BVwG - W252 2248013-1: Difference between revisions

From GDPRhub
No edit summary
No edit summary
 
(5 intermediate revisions by 2 users not shown)
Line 22: Line 22:


|Date_Decided=26.01.2023
|Date_Decided=26.01.2023
|Date_Published=
|Date_Published=15.02.2023
|Year=
|Year=


Line 47: Line 47:
|Party_Link_2=
|Party_Link_2=


|Appeal_From_Body=DSB
|Appeal_From_Body= DSB (Austria)
|Appeal_From_Case_Number_Name=
|Appeal_From_Case_Number_Name=
|Appeal_From_Status=
|Appeal_From_Status=
Line 60: Line 60:
}}
}}


Federal Administrative Court upheld a DPA decision that an individual cannot submit an access request in order to access personal data of their deceased father.
The Federal Administrative Court confirmed that an individual cannot submit a request to access the personal data of their deceased father.


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
In this case an individual was seeking to exercise data subject rights on behalf of his deceased father, against a bank (the controller). The individual in question had submitted an access request to the bank and subsequently made a complaint, dated 1 October 2018, alleging that the information he received from the controller was incomplete. In particular, he asserted that his father’s bank details were not included, even though he had inherited the data subject rights of his father.
In this case an individual was seeking to exercise data subject rights on behalf of his deceased father, against a bank (the controller). The individual in question had submitted an access request to the bank and subsequently made a complaint, dated 1 October 2018, alleging that the information he received from the controller was incomplete. In particular, he asserted that his father’s bank details were not included, even though he had inherited the data subject rights of his father. On 19 August 2021 the DPA rejected the complaint, the individual subsequently appealed this decision to the Federal Administrative Court (BVwG), on 24 September 2021.
 
On 19 August 2021 the DPA rejected the complaint, the individual subsequently appealed this decision to the Federal Administrative Court (BVwG), on 24 September 2021.


=== Holding ===
=== Holding ===
The BVwG dismissed the appeal in its entirety, in doing so, they referred to Recital 27 “this regulation does not apply to the personal data of deceased persons”. Furthermore, the court outlined that “an assertion of the right to information (right to access) under [[Article 15 GDPR|Article 15 GDPR]] on behalf of the father through his son as heir, is out of the question…. The fundamental right to data protection or the right to information is a highly personal right that only the data subject can exercise themselves… Accordingly, highly personal rights cannot be inherited”. Accordingly, the data subject had no right to access this data under [[Article 15 GDPR|Article 15 GDPR]].
The BVwG dismissed the appeal in its entirety. In doing so, the Court referred to [[Recital 27]] which clarifies that “this regulation does not apply to the personal data of deceased persons”. Furthermore, the court outlined that “an assertion of the right to information (right to access) under [[Article 15 GDPR|Article 15 GDPR]] on behalf of the father through his son as heir, is out of the question…. The fundamental right to data protection or the right to information is a highly personal right that only the data subject can exercise themselves… Accordingly, highly personal rights cannot be inherited”. Accordingly, the data subject had no right to access this data under [[Article 15 GDPR|Article 15 GDPR]].


== Comment ==
== Comment ==

Latest revision as of 08:38, 10 March 2023

BVwG - W252 2248013-1
Courts logo1.png
Court: BVwG (Austria)
Jurisdiction: Austria
Relevant Law: Article 15 GDPR
Decided: 26.01.2023
Published: 15.02.2023
Parties:
National Case Number/Name: W252 2248013-1
European Case Law Identifier:
Appeal from: DSB (Austria)
Appeal to: Unknown
Original Language(s): German
Original Source: Austrian Federal Administrative Court (in German)
Initial Contributor: LR

The Federal Administrative Court confirmed that an individual cannot submit a request to access the personal data of their deceased father.

English Summary

Facts

In this case an individual was seeking to exercise data subject rights on behalf of his deceased father, against a bank (the controller). The individual in question had submitted an access request to the bank and subsequently made a complaint, dated 1 October 2018, alleging that the information he received from the controller was incomplete. In particular, he asserted that his father’s bank details were not included, even though he had inherited the data subject rights of his father. On 19 August 2021 the DPA rejected the complaint, the individual subsequently appealed this decision to the Federal Administrative Court (BVwG), on 24 September 2021.

