BVwG - W214 2225733-1

From GDPRhub
Revision as of 19:35, 10 August 2022 by Sharalie (Links to the GDPR Articles)
Court: BVwG (Austria)
Jurisdiction: Austria
Relevant Law: Article 5 GDPR
Article 12 GDPR
Article 14 GDPR
Article 32 GDPR
Article 57 GDPR
Decided: 09.12.2021
Published:
Parties:
National Case Number/Name: W214 2225733-1
European Case Law Identifier:
Appeal from: Datenschutzbehörde (DSB)
Zl. DSB-123.957/0003-DSB/2019
Appeal to:
Original Language(s): German
Original Source: RIS (in German)
Initial Contributor: Sara Horvat

The data controller, a private company, published online a database containing personal data, which it had collected from a public database of a federal ministry.

English Summary

Facts

The data subject filed a complaint with the Austrian DPA, claiming that such processing could mislead users and distort competition, because only those who paid would be placed in a better position, and it would not be indicated that the position was paid for. There was no option for user comments and ratings, or any other way to obtain a better position on the list than buying one by paying the additional fee. A new database and the processing connected with it were also not necessary, since a database maintained by the federal ministry already existed. Moreover, the commercial interests of the data processor did not override the fundamental rights of the data subject, and the data subject could not have expected his data to be processed in this way.

The data subject did not consent to this kind of data processing and demanded that it stop. Furthermore, he claimed that the services of the data processor offered no additional value or advantage: his potential customers could not reach him more easily, nor did they gain any informational advantage compared with the database of the federal ministry where the data was primarily stored. There were also no legitimate interests of the data processor that would allow the processing on the basis of Article 6(1)(f) GDPR, nor any other legitimate reason for processing the personal data. The data subject also claimed a violation of Article 14 GDPR, since the information about the processing was provided only after the processing had already started and was also poor in content. Upon notice, the data processor supplemented the privacy statement.

The data controller claimed that its undertaking did not pursue solely commercial interests, but was also in the interest of the general public, since it was a specialized search engine that made it possible to search for a therapist. This fact would give the undertaking of the data processor an additional value, which would override the interest of the data subject and legitimize the data processing under Article 6(1)(f) GDPR.

In its decision, the DPA weighed the interest of the general public in being informed and the commercial interest of the data processor, and could not find that either of these interests outweighed the other. Because the data had already been made public by the ministry and belonged to the sphere of the data subject's professional life, the DPA also did not hold that the interest of the data subject outweighed the interest of the data processor. Furthermore, the DPA held that a data subject who did not pay additional fees did indeed have a commercial disadvantage compared with those who paid and were placed in a better position in the search results, but there were alternative ways to get the same information (e.g. the list from the ministry), so this kind of disadvantage could not be taken into account.

The DPA held in its decision that the information given to the data subject did not fulfill the requirements of Article 14(1)(c) GDPR (deficiencies in the content of the privacy statement), since the information was too vague and left too much room for interpretation. The data controller did not define in which cases the personal data of the data subject was processed on the basis of which specific legal obligation, so that it would be clear which processing would be allowed under Article 6(1)(f) GDPR.

The DPA's decision was brought to court by the data controller.


Holding

The court held that the data subject's right to informational self-determination and freedom of occupation took precedence over the interests of the data controller. The fact that the personal data originated from a publicly accessible source did not change this. The general assumption of the non-existence of a violation of confidentiality interests worthy of protection for permissibly published data was not compatible with the provisions of the GDPR. The repeated publication of data that had already been published was also not permissible in any case; on the contrary, even if the personal data had been published on the internet, it could not be assumed that they could be further processed for all possible purposes. The resulting inadmissibility of the processing of the complainant's personal data thus led to a violation of his right to confidentiality under section 1(1) of the FADP, since his personal data had been processed for purposes other than those for which they were intended.

The data controller also failed in its duty to provide information under Article 14 GDPR, since he had informed the data subject in writing by letter about the inclusion in the online directory, but the letter itself did not contain any information pursuant to Article 14 GDPR. The controller referred in its letter to the data protection statement on its website, which constituted an impermissible media disruption. Furthermore, he failed to provide the information in a timely manner, therefore the court held him responsible for a violation of Article 14 GDPR. Irrespective of this, the privacy policy statement found on the website was also insufficient in content to comply with the information obligations under Article 14 GDPR, as it was far too general, completely vague, non-transparent, and partly inaccurate.

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

Decision date

09.12.2021

Norms

AVG §74
B-VG Art133 Para.4
DSG §1
DSG §24
GDPR Art12
GDPR Art14
GDPR Art32
GDPR Art5
GDPR Art57
GDPR Art58
GDPR Art6
GDPR Art77
GDPR Art83
VwGVG §28 paragraph 2

Ruling

W214 2225733-1/17E

IN THE NAME OF THE REPUBLIC!

The Federal Administrative Court, through the judge Dr. Eva SOUHRADA-KIRCHMAYER as chairwoman and the expert lay judges Mag. Huberta MAITZ-STRASSNIG and Mag. Claudia KRAL-BAST as assessors on the complaint of XXXX, represented by XXXX Rechtsanwälte GmbH, against the decision of the data protection authority of August 19th, 2019, Zl. DSB-123.957/0003-DSB/2019,

a)

A1) decided:

The motion to oblige the respondent to reimburse the costs of the complaint within 14 days, otherwise execution, is rejected.

A2) rightly recognised:

Furthermore, the complaint is dismissed as unfounded in accordance with Section 28 (2) of the Administrative Court Procedure Act, Federal Law Gazette I No. 33/2013 as amended (VwGVG).

b)

The revision is not permitted according to Art. 133 Para. 4 B-VG.

Text

Reasons for decision:

I. Procedure:

1. In his complaint dated December 21, 2018 (improved with a brief dated February 5, 2019) addressed to the data protection authority (DSB, authority before the Federal Administrative Court), the complainant alleged a violation of Section 1 (1) DSG in conjunction with Art Violation of the right to information according to Art. 14 GDPR applies. In summary, it was submitted that the complainant was XXXX and XXXX "XXXX. The party involved (respondent in the proceedings before the relevant authority), XXXX, runs an online directory of XXXX and XXXX in training under the domain XXXX, based in Austria. XXXX the Federal Ministry XXXX has to keep a XXXX with first and last name, academic degree, job title, additional title and place of work (with postal address, telephone number and e-mail address) and this list is freely accessible to everyone under XXXX. The party involved creates its own directory of personal data of all XXXX in Austria, using the XXXX of the Ministry. The party involved does not obtain the consent of XXXX, but only confronts them after they have already been included in their online directory by sending a standardized advertising letter explaining the entry that has been made and to further fee-based entry packages for the purpose of highlighting and prioritization or other design options. The complainant's personal data was also published in the XXXX directory and the standardized advertising letter was sent to him. The complainant had never consented to the publication of his personal data on the website cited, he even expressly rejected it. The data processing of the involved party is inadmissible due to a lack of justification, there is no legitimate interest of the involved party or a third party within the meaning of Art. 6 Paragraph 1 lit. f GDPR, since the data processing is a purely commercial activity of the involved party act. 
The added value of the participating party's online directory is reduced by the possibility of purchasing fee-based listing packages. The online directory does not make it easier for XXXX to contact private users, nor does it add any information to the Ministry's XXXX. On the contrary, users are misled and competition is distorted. It is therefore not necessary to keep this online directory as a second, parallel list to that of the Ministry. In addition, the interest of the involved party in the data processing does not outweigh the fundamental rights and freedoms of the data subjects, since there is no reasonable expectation that personal data from a state-run list would be processed for the purpose of achieving commercial interests of a private company. In addition, the procedure of the involved party also constitutes an encroachment on the freedom to work under Article 6 StGG, since the complainant would suffer a competitive disadvantage if he did not decide to purchase an additional package. Finally, it should be noted that the party involved with its online directory is also in breach of fair competition and professional ethics. In any case, the complainant's right to informational self-determination and freedom of employment takes precedence over the interests of the party involved. The fact that the personal data came from a publicly accessible source does not change that. The general assumption that there is no violation of confidentiality interests worthy of protection for legitimately published data is not compatible with the provisions of the GDPR. The repeated publication of data that has already been published is not in any case permissible, but (quite the contrary) even if the personal data has been published on the Internet, it cannot be assumed that it may be further processed for all possible purposes. 
The resulting inadmissibility of the processing of the complainant's personal data thus ultimately led to a violation of his right to secrecy under Section 1 (1) DSG, since his personal data had been processed inappropriately.

The involved party also violates the information obligations under Art. 14 GDPR. In the present case, the party involved informed the complainant in writing by letter that it had been included in the online directory. However, the letter itself did not contain any information pursuant to Art. 14 GDPR, rather the party involved referred in its letter to the data protection declaration on its website, which constitutes an inadmissible media disruption. In addition, the provision of information by letter including a reference to the data protection declaration on the website was delayed within the meaning of Art. 14 DSGVO. The data processing by the involved party is also inadmissible in the absence of information (due to media disruption) under Art. 14 GDPR. Irrespective of this, the data protection declaration that can be found on the website of the party involved is also not sufficient in terms of content to comply with the information obligations under Art. 14 DSGVO, as it is far too general, completely vague and non-transparent and partly incorrect. In addition, the imposition of an effective, proportionate and dissuasive penalty is requested.

Attached to the data protection complaint was an excerpt from the register of associations as of December 21, 2018 for association "XXXX (enclosure ./A), excerpts from the website of the party involved XXXX (enclosure ./B and ./H), excerpts from the search mask or XXXX of the website XXXX of the Federal Ministry XXXX (Enclosure ./C), further excerpts from the website of the involved party XXXX and the website XXXX .at of the Federal Ministry for XXXX (Enclosure ./D), the standardized sales letter of the involved party (Enclosure ./E), a letter of formal notice from the legal representative of the complainant dated November 2nd, 2018 (enclosure ./F), a letter of reply from the party involved dated November 7th, 2018 and a letter of reply from the legal representative of the party involved dated November 12th, 2018 (enclosure ./G), an affidavit by a student Complainant's Legal Counsel (Supplement ./I), a printout of the Code of Conduct for XXXX (Supplement ./J), a printout of the Policy for XXXX on the Behavior in public (advertising guidelines, enclosure ./K) and a printout of the data protection declaration of the party involved from the website XXXX (Enclosure ./L).

2. At the request of the authority concerned, the party involved submitted a statement through its legal representative on April 10, 2019 and initially stated that the private association " XXXX ", XXXX was the complainant, filed a complaint with the Commercial Court of Vienna, including an application for the issuance of an injunction filed against the party involved and its managing director. With a decision dated February 13, 2019, GZ XXXX, the Vienna Commercial Court dismissed the plaintiff’s request for security in its entirety and determined from a legal point of view that the data processing of the party involved was permissible under data protection law and that there was no violation of professional and fair competition law. The proceedings were based on the same allegations as in the complaint at issue. However, due to the conflict with XXXX, the complainant was removed from the platform on January 8, 2019 and his personal data was deleted.

