BVwG - W252 2271849-1/15E
From GDPRhub
| BVwG - BVwG - W252 2271849-1/15E | |
|---|---|
 | |
| Court: | BVwG (Austria) |
| Jurisdiction: | Austria |
| Relevant Law: | Article 4(7) GDPR Article 5(1)(a) GDPR Article 5(1)(c) GDPR Article 6(1)(e) GDPR Article 32(1) GDPR § 1(1) DSG § 114 Wiener Stadtverfassung § 24d(2)(3) GTelG 2012 Article 102 B-VG |
| Decided: | 28.01.2025 |
| Published: | |
| Parties: | Complainant represented by Fellner Wratzfeld & Partner Rechtsanwälte GmbH (Plaintiff) Complainant represented by Knyrim Trieb Rechtsanwälte OG Austrian Data Protection Authority (DSB) Municipal Health Department MA15 City Government of Vienna Österreichische Gesundheitskasse Data Processing Companies |
| National Case Number/Name: | BVwG - W252 2271849-1/15E |
| European Case Law Identifier: | |
| Appeal from: | DSB (Austria) DSB-D770.1336 |
| Appeal to: | |
| Original Language(s): | German |
| Original Source: | Rechtsinformationssystem des Bundes (RIS) (in German) |
| Initial Contributor: | Lejla Rizvanovik |
The Federal Administrative Court considered an appeal against a decision by the DPA regarding the use of health data to send COVID vaccination reminders.
English Summary
Facts
In late 2021, vaccination reminder letters were sent to uninsured persons over 18 residing in Austria who had not yet received a COVID-19 vaccine. The letters were issued in the name of various health institutions and officials, including the COVID-19 project manager and a chief physician. Numerous recipients filed complaints with the Austrian DPA, alleging unlawful access to their data stored in the central vaccination register.
Following an official investigation, the DPA determined that the complainant was responsible for the data processing and had unlawfully accessed and used health data for the mailing campaign. The complainant contested this decision, arguing that it was not the data controller and that the access to vaccination data was justified under pandemic management regulations. The case was subsequently referred to the Federal Administrative Court.
Holding
The Court ruled that the complainant was not the data controller within the meaning of Article 4 GDPR#7. It found that the ultimate decision-making authority regarding the purpose and means of the data processing lay with the city’s health department and the responsible city councillor, rather than the complainant. The complainant had merely executed the data processing based on political and administrative directives.
The Court also held that the DPA had failed to correctly identify the data controller and had erroneously directed its decision against the complainant. Given the misleading nature of the vaccination reminder letters, which bore multiple institutional logos and signatures, the complainants could not reasonably determine the responsible party. The Court further emphasized that under Austrian procedural law, complainants are not necessarily required to specify the exact data controller when filing a complaint.
As a result, the Court annulled the DPA’s decision without replacement, leaving the original complaint unresolved. The ruling clarified that the determination of the correct data controller falls within the investigative duty of the DPA. Finally, the Court found no grounds for allowing a revision of the case, as the legal issues were already clearly established in prior case law.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
Vienna Office: Erdbergstraße 192 – 196, 1030 Vienna Tel: +43 1 601 49 – 0 Fax: +43 1 711 23 – 889 15 41 www.bvwg.gv.at Decision Date January 28, 2025 Case Number W252 2271849-1 /15E IN THE NAME OF THE REPUBLIC! a The Federal Administrative Court, with Judge Mag. Elisabeth SCHMUT LL.M. as presiding judge and the expert lay judges Dr. Claudia ROSENMAYR-KLEMENZ and Mag. Adriana MANDL, as assessors, on the appeal of XXXX, represented by 1) Knyrim Trieb Rechtsanwälte OG, 1060 Vienna, Mariahilfer Straße 89a, and 2) Fellner Wratzfeld & Partner Rechtsanwälte GmbH, 1010 Vienna, Schottenring 12, co-participating party before the Administrative Court, XXXX, against the decision of the Data Protection Authority dated XXXX, GZXXXX after conducting an oral hearing on September 26, 2024, in a data protection matter, rightly ruled: A) The appeal is upheld and the decision is rescinded without replacement. B) The appeal is inadmissible. - 2 - Reasons for the Decision: I. Preliminary Remarks: The proceedings are based on the dispatch of vaccination reminder letters, which were sent in the name of the Covid-19 Project Manager XXXX, the Chief Physician XXXX, various social insurance providers, and in cooperation with XXXX at the end of November/beginning of December 2021 to socially insured persons over the age of 18 residing in XXXX who had not