BVwG - W252 2246883-1

From GDPRhub
Revision as of 09:58, 13 July 2023 by Mg (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
BVwG - W252 2246883-1
Courts logo1.png
Court: BVwG (Austria)
Jurisdiction: Austria
Relevant Law: Article 77 GDPR
Decided: 12.06.2023
Published: 12.07.2023
Parties:
National Case Number/Name: W252 2246883-1
European Case Law Identifier: ECLI:AT:BVWG:2023:W252.2246883.1.00
Appeal from: DSB (Austria)
Appeal to: Unknown
Original Language(s): German
Original Source: BVwG (Austria) (in German)
Initial Contributor: mg

According to an Austrian court, the principles of equivalence and effectiveness of EU law cannot prevent a national legislator from introducing a 1-year deadline for the exercise of the right to lodge a complaint pursuant to Article 77 GDPR.

English Summary[edit | edit source]

Facts[edit | edit source]

The data subject was an employee of the controller. The data subject claimed that a manager addressed them through their official email address, even if the communication concerned personal issues unrelated to work. Thus, the data subject filed a complaint with the Austrian DPA.

The Austrian DPA dismissed the complaint because it was lodged after more than 1 year after the data subject became aware of the alleged infringement. The data subject appealed this decision before the Austrian Federal Administrative Court (Bundesverwaltungsgericht – BVwG) for violation of Article 77 GDPR.

Holding[edit | edit source]

The court clarified that Article 77 GDPR, providing for the right to lodge a complaint with the competent DPA, does not establish any deadline for the exercise of such a right.

However, the activity of the DPAs is regulated by national procedural law within the limits of Article 58(4) GDPR. In lack of a regulation addressing the matter, specific rules governing procedures before the DPAs are subject to the principle of procedural autonomy of the Member States. The only limits to such a broad discretion of the Member States are the principle of equivalence – according to which procedural guarantees concerning European rights cannot be lower than guarantees set forth in the context of merely national rights – and the principle of effectiveness, which states that the exercise of European rights shall not be made impossible or excessively difficult in practice.

In the present case, the court pointed out how that the 1-year limitation period applied both to GDPR-related complaints and complaints which were exclusively based on national law. Therefore, the protection offered by the Austrian legislator respected the principle of equivalence.

Moreover, the introduction of such a deadline was considered necessary by the legislator, as the assessment of excessively old data protection violations would be in practice very difficult, if not impossible.

In light of the above, the court rejected the data subject’s appeal.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the German original. Please refer to the German original for more details.

decision date

06/12/2023

standard

B-VG Art133 Para.4
DSG §24 paragraph 4
GDPR Art58
GDPR Art77

B-VG Art. 133 today B-VG Art. 133 valid from 01.01.2019 to 24.05.2018 last amended by Federal Law Gazette I No. 138/2017 B-VG Art. 133 valid from 01.01.2019 last amended by Federal Law Gazette I No. 22/2018 B-VG Art. 133 valid from 05/25/2018 to 12/31/2018 last changed by Federal Law Gazette I No. 22/2018 B-VG Art. 133 valid from 08/01/2014 to 05/24/2018 last changed by BGBl I No. 164/2013 Federal Constitutional Law Art by BGBl. I No. 100/2003 B-VG Art. 133 valid from 01.01.1975 to 31.12.2003 last amended by BGBl. No. 444/1974 B-VG Art. 133 valid from 25.12.1946 to 31.12.1974 last amended by Federal Law Gazette No. 211/1946 B-VG Art. 133 valid from December 19, 1945 to December 24, 1946 last amended by StGBl. No. 4/1945 B-VG Art. 133 valid from 01/03/1930 to 06/30/1934

DSG Art. 2 § 24 today DSG Art. 2 § 24 valid from May 25th, 2018 last changed by Federal Law Gazette I No. 120/2017 DSG Art. 2 § 24 valid from January 1st, 2010 to May 24th, 2018 last changed by Federal Law Gazette I No. 133/2009 DSG Art. 2 § 24 valid from 01.01.2000 to 31.12.2009

saying

W252 2246883-1/4E

IN THE NAME OF THE REPUBLIC!