The managing director and shareholder of the party involved is XXXX XXXX. Due to his professional know-how as a digital project manager and critical comments from colleagues from the therapeutic environment, he came to the realization that the existing XXXX did not correspond to the current technical and conceptual status and that a new system would offer significant added value and contribute to easy access could contribute to patient information. The project was launched in September 2018 when the party involved sent the letter Enclosure ./E by post to all XXXX who were entered in the list maintained by XXXX. The mailings had a predominantly positive response, but the party involved immediately complied with every change and deletion request. The involved party bases the processing on legitimate interests within the meaning of Art. 6 (1) lit. f GDPR. The interests of the party involved (and the public) are legitimate, the platform of the party involved serves to provide the public with information about XXXX and to establish contact between the XXXX and the users of the platform. The generally available personal data of XXXX would be processed in order to operate this platform within the scope of the corporate purpose of the party involved. The interest in operating and marketing this platform is justified. The object of the company or the business concept is in accordance with the applicable law, is presented to the XXXX several times - with different degrees of detail depending on the information interest - and there is a need for such a platform. Contrary to the statements of the complainant, it is completely irrelevant whether the interests pursued are (also) commercial in nature or whether the interests pursued are also pursued by another person responsible. Legitimate interests would include any interest covered by law, including gainful employment. 
Irrespective of this, the interests pursued by the party involved are not of a purely commercial nature, since they are aimed at providing the public with information about XXXX and practicing XXXX. Such resonating interests of the public could also be legitimate interests within the meaning of Art. 6 Para. 1 lit f GDPR and even give the legitimate interests “more weight”. In addition to the legal irrelevance, it is also incorrect that - as the complainant claims - the goals and purposes that the party involved is pursuing with the platform are already fully achieved by the list of the BM XXXX, and the added value of the platform reduce the ability to purchase advanced listing packages for a fee. The added value of the platform was also recognized in the decision of the Vienna Commercial Court of February 13, 2019, GZ XXXX. The interests pursued by the party involved would also have fundamental rights implications. On the one hand, they are an outgrowth of the freedom of expression and information according to Article 11 GRC and Article 10 ECHR, which also includes factual information from legal entities - it is completely legitimate to make the (already public) data of XXXX available on the platform. On the other hand, they are a result of entrepreneurial freedom in accordance with Art. 16 GRC (or also the freedom to work in accordance with Art. 6 StGG), in the sense of freedom of economic activity. Since free entries are also listed as relevant on the platform, the complainant's allegation that it is only possible to successfully establish contact with those interested in therapy services with regard to XXXX, who have purchased an additional package that is subject to a fee, is unfounded. There is no misleading of users or distortion of competition. The data processing is necessary to achieve legitimate interests. In order to achieve the goals and purposes that the platform aims to achieve, it is necessary to process the (public) personal data of XXXX. 
There would be no more lenient means of achieving the interests pursued. There is also no predominance of the complainant's (or other XXXX's) interests or fundamental rights and freedoms. Since the legitimate interests of the party involved would inevitably also include the interests of the public and, moreover, also result from certain fundamental rights of the party involved (freedom of expression, entrepreneurial freedom, etc.), they would carry particular weight, in the event of non-processing there would be economic disadvantages for the involved party would arise and the public would be deprived of a useful and important information tool, the personal data would come from the XXXX to be kept XXXX, they are therefore "generally available" within the meaning of § 1 Para. 1 DSG and as such public, which is the case with the A weighing of interests in favor of the person responsible must be taken into account, the data is also purely job-related and not sensitive within the meaning of Art. 9 DSGVO or otherwise susceptible to abuse, the complainant is not a person who is particularly worthy of protection, especially with regard to the data that is being processed et would be (purely job-related public data), compared to other common platforms, the data would be processed very cautiously, the platform in question, for example, does not allow users to rate XXXX, does not show any advertising from other XXXX on XXXX profiles, etc. The complainant failed to recognize that the data in question was public, generally available data and that the justified expectations with regard to further publication could therefore only be extremely low. In the case of data that – as here – must be published by law and must be kept public for the duration of the professional activity, data subjects could not reasonably assume that they would not be published again. Obtaining personal data from public sources is legitimized in the GDPR. 
This must apply in particular if the re-publication - as here - (also) takes place in the interest of the public and, moreover, in a factual manner on a technically relevant website. There is no contradiction to the original purpose of publication, since the public's interest in information is also the priority on the platform. In addition, there is a clear recognition and expectation from patients that operators of search platforms can process the necessary data. Since search platforms are common, socially recognized forms of appearance, this also means that XXXX , XXXX etc. do not seriously expect that their job-related data will not be processed on such platforms. No negative consequences for the complainant and XXXX are to be expected, rather positive consequences could result (influx of patients due to increased internet presence). The involved party offers the persons concerned an opt-out "without ifs and buts", regardless of the motives and regardless of whether in the specific case there is a legal obligation to stop data processing/delete the data in accordance with Art. 21 or 17 DSGVO existed, the party involved has so far complied with every request for deletion immediately (usually already on the day after the request). In summary, the data processing in question could therefore be based on the legal basis of legitimate interests pursuant to Article 6 Paragraph 1 lit f GDPR and there was no legal need to obtain the consent of the complainant (or other XXXX persons appearing on the platform).

The party involved also did not violate the information requirements of the GDPR. The data processing is legitimately based on Art. 6 Para. 1 lit f GDPR, the consent of the XXXX concerned is not required, which is why the information does not have to be provided at the time the data is collected. In this case, despite being made available on the Internet, there is no case in which information should have been provided at the latest at the time of the first disclosure, since the data had already been disclosed to the same extent and for the same potential recipients on the Internet - namely on the Internet retrievable XXXX of the BM XXXX - and therefore no disclosure within the meaning of Article 14 (3) (c) GDPR. In addition, the exception provision of Art. 14 Para. 5 lit b GDPR (disproportionate effort) applies. In view of the large number of XXXX, it would have required a disproportionate effort to physically attach the data protection declaration. The most important information according to Art. 14 GDPR and a link to the data protection declaration could already be found in the letter itself, which is why the provision of the information on the Respondent's website fulfills the information obligations of Art. 14 GDPR. The information obligations would also be fully met in terms of content, the data categories, recipients in other EU countries and the storage period would be sufficiently named. Even if one were to assume a breach of information obligations in accordance with Art. 14 GDPR, this would not result in the illegality/inadmissibility of the data processing according to the prevailing doctrine, since the data processing is based on a legitimate interest in accordance with Art. 6 (1) lit f GDPR and not based on the consent of the data subject. 
Nevertheless, the involved party complied with the request of the authority concerned and sent the complainant a detailed information letter in which it informed him that his personal data had been deleted, were no longer processed on the platform of the involved party and that he was informed in more detail than previously informed about the previous processing of his data. In addition, and also without thereby admitting a violation of the information obligations of Art. 14 DSGVO, the party involved has revised the data protection declaration on its website in order to make data processing on the platform even more transparent by providing even more detailed information.

Attached to the statement are excerpts from the website of the involved party XXXX, enclosures ./1 and ./8), an excerpt from the website XXXX on mobile use of the Internet (enclosure ./2), the FAQ for XXXX on the website of the involved party (Enclosure ./3), the terms and conditions of the website of the party involved (enclosure ./4), a press release from the party involved dated October 15, 2018 (enclosure ./5), an information letter to the complainant dated April 10, 2019 (enclosure ./ 6), the updated data protection declaration of the party involved (enclosure ./7) and the decision of the Vienna Commercial Court of February 13, 2019, GZ XXXX (enclosure ./9).

3. The authority concerned informed the complainant in a letter dated April 19, 2019 of the status of the proceedings, sent him the statement of the party involved dated April 10, 2019 and explained that they had to do with the alleged violation of the right to information in accordance with Art. 14 GDPR (not in the right to secrecy according to § 1 DSG) within the meaning of § 24 para. 6 DSG through the reaction of the respondent considers the complaint to be irrelevant. If the complainant does not justify within a period of two weeks from receipt of this letter in the context of the hearing of the parties in accordance with § 45 para. 3 AVG why the originally alleged infringement (information in the sense of Art. 14 DSGVO) is at least partially still considered not to have been remedied the authority concerned will informally discontinue the procedure in this regard.

4. The complainant then submitted an opinion on May 9, 2019 and stated that, contrary to the legal opinion of the party involved, the ECJ took the view that the complete and legally compliant provision of information to the data subject was a prerequisite for the lawfulness of the data processing. This applies all the more to those cases in which information is already indicated at the time of data collection, which is particularly the case when the person responsible for data protection collects data in order to prepare or implement a contract with the data subject and the data subject carries out the data collection could prevent an expression of will, or if the collection of data could only be based on consent. Exactly this applies to the present case, since the party involved wrote to XXXX (and thus also to the complainant) in a letter without being asked and offered them (him) the booking of fee-based extended entries or fee-based packages. Even if the view were to be taken that the party involved had subsequently remedied the violation of the information obligation pursuant to Art. 14 GDPR by sending an information letter and thereby held the complainant harmless, the alleged violation of the right to information obligation of the person responsible must still be dealt with in the present proceedings because the breach of the duty to provide information plays an important role in the argumentation of the inadmissibility or lack of lawfulness of the data processing. Finally, and notwithstanding the previous statements, the information about the data processing up to 08.01.2019 is still insufficient in terms of content for several reasons. Point 3 of the new data protection declaration does not indicate in which cases which of the specific legal bases mentioned should be applied and the general reference to the "relevant legal obligations" is insufficient; rather, these should be specifically named. 
As a result, the alleged violation of the right to information pursuant to Art. 14 GDPR cannot be regarded as irrelevant and the proceedings in this regard can be discontinued informally; the complainant therefore also considers his complaint for the reasons set out with regard to the violation of the respondent’s right to information pursuant to Art. 14 GDPR.

5. With the decision now under appeal, the authority concerned upheld the complaint regarding the alleged violation of the right to information within the meaning of Article 14(1)(c) (deficiencies in the content of the subsequently submitted data protection declaration) (point 1.) and supported the involved party to provide the complainant within a period of four weeks, otherwise execution, with a) the information pursuant to Article 14(1)(c) in such a way that it is clear in which cases the complainant's personal data was processed on the basis of which specific legal obligation and b) to provide the information pursuant to Article 14(1)(c) in such a way that it is clear in which cases the complainant's personal data were processed on the basis of the permission of Article 6(1)(f) (point 2 .). Otherwise, the complaint was dismissed (paragraph 3) and the complainant's application for the initiation of criminal proceedings against the party involved was rejected (paragraph 4).

The authority concerned initially stated that the subject of the complaint was the question of whether the party involved had violated the complainant's right to secrecy by removing his personal data from the public domain under the domain XXXX without his consent or the consent of the BM XXXX accessible list of the XXXX of the BM XXXX registered in Austria in their platform, which is publicly accessible under the domain XXXX, and published it in their online directory and whether the information in question was delayed or not legally compliant in terms of content according to Art. 14 GDPR Data processing was inadmissible and the complainant's right to secrecy was violated as a result.

The authority concerned established, among other things, that the complainant practiced as XXXX and was included in the list of registered XXXX published by the Federal Ministry for XXXX (BM XXXX) under the domain XXXX. This list is kept in pure text form, is not responsive (accordingly not optimized for use on mobile devices) and does not contain any information about additional training, main areas of work, health insurance billing and free places. The party involved operates a service and information portal relating to XXXX under XXXX, in which an XXXX directory is embedded (this can be accessed free of charge by website visitors), whose basic data on the entered XXXX , including that of the complainant, from the list of the BM XXXX (without the prior consent of the persons concerned and the BM XXXX ). The platform of the party involved is optimized for mobile devices (responsive). In contrast to the BM XXXX list, it contains a search function with only one form field and a detailed search with additional filters. In the directory of the party involved, additional information about the therapists would already be displayed in the free version (e.g. focus of work, job titles, methods used, additional training, health insurance statements and foreign languages). It is not possible to evaluate and comment on the individual XXXX on the platform of the party involved. In order to obtain advantages in relation to the online directory (in particular priority in the search results or special emphasis on one's own entry), the party involved sells the entered XXXX additional (fee-based) packages. In September 2018, the Respondent sent a (standardized) letter to the Complainant regarding the launch of the platform, which was the first contact between the party involved and the Complainant in this regard. By April 9, 2019 at the latest, the (personal) data of the complainant were no longer in the online directory of the party involved. 
In addition to the Respondent's platform, there are other options (websites, information points, etc.) to obtain information about XXXX registered in Austria.

In the matter, the authority concerned initially stated that Section 1 (1) DSG should be interpreted restrictively in the light of the provisions of Union law, so that generally available data were not ipso facto excluded from the scope of data protection regulations. Rather, the processing of this data also requires justification within the meaning of Article 6 (1) GDPR. In the present case, the party involved had taken over the basic data of the complainant as XXXX entered in the list of the BM XXXX in their online directory. The complainant had not used any of the fee-based extensions, so his entry was merely a reproduction of the data sets from the BM XXXX list. The complainant's entry therefore did not represent any "informational added value". The party involved based the data processing in question on legitimate interests within the meaning of Article 6 (1) (f) GDPR. The result of this balancing of interests is also decisive for the question of whether there has been a violation of the right to secrecy or whether the legitimate interests of another within the meaning of Section 1 (2) DSG would outweigh the complainant's interests in secrecy. Two different types of interests are inherent in the processing of the complainant's personal data by the involved party. Firstly, the collection, storage and publication of the complainant's personal data in the online directory of the involved party serves a business interest of the involved party. Secondly, it should not be ignored that the data processing of the party involved also serves an information interest of third parties, namely all persons who want to find out about XXXX registered in Austria, especially since access to the online directory is free for website visitors and the Respondent's website is more innovative than the list of the BM XXXX. This interest is not taken less into account because a list in this regard has already been published by another body.
No unjustified interests could be seen in these two interests (nor with regard to any breaches of fair trading law or a lack of approval on the part of the BM XXXX). Based on the list of the BM XXXX, in which the data of the registered XXXX, including that of the complainant, had already been published, the interests of the party involved in the data processing should not be given significantly more weight than would be the case without the consequent public interest, but due to the innovative preparation and the (also in the free version) additional content options, an increased initial weighting of the interests of the involved party by the resonating interests of the public can be assumed. In addition, due to the legally required publication of his data, the complainant had to reckon with the fact that this data would be used further. The personal data recorded in the list of the BM XXXX and taken over by the respondent for the "free entry" were definitely to be assigned to the "professional sphere" of the complainant and were also published in the list of the BM XXXX to be publicly maintained after XXXX ("generally available"). It is therefore relatively less sensitive personal data. Accordingly, with regard to this data, a significantly reduced initial weighting of the complainant's interest in secrecy can be assumed.
From the manner of the data processing in question, it can be deduced that the complainant (who, according to the findings, did not purchase a paid expansion package and, unlike other customers of the party involved who have purchased such packages, is not (particularly) highlighted or ranked first in the search display in the online directory of the respondent) could be disadvantaged in search queries. However, it should also be mentioned here that, in addition to the online directory of the party involved, other information offers exist, such as the list of the BM XXXX, research using common search engines, or corresponding information centers, so that this disadvantage should be rated as minor in the context of the balancing of interests. Finally, there is no unequal balance of power between the party involved and the complainant and the complainant is not a particularly vulnerable person. In summary, it can be said that the party involved did not infringe the complainant's right to secrecy.