received a COVID-19 vaccination. A large number of recipients complained about this to the Austrian Data Protection Authority (hereinafter referred to as the "competent authority") because they suspected that their data stored in the vaccination register had been unlawfully accessed. In this context, it must first be clarified who is considered the data controller for this data processing under data protection law. II. Procedure: 1. By submission dated December 22, 2021, received on December 28, 2021, the co-participating party (complainant in the administrative proceedings) filed a complaint with the respondent authority and, in essence and in summary, alleged that XXXX had violated her right to confidentiality pursuant to Section 1 (1) of the Data Protection Act (DSG) by sending her a personally addressed vaccination reminder letter at the end of 2021, by improperly disclosing and processing the co-participating party's highly protected personal health data. She therefore requests that the violation of fundamental rights be declared. 2. On November 26, 2021, the respondent authority initiated an ex officio review procedure against XXXX and the complainant, which the respondent authority concluded with a decision dated August 11, 2022, and determined that the complainant was the controller for the data processing in question pursuant to Article 4(7) of the GDPR. The respondent authority informed the co-participating party of the results of the ex officio review procedure (decision dated July 22, 2022, reference number XXXX) and stated, among other things, that, based on the findings therein, it assumed that XXXX was to be regarded as the controller under data protection law and thus as the respondent, and granted the complainant the opportunity to comment on this within two weeks. The co-participating party did not comment. - 3 - 3. By decision of XXXX, the respondent authority upheld the complaint insofar as it found that the complainant had violated the co-participating party's right to confidentiality by unlawfully accessing its data in the central vaccination register and the central patient index and processing this data for the purpose of sending a letter with information regarding an appointment for a coronavirus vaccination. 4. In its justification, the respondent authority stated that the complainant had accessed the co-participating party's data in the central vaccination register without a sound legal basis. Therefore, the subsequent data processing by the complainant was also unlawful. Contrary to the complainant's view, Section 24d (2) (3) GTelG 2012, Section 8 DSG, and the statutory jurisdiction regulations do not provide a basis for the data processing at issue in the proceedings. The application of Section 24d (2) No. 3 of the German Telecommunications Act (GTelG) 2012 requires, according to Section 24d (1) No. 4 of the German Telecommunications Act (GTelG) 2012, a specific access authorization pursuant to Section 24f (4) of the German Telecommunications Act (GTelG) 2012, which the complainant did not possess. 5. The appeal of April 5, 2023, is directed against this decision on the grounds of illegality. The complainant requested that the contested decision be set aside without replacement and that the proceedings be discontinued, that the decision be set aside and that the matter be remitted to the authority concerned, that the matter be decided on its own merits, and that the decision be amended to dismiss the data protection complaint. In summary, he justified this with the existence of a decided case, the incomplete nature of the complaint, a lack of investigation, and a deficient assessment of the evidence. Furthermore, the complainant was not a data protection controller, but even assuming responsibility, access to the vaccination data was permissible as part of pandemic-related crisis management. 6. The respondent authority submitted the complaint, attaching the administrative act, to the court hearing the case and, with regard to the disputed data protection responsibility, referred to a newspaper article stating that, according to XXXX, sending the vaccination reminders was the correct measure. 7. The appeal against the respondent authority's decision regarding the ex officio proceedings was upheld by a decision dated October 4, 2023, and the decision was rescinded without replacement. - 4 - 8. In parallel proceedings before the Federal Administrative Court (file number W252 2271937-1), a decision was issued on March 11, 2024, which became final and binding. With the hearing of the parties on April 29, 2024, the decision in case file W252 2271937-1 was communicated to the co-participating party, who was given the opportunity to submit a statement. With the summons of July 18, 2024, the minutes of the hearing in case file W252 2271937-1 dated October 18, 2023, and November 9, 2023, were submitted. 