Holding

The BVwG dismissed the appeal in its entirety. In doing so, the Court referred to Recital 27 which clarifies that “this regulation does not apply to the personal data of deceased persons”. Furthermore, the court outlined that “an assertion of the right to information (right to access) under Article 15 GDPR on behalf of the father through his son as heir, is out of the question…. The fundamental right to data protection or the right to information is a highly personal right that only the data subject can exercise themselves… Accordingly, highly personal rights cannot be inherited”. Accordingly, the data subject had no right to access this data under Article 15 GDPR.

Comment

Issuing its decision, the court made a clear distinction between the data protection law right to information under Article 15 GDPR, and the right to information under civil law against the bank (RIS-Justiz RS0065988). The Court notes that, with regard to the father’s savings account in particular, these can generally be transferred as bearer securities and that information obligations under civil law may arise, which could provide a solution or remedy for the individual in this case.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

decision date

01/26/2023

standard

B-VG Art133 Para.4
GDPR Art15

B-VG Art. 133 today B-VG Art. 133 valid from 01.01.2019 to 24.05.2018 last amended by Federal Law Gazette I No. 138/2017 B-VG Art. 133 valid from 01.01.2019 last amended by Federal Law Gazette I No. 22/2018 B-VG Art. 133 valid from 05/25/2018 to 12/31/2018 last changed by Federal Law Gazette I No. 22/2018 B-VG Art. 133 valid from 08/01/2014 to 05/24/2018 last changed by BGBl I No. 164/2013 Federal Constitutional Law Art by BGBl. I No. 100/2003 B-VG Art. 133 valid from 01.01.1975 to 31.12.2003 last amended by BGBl. No. 444/1974 B-VG Art. 133 valid from 25.12.1946 to 31.12.1974 last amended by Federal Law Gazette No. 211/1946 B-VG Art. 133 valid from December 19, 1945 to December 24, 1946 last amended by StGBl. No. 4/1945 B-VG Art. 133 valid from 01/03/1930 to 06/30/1934

saying

W252 2248013-1/6E

IN THE NAME OF THE REPUBLIC!

The Federal Administrative Court, through the judge Mag.a Elisabeth SCHMUT LL.M. as chairperson and the expert lay judges Dr. Claudia ROSENMAYR-KLEMENZ and Mag. Adriana MANDL as assessors on the complaints of XXXX (participating party before the administrative court XXXX ), against the decision of the data protection authority of August 19th, 2021, GZ XXXX , rightly recognized in a closed session in a data protection matter:

A) The appeal is dismissed.

B) The revision is not permitted according to Art. 133 Para. 4 B-VG.

text

Reasons for decision:

I. Procedure:

1. With a submission dated October 1, 2018, improved with the submission dated November 7, 2018, the complainant (hereinafter: "BF") lodged a data protection complaint with the relevant authority and submitted in part that he had contacted the party involved (hereinafter: "MB ") requested information in accordance with Art. 15 GDPR. The information provided was incomplete, in particular because the bank details of his deceased father were not included, although he had inherited the rights of his deceased father proportionately.

2. With a decision dated August 19, 2021, the authority concerned rejected the BF’s complaint regarding a violation of the right to information.

3. The complaint of September 24, 2021 is directed against this. In this, the BF points out more detailed deficiencies in the notice, including the fact that the information provided is incomplete and that the rights of the testator have passed to him as the heir.

4. The authority concerned submitted the complaints together with the administrative act with a brief dated November 2nd, 2021, hg received on November 8th, 2021 and requested - essentially with reference to the reasoning of the contested decision - to dismiss the complaint.

Evidence was collected by inspecting the administrative and court records.

II. The Federal Administrative Court considered:

1. The following facts are established:

1.1. The complainant's father, XXXX (hereinafter referred to as the testator), died on January 1, 2015.

With the decision of the district court XXXX from August 5th, 2016, AZ XXXX, GZ: XXXX, clause 1) e), the inheritance was given to the BF at 1/9. According to point 2) A) and B), the BF is with the legal force of this decision to 1/9 on the savings books / savings accounts:

XXXX and the (current) account no. XXXX, all managed by MB, have become authorized to dispose of it.