With regard to the possible inadmissibility of the data processing of the involved party as a result of a violation of the right to information within the meaning of Art. 14 GDPR, it should be noted that this should be viewed separately from the admissibility of data processing, since this is a legal norm that is subject to special penalties, and the legality of data processing is determined according to Art. 5 ff GDPR.

With regard to the application made to impose an administrative penalty on the complainant, it should be stated that a subjective right to institute criminal proceedings against a certain person responsible cannot be derived from Art. 77 (1) GDPR or Section 24 (1) and (5) DSG and, moreover, under Section 25 para. 1 VStG, the principle of official expediency applies. Administrative penal proceedings can therefore only be initiated by a person concerned; there is no right to initiate such proceedings, which is why the complaint in this regard had to be rejected.

6. In a letter dated September 27, 2019, the party involved informed that it had complied with the order of the authority concerned with regard to the information obligation.

7. The complainant filed a timely complaint with the Federal Administrative Court against the decision referred to in point 5 and initially stated that he was contesting the decision in part with regard to points 3 and 4.

The complainant argued (after repeating the facts) that the authority concerned had wrongly denied the inadmissibility of the data processing due to a lack of justification or sufficient information. The authority concerned based the admissibility of the data processing in question on allegedly overriding legitimate interests of the party involved pursuant to Art. 6 Para. 1 lit f GDPR, whereby it sometimes did not apply the criteria relevant for the assessment of the weighing of interests at all, and sometimes applied them incorrectly. First of all, it should be noted programmatically that Art. 6 Para. 1 lit f GDPR is not to be understood as a catch-all provision. Rather, this legal provision establishes an exception for those cases in which data processing according to Art. 6 Para. 1 lit a to e GDPR is not possible. With regard to the data processing in question, Art. 6 Para. 1 lit f GDPR must therefore be ruled out as a basis for justification, since in the specific case it would have been possible for the party involved without any problems and without further effort to base the data processing in question primarily on the consent of the data subjects. But even if one wanted to use Article 6 (1) (f) GDPR as the justification for the data processing in question, its application requirements would not be met here, contrary to the legal opinion of the authority concerned. The requirement of sufficiently clearly formulated legitimate interests was already lacking and this was also stated by the authority concerned (in connection with the breach of the information obligation). In addition, the interest of the party involved is not mandatory in the present case either: there is already a list with contact details of XXXX in Austria that is made publicly accessible on the Internet by the BM XXXX, and the additional properties of the website of the party involved that were determined by the relevant authority are already covered by other providers.
In addition, the data processing is not necessary to achieve the interest pursued, since less drastic procedures would have been available in the specific case, namely obtaining the consent of the individual XXXX in advance (opt-in). In addition, in the present case, none of the XXXX could or should have assumed that the data from the database of the BM XXXX would be used by third parties for their own (commercial) purposes. Even in the case of data that is already publicly accessible in advance, there is no blanket approval for its reuse or further use. Finally, the procedure of the involved party also constitutes an encroachment on the freedom of employment of XXXX according to Art. 6 StGG. If a XXXX does not decide to purchase an additional package, this would result in a competitive disadvantage compared to those XXXX who would be ranked higher or highlighted in the search results. Contacting interested parties and acquiring new patients would be considerably more difficult for those XXXX who would decide against a paid option. Thus, XXXX are forced to make payments in order to create a balanced competitive situation, which, moreover, already exists when considering only the XXXX of the Ministry, which is official and provided for by law. The interest of the affected XXXX to be able to practice their profession without being at a competitive disadvantage or without having to make unnecessary payments takes precedence over the (commercial) interest of the party involved.

If, within the framework of the weighing of interests, it is assumed - erroneously - that the data processing for the platform in question is admissible due to legitimate economic and public interests, this weighing of interests cannot automatically be transferred to, or mixed with, the processing of personal data for contacting XXXX and the associated advertising purposes. In the present case, it is shown that one processing operation takes place for the platform (display of XXXX) and another for contacting and submitting offers (advertising purposes). If you look at the system of the GDPR with regard to processing, purpose limitation and legality of the processing, it seems contrary to the system to assume only one data processing with an infinite number of processing options because of a joint data collection (starting point). It was therefore necessary to separate the processing operations, but the authority concerned had not made such a necessary distinction between the two processing activities. In addition, there is no direct reference or determination to the purposes of the processing in the decision of the authority concerned, so it seems questionable how the authority concerned, without corresponding determinations on the specified, clear and legitimate purposes of the two processing operations, could legally assess the lawfulness of the processing by the involved party and reject the complainant's application. From the point of view of the party concerned, it is also incomprehensible how interests of the broader public could become relevant for the assessment of the lawfulness of processing to contact XXXX and related advertising purposes, and how an increased initial weighting of the interests of the involved party through the resonating interests of the public could thereby be accepted. The authority concerned should therefore have disregarded the public interest and the reasonable expectations of the data subject.
In the present case, it was unforeseeable for the complainant that his entry in the Ministry's XXXX could result in processing for advertising purposes. The balancing of interests should therefore have gone in favor of the complainant, since the contact by the party involved with the complainant is purely self-promotion, which is in any case less worthy of protection than, for example, donor advertising.

What is new is that the unsolicited transmission of complete access data by means of a simple letter poses a high risk for the person concerned. The postal contact chosen by the party involved, despite knowing the e-mail addresses, can only be explained by the intention to circumvent § 107 TKG and the associated consent required for electronic contact. A postal transmission - without the knowledge of the person concerned - could, through unintentional disclosure, lead not only to identity theft but also to considerable financial and economic losses (damage to reputation). The party involved accepted these risks for economic reasons and therefore violated its obligations under Art. 32 GDPR. Due to the chosen form of contact, the party involved failed to ensure adequate security of the personal data, thereby violating the principles for the processing of personal data according to Art. 5 GDPR.

8. The authority concerned communicated the complainant's complaint to the party involved on October 7th, 2019 and gave them the opportunity to comment within a period of 2 weeks in accordance with § 10 VwGVG.

9. On October 21, 2019, the party involved made a statement and initially stated that the appeal raised by the complainant against the decision of the Vienna Commercial Court of February 13, 2019, GZ XXXX, had not been upheld by the decision of the Vienna Higher Regional Court of April 4, 2019, Zl. XXXX, and that the revision had not been admitted.

In terms of content, the involved party stated that it was completely irrelevant whether the involved party could have obtained the complainant's consent. Due to the fulfillment of the legal basis of Art. 6 Para. 1 lit f GDPR, there was no legal need to obtain the consent of the complainant (or the other XXXX appearing on the platform). This legal view is also inherent in the docfinder decisions, in which the Supreme Court and the relevant authority confirmed the lawfulness of the data processing of a doctor search portal, which was based on legitimate interests and not on consent (or any other legal basis). All the requirements for the applicability of Art. 6 (1) (f) GDPR have been met.

With regard to the alleged inadmissibility of contacting the complainant, it should be stated that the authority concerned also dealt with this contact and had no legal objections to it. As the operator of the platform in question, the Respondent has a legitimate interest in contacting the XXXX included in the list of the BM XXXX and adopted on its own platform - including the complainant - in order to advertise its own platform and so expand it further. The balancing of interests of the authority concerned also applies to the contacting of the complainant, the party involved had already used public (and by law must be kept public) professional contact data of the complainant once to inform him that he had been included in the platform of the respondent, and offered him the opportunity to add to his data - either as part of the free basic entry or by purchasing packages that are subject to a fee. Here, too, the complainant could and should have expected, for the reasons given above, that his job-related data would not only be published again on a relevant platform, but also that he would be contacted in this connection. Contrary to the statements made by the complainant, there would also be public interests involved in contacting the complainant, so that the relevant statements by the relevant authority would also apply in connection with the contacting of the complainant. The letter not only advertised the platform (and stated the link under which the respondent's data protection declaration could be accessed), but also informed that the complainant had the opportunity to update or supplement his data contained on the platform (either as part of the basic package or as part of a paid add-on package). Any updating or expansion of the information pool for the individual XXXX is obviously in the interest of the patients looking for information. 
The party involved also deleted the complainant's personal data without objection and did not send the complainant any further letters of this type. The complainant did not raise any confidentiality interests worthy of protection.

Regarding the complainant's new submission, it should be stated that there was no violation of Art. 32 GDPR. The probability (or abstract suitability) that identity theft, financial losses or damage to reputation could occur is close to zero and can be de facto ruled out. The activation code does not lead to sensitive data, but to job-related data that is already generally available and which can also be found in a public source - the list of the BM XXXX - as well as in other sources (e.g. platforms of other providers). In view of the nature of the data - or the person of the respondent - it is not to be assumed that there would be criminal activity aimed at improperly obtaining access to it; providing unauthorized persons with access to this data, and any changes to it (which are not to be expected), would not be suitable for causing damage to the affected XXXX; a XXXX on the platform of the party involved is simply not suitable for identity theft, inflicting financial damage or damage to reputation. In addition, the party involved used a reliable deliverer - the Austrian Post - to deliver the letters, the address data was verified data from an official source (list of the BM XXXX), the letters were inconspicuous in terms of presentation, and each XXXX received an individual activation code, which expires or becomes invalid after a certain period of time or if a XXXX wishes to be deleted from the platform. With the complainant, no risk had materialized and could no longer materialize. Even if such a breach of Art. 32 GDPR occurred, it would have no effect on the legality of the data processing. Any violation of Art. 32 GDPR would have to be assessed separately from the admissibility of data processing according to Art. 6 GDPR. The lawfulness is determined solely by Art. 6 GDPR; the compliance or non-compliance with the appropriate level of protection according to Art. 32 GDPR would have no influence on the fundamental legality of data processing, since it is punishable by law anyway (cf. Art. 83 Para. 4 lit a GDPR). In this respect, the same applies as in connection with a possible violation of the duty to provide information under Art. 14 GDPR; the relevant legal view of the relevant authority was not contested by the complainant in his complaint about the decision.

The statement was attached to the decision of the Vienna Higher Regional Court of April 4, 2019, line XXXX.

11. By letter dated November 15, 2019 (received at the Federal Administrative Court on November 25, 2019), the authority concerned submitted the complaint and the administrative act to the Federal Administrative Court for a decision and issued an opinion in which it stated that Art. 6 para. 1 lit f GDPR should not, as the complainant believes, be regarded as an exception for those cases in which data processing is not possible under Article 6(1)(a) to (e) GDPR. Rather, the permissions are to be regarded as equivalent and the processing of personal data is then lawful if the criteria laid down in them are met. In addition, it should be noted that the complainant considered his right to secrecy pursuant to Section 1 DSG to have been violated and that this provides for a weighing of interests within the meaning of Section 1 (2) DSG, which the relevant authority carried out extensively. Contrary to the complainant's view, it was permissible for the involved party to send the standardized letter to the complainant. Even if the data processing based on the collection of the personal data of the complainant from the list of the BM XXXX and the further processing by sending the standardized letter from the party involved regarding the start of the platform is not dealt with in detail in the legal assessment of the decision, the considerations regarding the use of the complainant's personal data for the platform of the party involved and the associated publication are also applicable here, and the processing of the complainant's personal data regarding the standardized letter from the respondent is lawful.

12. In a letter dated February 19, 2020 (received by the Federal Administrative Court on March 4, 2020), the authority concerned submitted an additional notification to the Federal Administrative Court and stated that the Supreme Court, by decision of November 26, 2019, line XXXX, had not followed the extraordinary appeal against the decision of the Vienna Higher Regional Court as the court of appeal of April 4, 2019, GZ XXXX, which confirmed the decision of the Vienna Commercial Court of February 13, 2019, GZ XXXX. In its legal justification, the Supreme Court stated that, due to the lack of active legitimacy for the assertion of third-party data protection rights, there was no need for the plaintiff to deal with the content of the violations of data protection law that the defendants continued to allege in the appeal, but it follows from the decision of the Supreme Court that the latter did not follow the professional and competition law concerns of the appellate applicant, and the Senate was of the opinion regarding the professional law concerns of the appellate applicant that the publications of the defendant that were contested (priorities, additional information about "paying customers") would not violate any professional regulations. It is also not apparent that the platform contains inaccurate information (XXXX).