9. The matter was heard orally on September 26, 2024. Evidence was taken by: Inspection of the administrative act and inspection of the following file components of the parallel proceedings to W252 2271937-1, which were already provided to the parties in advance to prepare for the hearing and introduced into the proceedings: Hearing minutes for W2522271937-1 dated October 18, 2023, and November 9, 2023 (annex to the summons to the oral hearing on September 26, 2024). III. The Federal Administrative Court considered: 1. Findings: 1.1. On the course of the proceedings: 1.1.1. On the data protection complaint: On December 22, 2021, received on December 28, 2021, the co-participating party submitted a data protection complaint to the respondent authority using a sample form available online. The co-participating party argued that XXXX had violated its right to confidentiality pursuant to Section 1 (1) of the Data Protection Act (DSG) by sending it a personally addressed vaccination letter at the end of 2021, thereby improperly disclosing and processing the co-participating party's specially protected personal health data. The following vaccination reminder letter was attached to the complaint (error in the original): "P XXXX Priority Letter XXXX Returns to XXXX [1st option field: Name and address of the co-involved party] Your personal appointment for the COVID vaccination is here! - 5 - The COVID vaccination is currently the most important measure [sic!] to control the pandemic and enable a largely normal life again. The European Health Board and the National Vaccination Committee expressly recommend the COVID vaccination in this context. Why is this vaccination so important? Vaccination reduces the personal risk of suffering a severe course of illness in the event of an infection and thus also the risk of an associated stay in an intensive care unit or death. The risk of developing long-term COVID (which is quite possible even with a mild course) is also greatly reduced. With the vaccination, you protect not only yourself but also those around you due to the lower risk of disease. As the pandemic progresses, more and more areas throughout Austria will be switched to the 2G rule (access only for fully vaccinated individuals or those who have recovered) to protect everyone. To protect your own health and so that you can continue to lead a normal everyday life without any problems in the future, a COVID vaccination has been reserved for you: [2nd option field: Vaccination date and vaccination location] We invite you to take advantage of this offer. To avoid any waiting times on site, you can book an alternative appointment online at XXXX or by phone at XXXX instead of the appointment reserved above. This also applies if you are acutely ill or, for example, cannot keep this appointment due to another treatment. In this case, XXXX will be happy to take care of the cancellation of the above appointment. If you have since been vaccinated, we would like to thank you very much! If you are aware that a COVID vaccination is not possible for you due to medical reasons (contraindications), please consider this letter as irrelevant. If you are unsure whether you can be vaccinated against COVID, we recommend that you consult a doctor for further information/consultation. Please bring your photo ID and – if available – your e-card with you for vaccination. XXX XXXX Project Manager Covid-19 XXXX The following logos appear under the names: - 6 - The procedure outlined in point II.2 has been finalized. 1.2. Regarding the creation and mailing of the vaccination reminder letter: In the summer of 2021, a nationwide discussion was held as part of pandemic management on writing a vaccination reminder letter to unvaccinated individuals. The acting City Councilor for "XXXX" of the city of XXXX, XXXX (acting City Councilor) instructed XXXX via the City Council Office to send a vaccination reminder letter to socially insured individuals over the age of 18 residing in XXXX who had not received a COVID-19 vaccination. The acting city councilor approached the general director of XXXX, XXXX, and asked for his support in this regard. XXXX instructed his communications department employee, XXXX, to support the "Vaccination Reminder Letter" project. XXXX provided the printing press. A group consisting of employees of XXXX, XXXX, XXXX GmbH, and XXXX GmbH made suggestions for the next steps, i.e., preparing a draft of the vaccination reminder letter, developing a plan for how the data for determining the specific recipients was to be collected via the patient index and the central vaccination register, and how the mailing was to be carried out. XXXX, an