The Federal Administrative Court, through the judge Mag.a Elisabeth SCHMUT LL.M. as chairperson and the expert lay judges Dr. Claudia ROSENMAYR-KLEMENZ and Mag.a Adriana MANDL as assessors on the complaint from XXXX, represented by Höhne, In der Maur The Federal Administrative Court, through judge Mag.a Elisabeth SCHMUT LL.M. as chairperson and the expert lay judges Dr. Claudia ROSENMAYR-KLEMENZ and Mag.a Adriana MANDL as assessors on the complaint from roman XXXX, represented by Höhne, In der Maur & Partner Rechtsanwälte GmbH & Co KG, 1070 Vienna, Mariahilfer Straße 20, against the decision of the data protection authority of August 26, 2021, GZ XXXX, in a closed session in a data protection matter: Co KG, 1070 Vienna, Mariahilfer Straße 20, against the decision of the data protection authority of August 26, 2021, GZ Roman XXXX, in a closed session Rightly recognized meeting in a data protection matter:

A) The appeal is dismissed.

B) The revision is permitted in accordance with Article 133, Paragraph 4 of the Federal Constitution. B) The revision is permitted in accordance with Article 133, Paragraph 4 of the Federal Constitution.

text

Reasons for decision:

I. Procedure: Roman one. Procedure:

1. With a submission dated June 22, 2021, improved on August 16, 2021, the complainant (hereinafter “BF”) lodged a data protection complaint with the relevant authority and summarized that he had dealt with XXXX both professionally and as a private customer . At the beginning of 2019, his customer advisor there used the BF's business e-mail address to clarify a private matter of the BF and communicated with him via this. This violated the purpose limitation principle and the principle of integrity and confidentiality within the meaning of the GDPR. The use of the BF's business e-mail address for a private matter of the BF constitutes inadmissible processing of personal data.1. With a submission dated June 22, 2021, improved on August 16, 2021, the complainant (hereinafter "BF") lodged a data protection complaint with the relevant authority and summarized that he had dealt with roman XXXX both professionally and as a private customer. At the beginning of 2019, his customer advisor there used the BF's business e-mail address to clarify a private matter of the BF and communicated with him via this. This violated the purpose limitation principle and the principle of integrity and confidentiality within the meaning of the GDPR. The use of the BF's business e-mail address for a private matter of the BF constitutes inadmissible processing of personal data.

2. The authority concerned rejected the complaint by decision of August 26, 2021. The BF became aware of the alleged infringement in April 2019. The preclusion period of one year from knowledge of the adverse event has therefore already expired.

3. The present appeal by the BF of September 28, 2021 is directed against this decision. In this, the BF states that he explicitly based his complaint on Article 77 GDPR, which does not provide for any time restrictions on the rights of the data subject. Due to the priority of application of Union law, the statute of limitations in Section 24 (4) DSG should remain unapplied. It is therefore to decide on the content of his data protection complaint.3. The present complaint of the BF of September 28, 2021 is directed against this decision. In this, the BF states that he explicitly based his complaint on Article 77, GDPR, which does not provide for a time limit on the rights of the data subject. Due to the priority of application of Union law, the statute of limitations in Article 24, paragraph 4, DSG should remain unapplied. It is therefore to decide on the content of his data protection complaint.

4. The authority concerned submitted the complaint, following the administrative act, with a brief dated September 30, 2021, received on October 1, 2021, and applied for the complaint to be dismissed - with reference to the principle of procedural autonomy.

Evidence was collected by inspecting the administrative file.

II. The Federal Administrative Court considered: Roman II. The Federal Administrative Court considered:

1. The following facts are established:

The BF considers the use of his business e-mail address for private matters to be aggravated. This email communication took place in early 2019.

By April 2019 at the latest, the BF became aware that private matters were being handled via his business email address.

The BF sent his data protection complaint to the relevant authority by email on June 22, 2021.

2. The findings result from the following assessment of evidence:

The findings are based on the harmless administrative act.

The adverse event results from the BF's data protection complaint of June 22, 2021. In this he described in detail how he saw his rights violated and when he became aware of it (see in particular the administrative complaint of the BF of September 28th, 2021, S 2; OZ 1, S 9; as well as the rectification of defects by the BF of August 16th. 2021, p. 2; OZ 1, p. 46). The authority identified the relevant paragraphs of the written pleadings in its notice and used it as a basis for its assessment. The administrative complaint is directed exclusively against the legal assessment of the authority concerned. The ascertained facts, in particular the point in time at which they were noted, remained undisputed. Due to the express information in the remedy of defects dated August 16, 2021, there was no reason to doubt the information provided by the BF at the time the alleged infringement became known.

The submission date of the data protection complaint results from the unobjectionable administrative act. This shows the time stamp of the email from the BF from June 22nd, 2021 (OZ 1, S 7).