13. Based on the order of the business allocation committee of July 17, 2020, the case in question was assigned to the now responsible court department W214, where it arrived on July 24, 2020.

14. On October 14, 2021, the Federal Administrative Court communicated the statement of the party involved dated October 21, 2019 and the statement of the authority concerned dated November 15, 2019 to the party involved and the complainant and gave them the opportunity to submit a statement.

15. In a statement dated October 27, 2021, the complainant stated that, contrary to the view of the authority concerned, the respondent had provided not merely inadequate data protection information pursuant to Art. 14 GDPR, but actually none at all. This is because Art. 14 Para. 3 lit b GDPR is relevant, according to which the information must be provided at the latest at the time of the first notification to the data subject. However, the postal advertising letter from the party involved did not contain any data protection information, but only a reference to a link under which this information could be found. The fact that at the time when the complainant received the advertising letter from the involved party the data protection information of the involved party was actually available on the website mentioned in this way was not established by the authority concerned. For this reason alone there is no fulfillment of the information obligations under Art. 14 GDPR by the party involved. However, where there is a violation of Art. 14 GDPR, the associated data processing cannot be lawful. This is because the fulfillment of the information obligations according to Art. 13 and 14 GDPR serves to guarantee fair and transparent data processing according to recital 60 of the GDPR. However, compliance with these processing principles standardized in Art. 5 GDPR is a basic requirement for the lawfulness of data processing. Consequently, the insufficient provision of information by the party involved, which the authority concerned determined itself under Art. 14 GDPR, must result in the unlawfulness of the associated processing of the complainant’s personal data by the party involved. The authority concerned justifies the legitimate interests of the party involved in the data processing in question, in particular with an information interest of third parties, namely all persons who would like to find out about XXXX registered in Austria.
However, the party involved uses personal data (of the complainant) from a list to be maintained publicly in accordance with XXXX “to safeguard the public interest” and uses the data obtained in this way to keep an essentially identical list with the same objective. However, a justification for data processing based on Art. 6 Para. 1 lit f GDPR does not allow for any consideration of public interests. Correctly, the information interest of third parties articulated here should not be used as part of a weighing of interests according to Art. 6 Para. 1 lit f GDPR. In the absence of sufficient justification, the processing of the complainant's personal data by the party involved was also inadmissible for this reason.

16. In a statement dated October 28, 2021, the involved party stated again that the authority concerned and various civil courts had already confirmed that the data processing in question was permissible, and that the plaintiff was unsuccessful in every instance. In addition, there is a Supreme Court ruling that affirms the legality of data processing in connection with a comparable business model (OGH June 27, 2016, 6 Ob 48/16a - docfinder) and which has already been confirmed under the new legal situation by the authority concerned (DSB January 15, 2019, DSB-D123.527/0004-DSB/2018 – docfinder). With regard to the alleged inadmissibility of creating an online directory due to a lack of a legal basis, it should be stated that Art. 6 Para. 1 lit f GDPR is not an exception, but - as the relevant authority correctly explained - the permitted circumstances of Art. 6 Para. 1 GDPR are to be regarded as equivalent. The authority concerned confirmed that the legitimate interests of the party involved in the data processing carried out actually exist and that the weighing of interests is in favor of the party involved. In connection with the balancing of interests, it should also be taken into account that the voluntary deletion of the complainant's data was expressly emphasized by the Article 29 Working Party as an "additional protective measure" that has an effect on the balancing of interests in favor of the person responsible. The balancing of interests is therefore clearly in favor of the party involved. Contacting the complainant by letter was also permissible under data protection law. The balancing of interests of the authority concerned can also be applied to contacting the complainant. Even the complainant, in his comments on consent, believed that he could and should have been contacted. The complainant is unable to explain why this should apply to data processing based on consent, but not to data processing based on legitimate interests.
In addition, any updating or expansion of the information pool for the individual XXXX is obviously also in the interest of patients looking for information. The complainant had not brought forward any confidentiality interests worthy of protection that could prevent contact.

17. On November 3, 2021, the Federal Administrative Court informed the other party and the authority concerned of the statements and gave them another opportunity to submit a statement.

18. On November 12, 2021, the involved party submitted a statement in which it again stated that the complainant no longer had an interest in legal protection, since the personal data of the complainant had already been deleted from the platform by the involved party on January 8, 2019 and would no longer be processed. In a letter dated September 27, 2019, the involved party sent the supplemented data protection declaration to the complainant, whereby the provision of information pursuant to Art. 14 GDPR in compliance with points 1 and 2 can now be regarded as complete (even if, in the opinion of the involved party, this had already been the case before). A decision by the Federal Administrative Court could no longer affect the legal position of the complainant or the legal questions submitted were merely of an abstract and theoretical nature and conceivably not (or no longer) of practical relevance for the complainant. It follows that a need for legal protection (complaint) on the part of the complainant is to be denied and the complaint against a decision cannot be granted simply because this procedural requirement has not been met. Furthermore, it was stated that if the complainant believes that the party involved has not only - as has always been claimed - "inadequately" fulfilled the information obligation pursuant to Art. 14 GDPR, but rather "not at all", it should be countered that this question is not the subject of this complaints procedure. The complainant did not explicitly contest points 1 and 2 of the contested decision, which would refer to the data protection declaration of the party involved, which is why a possible violation of the right to information according to Art. 14 GDPR in the sense of a complete non-disclosure of information (and any consequences thereof) was withdrawn from the examination powers of the Federal Administrative Court.
It is also not true that it was found that the letter from the party involved did not contain any information pursuant to Art. 14 GDPR. The content of the letter shows that information is contained in accordance with Art. 14 Para. 1 lit a and lit d as well as Para. 2 lit c and lit f GDPR. The complainant wrongly claims that the legal view of the authority concerned allegedly “contradicts the legal view of the ECJ”, which allegedly takes the view that the fulfillment of information obligations is indeed a prerequisite for the lawfulness of data processing. In support of this assertion, the complainant cites the decision of the ECJ C-201/14, which was still made under the old legal situation. However, this decision does not support the complainant's legal position; it does not deal with this legal question at all. The question was not whether data processing in the event of a breach of information obligations was inadmissible, but whether the information obligations could be derogated by national regulations (which was denied). Neither in this nor in other decisions did the ECJ state that non-compliance with information obligations would lead to the inadmissibility of (otherwise lawful) data processing - neither under the old nor under the new legal situation. There is also no basis for such an interpretation of the law – in particular under the GDPR, which expressly regulates the legality of data processing in Art. 6 and without reference to the information obligations under Art. 13 and 14. This was also confirmed by the relevant authority. The appeal to recital 60 is also not able to support the complainant's point of view. Apart from the fact that the recitals of a regulation have no normative character, the conclusion derived by the complainant, that the information obligations under Art. 13 and 14 GDPR are to be equated with the principle of processing in good faith or with the principle of transparency, both of which result from Article 5 (1) (a) GDPR, is incorrect. First of all, it should be emphasized that the aforementioned principles must be distinguished from the principle of legality (which also results from Art. 5 Para. 1 lit. a GDPR) - these three principles would exist independently of each other. According to the prevailing doctrine, the principle of legality is to be understood in such a way that it refers to the requirement for the existence of a permit for data processing and not every separate violation of data protection regulations - including a violation of information obligations under Art. 14 GDPR - is a violation of the principle of legality. This assessment can also be found in the recitals of the GDPR; recital 39 states that "any processing of personal data shall be lawful and fair" - lawfulness is therefore to be considered separately from fair processing. In addition, the complainant misunderstood the following: The principles under Art. 5 GDPR have a programmatic character and would therefore naturally be reflected to a certain extent in the "implementing provisions" of the GDPR. However, since Art. 5 GDPR is not only programmatic, but also directly binding and punishable in itself, these two forms of Art. 5 GDPR must be strictly distinguished from each other. It follows that although every violation of a principle under Art. 5 GDPR also includes a violation of an "implementing provision" of the GDPR, in which the programmatic character of the principle was reflected - vice versa, not every violation of an "implementing provision" also constitutes a breach of the relevant principle. A violation of an "implementing provision" must be sufficiently serious in order to be able to "condense" into a violation of a principle under Art. 5 GDPR.
Otherwise there would be no reason to subject a violation of an "implementing provision" of the GDPR to a criminal sanction if this would always be a sanction-enforced Art. 5 GDPR violation anyway. There is no violation of the principle of processing in good faith or transparency. According to the decision of the authority concerned, the data protection declaration of the party involved is in order; only two bullet points of the data protection declaration, which encompasses several pages, were found to be “intransparent” – wrongly, in the opinion of the Respondent. Any other violation of the information obligations, in particular with regard to the other content, the type and time of the information provision - was denied by the authority concerned. It would be completely unobjective and legally erroneous to see a violation of Art. 5 GDPR in the - in the complainant's opinion wrongly - determined "minimal violation", because of which the relevant authority did not even consider it necessary to initiate administrative penal proceedings. Finally, the complainant believes that the relevant authority assumed the wrong basis when weighing up the interests in accordance with Article 6 (1) (f) GDPR. However, even if general interests are disregarded, the weighing up of interests is clearly in favor of the party involved on the basis of legitimate business interests. In addition, the complainant's assertion that the authority concerned should not have taken into account the information interests of the general public is legally incorrect. Art. 6 Para. 1 lit f GDPR already speaks expressly of "legitimate interests of the person responsible or a third party". Even the source cited by the complainant clearly states that general interests are taken into account when processing on the basis of legitimate interests pursuant to Article 6(1)(f) GDPR, and the information interest of a broader public in publications is even expressly mentioned as an example. 
The former Article 29 Working Party also took this view.

19. The complainant also submitted a statement on November 12, 2021 and stated (insofar as relevant to the proceedings) that the statements of the party involved and the authority concerned were incorrect. Insofar as the involved party cites the docfinder.at II decision of the Supreme Court, it should be noted that that decision was made on the legal situation before the GDPR came into force. Apart from that, on closer inspection the content of this decision is not comparable with the facts at hand, since the online directory operator there (unlike the party involved) acts as a neutral information broker. In a comparable case, the German Federal Court of Justice prohibited the online directory operator there from data processing and declared that the online directory operator cannot assert its legal position, which is based on the fundamental right to freedom of expression and freedom of the media, against the right to the protection of informational self-determination of the person who was included there with their basic data without being asked. It should again be noted that maintaining a public database with XXXX is in the public interest, as XXXX shows, and the party involved, as a private body, cannot justify data processing with the protection of public interests.

II. The Federal Administrative Court considered:

1. Findings:

1. The procedure outlined under point I is used as a basis for the findings.

1.1. The complainant is XXXX and XXXX " XXXX ".

1.2. The Federal Ministry responsible for XXXX (BM XXXX ) in the relevant period (September 2018 to January 8, 2019) kept a public list of XXXX registered in Germany (currently 10,735 people) under the domain XXXX, which can be accessed on the Internet. This list is now maintained by the Federal Ministry for XXXX (BM XXXX). In this list, the first and last name, academic degree, job title, additional title, place of business and/or place of work (postal address, telephone number, e-mail address) of the persons recorded were and are stated in text form. The presentation was and is not responsive (i.e. not optimized for use on mobile devices) and did not contain or does not contain any information about additional training, main areas of work, XXXX and XXXX. The complainant's personal data are still on this list. On December 21, 2018, the data about him specifically shown on p. 10 of the decision that is the subject of the complaint was available and is still available to the same extent at the time of the decision.

1.3. The party involved has been running an online directory of XXXX and XXXX in XXXX under XXXX since XXXX, based in Austria. For this online directory, the party involved took over the data from the list of the BM XXXX without first obtaining the consent of the persons contained therein. The platform of the party involved is optimized for mobile devices (responsive display) and contains a search function with only one form field and a detailed search with additional filters. With regard to the design and content of the entries for the individual therapists, the platform of the party involved offers a free variant on the one hand (according to the list of the BM XXXX and any specification of specialization or filter criteria) and, on the other hand (in the event of a corresponding order from the name bearer), three extended and chargeable packages that differ in scope and placement (Basic, Top, Premium). The additional services offered with the paid booking of extended packages include, among other things, the prioritization and highlighting in the search results (without marking the paid entry), the inclusion of a profile picture of different sizes up to a gallery with 15 pictures/videos and the publication of additional information (publications, link to homepage and blog article).

On the one hand, the platform serves the commercial interests of the party involved, and on the other hand it also serves the interests of the interested public in a user-friendly provision of data and the provision of additional information. In addition, the platform serves the interests of those XXXX who want to present themselves on the platform with additional information.

1.4. Personal data of the complainant was included in this list to the extent of the information published by the BM XXXX and was available from September 2018. The personal data of the complainant has not been processed in the online directory of the involved party since January 8th, 2019. However, the complainant can still be found by third parties in his professional capacity via the list of the BM XXXX, common search engines and the online directory "XXXX".