employee of XXXX, coordinated the project within XXXX. She organized the project agendas within XXXX and coordinated the project agendas with XXXX, the social insurance agencies, XXXX GmbH, and XXXX GmbH. Mr. XXXX of XXXX GmbH was the project manager for XXXX GmbH. XXXX GmbH was commissioned to identify the recipients of the letter. XXXX GmbH passed the order on to XXXX GmbH. The offer from XXXX GmbH dated November 19, 2021, was signed by XXXX as project manager for medical measures related to the coronavirus. In fulfillment of the contract, XXXX GmbH identified all persons from the patient index residing in XXXX who are over 18 years of age, starting on November 9, 2021. It then filtered out those individuals who had an entry in the central vaccination register for vaccination with a COVID-19 vaccine approved in the EU. XXXX GmbH transmitted the names and addresses of the remaining individuals in five tranches (November 9, 2021, November 14, 2021, November 17, 2024, November 22, 2024, and November 28, 2024) to XXXX as the printing service provider, which printed, enveloped, and mailed the letters. The costs for mailing the vaccination reminder letter were shared 50:50 by XXXX and XXXX. The funding budget for XXXX's pandemic measures at this time was held by XXXX. At the end of 2021, the vaccination reminder letter, as described in section 1.1.1, was sent, among other things, to the participating party by mail. The letter was personally addressed to the participating party. The name and address of the respective recipient were entered in the first option field. Potential vaccination dates and locations were entered in the second option field. 2. Evaluation of Evidence: 2.1. On the Procedural Course: The findings regarding the procedural course are based on the unobjectionable administrative act and the minutes of the hearing submitted to the proceedings under Ref. No. W252 2271937-1 dated October 18, 2023, and November 9, 2023. 2.2. Regarding the creation and mailing of the vaccination reminder letter: The findings regarding the creation and mailing of the vaccination reminder letter are based on the statements of the witnesses heard in the hearings for GZ W252 2271937-1 on October 18, 2023, and November 9, 2023. The findings regarding the nationwide discussion in the context of pandemic management are based on the statements of the witnesses heard in the hearings for GZ W252 2271937-1 before the Federal Administrative Court, which are consistent in this regard. The finding that the acting City Councillor XXXX instructed XXXX, via the City Council Office, to send a vaccination reminder letter to socially insured persons over the age of 18 residing in XXXX who had not received a COVID-19 vaccination is based, on the one hand, on the statement made by the acting City Councillor before the - 8 - Federal Administrative Court that the Minister of Health, the health policymakers, and the state councillors had already agreed in the summer of 2021 that a corresponding vaccination reminder letter was needed for the unvaccinated population (GZ W252 2271937-1, OZ 19, p. 12). After three federal states, XXXX, already had the logistics to schedule vaccination appointments and administer vaccinations, the acting city councilor communicated to all parties involved (the health authority, the social security funds) that a corresponding vaccination reminder letter should be sent to socially insured persons over the age of 18 residing in XXXX who had not received a COVID-19 vaccination (GZ W252 2271937-1, OZ 19; p. 13). On the other hand, this finding is based on the statements of XXXX, who stated that she began implementing the project when she received the order from the city council office. This order was based on the acting city councilor's request to draft and send a corresponding letter (GZ W252 2271937-1, OZ 13, p. 24). This statement is understandable, as it can be assumed that XXXX, as an employee of XXXX, would not have taken any further steps without a corresponding order. The email correspondence submitted in the proceedings shows that the City Council Office was in contact with XXXX regarding the vaccination reminder letter and forwarded important details, such as the financing, to XXXX (OZ 2; cross-procedural submission of further file components from the authority in question). The commissioning of XXXX by the City Council Office on behalf of the acting City Councilor is understandable insofar as XXXX, as a municipal department, is assigned to the "XXXX" business group, which is headed by the acting City Councilor. The purpose of the order is evident from the statement of the acting city councilor, according to which the letter was intended to increase the vaccination rate of the population, which could only be achieved