1.2. On August 20, 2018, the BF submitted a request for information to the MB and requested information in particular about the following accounts (OZ 1, S 12; the information in brackets is only for better comprehension and indicates the location of the relevant information):

 XXXX (salary account of the BF; OZ 1, S 150 ff)

 Savings book XXXX (OZ 1, S 350)

 Savings book XXXX (OZ 1, S 351)

 Account no. XXXX (account of the father of the BF, see 1) B) of the decision on the inheritance; OZ 1, p. 145)

 Savings book XXXX (neither saved for BF nor his father; OZ 1, S 142)

 Savings book XXXX (neither saved for BF nor his father; OZ 1, S 142)

 Savings book XXXX (OZ 1, S 351)

 Savings book XXXX (OZ 1, S 351)

 Savings book XXXX (OZ 1, S 351)

 Savings book XXXX (OZ 1, S 351)

1.3. The MB answered this application on September 13, 2018 in excerpts as follows (OZ 1, S 577):

Attached was a detailed - 204-page - information from 24.08.2018 regarding the BF (customer number: XXXX) processed data (OZ 1, S 146 ff). The following data recipients emerge from this under the point “Consent to data transfer”:

XXXX

On October 1st, 2018, the BF also requested information about the account details of the savings accounts according to the decision to file a claim (OZ 1, S 40).

On November 22, 2018, the MB commented in part as follows (OZ 1, S 142):

The following correspondence was also attached from November 22, 2018 with the BF (OZ 1, 144):

And the following letter, also dated November 22, 2018 (OZ 1, S 145):

2. The findings result from the following assessment of evidence:

2.1. The findings on the decision to answer arise from the submitted copy of the same (OZ 1, S 35).

2.2. The content of the request for information from the BF, the recipients and the answers and information from the MB result from the harmless administrative act.

3. Legally it follows:

to A)

3.1. On the admissibility of the complaint:

The complaint was filed in accordance with § 7 para. 4 VwGVG and the other process requirements are also met. The appeal is therefore admissible.

3.2. On the legal bases:

The relevant legal norms are as follows:

Recital 27 GDPR

This regulation does not apply to the personal data of deceased persons. Member States may lay down rules on the processing of the personal data of deceased persons.

Article 15 GDPR

Right of access of the data subject

(1) The data subject has the right to request confirmation from the person responsible as to whether personal data relating to them are being processed; if this is the case, you have the right to information about this personal data and the following information:

a) the processing purposes;

b) the categories of personal data being processed;

c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations;

d) if possible, the envisaged period for which the personal data will be stored or, if this is not possible, the criteria used to determine that period;

e) the existence of a right to correction or deletion of the personal data concerning you or to restriction of processing by the person responsible or a right to object to this processing;

f) the existence of a right of appeal to a supervisory authority;

g) if the personal data are not collected from the data subject, all available information about the origin of the data;

h) the existence of automated decision-making, including profiling, in accordance with Article 22(1) and (4) and — at least in these cases — meaningful information about the logic involved and the scope and envisaged effects of such processing for the data subject.

(2) Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards in accordance with Article 46 relating to the transfer.

(3) The person responsible provides a copy of the personal data that are the subject of the processing. For any additional copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. If the data subject submits the request electronically, the information must be made available in a common electronic format, unless otherwise specified.

(4) The right to receive a copy under paragraph 3 shall not affect the rights and freedoms of other persons.

3.3. To justify the complaint:

3.3.1. Regarding the right to information:

As follows from Art. 15 Para. 1 GDPR, every data subject has the right to request confirmation from the person responsible as to whether personal data relating to them is being processed. If this is the case, you have a right to information about this personal data. In addition, the information specified in Art 15 Para 1 lit a - h or Para 2 GDPR must be provided.

The information should enable a data subject to be aware of the processing of their personal data and to be able to check its legality (Recital 63 GDPR). The information must comply with the transparency requirement of Art 12 Para 1 GDPR, which requires that information intended for the person concerned is precise, easily accessible and understandable and written in clear and simple language (Recital 58 GDPR; Jahnel, comment on data protection -Basic Regulation Art 15 GDPR margin no. 33).

