BVwG - W214 2242817-1

From GDPRhub
BVwG - BVWGT - W214 2242817-1
Courts logo1.png
Court: BVwG (Austria)
Jurisdiction: Austria
Relevant Law: Article 2 GDPR
Article 5 GDPR
Article 57(1)(f) GDPR
Article 58(1) GDPR
§ 2 DSG
§ 28(3) VwGVG
Decided: 16.01.2022
Published: 21.01.2022
Parties: 1. unknown data subject (co-participant and complainant in the procedure before the DSB)
2. unknown association (complainant before the court)
3. DSB (Austria)
National Case Number/Name: BVWGT - W214 2242817-1
European Case Law Identifier: ECLI:AT:BVWG:2021:W214.2242817.1.00
Appeal from:
Appeal to:
Original Language(s): German
Original Source: Rechtsinformationssystem des Bundes (in German)
Initial Contributor: kc

The Federal Administrative Court of Austria held that the Austrian DPA has to perform its own investigations when confronted with complaints and substantiate its decision accordingly.

English Summary[edit | edit source]

Facts[edit | edit source]

The data subject alleged a violation of Article 5 GDPR by the complainant and brought his complaint to the Data Protection Authority (Datenschutzbehörde - DSB). They claimed that the president of the complainant had discussed his person in confidential telephone calls with various offices. According to him, the information discussed was suitable to portray him negatively.

The complainant argued that the oral discussion at a general meeting was not subject to the material scope of Article 2 GDPR. Furthermore, it argued, that even in case of the application of the GDPR, Article 5 hat not been violated.

The DSB decided in favour of the data subject.

Holding[edit | edit source]

The court did not decide on the subject matter. Instead, it repealed the contested decision and referred it back to the DSB in accordance with § 28(3) VwGVG. It concluded that the reasoning of the DSB's decision had been too superficial. According to the court, the decision showed a lack of investigation since the DSB had not even presented what type of personal data had been processed.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the German original. Please refer to the German original for more details.

decision date

16.12.2021

standard

B-VG Art133 Para.4
DSG §1
GDPR Art5
VwGVG §28 paragraph 3 sentence 2

saying

W214 2242817-1/7E

DECISION

The Federal Administrative Court, through the judge Dr. Eva SOUHRADA-KIRCHMAYER as chairwoman and the expert spawning judges Mag. Huberta MAITZ-STRASSNIG and Mag. Claudia KRAL-BAST as assessors on the complaint of XXXX / XXXX ( XXXX ), represented by attorney DDr. XXXX , against the decision of the data protection authority of April 23, 2021, Zl. DSB-D124.982 2020-0.204.354, decided:

a)

The contested decision is revoked in accordance with Section 28 (3) second sentence VwGVG and the matter is referred back to the data protection authority for the issue of a new decision.

b)

The revision is not permitted according to Art. 133 Para. 4 B-VG.

text

Reason:

I. Procedure

1. In his complaint to the data protection authority (DSB, authority concerned before the Federal Administrative Court) dated June 17, 2019, the co-participant (complainant before the authority concerned), XXXX, alleged a violation of Art. 5 GDPR. He submitted that the complainant's president had been called by various offices, that confidential telephone calls had taken place during which his person had been discussed. On April 26, 2019, during the general meeting of the association and in connection with the additions to the agenda he had made, the president reported publicly and without his consent that telephone calls had taken place in which the assessment of his behavior had been the subject. In any case, this information relating to his person and the form of the presentation were suitable for portraying him in a false light and for being able to accuse him of a contemptible quality or attitude. Since he held no functions or offices, his relations with "that place" were of a private nature. The information about him, which was dealt with during these confidential telephone calls, was not intended for third parties.

Attached to the data protection complaint was an e-mail correspondence between the party involved and the complainant from May/June 2019, which was intended to prove that confidential discussions had taken place in which he was personally involved and that some of this was done without his consent and from the been reported out of context.

2. After the authority concerned had issued an order to rectify defects, the person involved corrected his complaint by email dated August 5th, 2019 and stated that the complaint was directed against the President or the complainant's board of directors, i.e. not against a natural person. The ascertained violation of his right to secrecy - use of information concerning himself from the confidential telephone calls - took place on April 26, 2019 during the complainant's general meeting.