if the unvaccinated people were vaccinated (GZ W252 2271937-1, OZ 19, p. 20). The finding that the acting city councilor approached XXXX and asked for support is based on the testimony of XXXX during the hearing, who stated that the acting city councilor had contacted him and that XXXX had instructed his staff to provide support (GZ W252 2271937-1, OZ 19, p. 29). This statement was confirmed by Ms. XXXX (GZ W252 2271937-1, OZ 19, p. 32). The finding that a group consisting of employees of XXXX, XXXX, XXXX GmbH, and XXXX GmbH developed proposals for further action is evident from the statements of witnesses XXXX and Ms. XXXX. They unanimously stated that a working group had been established in which XXXX from XXXX, Mr. XXXX from XXXX GmbH, Mr. XXXX from XXXX GmbH, and Ms. XXXX from XXXX were permanently represented, and various other people from other departments participated (GZ W252 2271937-1, OZ 19, p. 32; OZ 13, p. 25). From the consistent witness statements before the Federal Administrative Court, it is clear that XXXX coordinated the "Vaccination Reminder Letters to the Unvaccinated Population" project. This was also confirmed by XXXX in its statement before the Federal Administrative Court (GZ W252 2271937-1, OZ 13, p. 23). The finding that XXXX GmbH was commissioned and that XXXX GmbH passed the contract on to XXXX GmbH is based on the statement of XXXX, former managing director of XXXX GmbH, dated January 10, 2022, as part of the ex officio proceedings before the Data Protection Authority. The finding that XXXX signed XXXX GmbH's offer dated November 19, 2021, is based on the offer submitted to the Federal Administrative Court by the respondent authority in a written submission dated June 9, 2023 (OZ 2; cross-procedural submission of further file components by the respondent authority). The determination of how XXXX GmbH fulfilled the contract is based on the statement of XXXX, Head of Legal and Security at XXXX GmbH, in the ex officio proceedings before the Data Protection Authority dated February 24, 2024. The determination that the costs were borne 50:50 by XXXX and XXXX is based on the email from Ms. XXXX to XXXX dated November 3, 2021, in which the City Council Office confirmed that XXXX and the acting City Councilor had made the funding commitment (OZ 2; cross-procedural submission of further file components by the authority concerned). The finding that the funding budget for pandemic measures at that time was held by XXXX was confirmed by XXXX's statement (GZ W252 2271937-1, OZ 19, p. 41). The findings regarding the content and addresseeship of the vaccination reminder letter are based on the vaccination reminder letter submitted in the administrative proceedings, which corresponds to the vaccination reminder letter submitted by the co-participating party in its data protection complaint. - 10 - 3. Legal Assessment: Regarding A) The admissible complaint is well-founded. 3.1. Regarding the relevant legal provisions: Article 4 of Regulation (EU) 2016/679 (GDPR) states: "For the purposes of this Regulation, the following definitions shall apply: […] 7. Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law; […]” Section 24 of the Data Protection Act reads: (1) Every data subject has the right to lodge a complaint with the data protection authority if they believe that the processing of personal data concerning them violates the GDPR or Section 1 or Article 2, Chapter 1. (2) The complaint must contain: 1. the designation of the right deemed to have been violated, 2. to the extent reasonable, the designation of the legal entity or body to which the alleged violation of law is attributed (respondent), 3. the facts from which the violation of law is derived, 4. the grounds on which the allegation of illegality is based, 5. the request to establish the alleged violation of law, and 6. the information necessary to assess whether the complaint was filed in a timely manner. Article 102 (1) and (2) of the Federal Constitutional Constitution reads: “(1) Within the jurisdiction of the states, the Execution of federal acts, unless there are separate federal authorities (direct federal administration), is carried out by the Governor and the state authorities subordinate to him (indirect federal administration). To the extent - 11 - that federal authorities are entrusted with enforcement in matters handled by indirect federal administration, these federal authorities are subordinate to the Governor in the relevant matters and are bound by his instructions (Article 20, paragraph 1); whether and to what extent such federal authorities are entrusted with acts of enforcement is determined by federal law; they may, unless they concern entrustment with the execution of matters listed in paragraph 2, only be promulgated with