3. Legally it follows:

to A)

The admissible complaint is not justified.

3.1. On the subject of the complaint:

It should be noted at the outset that if the authority sued before the administrative court has rejected an application, the only matter in the appeals procedure before the administrative court is the question of the legality of this rejection (VwGH September 29, 2022, Ra 2021/15/0052).

3.2. Regarding the relevant legal provisions:

The relevant provisions of the GDPR are excerpted as follows:

"Article 58

powers

[…] 4. The exercise of the powers conferred on the supervisory authority under this Article shall be subject to appropriate safeguards, including effective judicial remedies and due process of law, in accordance with Union and Member State law, in accordance with the Charter. [...]"

The relevant provisions of the DSG are as follows:

"Complaint to the Data Protection Authority

§ 24. [...] (4) The right to have a complaint dealt with expires if the intervener does not report it within one year of becoming aware of the event giving rise to the complaint, but at the latest within three years after the event allegedly took place, brings in. Late complaints are to be rejected.” Paragraph 24, […] (4) The right to have a complaint dealt with expires if the person intervening does not do so within one year of becoming aware of the adverse event, but at the latest within three years after the event of alleged dimensions has taken place. Late complaints are to be rejected.”

3.3. Regarding the right to lodge a complaint with a supervisory authority:

The right to lodge a complaint with a supervisory authority results directly from Article 77 GDPR. However, the GDPR does not contain any specifications regarding the deadlines for asserting a claim under Article 77 GDPR. The exercise of the powers of the supervisory authority is based on Article 58 (4) GDPR according to the procedural law of the member states (Zavadil in Knyrim, DatKomm Art 58 GDPR Rz 51; and Bresich/Dopplinger/Dörnhöfer/Kunnert/Riedl, DSG § 24 Rz 3). The right a complaint to a supervisory authority results directly from Article 77, GDPR. However, the GDPR does not contain any requirements regarding the deadlines for asserting a claim under Article 77, GDPR. The exercise of the powers of the supervisory authority is based on Article 58, Paragraph 4, GDPR according to the procedural law of the member states (Zavadil in Knyrim, DatKomm Article 58, GDPR margin no. 51; and Bresich/Dopplinger/Dörnhöfer/Kunnert/Riedl, DSG Paragraph 24, margin no. 3 ).

Furthermore, according to the settled case-law of the ECJ, in the absence of relevant EU rules, it is for the individual Member States, in accordance with the principle of the procedural autonomy of the Member States, to regulate the modalities of the administrative procedure and the judicial procedure, which are intended to ensure the protection of the rights deriving from EU law for individuals. However, these procedural modalities must not be less favorable than those for corresponding domestic legal remedies (principle of equivalence) and must not make it practically impossible or excessively difficult to exercise the rights conferred by the Union legal order (principle of effectiveness) (see ECJ 06.10.2015, C- 61/14, margin no. 46).

According to Section 24 (4) DSG, the right to have a complaint dealt with expires if the intervener does not file it within one year of becoming aware of the event giving rise to the complaint, but at the latest within three years after the event allegedly took place. Belated complaints are to be rejected. Pursuant to Section 24, Paragraph 4, DSG, the right to a complaint being dealt with expires if the intervener does not report it within one year of becoming aware of the complaining event, but no later than three years after the event was alleged Measures has taken place. Late complaints are to be rejected.

The deadlines mentioned in § 24 DSG are preclusive deadlines to be observed ex officio (see OGH 31.07.2015, 6 Ob 45/15h on the previous provision of § 34 paragraph 1 DSG 2000; as well as Bresich/Dopplinger/Dörnhöfer/Kunnert/Riedl, DSG § 24 Rz 2). The deadlines mentioned in paragraph 24, DSG are preclusive deadlines to be observed ex officio (see OGH 31.07.2015, 6 Ob 45/15h on the previous provision of paragraph 34, paragraph one, DSG 2000; as well Bresich/Dopplinger/Dörnhöfer/Kunnert/Riedl, DSG Paragraph 24, Rz 2).

For the present case this means:

The BF became aware of the alleged infringement in April 2019 at the latest. He only submitted his data protection complaint to the relevant authority on June 22, 2021, i.e. more than two years after becoming aware of it. The one-year subjective period of Section 24 (4) DSG had therefore already expired and the data protection complaint could no longer be raised. The BF became aware of the alleged infringement in April 2019 at the latest. He only submitted his data protection complaint to the relevant authority on June 22, 2021, i.e. more than two years after becoming aware of it. The one-year subjective period of paragraph 24, paragraph 4, DSG had therefore already expired and the filing of the data protection complaint was no longer permissible.