3. At the request of the authority concerned, the complainant submitted a statement on November 5th, 2019, in which it was stated, among other things, that in the case of the oral discussion at a general meeting, there was no processing that was subject to the material scope of the GDPR pursuant to Art. 2, because it was not an automated process and no file systems were used for it. Therefore, the application of the co-participant could not lead to success and the procedure should be discontinued for this reason alone. The co-participant does not indicate which violation he is specifically complaining about. In this respect, it is not specified which data is supposed to be the protection of which has allegedly been violated. The person involved only speaks of “information”, but no precise personal data can be derived from this. At the general meeting of members on April 26, 2019, members were discussed in general, what the task of the general meeting was. Exchanging information about members is therefore covered by the purpose of general meetings within the meaning of the Associations Act and thus even if it had been about substantiated personal data and a processing operation within the meaning of the GDPR or applicable national data protection laws, there was no violation of the principles of data protection Article 5 GDPR. When the complainant speaks of confidential talks, he does not indicate which talks are said to be involved; Confidential conversations would, as the name suggests, also be subject to data protection and disclosure of such conversations would lead to a violation of data protection or message protection and the privacy of other affected persons. Should a member of the complainant refer to confidential discussions during the General Assembly, it is up to those present at the General Assembly to draw their own conclusions or not. It was of interest to a general meeting of the complainant whether a member behaved in accordance with the complainant's statutes or not; however, a violation of data protection principles cannot be inferred from this. This general information about the co-participant is neither personal data that the co-participant made available to the complainant, nor data collected independently. Under no circumstances is it an inadmissible processing of personal data of the co-participant if his behavior, which, as mentioned, affects a statutory interest of the association of which the co-participant is a member, is reported in general. This would grossly contradict the freedom of expression, which, like data protection, is protected throughout Europe and under fundamental rights. According to the Law on Associations, the purpose of a democratically established association must be to speak about its members, even and especially if they behave in a way that is detrimental to the purpose of the association. Preventing such information for the purpose of data protection would be tantamount to censorship, which should be condemned in the strongest possible terms. It was not the complainant who was guilty of an infringement of the law, but the person involved when he misused the means of the Data Protection Act in order to prevent legitimate information interests within the association to which he voluntarily belonged. Therefore, no violation of Art. 5 GDPR is evident.

4. On February 19, 2020, the authority concerned sent the complainant the complainant’s statement of November 5, 2019 and gave him the opportunity to submit a statement within a set period.

5. The co-participant subsequently submitted a statement on March 16, 2020 and argued, among other things, that the fundamental right to data protection pursuant to Section 1 DSG exists regardless of whether there is an automated process. Apart from that, the "meeting" took place on the basis of the printed "notes" previously prepared by the President, which indicates that a corresponding digital file existed. He complained that the information concerning him that was not intended for other people was not kept secret, and that the contents of the confidential telephone calls that took place, which were used for public (general assembly) speculation, were (from) withheld from him. Telephone calls between the President and "various offices" about a specific person would already speak of an exchange of personal data. The extent to which personal data can be derived from this can only be assessed after the content of these discussions has been disclosed. It is plausible that during a conversation with "various bodies" at least such personal data would be exchanged as: his name, his profession, possibly his professional situation and his origin, or his nationality, his affiliation with the complainant. It is part of his right to know the content of these phone calls, especially because the General Assembly referred to these phone calls in order to assess his conduct. "Various bodies" could not decide whether a member behaved in accordance with the complainant's statutes. The suppression of his criticism of the complainant's conduct by the President could not be described as the association's legitimate interest in information, as this violated the principle of freedom of expression. The complainant violated the principle of data protection by speculating with the information and disclosing information that would concern his person without informing him. Nothing stood in the way of the Executive Board discussing the content of these talks with him after the General Assembly at the latest. The confidential telephone calls were not part of the agenda and were not intended for the General Assembly; it is part of his legitimate interest in information if the confidential telephone calls that took place about himself were not known to the entire General Assembly and if their contents were not kept secret from him. Since he has no position in the club, all his contacts with "various bodies" concern his privacy and the President has nothing to report to the complainant.

6. With the decision now being challenged, the complaint of the co-participant was upheld and it was established that the complainant had violated the co-participant's right to secrecy by - without confronting the co-participant beforehand within a more intimate framework - for the first time in the General Assembly of April 26, 2019 with events concerning the association's (detrimental) behavior of the co-participant, which the complainant had been told by various bodies in confidential conversations (telephone calls).