1.5. The involved party contacted the complainant in XXXX once by letter to inform him that the new Austrian XXXX started in September 2018 and that the complainant had been entered in the online directory of the involved party free of charge. The purpose of the online directory was described in the letter (including making the search for a suitable XXXX as easy and barrier-free as possible, achieving a relevant range of potential clients), and with this letter the complainant was sent a user name and an activation code with which he can manage his entry. Finally, the complainant was offered the purchase of fee-based entry packages in order to achieve greater reach and to provide interested clients with additional information.

1.6. In his complaint to the data protection authority of December 21, 2018 (improved with the submission of February 5, 2019), the complainant submitted in summary that the party involved violated § 1 Para. 1 DSG and the requirements of Art. 6 and 14 GDPR by including the complainant in XXXX's online directory maintained by her without prior consent, by contacting the complainant in this context and by failing to meet her information obligations.

1.7. On April 10, 2019, the party involved sent the complainant an updated version of its data protection declaration by post.

1.8. By decision of August 19, 2019, the authority concerned upheld the data protection complaint of the complainant regarding the alleged violation of the right to information within the meaning of Article 14 (1) lit. c (deficiencies in the content of the subsequently submitted data protection declaration) (point 1.) and instructed the involved party, within a period of four weeks and on pain of execution, a) to provide the complainant with the information pursuant to Article 14(1)(c) in such a way that it is clear in which cases the complainant's personal data had been processed on the basis of which specific legal obligation and b) to provide the information pursuant to Article 14(1)(c) in such a way that it is clear in which cases the complainant's personal data were processed on the basis of Article 6(1)(f) (point 2.). Otherwise, the complaint was dismissed (paragraph 3) and the complainant's application for the initiation of criminal proceedings against the party involved was rejected (paragraph 4).

1.9. The complainant lodged a timely complaint with the Federal Administrative Court against points 3 and 4 of this decision.

1.10. On September 27, 2019, the party involved sent the complainant additional information in response to the official order from the authority concerned.

1.11. With the decision of November 26th, 2019, line XXXX, the OGH did not follow the extraordinary appeal against the decision of the Vienna Higher Regional Court as the appeal court of April 4th, 2019, GZ XXXX, by which the decision of the Vienna Commercial Court of February 13th, 2019, GZ XXXX, had been confirmed. The Supreme Court's decision shows that it did not follow the professional and competition law concerns of the appeal applicant and that the defendant's publications at issue (pre-rankings, additional information about "paying customers") do not violate any professional regulations.

2. Evidence assessment:

The findings result from the administrative act and the relevant court act and are undisputed.

3. Legal assessment:

3.1. According to § 6 BVwGG, the Federal Administrative Court decides through a single judge, unless federal or state laws provide for the decision to be made by senates. According to § 27 Data Protection Act (DSG) as amended, the Federal Administrative Court decides in proceedings on complaints against decisions due to violation of the obligation to inform according to § 24 Paragraph 7 and the decision-making obligation of the data protection authority by the Senate. The Senate consists of a chairman and a competent lay judge from the circle of employers and from the circle of employees.

The procedure of the administrative courts, with the exception of the Federal Finance Court, is regulated by the VwGVG, Federal Law Gazette I 2013/33 as amended by Federal Law Gazette I 2013/122 (§ 1 leg.cit.). Pursuant to Section 58 (2) VwGVG, conflicting provisions that were already promulgated at the time this federal law came into force remain in force.

According to § 17 VwGVG, unless otherwise specified in this federal law, the provisions of the AVG with the exception of §§ 1 to 5 and Part IV, the provisions of the Federal Fiscal Code - BAO, Federal Law Gazette No. 194/1961, the Agricultural Procedures Act - AgrVG, Federal Law Gazette No. 173/1950, and the Service Law Procedures Act 1984 - DVG, Federal Law Gazette No. 29/1984, and otherwise those procedural provisions in federal or state laws that the authority applied or should have applied in the proceedings preceding the proceedings before the administrative court apply to the procedure for complaints pursuant to Art. 130 Para. 1 B-VG.

According to Section 28 (1) VwGVG, the administrative court has to settle the legal matter by way of a finding unless the complaint is to be rejected or the proceedings are to be discontinued. Pursuant to § 31 Para. 1 VwGVG, the decisions and orders are made by way of a resolution, unless a finding is to be made.

Pursuant to § 28 Para. 2 VwGVG, the administrative court has to decide on the matter itself on complaints pursuant to Art. 130 Para. 1 Z 1 B-VG if (1.) the relevant facts are established or (2.) the determination of the relevant facts by the administrative court itself is in the interest of speed or is associated with significant cost savings.

3.1.1. The complaint was raised within the deadline and the other procedural requirements are also met.

Above all, it should be pointed out that, according to the findings at the time of the decision, the personal data of the complainant are no longer processed in the online directory of the party involved, but the authority concerned or, in the present case, the Federal Administrative Court, is not prevented from finding a possible violation of the right to secrecy (in the past). The current case law of the Higher Administrative Court shows that in general the law in force at the time the decision is issued is to be applied, but a different approach is required if the legislature expresses in a transitional provision that the previously applicable law is still to be applied to pending proceedings, or if it is to be discussed what was legal on a specific date or in a specific period of time. The case submitted to the Administrative Court concerned an (alleged) violation of the right to secrecy through the transmission of data more than four years before the GDPR and the DSG came into force. The Higher Administrative Court stated that the question at issue is whether a process that took place at a certain point in time and was completed when the GDPR came into force was legal. It follows, however, that in the event of an (alleged) violation of the right to secrecy (also for the past) there is a right to a declaration (see Administrative Court of February 23, 2021, Ra 2019/04/0054-8 margin no. 25f.).

3.2. Legal situation:

The authority concerned based its decision on the following legal bases (if relevant for the complaint procedure in question): §§ 1 and 24 paragraphs 1, 5 and 6 of the Data Protection Act (DSG), Federal Law Gazette I No. 165/1999 as amended and Art. 6, 12, 14, 57 paragraph 1 letter f, Article 58 paragraph 2 letter c and Article 77 paragraph 1 of Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR), OJ No. L 119 of May 4th, 2015, p. 1. These provisions are also to be used in the present complaints procedure before the Federal Administrative Court; Art. 5 GDPR is also relevant.

§ 1 DSG reads:

"§ 1. (1) Everyone has the right to confidentiality of their personal data, in particular with regard to respect for their private and family life, insofar as there is a legitimate interest in doing so. The existence of such an interest is excluded if data are not accessible to a claim for secrecy due to their general availability or due to their lack of traceability to the data subject.

(2) Insofar as the use of personal data is not in the vital interests of the data subject or with his consent, restrictions on the right to secrecy are only permissible to protect overriding legitimate interests of another, and in the case of interventions by a state authority only on the basis of laws, which are necessary for the reasons stated in Art. 8 Para. 2 of the European Convention for the Protection of Human Rights and Fundamental Freedoms (EMRK), Federal Law Gazette No. 210/1958. Such laws may only provide for the use of data, which by their nature are particularly worthy of protection, to protect important public interests and must at the same time establish appropriate guarantees for the protection of the confidentiality interests of the data subjects. Even in the case of permissible restrictions, the encroachment on the fundamental right may only be carried out in the mildest way that leads to the goal.

(3) Everyone has, insofar as personal data concerning them are intended for automated processing or for processing in files managed manually, i.e. without automation support, in accordance with statutory provisions

1. the right to information about who processes which data about him, where the data comes from and what it is used for, in particular to whom it is transmitted;

2. the right to rectification of inaccurate data and the right to erasure of inadmissibly processed data.

(4) Restrictions on the rights under paragraph 3 are only permissible under the conditions specified in paragraph 2.”

§ 24 paragraphs 1, 5 and 6 DSG read:

"Section 24. (1) Every data subject has the right to lodge a complaint with the data protection authority if they believe that the processing of their personal data violates the GDPR or Section 1 or Article 2, Part 1.

(5) If a complaint proves to be justified, it must be followed. If an infringement is attributable to a person responsible for the private sector, the person responsible must be instructed to comply with the complainant's requests for information, correction, deletion, restriction or data transfer to the extent necessary to eliminate the identified infringement. If the complaint proves to be unjustified, it must be dismissed.

(6) Until the proceedings before the data protection authority have been concluded, a respondent may subsequently remedy the alleged infringement by complying with the complainant's requests. If the data protection authority considers the complaint to be unfounded, it must hear the complainant. At the same time, he should be made aware that the data protection authority will informally discontinue the procedure if he does not explain within a reasonable period of time why he still considers the originally alleged infringement to be at least partially not remedied. If the essence of the matter is changed by such a statement by the complainant (section 13 (8) AVG), it is to be assumed that the original complaint will be withdrawn and a new complaint will be filed at the same time. In this case, too, the original complaint procedure is to be discontinued informally and the complainant to be informed. Late statements are not to be taken into account.”

Art. 5 GDPR reads:

"Art. 5

Principles for the processing of personal data

(1) Personal data must be

a) processed lawfully, fairly and in a manner that is transparent to the data subject ("lawfulness, fair processing, transparency");

b) collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes; further processing for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes shall not be considered incompatible with the original purposes pursuant to Article 89(1) ("purpose limitation");

c) adequate and relevant to the purpose and limited to what is necessary for the purposes of the processing ("data minimization");

d) accurate and, where necessary, up to date; every reasonable step must be taken to ensure that personal data which are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay ("accuracy");

e) stored in a form which permits identification of data subjects only for as long as is necessary for the purposes for which they are processed; personal data may be stored for a longer period of time to the extent that the personal data, subject to the implementation of appropriate technical and organizational measures required by this regulation to protect the rights and freedoms of the data subject, are used exclusively for archiving purposes in the public interest or for scientific and historical research purposes or processed for statistical purposes in accordance with Article 89(1) ("storage limitation");

f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organizational measures ("integrity and confidentiality");

(2) The person responsible is responsible for compliance with paragraph 1 and must be able to demonstrate compliance (“accountability”).”

Art. 6 GDPR reads:

"Art. 6

Lawfulness of processing

(1) The processing is only lawful if at least one of the following conditions is met:

a) The data subject has given their consent to the processing of their personal data for one or more specific purposes;

b) the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

c) processing is necessary for compliance with a legal obligation to which the controller is subject;

d) processing is necessary to protect vital interests of the data subject or another natural person;

e) the processing is necessary for the performance of a task that is in the public interest or in the exercise of official authority that has been delegated to the controller;

f) processing is necessary to protect the legitimate interests of the person responsible or a third party, unless the interests or fundamental rights and freedoms of the data subject that require the protection of personal data prevail, in particular if the data subject is a child.

Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their duties.

(2) Member States may maintain or introduce more specific provisions adapting the application of the rules of this Regulation in relation to processing to comply with points (c) and (e) of paragraph 1 by specifying specific requirements for processing and other measures to ensure lawful and fair processing, including for other special processing situations as set out in Chapter IX.

(3) The legal basis for the processing pursuant to paragraph 1 letters c and e is determined by

a) Union law or

b) the law of the Member States to which the controller is subject.

The purpose of the processing must be specified in this legal basis or, with regard to the processing referred to in paragraph 1 letter e, be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. This legal basis may contain specific provisions adjusting the application of the provisions of this Regulation, including provisions on which general conditions apply to regulate the lawfulness of processing by the controller, what types of data are processed, which subjects are concerned, to which entities and for what purposes the personal data may be disclosed, the purpose limitations, how long they may be stored and what processing operations and procedures may be used, including measures to ensure lawful and fair processing, such as those for other special processing situations according to Chapter IX. Union law or the law of the Member States must pursue an objective in the public interest and be proportionate to the legitimate aim pursued.

(4) If the processing for a purpose other than that for which the personal data was collected is not based on the consent of the data subject or on a legal provision of the Union or of the Member States which, in a democratic society, is a necessary and proportionate measure to protect the objectives referred to in Article 23(1), the controller shall, in order to determine whether the processing for another purpose is compatible with the one for which the personal data were originally collected, take into account, among other things

a) any link between the purposes for which the personal data were collected and the purposes of the intended further processing,

b) the context in which the personal data was collected, in particular with regard to the relationship between the data subject and the person responsible,

c) the nature of the personal data, in particular whether special categories of personal data are processed in accordance with Article 9 or whether personal data relating to criminal convictions and offenses are processed in accordance with Article 10,

d) the possible consequences of the intended further processing for the data subjects,

e) the existence of appropriate safeguards, which may include encryption or pseudonymisation."

Art. 12 GDPR reads:

"Art. 12

Transparent information, communication and modalities for exercising the rights of the data subject

(1) The controller shall take appropriate measures to provide the data subject with any information referred to in Articles 13 and 14 and any communication referred to in Articles 15 to 22 and Article 34 relating to the processing in a concise, transparent, understandable and easily accessible form, using clear and plain language; this applies in particular to information that is specifically aimed at children. The information is transmitted in writing or in another form, possibly also electronically. If requested by the data subject, the information can be given orally, provided that the identity of the data subject has been proven in some other way.

