she has provided to a controller in a structured, commonly used and machine-readable format and he or she has the right to transmit these data to another controller without hindrance from the controller to whom the personal data was provided, provided that
a)       the processing is based on consent pursuant to Article 6(1)(a) or Article 9(2)(a) or on a contract pursuant to Article 6(1)(b) and
b)       processing takes place using automated procedures.
(2) When exercising their right to data portability in accordance with paragraph 1, the data subject has the right to have the personal data transmitted directly from one controller to another controller, to the extent that this is technically feasible.
(3) The exercise of the right referred to in paragraph 1 of this Article is without prejudice to Article 17. This right does not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
(4) The right under paragraph 2 may not affect the rights and freedoms of other persons.
Definitions – Art. 4 Z 2 GDPR
2. “Processing” means any operation or series of operations carried out with or without the aid of automated procedures in connection with personal data, such as collecting, recording, organizing, classifying, storing, adapting or changing, reading out, querying, the use, disclosure by transmission, distribution or other form of making available, alignment or combination, restriction, deletion or destruction;
Complaint to the data protection authority - Section 24 DSG
(1) Every data subject has the right to lodge a complaint with the data protection authority if he or she is of the opinion that the processing of personal data concerning him or her violates the GDPR or Section 1 or Article 2, 1st part.
(2) - (10) (…)
3.2. Explaining this from the comments (in excerpts):
According to the legal definition, the term “processing” consists of a general definition and a demonstrative list of different types of processing. Processing is therefore any process carried out with or without the help of automated processes relating to personal data or any such series of processes. According to the wording, it must be an executed process or a series of processes, whereby the requirement for execution indicates a consciously undertaken action. In addition, a series of processing operations are also included (Hödl in Knyrim, DatKomm Art 4 GDPR Rz 27 (as of December 1, 2018, rdb.at)).
Strictly speaking, Article 20 does not grant a right to transfer the data, but to release it. The prerequisite is that the data is processed on the basis of consent or a contract. The right includes receiving self-provided data in a structured, common and machine-readable format and, if necessary, transmitting it to another responsible person and also requesting direct transmission to another responsible person.
According to Article 20 Paragraph 1, the right to data portability includes four cumulative requirements: Firstly, it must be data that concerns the data subject. Secondly, the data subject must have provided the data themselves: this initially refers to the data that the data subject has actively and knowingly transmitted to the person responsible. In the opinion of the Article 29 Data Protection Working Party, the right also includes data that has arisen or been generated through the use of the controller's service or through observation, e.g. raw data such as log files, location and traffic data for telephony, bank details of incoming transfers , search histories, music playlists from a streaming service, order histories, data recorded by fitness trackers or a connected vehicle. Data derived or generated from inferences is no longer considered to have been provided within the meaning of Art 20 Paragraph 1. This refers to data that the person responsible has generated by processing the data provided - whether through linking (e.g. user profiles based on a Smart meters, health profiles). It is not the purpose of the right to data portability to authorize the data subject to appropriate third-party services. The further requirements for the right to data transfer are, thirdly, that the processing is based on consent or on a contract, and fourthly, that the person responsible uses automated procedures for processing.
According to Art. 20 Para. 1 GDPR, those affected have the right to receive the data in a structured, common and machine-readable format. Transmission via e-mail and/or SFTP, web portal, API interface, etc. can be considered, if necessary also offline via data carrier. The aim is that the data can be further processed with little effort, so that, for example, transmitting data from an email account as a PDF does not meet these requirements. The need for expensive licenses also stands in the way of interoperability. The provision of metadata at the best possible level of granularity will generally be necessary in order to preserve the meaning of the information. XML, JSON, CSV, HTML and ODF are particularly suitable formats. The Article 29 Data Protection Working Party recommends industry solutions for interoperable standards and formats (for the three paragraphs above, see Haidinger in Knyrim, DatKomm Art 20 GDPR (as of December 1, 2022, rdb.at)).
Jahnel refers to the fitness app XXXX as an example: this offers the user the opportunity to download the personal data provided by him and relating to him via the official website. The data is exported via the website using a download button. The dataset is provided in JSON format. The fitness app XXXX also provides two tools on its website for the user to obtain body and performance data. You can choose whether you want to download the data of a specific period or the entire account archive. The data sets are transmitted in CSV format (Jahnel, Commentary on the General Data Protection Regulation Art. 20 GDPR Rz 24 (as of December 1, 2020, rdb.at)).
Controllers are expected to transmit personal data in an interoperable format. However, other responsible parties are in no way obliged to support these formats. If there are no common formats for a given industry or context, controllers should provide personal data in commonly used open formats (such as XML, JSON or CSV) together with relevant metadata at the best possible level of granularity, while maintaining a high level of abstraction ( Art 29 Data Protection Group, Guidelines on the right to data portability, WP 242, rev. 01/16/DE, p. 16, available online at https://www.dsb.gv.at/dam/jcr:01ff1101-f5bf- 494b-a7d2-64392db10b78/Guidelines%20to%20right%20to%20data%C3%BCportability,%20pdf.pdf (08/25/2023)).
3.3. Application of the legal basis to the facts at hand:
3.3.1. In the complaint, the BF complains that the DSB overlooked the fact that simply storing personal data constitutes processing within the meaning of the GDPR and that this applies to its activity data from XXXX .2020 to XXXX .2021. The counter to this is that, as correctly determined by the DSB, the mP discontinued its application from XXXX .2020, and therefore no activity data or other personal data was transmitted to the mP from this point onwards. The corresponding data sets were stored and thus processed exclusively on the BF's end device through their own actions or inputs. The fact that these actions took place in the mP's software environment ( XXXX ) is not an indication that the mP carried out data protection processing: the app was installed on the internal memory of the BF's end device and started communicating from XXXX .2020 the servers or other channels of mP are no longer available. The BF therefore processed its own data on its own device and used a tool (XXXX) that displayed the data points it collected on a graphical interface.