The authority concerned determined the following:

"The Respondent is the association with the name XXXX XXXX was President of the XXXX in the period from April 21, 2017 to April 20, 2020. The Respondent held its general assembly ("General Assembly") on April 26, 2019, which was exclusively open to the members of club was accessible. At any rate, the complainant was (ordinary) member of the respondent at that time.

In connection with additions to the agenda made by the complainant, the respondent informed the assembled members of the association through its president about events relating to the association and in connection with the complainant. The Respondent also mentioned that there were inquiries from various bodies regarding the behavior of the Complainant (which was detrimental to the purpose of the association) and the Respondent reported in part on the relevant discussions or telephone calls. The discussions in question were of a confidential nature. The complainant was confronted by the respondent for the first time in the General Assembly with the inquiries and the content of the inquiries.

The complainant has not consented to the disclosure of this information.”

From a legal point of view, the authority concerned held that § 1 para. 1 and 2 DSG would determine that everyone, especially with regard to respect for his private and family life, has the right to confidentiality of personal data concerning him, insofar as a data protection worthy there is interest in it. Insofar as personal data is not used in the vital interests of the person concerned or with his or her consent, restrictions on the right to secrecy are only permissible to protect overriding legitimate interests of another. With regard to a violation of the right to secrecy, it does not matter how data is processed; a verbal notification could also result in a violation of this provision. The material scope of protection of the right to secrecy is therefore broader than that of the GDPR. Thus, it can be assumed that personal data will be used within the meaning of Section 1 DSG. It was undisputed that the complainant's (or a third party's) vital interest or consent was not present and nothing had been put forward in this regard. It is therefore necessary to examine whether the overriding legitimate interests of another would justify the restrictions on the right to secrecy in the present case. In this regard, the complainant had to agree that it is in the legitimate interest of an association that its members comply with the association's statutes and that behavior that is detrimental to the association is stopped. In addition, the fundamental right to freedom of expression represents a legitimate interest that can justify an interference with the fundamental right to secrecy. However, according to Section 1 (2) last sentence DSG, an interference with the interests of the data subject worthy of protection must be carried out in the mildest, most effective way, even in the case of otherwise permissible restrictions. This was not the case, as the complainant would have been able to confront the other party with the allegations in a more intimate setting before the general meeting (e.g. by writing a letter to the other party). The complainant did not claim anything to the contrary. Thus, the use of data was disproportionate and had to be decided in accordance with the verdict.

7. The complainant lodged a complaint with the Federal Administrative Court against this decision in a letter dated May 19, 2021 through her legal representative and argued that the decision was being contested due to formal and substantive illegality. The justification of the decision appears superficial and schematic. The authority concerned did not deal with the specific circumstances and, in particular contrary to Section 37 in conjunction with Section 39 (2) AVG, failed to carry out investigations and make specific determinations about the type and content of the data in question. Without such determinations, no proper legal assessment can be made, because only when the type and content of the data in question is determined can the legal assessment be made between the interests of the data subject in secrecy and the interest in using the data. In addition, the person involved gave rise to the use of data through his behavior at the general assembly of April 26, 2019. It concerned items on the agenda that had been dealt with at the General Assembly at the request of the other party involved. In any case, the data in question is not sensitive data within the meaning of Art 9 DSGVO. This relevant data had come from information obtained about the actions of the co-involved party in connection with the complainant, her objectives (purpose of the association), her area of responsibility and her reputation. They would thus affect the object of the complainant as an association under the VereinsG and in particular the general assembly of the complainant. This information obtained by telephone should therefore not be categorized as “confidential telephone calls”. Therefore, it is also incorrect if the authority concerned assumes unsubstantiated that it would have been necessary and possible to address the participant's behavior "before the General Assembly", meaning outside of the time of the General Assembly, namely before it was held. That was not necessary because the person involved himself brought up the issues in question at the General Assembly. Rather, it was necessary for the factual discussion of these issues and the reply to the allegations of the other party to use this data. An equivalent alternative did not exist. In addition, this use of data in the General Assembly is covered by the statutes of the objective and the scope of the complainant as an association, as defined in the statutes of the association, and is therefore lawful.

8. In a letter dated May 25, 2021, the authority concerned submitted the complaint, including the administrative act, to the Federal Administrative Court and issued a statement in which the complaint was disputed and stated that a classification of the information disclosed by the complainant in the General Assembly (keyword: " confidential conversations") as special categories of personal data iSd. Art. 9 GDPR was not made by the authority concerned in the contested decision. In the opinion of the data protection authority, the complainant's statements do not show to what extent the data in question was used in the mildest, most effective way.