3.3.2. Applied to the case this means:

The BF requested information from the MB in the letter dated August 20, 2018 and October 1, 2018 within the meaning of Art 15 GDPR from the MB. The MB provided the BF with information on September 13, 2018, and supplemented this with letters or emails dated November 22, 2018.

In his complaint, the BF complains that he was not informed of all the savings credits listed in the decision on responsibility and that the recipients of the other information were not sufficiently specified, there were ambiguities with regard to the risk class, the information was not provided in a timely manner and he violated his right to secrecy may be.

3.3.2.1. For information on all savings balances

If the BF requests information about all the savings credits listed in the decision on responsibility, it should be noted that the correspondence between MB and BF dated November 22, 2018 shows that the BF has already received information about his deceased father's current account and a savings book (XXXX). (OZ 1, S 144 f).

In general, however, it should be noted with regard to the accounts listed in the declaration of responsibility that, from a data protection point of view, they only contain personal data of the deceased father. Recital 27 of the GDPR provides that the GDPR does not apply to the personal data of the deceased, which means that an assertion of the right to information under Art. 15 on behalf of the father, through his son as heir, is out of the question. The fundamental right to data protection or the right to information is a highly personal right that only the data subject can exercise themselves (Thiele/Wagner, practical commentary on the Data Protection Act (DSG) § 1 margin number 34; Jahnel, commentary on the General Data Protection Regulation Art. 15 DSGVO margin number 5 f). Accordingly, highly personal rights cannot be inherited and therefore cannot be exercised by the BF (Werkusch-Christ in Kletečka/Schauer, ABGB-ON1.08 § 531 Rz 3). Since the accounts listed in the decision on responsibility were kept by the BF's father, they do not contain any data on the BF and therefore cannot be disclosed. The same applies to the savings accounts that are not held by the BF or his father.

With regard to savings accounts in particular, it should be noted that these can generally be transferred as bearer securities by handing over the certificate, without the bank having to be aware of this. It therefore seems expedient to link information - similar to the payment under Section 32 Para 1 BWG - to the submission of the savings certificate (see on this on the civil law right to information: RIS-Justiz RS0102511; and Riss, The information obligation of the credit institution after the death of the customer and their procedural enforcement, ÖBA 2011, 166 (185)).

In the present case, a clear distinction must be made between the right to information under civil law against the bank, which is linked to the customer status (RIS-Justiz RS0065988) and the (present) right to information under data protection law, which is based on the personal reference of the data.

The complaint was therefore not justified in this regard.

3.3.2.2. Regarding the other arguments of the BF:

The authority concerned has already correctly stated that it is basically only called upon to investigate the subject of the complaint to an appropriate extent (see Art. 57 Para. 1 lit f GDPR), which is why in its decision it only addressed the subject matter of the BF put forward by the BF accounts of the deceased father.

In his complaint, however, the BF complained that he was not able to determine which recipients, what data, for what purposes and for what period of time was transmitted to the information relating to his accounts (complaint from the decision; OZ 1, S 921).

The specific recipients were informed to the BF in the data information from August 24th, 2018 on page 1 (OZ 1, S 149). In addition, the MB informed the BF in the letter dated September 13, 2018, as well as in the "information sheet on data protection" (points 2 and 3) of possible recipient categories and also informed the BF about the purposes of data processing (OZ 1, S 353 f , 577f).

If the BF considers the information to be incomplete because he was not informed of the period or time of transmission, this is not covered by the right to information. Article 15 GDPR does not result in an obligation to present a type of protocol from which the times of transmission result (see Haidinger/Löffler, No right to information at the time of data transmission, Dako 2021/40, 69).

If the BF argues in his complaint that it cannot be determined from which data the risk class is composed and what influence this could have on his financial situation (OZ 1, S 921), he must be countered with the fact that the MB stated this in the issued information has broken down. On the one hand, reference should be made to point 8 of the "information sheet on data protection" provided as part of the information, according to which a credit check is carried out when the loan is granted, which determines a scoring value using statistical comparison groups. For example, marital status, income and monthly expenses are used. The possible consequences are also described, ranging from a rejection of the loan application to entry in the small loan register. The scoring value of the BF is 03.20 (data information, S 1; OZ 1, S 149), which, according to the breakdown of the information provided on September 13, 2018, means a “good credit rating” (OZ 1, S 578).