The argument that there must be processing because the service contract concluded with the mP has never been changed or terminated is ineffective, since the administrative procedure before the DSB with a complaint in accordance with Section 24 (1) DSG only involves the processing of personal data contrary to the provisions of the GDPR, § 1 or Article 2 1st main part of the DSG can be combated by a responsible person. A possible civil law obligation to process personal data or provide an agreed service falls within the jurisdiction of the ordinary courts. The DSB is also correct in its assessment based on the contested decision that it is irrelevant to the question of whether data protection processing was carried out whether such processing should have been carried out due to contractual obligations.
In the contested decision, the DSB therefore rightly came to the conclusion that, in the absence of processing of the BF's personal data by the mP in the period from XXXX.2020 to XXXX.2021, the requirements for an obligation on the part of the mP to transfer data within the meaning of Art. 20 GDPR are not given.
3.3.2. The BF further complains in the decision complaint that, contrary to the DSB's legal assessment, the mP has only provided the activity data from XXXX .2017 to date incompletely and not in a structured, common, machine-readable and interoperable format.
With regard to the complaint that the data for the period between XXXX .2020 and XXXX .2021 is incomplete, reference is made to the justification given.
However, the BF's statements in the complaint cannot be followed insofar as it assumes that the DSB has taken the legal opinion that a data transfer in accordance with Article 20 of the GDPR may contain “less or inferior” information. The DSB correctly refers to the derivable information content of the data export. According to the comments presented above, this only records data actively provided by the data subject and those data that have arisen or been generated through the use of the service of the person responsible or through observation (distance, distance, time, etc.). The added value of the data processing by the person responsible or a correspondingly graphically attractive representation is not covered by the right to data portability.
According to undisputed allegations, the mP transmitted the “raw data” to the BF together with the data points it observed or generated. Metadata with a connection to a specific geographical position on the earth's surface (waypoints) was transmitted in the GPX file format and other metadata in the JSON file format. The fact that the transmission took place through an active action by the BF in a web portal (download) does not hurt, since according to unanimous opinion the wording of Article 20 Paragraph 1 GDPR “to receive” should not be interpreted too narrowly.
If the specific format of data transmission is in doubt, it should be noted that BF has no subjective right to choose a specific file format. The format simply has to correspond to the purpose of Article 20 GDPR, which is actually the case. It can be seen from the comments above that JSON is a widely used, common, structured and therefore interoperable file format.
Insofar as the complaint on this topic complains that the DSB, in its reference to Jahnel's comment, which specifically mentioned the XXXX app, omitted the fact that the data was also transmitted there in CSV format, it must be noted that the reference in Jahnel on CSV data concerns the fitness app XXXX, and not the XXXX app. Jahnel also explicitly mentions JSON as an apparently suitable file format in RZ 23 (see above or Jahnel, comment on the General Data Protection Regulation Art. 20 GDPR (as of December 1, 2020, rdb.at), RZ 23-24).
If there is not (yet) a uniform format for the area of geographical data or a controller is not forced to support a specific file format, a format commonly referred to as “open” must be used, while maintaining quality of the relevant data. This is particularly characterized by the fact that it can be opened and reused by a data subject without a (provider)-specific program. According to the findings made above and the assessment of evidence, this is exactly the case: the file formats used here can be read and used without much effort using pre-installed or easily available applications.
3.4. According to Section 24 Paragraph 1 VwGVG, the administrative court must conduct a public oral hearing upon request or, if it deems this necessary, on its own initiative. According to Section 24 Paragraph 4 VwGVG - unless otherwise provided by federal or state law - the administrative court can, regardless of a party's request, refrain from holding a hearing if the files show that the oral discussion does not lead to the expectation of further clarification of the case, and Neither Article 6 Para. 1 ECHR nor Article 47 CFR conflict with the cancellation of the hearing.
The parties did not request an oral hearing.
In the present case, the omission of an oral hearing can also be based on the fact that the facts for the assessment of the complaint have been clarified from the file in conjunction with the BF's submissions. The findings of fact were not substantiatedly challenged in the complaint. Neither did the facts need to be supplemented in any essential points, nor did they appear to be incorrect in any crucial points. In this case, the Federal Administrative Court therefore only has to rule on legal questions (cf. ECHR September 5, 2002, Appl. No. 42057/98, Speil/Austria). Even according to the jurisprudence of the Constitutional Court, an oral hearing can be omitted if the facts are undisputed and the legal question is not particularly complex (VfSlg. 17.597/2005; VfSlg. 17.855/2006; most recently VfGH June 18, 2012, B 155/12).
Regarding B) Inadmissibility of the appeal:
According to Section 25a Paragraph 1 VwGG, the administrative court must state in its ruling or decision whether the appeal is permissible in accordance with Article 133 Paragraph 4 B-VG. The statement needs to be briefly justified.
According to Article 133 Para. 4 B-VG, the appeal is not permissible because the decision does not depend on the resolution of a legal question that is of fundamental importance. There is no evidence of a fundamental significance of the legal question to be resolved.
The decision therefore had to be made in accordance with the verdict.
Retrieved from "https://gdprhub.eu/index.php?title=BVwG_-_W211_2261980-1&oldid=35629"
Creative Commons Attribution-NonCommercial-ShareAlike
Powered by MediaWiki