II. The Federal Administrative Court considered:

1. Findings:

The procedure outlined under Item I. is used as a basis for the findings.

It is stated that the facts relevant to the decision were not certain at the time of the decision and that the relevant authority had not carried out any fundamental investigations.

The competent authority can carry out the omitted investigations faster and cheaper than the Federal Administrative Court.

2. Evidence assessment:

The findings result from the administrative act and are undisputed.

3. Legal assessment:

to A)

3.1. According to Art. 130 Para. 1 Z 1 B-VG, the administrative courts recognize complaints against the decision of an administrative authority due to illegality.

According to Section 6 of the Federal Administrative Court Act (BVwGG), the Federal Administrative Court decides through a single judge, unless federal or state laws provide for the decision to be made by senates. According to § 27 Data Protection Act (DSG) as amended (which essentially corresponds to § 39 DSG 2000, which was in force until May 24th, 2018), the Federal Administrative Court decides in proceedings on complaints against decisions due to violation of the duty to inform according to § 24 Para. 7 and the decision-making duty of the Data Protection Authority by Senate. The Senate consists of a chairman and a competent lay judge from the circle of employers and from the circle of employees.

The procedure of the administrative courts, with the exception of the Federal Finance Court, is regulated by the Administrative Court Procedure Act (VwGVG) (§ 1 leg.cit.). Pursuant to Section 58 (2) VwGVG, conflicting provisions that were already promulgated at the time this Federal Act came into force remain in force.

According to § 17 VwGVG, unless otherwise specified in this Federal Act, the provisions of the AVG with the exception of §§ 1 to 5 and Part IV as well as others are more detailed on the procedure for complaints pursuant to Art. 130 Para. 1 B-VG apply the aforementioned laws (not relevant in the present case) and, moreover, those procedural provisions in federal or state laws which the authority applied or should have applied in the proceedings preceding the proceedings before the administrative court.

According to Section 28 (1) VwGVG, the administrative court has to settle the legal matter by finding it unless the complaint is to be rejected or the proceedings are to be discontinued. Pursuant to § 31 Para. 1 VwGVG, the decisions and orders are made by way of a resolution, unless a finding is to be made.

Pursuant to § 28 Para. 2 VwGVG, the administrative court has to decide on the matter itself on complaints pursuant to Art. 130 Para speed or associated with significant cost savings.

According to Section 28 (3) second sentence VwGVG, the administrative court can set aside the contested decision and refer the matter back to the authority for the issue of a new decision if the authority has failed to carry out the necessary investigations into the facts.

3.2. Regarding the process requirements:

The complaint was raised in accordance with Section 7 (4) VwGVG and the other process requirements are also met.

3.3.

To A):

According to the case law of the Administrative Court, a case may be referred back to the administrative authority to carry out the necessary investigations pursuant to Section 28 (3) second sentence VwGVG, in particular if the administrative authority has failed to carry out any necessary investigative activity, if they are only completely unsuitable for determining the relevant facts has taken investigative steps or only rudimentarily determined. The same applies if there are concrete indications that the administrative authority failed to carry out (e.g. difficult) investigations so that these can then be carried out by the administrative court (cf. VwGH 25.01.2017, Zl. Ra 2016/12/0109, margin no. 18ff.; VwGH 26.06 .2014, Zl. Ro 2014/04/0063). In the present case, the authority concerned did not make any investigations or determinations as to which personal data of the co-participant was processed by the complainant or communicated orally. In his complaint to the relevant authority, the complainant stated that the president of the association in question had “reported” at a general meeting of the association that telephone calls had been made in which [it] was about evaluating his behavior. The authority concerned also stated that the respondent had informed the assembled members of the association "about the association's events in connection with the complainant" through its president. The authority concerned also stated: “The Respondent also mentioned that there had been inquiries from various bodies regarding the behavior of the Complainant (which was detrimental to the purpose of the association) and the Respondent reported in part on the relevant discussions or telephone calls. The conversations were confidential. The complainant was confronted by the respondent for the first time in the General Assembly with the inquiries and the content of the inquiries."

The authority concerned did not explain in more detail how the authority concerned came to the conclusion that "events" were reported here and "partly reported from the relevant discussions and telephone calls" and that the complainant was confronted with the "content of the inquiries". Rather, with regard to the "events", reference is made to a statement by the current complainant in another procedure ("official knowledge of the DSB"), which is not included in the file. Even if there was talk of "happenings" in parallel proceedings at the authority concerned, further investigations into the the exact content of the notification.