Contrary to the opinion of the BF, it is not evident in the present case that the deadlines of § 24 DSG would unreasonably restrict the right of appeal under the GDPR. As the authority concerned correctly explained, the deadlines of Section 24 (4) DSG also apply to complaints that are not subject to Union law. In particular, complaints are conceivable that "only" relate to § 1 DSG or complaints regarding processing for the purposes of police state security and military self-defence). There is therefore no unequal treatment of complaints subject to Union law (see the statement of the relevant authority of September 30, 2021, S 2 f; OZ 1, S 2 f). The argument of the BF was therefore not to be followed. Contrary to the view of the BF, it is not apparent in the present case that the periods of paragraph 24, DSG would restrict the right of appeal under the GDPR disproportionately. As the authority concerned correctly explained, the deadlines of paragraph 24, paragraph 4, DSG also apply to complaints that are not subject to Union law. In particular, complaints are conceivable that "only" concern paragraph one, DSG or complaints regarding processing for the purposes of police state security and military self-defence). There is therefore no unequal treatment of complaints subject to Union law (see the statement of the relevant authority of September 30, 2021, S 2 f; OZ 1, S 2 f). The argument of the BF was therefore not to be followed.

The alleged violation of rights had been known to the BF for more than two years at the time of submission. As can be seen from the explanations of the previous provision (§ 34 Para. 1 DSG 2000), the legislator considered the introduction of the period to be objectively necessary, since the determination of facts that date back a long time can be associated with considerable difficulties and a reliable assessment of the existence of data protection violations can be made more difficult (see ErlRV 1613 BlgNR 20. GP 50). The alleged violation of rights had been known to the BF for more than two years at the time of submission. As can be seen from the explanations of the previous provision (paragraph 34, paragraph one, DSG 2000), the legislator considered the introduction of the deadline to be objectively necessary, since the determination of facts that date back a long time can be associated with considerable difficulties and a reliable assessment of the existence of the deadline can be made made more difficult by data protection violations (see ErlRV 1613 BlgNR 20. GP 50).

The authority concerned therefore rightly rejected the data protection complaint.

3.4. Pursuant to Section 24 (1) VwGVG, the administrative court must hold a public oral hearing upon application or, if it deems it necessary, ex officio.3.4. According to paragraph 24, paragraph one, VwGVG, the administrative court must hold a public oral hearing upon application or, if it deems it necessary, ex officio.

In the present case, the hearing according to § 24 para. 2 no. 1 VwGVG could be omitted, since the party's application initiating the previous administrative procedure - in this case the data protection complaint of the BF - had to be rejected. In addition, the Federal Administrative Court only had to rule on a legal issue (cf. ECHR June 20, 2013, Appl. No. 24510/06, Abdulgadirov/AZE, margin nos. 34 et seq.). Neither Art. 6 Para. 1 EMRK nor Art. 47 of the Charter of Fundamental Rights stand in the way of the omission of the hearing. here the data protection complaint of the BF - was to be rejected. In addition, the Federal Administrative Court had to rule exclusively on a legal issue, see ECtHR June 20, 2013, Appl. No. 24510/06, Abdulgadirov/AZE, margin no. 34 ff). Neither Article 6, Paragraph 1 of the ECHR nor Article 47 of the Charter of Fundamental Rights stand in the way of the omission of the hearing.

3.5. It had to be decided accordingly.

Regarding B) Admissibility of the revision:

Pursuant to § 25a Para. 1 VwGG, the administrative court has to pronounce in its ruling or resolution whether the revision is admissible in accordance with Art. 133 Para. 4 B-VG. This statement must be briefly reasoned. According to paragraph 25 a, paragraph one, VwGG, the administrative court has to pronounce in its decision or decision whether the revision is permissible according to Article 133, paragraph 4, B-VG. This statement needs a brief justification.

The revision is admissible because the decision depends on the solution of a legal question that is of fundamental importance. So far, there has been no case law from the Administrative Court to what extent the deadline of Section 24 (4) DSG also applies to cases in which the person concerned explicitly bases their complaint on Art. 77 GDPR. The revision is permissible because the decision depends on the solution depends on a legal question that is of fundamental importance. So far, there has been no case law from the Administrative Court to what extent the period of paragraph 24, paragraph 4, DSG also applies to those cases in which the person concerned explicitly bases his complaint on Article 77, GDPR.