(2) The controller shall facilitate the exercise of the data subject's rights under Articles 15 to 22. In the cases referred to in Article 11(2), the controller may refuse to act on the data subject's request to exercise their rights under Articles 15 to 22 only if he can show that he is unable to identify the person concerned.

(3) The controller shall provide the data subject with information on measures taken on a request pursuant to Articles 15 to 22 without undue delay and in any event within one month of receipt of the request. This period can be extended by a further two months if this is necessary taking into account the complexity and the number of applications. The controller shall inform the data subject of an extension of the deadline within one month of receipt of the request, together with the reasons for the delay. If the data subject submits the request electronically, they must be informed electronically if possible, unless they state otherwise.

(4) If the person responsible does not act upon the request of the data subject, he shall inform the data subject without delay, but no later than one month after receipt of the request, of the reasons for this and of the possibility of lodging a complaint with a supervisory authority or seeking a judicial remedy.

(5) Information pursuant to Articles 13 and 14 and all communications and actions pursuant to Articles 15 to 22 and Article 34 shall be provided free of charge. In the case of manifestly unfounded or - especially in the case of frequent repetition - excessive requests from a data subject, the person responsible can either

(a) charge a reasonable fee, taking into account the administrative costs of providing the information or communication or taking the action requested, or

b) refuse to act on the application.

The Controller shall provide evidence of the manifestly unfounded or excessive nature of the request.

(6) Without prejudice to Article 11, if the controller has reasonable doubts as to the identity of the natural person submitting the request pursuant to Articles 15 to 21, he may request additional information necessary to confirm the identity of the data subject.

(7) The information to be provided to data subjects pursuant to Articles 13 and 14 may be provided in combination with standardized icons to give a meaningful overview of the envisaged processing in an easily perceptible, understandable and clearly traceable form. If the icons are presented in electronic form, they must be machine-readable.

(8) The Commission is empowered to adopt delegated acts in accordance with Article 92 specifying the information to be represented by icons and the procedures for the provision of standardized icons."

Art. 14 GDPR reads:

"Art. 14

Information obligation if the personal data were not collected from the data subject

(1) If personal data is not collected from the data subject, the person responsible shall inform the data subject of the following:

a) the name and contact details of the person responsible and, if applicable, his representative;

b) additionally the contact details of the data protection officer;

c) the purposes for which the personal data are to be processed and the legal basis for the processing;

d) the categories of personal data being processed;

e) where applicable, the recipients or categories of recipients of the personal data;

f) where applicable, the intention of the controller to transfer the personal data to a recipient in a third country or an international organization and the existence or absence of an adequacy decision by the Commission or, in the case of transfers pursuant to Article 46 or Article 47 or Article 49(1) subparagraph 2, a reference to the appropriate or suitable safeguards and the means of obtaining a copy of them or where they are available.

(2) In addition to the information pursuant to paragraph 1, the controller shall provide the data subject with the following information, which is necessary to ensure fair and transparent processing for the data subject:

a) the period for which the personal data will be stored or, if this is not possible, the criteria used to determine that period;

b) if the processing is based on Article 6 paragraph 1 letter f, the legitimate interests pursued by the controller or a third party;

c) the existence of a right to information from the person responsible about the personal data concerned as well as to correction or deletion or to restriction of processing and a right to object to the processing as well as the right to data portability;

d) if the processing is based on Article 6(1)(a) or Article 9(2)(a), the existence of a right to withdraw consent at any time without affecting the lawfulness of the processing carried out on the basis of the consent up until its withdrawal;

e) the existence of a right of appeal to a supervisory authority;

f) the source of the personal data and, if applicable, whether they come from publicly available sources;

g) the existence of automated decision-making including profiling in accordance with Article 22 paragraphs 1 and 4 and - at least in these cases - meaningful information about the logic involved and the scope and intended effects of such processing for the data subject.

(3) The person responsible provides the information pursuant to paragraphs 1 and 2

a) taking into account the specific circumstances of the processing of the personal data within a reasonable period of time after obtaining the personal data, but no longer than within one month,

b) if the personal data are to be used to communicate with the data subject, at the latest at the time of the first communication to them, or,

c) if disclosure to another recipient is intended, at the latest at the time of the first disclosure.

(4) If the person responsible intends to further process the personal data for a purpose other than that for which the personal data was obtained, he shall provide the data subject with information about this other purpose and any other relevant information pursuant to paragraph 2 prior to this further processing.

(5) Paragraphs 1 to 4 do not apply if and to the extent

a) the data subject already has the information,

b) providing this information proves impossible or would require a disproportionate effort; this applies in particular to processing for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes, subject to the conditions and guarantees referred to in Article 89 paragraph 1 or to the extent that the obligation referred to in paragraph 1 of this article is likely to render impossible or seriously impair the achievement of the objectives of this processing. In these cases, the controller takes appropriate measures to protect the rights and freedoms and legitimate interests of the data subject, including making this information available to the public,

c) the acquisition or disclosure is expressly regulated by Union or Member State legislation to which the controller is subject and which provide for appropriate measures to protect the legitimate interests of the data subject, or

d) the personal data are subject to professional secrecy, including statutory secrecy, in accordance with Union or Member State law and must therefore be treated as confidential."

Art. 32 GDPR reads:

"Art. 32

security of processing

(1) Taking into account the state of the art, the implementation costs and the type, scope, circumstances and purposes of the processing as well as the different probability of occurrence and severity of the risk for the rights and freedoms of natural persons, the person responsible and the processor shall take appropriate technical and organizational measures to ensure a level of protection appropriate to the risk; such measures may include, but are not limited to:

a) the pseudonymization and encryption of personal data;

b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of the systems and services related to the processing;

c) the ability to quickly restore the availability of and access to the personal data in the event of a physical or technical incident;

d) a procedure for regularly checking, assessing and evaluating the effectiveness of the technical and organizational measures to ensure the security of the processing.

(2) When assessing the appropriate level of protection, particular account shall be taken of the risks associated with the processing, in particular through - whether accidental or unlawful - destruction, loss, alteration or unauthorized disclosure of, or unauthorized access to, personal data transmitted, stored or otherwise processed.

(3) Compliance with an approved code of conduct pursuant to Article 40 or an approved certification mechanism pursuant to Article 42 may be used as a factor to demonstrate compliance with the requirements referred to in paragraph 1 of this Article.

(4) The controller and the processor shall take steps to ensure that natural persons acting under their authority who have access to personal data only process them on instructions from the controller, unless they are obligated to process them by Union or Member State law."

Article 57 (1) (f) GDPR reads:

"Art. 57

tasks

(1) Without prejudice to other tasks set out in this Regulation, each supervisory authority shall, in its territory:

f) deal with complaints from a data subject or complaints from a body, organization or association in accordance with Article 80, investigate the subject matter of the complaint to an appropriate extent and inform the complainant within a reasonable time of the progress and the result of the investigation, in particular, where further investigation or coordination with another supervisory authority is necessary;"

Article 58 (2) (c) GDPR reads:

"Art. 58

powers

(2) Each supervisory authority shall have all of the following remedial powers, allowing it to:

(c) instruct the controller or processor to comply with the data subject's requests to exercise the rights to which he or she is entitled under this Regulation."

Art. 77 Para. 1 GDPR reads:

"Art. 77

Right to lodge a complaint with a supervisory authority

(1) Without prejudice to any other administrative or judicial remedy, every data subject has the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, their place of work or the place of the alleged infringement, if the data subject believes that the processing of the personal data concerning them violates this regulation."

Art. 83 GDPR reads:

"Art. 83

General conditions for imposing fines

(1) Each supervisory authority shall ensure that the imposition of fines under this Article for breaches of this Regulation referred to in paragraphs 4, 5 and 6 is effective, proportionate and dissuasive in each individual case.

(2) Fines shall be imposed in addition to or instead of measures under Article 58(2)(a) to (h) and (j), depending on the circumstances of the case. In each individual case, when deciding whether to impose a fine and its amount, due consideration will be given to:

a) the nature, gravity and duration of the breach, taking into account the nature, scope or purpose of the processing in question and the number of persons affected by the processing and the extent of the damage suffered by them;

b) intentional or negligent breach;

c) any measures taken by the controller or processor to mitigate the harm caused to data subjects;

d) level of responsibility of the controller or processor, taking into account the technical and organizational measures they have taken pursuant to Articles 25 and 32;

e) any relevant previous breaches by the controller or processor;

f) the level of cooperation with the supervisory authority to remedy the breach and mitigate its possible adverse effects;

g) categories of personal data affected by the breach;

h) how the breach became known to the supervisory authority, in particular whether and, if so, to what extent the person responsible or the processor reported the breach;

i) compliance with measures previously ordered under Article 58(2) against the controller or processor concerned in relation to the same subject matter, where such measures have been ordered;

j) compliance with approved codes of conduct pursuant to Article 40 or approved certification procedures pursuant to Article 42 and

k) any other aggravating or mitigating circumstances in the case at hand, such as any financial benefit gained or loss avoided, directly or indirectly, as a result of the breach.

(3) If a controller or a processor intentionally or negligently violates several provisions of this Regulation in the same or related processing operations, the total amount of the fine shall not exceed the amount for the most serious violation.

(4) In accordance with paragraph 2, fines of up to EUR 10 000 000 or, in the case of a company, of up to 2% of its total worldwide annual turnover of the previous financial year, whichever is greater, shall be imposed for breaches of the following provisions:

a) the obligations of controllers and processors pursuant to Articles 8, 11, 25 to 39, 42 and 43;

b) the obligations of the certification body in accordance with Articles 42 and 43;

c) the duties of the monitoring body referred to in Article 41(4).

(5) In accordance with paragraph 2, fines of up to EUR 20 000 000 or, in the case of a company, of up to 4% of its total worldwide annual turnover of the preceding financial year, whichever is greater, shall be imposed for breaches of the following provisions:

a) the principles for processing, including the conditions for consent, in accordance with Articles 5, 6, 7 and 9;

b) the rights of the data subject in accordance with Articles 12 to 22;

c) the transfer of personal data to a recipient in a third country or to an international organization in accordance with Articles 44 to 49;

d) all obligations under the legislation of Member States adopted under Chapter IX;

e) failure to comply with an instruction or a temporary or permanent restriction or suspension of data transfers by the supervisory authority pursuant to Article 58(2) or failure to grant access in breach of Article 58(1).

(6) Failure to comply with an instruction from the supervisory authority pursuant to Article 58(2) shall result in fines of up to EUR 20 000 000 or, in the case of an undertaking, of up to 4% of its total worldwide annual turnover of the previous financial year, in accordance with paragraph 2 of this Article, whichever of the amounts is higher.

(7) Without prejudice to the remedial powers of the supervisory authorities referred to in Article 58(2), each Member State may lay down rules on whether and to what extent administrative and public bodies established in that Member State may be fined.

(8) The exercise of its own powers by a supervisory authority under this Article shall be subject to adequate procedural safeguards in accordance with Union and Member State law, including effective judicial remedies and due process.

(9) Where the legal system of a Member State does not provide for fines, this Article may be applied in such a way that the fine is initiated by the competent supervisory authority and imposed by the competent national courts, ensuring that those remedies are effective and that they have the same effect as fines imposed by regulators. In any case, the fines imposed must be effective, proportionate and dissuasive. The Member States concerned shall notify the Commission by 25 May 2018 of any legislation which they adopt pursuant to this paragraph and any subsequent amending legislation or amendments thereto without delay."

3.3. Applied to the present case, this means the following:

3.3.1. To reject the application for reimbursement of costs:

This is a procedure for a complaint against a decision by an administrative authority due to illegality within the meaning of Art. 130 Para. 1 Z 1 B-VG. In this context, it should be noted that the complainant's request to oblige "the respondent" to reimburse costs apparently means the party involved.

Since the VwGVG does not provide for reimbursement of costs for complaints about administrative decisions, the corresponding regulations of the General Administrative Procedures Act 1991 (AVG) are to be applied on a subsidiary basis in accordance with § 17 VwGVG.

According to Section 74, Paragraph 1 of the AVG, each party involved has to bear the costs incurred in the administrative procedure themselves. This principle applies to all party costs, such as legal fees, costs for private reports, etc. (VwSlg. 16.636 A/2005 mwN). According to paragraph 2 leg. cit., the administrative regulations determine the extent to which a participant is entitled to a claim for reimbursement of costs against another participant.

A reimbursement of costs as requested by the complainant would therefore only be considered if there was a legal basis for this and the factual competence of the adjudicating court to discuss such an application (Art. 18 para. 1 B-VG).