The authority concerned stated in the legal assessment that "in this case it can be assumed that personal data will be used within the meaning of Section 1 DSG", but without justification or without reference to concrete evidence of any kind. It should be noted that the authority concerned has not determined this what exactly was said about the person involved in the complainant's general meeting or what was reported from these "confidential discussions", nor in what specific context this communication was made. Furthermore, the authority concerned did not investigate whether the current complainant processed data from the “confidential” telephone calls with the aid of automation and quoted from these notes at the general assembly, although the other party involved pointed out such processing. It also seems to emerge from the statement of the person involved that he wanted to extend the complaint to the alleged processing of personal data (notes) from the telephone calls, which the authority concerned did not respond to. In addition, the authority concerned did not request or consult the statutes of the association to determine whether the statements - which are to be specifically determined - in the specific context are covered by the statutes or not. However, these findings are necessary in order to make a legal assessment as to whether personal data of the person involved was processed at all and whether this processing - as submitted by the complainant - is covered by the statutes of the complainant's objectives as an association. Furthermore, it must be clarified which specific data was communicated in which context at all in the general assembly and whether the transmission of this data was covered by the articles of association. It is also only on the basis of this finding(s) that the interests of confidentiality of the other party involved can be weighed up against the interest in the use of the data by the complainant.

The authority concerned will therefore have to continue the omitted investigation steps in the continued proceedings and will have to collect comprehensible evidence. In particular, it will have to clarify the precise wording of the President's communication (e.g. by procuring appropriate minutes of the General Assembly or by questioning the parties more closely). Furthermore, the provision of the statutes of the association will be necessary and these will have to be used to check the legality. The question of whether there is an automated data application and, if so, which personal data it relates to or for what purpose it is used, will also have to be clarified. Insofar as it is necessary to determine what information the complainant's president received in "confidential telephone calls", reference may be made to Section 25 (3) DSG, according to which the relevant authority verified the lawfulness of the application of the restrictions within the meaning of Art 23 DSGVO has to be checked if a person responsible invokes such an authority towards the relevant authority. The authority concerned will therefore have to ask the complainant to disclose the content of the "confidential discussions" or what was said in the general meeting to her at least.

Due to the fact that the authority concerned did not deal with the circumstances of the individual case, the facts remained in need of comprehensive supplementation, which is why, with regard to this particularly serious gap in the investigation, a remittal pursuant to Section 28 (3) second sentence VwGVG is necessary and justified (cf . the decision of the Administrative Court of October 20, 2015, Zl. Ra 2015/09/0088).

A catch-up on the investigation procedure to be carried out and an initial determination and assessment of the relevant facts by the Federal Administrative Court cannot be within the meaning of the law, especially since an immediate further taking of evidence by the Federal Administrative Court would not be "in the interest of speed or associated with significant cost savings", this especially in view of the increased effort associated with the federal administrative court complaints procedure as a multi-party procedure. It was therefore determined that the authorities concerned could carry out the omitted investigations more quickly and cheaply than the Federal Administrative Court.

The contested decision was therefore to be annulled in accordance with Section 28 (3) second sentence VwGVG and the matter referred back to the data protection authority for the issue of a new decision.

In the present case, an oral hearing could be omitted in accordance with § 24 para. 2 no. 1 VwGVG because it was already clear on the basis of the file situation that the contested decision was to be annulled.

On B) Inadmissibility of the revision

Pursuant to § 25a Para. 1 VwGG, the administrative court has to pronounce in its ruling or decision whether the revision is admissible according to Art. 133 Para. 4 B-VG. The statement must be briefly justified.

This decision does not depend on the resolution of a legal issue of fundamental importance. There is neither a lack of case law of the Administrative Court nor does the decision in question deviate from the case law of the Administrative Court; Furthermore, the case law of the Administrative Court is not to be judged as inconsistent. There are also no other indications of a fundamental importance of the legal issues to be resolved. In all significant legal issues, the Federal Administrative Court can rely on the established case law of the Administrative Court or on an already clear legal situation. It is also not apparent that a legal question arises in the specific case that is of significance beyond the (specific) individual case. Based on this, a legal question of fundamental importance within the meaning of Art. 133 Para. 4 B-VG cannot be answered in the affirmative (cf. e.g. VwGH 25.09.2015, Ra 2015/16/0085, with further references). It was therefore to be stated that the revision according to Art. 133 Para. 4 B-VG is not permissible.