Since the information thus contains meaningful information about the logic involved and the scope and intended effects of the calculation of the risk class, no violation of the right to information within the meaning of Art 15 Para 1 lit h GDPR is evident. It is sufficient for the data subject to be able to recognize which aspects of their person or their behavior are being used, but the algorithm itself cannot be disclosed (Jahnel, comment on the General Data Protection Regulation Art 15 GDPR margin no. 32).

The complaint was therefore not justified in this regard either.

3.3.2.3. For the claimed delay

If the BF argues that the information was given to him too late, he must be countered with the fact that the aim of a complaints procedure under Art. 15 GDPR in conjunction with Art. 77 GDPR in conjunction with Section 24 DSG is that the data subject receives the information to which he is entitled. This already results from § 24 paragraph 5 DSG according to which, for example, in the case of non-issued/incomplete information, a corresponding performance order is to be issued. A violation of the law cannot be determined in this regard, especially since the legal protection objective has been achieved upon receipt of the information and an independent right to a formal determination does not result from either the GDPR or the DSG (see the decision of the VwGH of 27.09 .2007, 2006/06/0330).

3.3.2.4. If the BF claims violations of the fundamental right to secrecy, the right to rectification, the right to data transferability and data security (OZ 1, S 833 f, 921 ff), it should be pointed out that this is not the subject of the decision. Thus, the "matter" of the complaints procedure before the VwG - regardless of the scope of examination specified by § 27 VwGVG - is only that matter that formed the content of the verdict of the administrative authority prosecuted before the VwG (cf. VwGH 16.11.2015, Ra 2015/12/ 0026, with further reference). The subject of the present proceedings before the VwG was solely the question of a violation of the right to information, which is why it was not necessary to go into more detail about the further arguments (VwGH 03/27/2018, Ra 2015/06/0011).

3.4. Pursuant to Section 24 (1) VwGVG, the administrative court must hold a public oral hearing upon application or, if it deems it necessary, ex officio.

According to § 24 para. 4 VwGVG - unless otherwise provided by federal or state law - the administrative court can, regardless of a party's application, refrain from a hearing if the files indicate that the oral discussion does not give reason to expect any further clarification of the legal matter, and a Neither Art. 6 Para. 1 ECHR nor Art. 47 GRC preclude the negotiation.

The oral hearing could be omitted because the facts relevant to the legal assessment had already been collected by the administrative authority in full and in a proper investigation and at the time of the decision of the adjudicating court was still up to date and complete as required by law. The complaint also did not allege any facts that contradicted or went beyond the result of the official investigation (VwGH February 24, 2015, Ra 2014/19/0171). The argument of the BF in the complaint that the information and information received was incomplete does not trigger an obligation to negotiate, especially since he is only appealing against the legal assessment of the authority (such as in particular the incompleteness of the information), but not against the facts relevant to the decision, this (the content of the information received) is undisputed in the present proceedings.

In the present case, the Federal Administrative Court therefore only has to rule on a legal issue (cf. ECtHR June 20, 2013, Appl. No. 24510/06, Abdulgadirov/AZE, margin nos. 34 et seq.). Neither Article 6 (1) of the ECHR nor Article 47 of the Charter of Fundamental Rights preclude the omission of the hearing.

3.5. It was therefore to be decided accordingly.

Re B) Inadmissibility of the revision:

Pursuant to § 25a Para. 1 VwGG, the administrative court has to pronounce in its ruling or resolution whether the revision is admissible in accordance with Art. 133 Para. 4 B-VG. This statement needs a brief justification.

According to Art. 133 para. 4 B-VG, the revision is not permitted because the decision does not depend on the solution of a legal question that is of fundamental importance. The adjudicating court was able to rely on the cited case law of the VwGH - especially with regard to the "matter" of the complaints procedure. There are also no other indications of a fundamental importance of the legal issues to be resolved.