In this regard, neither the VwGVG nor the AVG, which is to be applied on a subsidiary basis, provides a legal basis for a reimbursement of costs in proceedings relating to a complaint against a decision, since § 35 VwGVG only provides a claim for reimbursement of costs for complaints about the exercise of direct administrative authority and coercive power within the meaning of Art. 130 Para. 1 Z 2 B-VG.

In the absence of a material-specific special regulation in the DSG or in the GDPR, there is also no claim for reimbursement of costs from Section 74 (2) AVG.

There are also no indications of an unplanned gap in the law that would allow it to be closed by analogy. On the contrary, the legislature has expressly opted for the principle that each party bears its own costs in the administrative procedure, and it cannot be assumed that it wanted to regulate a claim for reimbursement of costs in the DSG and merely "forgot" to do so.

Furthermore, it should be noted that there is no obligation to have a lawyer either in the proceedings before the authority concerned or in the proceedings before the Federal Administrative Court (§ 17 VwGVG in conjunction with § 10 AVG), and that this was intended to make it possible for complainants to appeal to the Federal Administrative Court at low cost, without additional fees apart from the fees required for filing the complaint. It is also not necessary to consult a lawyer because the complaint to the relevant authority or the Federal Administrative Court cannot be rejected immediately in the event of any deficiencies in the execution of the complaint, but rather an order for improvement or rectification of defects must be issued (§ 17 VwGVG in conjunction with § 13 para. 3 AVG), so that it is also possible for parties who are not represented by a lawyer to conduct such proceedings properly with the help of the instructions from the authority or the court.

In a comparable case, the Constitutional Court stated:

"It is within the legal policy leeway of the administrative procedure legislator whether and in which cases it standardizes a self-sufficiency of the procedural costs (in the sense of § 74 para. 1 AVG) or a claim for reimbursement of costs against another party (cf. § 74 para. 2 AVG in conjunction with the respective substantive law). The disadvantage of having to bear one's own costs in the (data protection law) administrative procedure is offset by the advantage of the lack of risk of being obliged to assume the costs of another party." (E 315/2020-5 of February 26, 2020).

The complaint was therefore dismissed in this regard.

3.3.2. On the alleged violation of the right to confidentiality by the co-involved party due to the processing of the complainant's personal data in the online directory:

In summary, the complainant argues in his complaint that the authority concerned wrongly denied the inadmissibility of the data processing due to a lack of justification or sufficient information. The authority concerned sometimes did not apply the assessment of the criteria relevant to the weighing of interests at all, and sometimes applied them incorrectly.

However, the complainant is wrong in his statements:

According to Art. 6 Para. 1 lit. f GDPR, processing is justified if it is necessary to safeguard the legitimate interests of the person responsible or a third party, unless the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data, predominate.

In the case of a balancing of interests to be carried out according to these specifications, it must be checked which interests the person responsible is pursuing in the processing and what effects this processing has on the data subjects, in particular taking into account their fundamental rights and fundamental freedoms. In other words, a balance has to be struck to determine which interests weigh more heavily. If the balance is in favor of the person responsible, the processing can be based on this justification, even if the interests are equal (Jahnel, commentary on the General Data Protection Regulation Art. 6 DSGVO margin no. 66 ff. (as of December 1st, 2020, rdb.at)).

Accordingly, the legitimate interests of the person responsible (the party involved as the operator of the online directory) and third parties (persons who want to find out more about the listed XXXX or seek treatment, as well as XXXX itself, who have an interest in appearing on this platform) must subsequently be evaluated, and those interests and possible consequences for the complainant (listed as XXXX until January 8th, 2019 in the directory) that result from the processing in question must be taken into account.

In order to specifically weigh up the interests, the ECJ has developed a "test scheme" for the largely identical previous provision of Art. 7 lit f GDPR, according to which the processing of personal data is permissible under three cumulative conditions (ECJ December 11, 2019, C-708/18 [Asociatia de Proprietari bloc M5A-ScaraA] margin no. 40):

1. Presence of a legitimate interest exercised by the controller or by the third party(s) (adapted to the slightly modified wording of Art. 6 Para. 1 lit f),

2. Necessity of processing personal data to realize legitimate interest and

3. no predominance of the fundamental rights and freedoms of the data subject.

Furthermore, it should be noted that - contrary to the complainant's view - Article 6 Paragraph 1 Letter f is not to be understood as an exception, but - as the relevant authority correctly explained - is to be seen as equivalent to the other legal grounds for the admissibility of the processing. This follows from the wording of the provision, according to which processing is only lawful if at least one of the following conditions is met (Kastelitz/Hötzendorfer/Tschohl in Knyrim, DatKomm Art 6 Rz 14 DSGVO). § 1 DSG also provides that the processing of personal data (among other things) is also lawful if it is necessary to protect overriding legitimate interests of another (Jahnel, comment on the General Data Protection Regulation Art. 6 DSGVO margin no. 6). The fact that, according to the complainant, it would have been possible for the party involved to obtain the consent of the person concerned is therefore irrelevant in the present case (see point 3.3.2.2. for more details).

3.3.2.1. Regarding the first requirement: Existence of a legitimate interest:

Contrary to the statements made by the complainant, the legitimate interests that can be brought into the weighing of interests include legal interests as well as actual, economic or non-material interests. From the wording of the provision and the case law of the ECJ, it follows that the interests of a third party can also justify the processing by the person responsible (Jahnel, commentary on the General Data Protection Regulation Art. 6 DSGVO margin no. 73 (as of December 1st, 2020, rdb.at)).

Accordingly, the complainant's argument that the relevant authority should not have taken the information interests of third parties into account when weighing up the interests cannot be accepted. Only public interests that are not related to individual persons are not covered, in contrast to Art. 6 (1) lit. (see Schantz in Simitis|Hornung|Spiecker [ed.] data protection law, Art. 6 Para. 1 margin no. 98f.). But this is not the case here. The Article 29 Working Party also takes the view that the interest of the general public or the interest of third parties may play a role in assessing the lawfulness of processing. It may also be the case that a company's private business interest coincides to a certain extent with a public interest (see Art. 29 Data Protection Working Party, WP 217 loc.cit. p. 36 and 45).

First of all, it should be noted that the party involved - as rightly assumed by the authority concerned - has an economic interest in the operation of the online directory, since it offers the XXXX existing in the directory extended and fee-based packages with which they can, to a certain extent, "upgrade" by enabling a ranking and highlighting in the search results, the inclusion of a profile picture of different sizes up to a gallery with 15 pictures/videos and the publication of additional information (publications, linking to the homepage and blog articles). Such an economic interest in the sense of making a profit can in any case represent a legitimate interest within the meaning of this provision (see again Art 29 Data Protection Working Party in WP 217, 31 ff with reference to Art. 16 GRC).

In this respect, it is also irrelevant that there are already similar online directories of XXXX in Austria, because the legitimate interest of the person responsible is important (cf. Schantz in Simitis|Hornung|Spiecker [ed.] data protection law, Art. 6 para. 1 margin no. 99).

Furthermore, in the present case, there are interests of third parties, namely people who want to find out more about the listed XXXX or seek treatment. According to the findings, the platform of the party involved also offers added value for third parties compared to the public list of the (then responsible) BM XXXX by being optimized for mobile devices (responsive display) and containing a search function and a detailed search option with additional filters. The online directory also offers information on additional training, key areas of work, which XXXX and whether XXXX are available, provided one of the paid variants is used by the XXXX/XXXX concerned. It is not for the Federal Administrative Court to assess whether this constitutes a violation of fair trading provisions, as this falls within the jurisdiction of the ordinary courts. Moreover, the complainant's concerns in this regard were not shared in the proceedings already conducted before the civil and commercial courts.

According to what has just been explained, there are legitimate interests of the party involved as well as third parties.

3.3.2.2. On the second condition: Necessity of processing the personal data to realize the legitimate interest:

The processed personal data must be objectively appropriate for the intended use, relevant for the purpose and limited to what is necessary for the purpose (Jahnel, commentary on the General Data Protection Regulation Art. 6 GDPR Rz 76 (as of December 1st, 2020, rdb.at)).

In the present case, it is necessary to process the personal data of XXXX in order to realize the legitimate interest (operation of the online directory). A milder means is not apparent in this respect. Even the complainant does not contest this circumstance in his complaint about the decision, although he does not recognize the commercial interest of the party involved as a legitimate interest and thinks that consent should have been obtained. As the involved party also rightly points out, the necessity is not generally eliminated by the fact that it would have been possible for the involved party to obtain consent in advance, since reliance is placed not on the justification of consent, but on that of legitimate interests. The specific circumstances of the data processing (cf. Schantz in Simitis|Hornung|Spiecker [ed.] data protection law, Art. 6 Para. 1 Rz 11) do not mean that the complainant's prior consent to the processing would have been necessary in the present case (see point 3.3.2.3 below). The statements made by the complainant in this regard cannot therefore be accepted.

3.3.2.3. Regarding the third condition: no preponderance of the fundamental rights and fundamental freedoms of the data subject:

Ultimately, as part of the balancing of interests, it is necessary to examine the relationship between the interests of the respective parties. The general maxim in the examination is that a minor and not particularly compelling interest of a person responsible usually only outweighs the interests and rights of the data subject if the effects on these interests and rights of the data subject are minor. The more important and compelling the legitimate interests of the person responsible are, the more massive interference with the interests and rights of the data subject can be justified as a result. Protective measures to mitigate unreasonable consequences for data subjects must also be taken into account here, which play a special role in the weighing process. In addition, the balancing of interests must always be carried out from an objective point of view. An important and helpful interpretation aid in this consideration can be found in recital 47 sentence 1: "The reasonable expectations of the data subject, which are based on their relationship with the person responsible, must be taken into account." Sentence 4 of the same recital goes in the same direction: "In particular, when personal data is processed in situations where a data subject need not reasonably expect further processing, the interests and fundamental rights of the data subject could outweigh the interests of the controller." When considering what the reasonable expectations of the data subject are in the respective processing context, it depends on whether the data subject could reasonably have expected at the time the data was collected, taking into account the circumstances, that data processing would take place for a specific purpose.

In the present case, it should be emphasized that the (in the past) processed data of the complainant were not incorrect (see Buchner/Petri in Kühling/Buchner, General Data Protection Regulation Federal Data Protection Act, 2nd edition, Art. 6 DS-GVO margin no. 151) and that the personal data of the complainant processed in the online directory are data that are already in the list of the BM XXXX and are therefore publicly accessible, which is why the complainant's interest in keeping these data secret is not to be regarded as particularly pronounced (cf. Heberlein in Ehmann/Selmayr, General Data Protection Regulation Art. 6 margin no. 28). The personal data of the complainant were only processed to the extent that they were already in the list of the BM XXXX. In addition, there is the fact that the personal data of the complainant in question are not a "special category of personal data" within the meaning of Art. 9 GDPR, criminally relevant data or data on the economic and financial circumstances of the complainant (see Schantz in Simitis|Hornung|Spiecker [ed.] data protection law, Art. 6 Para. 1 Rz 105f), but rather data which are to be assigned to the professional sphere of the complainant (cf. Buchner/Petri in Kühling/Buchner, General Data Protection Regulation Federal Data Protection Act, 2nd edition, Art. 6 DS-GVO margin no. 150; Heberlein in Ehmann/Selmayr, General Data Protection Regulation, 2nd edition, Art. 6 margin no. 28), and the processing by the party involved also took place in a technically relevant online directory. According to the above, there is a close factual and typical connection, which is why it can be assumed that the complainant, as the data subject, had to reasonably (objectively) expect the processing.

In its statement of October 28, 2021, the party involved also explained that negative consequences of data processing (such as identity theft, financial loss or damage to reputation) are not to be expected in the present case (nor has any risk materialized in the present case), especially since the processed data of the complainant - as already explained above - are not a "special category of personal data" within the meaning of Art. 9 DSGVO, nor data relevant under criminal law or data on the economic and financial circumstances of the complainant, and even access to this data or a change to it is not suitable for causing damage to the person concerned and it is impossible to fill the XXXX with content that is harmful to the reputation (cf. Schantz in Simitis|Hornung|Spiecker [ed.] data protection law, Art. 6 para. 1 margin no. 107). As a result, the complainant did not oppose the content of this submission either. Even the complainant's reference to the judgment of the German Federal Court of Justice of February 20, 2018, Zl. VI ZR 30/17, is unable to help the complaint to succeed. In the judgment cited, the BGH held that it endorsed the Senate judgment of September 23, 2014, VI ZR 358/12, according to which the storage of physicians' personal data in an evaluation portal limited to the functions of the basic data of physicians combined with grades and free text comments is allowed. Furthermore, it was stated that the doctor rating portal operated by the defendant fulfills an approved and socially desirable function.

The present facts are also not comparable with those on which the judgment of the BGH was based, in that the party involved, through the purchase of additional packages, allows the relevant XXXX / the relevant XXXX a priority and a visually more attractive design of their profile, including the listing of additional information, but does not actively influence a decision of potential patients - as in the judgment of the BGH - by advertising references to the local competition in the case of non-paying doctors.

Regarding the alleged encroachment on the freedom to work, it must first be stated that the freedom to work according to Art. 6 StGG refers to any self-employed or dependent activity that is aimed at achieving economic success (Grabenwarter/Frank, B-VG Art 6 StGG margin no 9 (as of June 20, 2020, rdb.at)). Taking up gainful employment is protected, as is exercising it (VfSlg 11.558/1987). In the present case, however, the complainant is not prevented from exercising his profession undisturbed if he (at his own request) does not appear in the online directory of the party involved (see OGH 27.06.2016, 6 Ob 48/16a), especially since the complainant continues to be listed as XXXX in the BM XXXX list and can be found via common search engines and other relevant portals.

The fundamental rights and fundamental freedoms of the complainant therefore do not outweigh the interests of the party involved and third parties in the present case. The complaint was therefore rightly dismissed by the relevant authority.

3.3.3. Regarding the alleged violation of the right to confidentiality by the co-involved party due to the contacting of the complainant in connection with the inclusion in the online directory:

In summary, the complainant complains that it was not permissible for the party involved to contact the company by letter.

In connection with the "legitimate interests" of the party involved and third parties, reference can be made to the statements under point 3.3.2. Contacting the affected XXXX, including the complainant, naturally also served to advertise the online directory of the party involved, which, according to the above, can also represent a legitimate interest.

Contacting those affected was also necessary in order to realize the legitimate interests of the party involved (the sale of extended and paid packages). Here, too, a milder remedy is not apparent. In addition, the letter in question also gave the data subjects basic information on the processing of their personal data.

It should also be pointed out once again that the personal data of the complainant used by the party involved to establish contact are data that are already in the list of the BM XXXX - and in this respect publicly accessible - which is why the complainant's interest in secrecy with regard to these data is not to be regarded as particularly pronounced. In addition, there is the fact that the complainant was contacted using data that can be assigned to the complainant's professional sphere. In addition, it was not a "special category of personal data" within the meaning of Art. 9 GDPR, criminally relevant data or data on the economic and financial circumstances of the complainant. Negative consequences of data processing were not to be expected (nor did any risk materialize in the present case). The involved party only contacted the complainant once and only processed the complainant's personal data in the above-mentioned connection with the online directory of the involved party, which is also directly related to the complainant's profession. It can therefore also be stated with regard to the contact of the involved party with the complainant that the fundamental rights and freedoms of the complainant in the present case did not outweigh the interests of the involved party.

3.3.4. Regarding the alleged non-fulfillment of the information obligation according to Art. 14 DSGVO:

Art. 14 GDPR regulates the information obligation in cases in which the personal data were not collected from the data subject (indirect collection). Specifically, this includes, for example, obtaining data from another person responsible by transmission, from commercial address dealers or - as in the present case - the own collection of data from public sources (Jahnel, comment on the General Data Protection Regulation Art. 14 DSGVO Rz 1 (as of 1.12.2020, rdb.at)).

First of all, it should be noted that the Federal Administrative Court - contrary to the statements of the party involved - considers itself authorized to examine the asserted reason for the complaint of the alleged non- or poor fulfillment of the information obligation according to Art. 14 DSGVO to the extent of the rejection of the data protection complaint by the authority concerned. The authority concerned found in point 1 of the contested decision that a violation of the right to information within the meaning of Article 14 (1) (c) (deficiencies in the content of the subsequently submitted data protection declaration) had taken place. Otherwise, however, the data protection complaint was dismissed as unfounded in point 3 and this rejection not only relates to the alleged violation of the right to secrecy, but also to the alleged deficiencies in the provision of information in accordance with Art. 14 DSGVO (cf. page 30 of the contested decision). Especially since point 3 was explicitly contested by the complainant, any violation of the right to information under Art. 14 GDPR to the extent that the data protection complaint was rejected is not withdrawn from the Federal Administrative Court's examination authority.

However, it should be noted that the intervening party - as stated above - sent the complainant an updated version of its data protection declaration by post on April 10, 2019. The complainant does not specifically argue to what extent the data protection declaration already submitted in the proceedings before the authority concerned is still deficient, but merely relies on the fact that the information was not provided at the "time of the first notification".

Pursuant to Section 24 (6) first sentence DSG, the respondent (here: the party involved) can, however, subsequently remedy the alleged violation of rights until the proceedings before the data protection authority have been completed by complying with the complainant's requests.

The authority concerned stated in the contested decision that the party involved sent the complainant the data protection declaration by post in the ongoing proceedings in order to fulfill the information obligation and thus subsequently eliminated any relevant violation of the law (apart from sub-items 4 and 5 of the data protection declaration).

In addition, the party involved has meanwhile complied with the order of the authority concerned.

In contrast to the right to secrecy and the explanations under point 3.1.1., with regard to Art. 14 GDPR the complainant has no interest in ascertaining past infringements, which is why it can remain undecided whether the information was provided in accordance with Art. 14 GDPR (inadequately) at the time the complainant was contacted (cf. VwGH 27.09.2007, 2006/06/0330, according to which a right to a determination of a past violation of the right to erasure of data cannot be derived from Section 31 (2) DSG 2000, and the same must apply with regard to any asserted right to a determination of violations of the right to information that occurred in the past; such a right cannot be derived from Section 31 (1) DSG 2000). This case law of the VwGH can also be applied to the current legal situation, so that in the current proceedings before the Federal Administrative Court in the present case, a possible violation of the right to information pursuant to Art. 14 GDPR in the past can no longer be discussed.

This is also against the background that the complainant cannot be agreed with when he argues that a violation of Art. 14 GDPR in any case causes the unlawfulness of the data processing. The Federal Administrative Court agrees with Illibauer's opinion, according to which the lack of information pursuant to Art. 14 GDPR cannot call into question the legality of the data processing per se, since the legality is determined by Art. 5 et seq. GDPR and the provision or non-provision of the information, since it is punishable by law anyway, cannot have any influence on the basic legality of the processing (see Illibauer in Knyrim, DatKomm Art. 14 DSGVO Rz 4 (as of October 1st, 2018, rdb.at); further quotations). Jahnel also assumes that the stronger arguments speak in favor of the basic classification of the information obligation as a regulatory provision, since on the one hand the information obligation is included in Chapter III "Rights of the data subject" and not in Chapter II "Principles", and on the other hand Art. 83 para. 5 provides for two separate criminal offenses, for a violation of the legality requirements in lit a on the one hand and for violations of the rights of the data subject in accordance with Articles 12 to 22 in lit b on the other. Something else should only apply if the person responsible completely neglects his information obligations, since Recital 60 considers it to be absolutely necessary for the principles of fair and transparent processing that the data subject is informed about the existence of the processing operation and its purposes. The judgment of the ECJ of October 1, 2015, C-201/14 cited by the complainant also does not result in anything different for the present case. The ECJ stated that “Articles 10, 11 and 13 of Directive 95/46/EC of the European Parliament and of the Council of October 24, 1995 on the protection of natural persons with regard to the processing of personal data and on the free movement of data [...] are to be interpreted as precluding national measures, such as those at issue in the main proceedings, which allow the transfer of personal data from one administrative authority of a Member State to another administrative authority and their subsequent processing without the data subjects having been informed of the transfer and the processing.” Apart from the fact that the decision of the ECJ was made before the GDPR came into force, it cannot be applied to the present case because the facts of the case in the judgment of the ECJ were based on a transfer of personal data by one administrative authority to another administrative authority, which was based on a measure that undermined the information obligations. In contrast to the party involved, the administrative authority (according to the new legal situation) was fundamentally unable to invoke Article 6 (1) (f) GDPR with regard to the lawfulness of the processing. In addition, the complainant was informed by the party involved at least when the platform was set up about the existence of the processing operation and its purposes (to make the search [for those interested in therapy services, website visitors] [for a suitable XXXX] as easy and barrier-free as possible and [for the respective XXXX / the respective XXXX] the achievement of a relevant range of possible clients) with reference to the data protection declaration (that this was not available at the time was not claimed by the complainant at any time in the proceedings before the relevant authority), which is why it can be assumed in this respect that in the present case even a defective provision of information pursuant to Art. 14 GDPR did not result in any unlawfulness of the data processing.

3.3.5. Regarding the alleged violation of Art. 32 GDPR:

In this respect, the complainant argues that the unsolicited transmission of complete access data by means of a simple letter poses a high risk for the data subject concerned. A postal transmission - without the knowledge of the person concerned - could lead, through unintentional disclosure, not only to identity theft but also to considerable financial and economic losses (damage to reputation). The party involved accepted these risks for economic reasons and therefore violated its obligations under Art. 32 GDPR. Due to the chosen form of contact, the involved party failed to ensure adequate security of the personal data, thereby violating the principles for the processing of personal data according to Art. 5 GDPR.

First of all, it should be noted that the complainant submitted a violation of Art. 32 GDPR for the first time in the complaint about the administrative decision. Such was not the subject of the official procedure and was therefore not reflected in the contested decision.

According to the established case law of the Administrative Court, the administrative courts' authority to examine is limited by the "administrative matter" or the matter that formed the content of the ruling of the authority concerned (cf. e.g. VwGH 24.2.2016, Ra 2015/090138; 19.2.2018, Ra 2015/12/0008).

It follows that a possible violation according to Art. 32 GDPR is withdrawn from the examination authority of the Federal Administrative Court, especially since the person concerned has no subjective right to demand individual specific measures from the person responsible (Bergauer in Jahnel, comment on the General Data Protection Regulation Art. 32 GDPR para 12 (as of December 1st, 2020, rdb.at)) and any violation of Art. 32 GDPR - similar to a violation of Art. 14 GDPR - in the present case has no effect on the legality of the data processing (cf. also Pilz in Gola, DS-GVO, Art. 32 Rz 2 mwN), since the party involved has taken appropriate protective measures (see point 3.3.2.3. above).

3.3.6. Regarding the rejection of the complainant's application for the initiation of criminal proceedings against the party involved (paragraph 4 of the contested decision):

In the contested decision, the authority concerned rightly states that with regard to administrative penal proceedings pursuant to Section 25 (1) VStG (with the exception of private prosecution matters which are not relevant here), the principle of official expediency applies, which is why the complainant has no right of application in this regard (cf. Fister in Lewisch/Fister/Weilguni, VStG2 with reference to VwGH May 23, 1990, 88/17/0141: An accusation to be made in the form of an indictment or in the form of an application for punishment is alien to the VStG - apart from private prosecution cases). Also according to Art. 83 in conjunction with Art. 55 ff GDPR, the supervisory authority is responsible for imposing fines (see Ehmann/Selmayr General Data Protection Regulation, 2nd edition, margin no. 10), so that the administrative offense is prosecuted ex officio, which is why no application is required (Gola in Gola, DS-GVO, Art. 83 Rz 30).

Finally, it should be noted that the complainant does not make any substantive statements in his complaint about the decision as to why the legal view of the authority concerned, as reproduced in the contested decision, should be incorrect. The rejection of the complainant's application for the initiation of criminal proceedings against the party involved by the relevant authority was therefore correct, which is why the complaint in this regard was also dismissed.

3.4. Regarding the omission of an oral hearing:

Pursuant to Section 24 (1) VwGVG, the administrative court must hold a public oral hearing on application or, if it deems it necessary, ex officio.

According to § 24 para. 4 VwGVG - unless otherwise provided by federal or state law - the administrative court can refrain from a hearing regardless of a party's application if the files indicate that the oral discussion does not give reason to expect any further clarification of the legal matter, and neither Art. 6 Para. 1 ECHR nor Art. 47 CFR precludes the omission of the hearing.

In the present case, the facts were clarified from the file situation. The use of further evidence was not necessary to clarify the facts.

In the present case, the Federal Administrative Court only has to rule on a legal question (cf. ECtHR June 20, 2013, Appl. No. 24510/06, Abdulgadirov/AZE, margin no. 34 et seq.). According to the case law of the Constitutional Court, an oral hearing can be omitted if the facts are undisputed and the legal question is not particularly complex (VfSlg. 17.597/2005; VfSlg. 17.855/2006; most recently VfGH 18.06.2012, B 155/12).

It was therefore not necessary to conduct an oral hearing.

3.5. Re B) Inadmissibility of the revision:

Pursuant to § 25a Para. 1 VwGG, the administrative court has to pronounce in its ruling or decision whether the revision is admissible according to Art. 133 Para. 4 B-VG. The statement must be briefly justified.

According to Art. 133 Para. 4 B-VG, the revision is not permissible because the decision does not depend on the solution of a legal question that is of fundamental importance. The case law in question is consistent with the case law of the highest courts and can also be derived from the clear wording of the GDPR and the DSG. There are also no other indications of a fundamental importance of the legal question to be solved.

3.6. It was therefore to be decided accordingly.