the consent of the states involved. (2) The following matters may be handled directly by federal authorities within the scope of the constitutionally established sphere of influence: Border demarcation; trade in goods and livestock with foreign countries; customs; regulation and monitoring of entry into and exit from the federal territory; right of residence for reasons worthy of consideration; passports; residence bans, expulsion and deportation; asylum; extradition; federal finances; monopoly systems; monetary, credit, stock exchange and banking systems; weights and measures, standards and hallmarking systems; judicial system; press system; maintenance of public peace, order and security, including first general assistance, but with the exception of local security police; association and assembly law; aliens police and registration systems; weapons, ammunition and explosives systems, shooting; antitrust law; patents and the protection of designs, trademarks and other product names; transport systems; river and shipping police; Postal and telecommunications services; mining; regulation and maintenance of the Danube; torrent control; construction and maintenance of waterways; surveying; labor law; social and contractual insurance; long-term care benefits; social compensation law; commercial transactions with seeds and seedlings, feed, fertilizers, and plant protection products, as well as with plant protection equipment, including licensing and, in the case of seeds and seedlings, also recognition; monument protection; general matters relating to the protection of personal data; organization and management of the Federal Police; military matters; matters relating to civilian service; population policy; agricultural and forestry schools and educational systems in the matters referred to in Article 14a, Paragraph 2, as well as central educational institutions; universities and higher education, as well as the educational system relating to student dormitories in these matters; compulsory training for young people; public procurement. Article 103, Paragraph 2 of the Federal Constitutional Law (B-VG) reads: "When drawing up its rules of procedure, the state government may decide that individual groups of matters of the indirect federal administration, due to their material connection with matters within the independent sphere of activity of the state, shall be conducted by members of the state government on behalf of the governor. In these matters, the relevant members of the state government are bound by the instructions of the governor (Article 20) just as the governor is bound by the instructions of the federal government or individual federal ministers." - 12 - Item III. The allocation of responsibilities for XXXX reads: "The affairs of the indirect federal administration that are the responsibility of the Governor are to be handled by the municipal departments under the direction and responsibility of the responsible acting city councilor as a member of the state government, in accordance with Article 103 (2) of the Federal Constitutional Law, unless the allocation of responsibilities stipulates otherwise. This applies mutatis mutandis to the administration of federal assets assigned to the Governor pursuant to Article 104 (2) of the Federal Constitutional Law." According to the allocation of responsibilities for XXXX (GZ XXXX or XXXX), XXXX – in particular XXXX – was responsible for health and vaccination at the end of 2021. 3.2. Applied to the facts of the case, this means: 3.2.1. Regarding the complainant as the controller within the meaning of Article 4(7) GDPR: According to Article 4(7) GDPR, the "controller" for the processing of personal data is the natural or legal person, public authority, agency, or other body which alone or jointly with others decides on the purposes and means of the processing of personal data; where the purposes and means of such processing are specified by Union or Member State law, the controller or the specific criteria for its designation may be provided for by Union or Member State law. The ECJ has held that, according to the underlying provisions, the decision regarding the purposes and means of processing does not (necessarily) have to be made by written instruction (see ECJ July 10, 2018, C-25/17, Tietosuojavaltuutettu, para. 67). The dispatch of a vaccination reminder letter is a matter of healthcare, which must be implemented by indirect federal administration, i.e., generally by the respective state governor (Article 10(1)(12) in conjunction with Article 102(1) and (2) of the Federal Constitutional Law). In the case of Article 103(2) of the Federal Constitutional Law, implementation is carried out by members of the state government on behalf of the state governor; in the case of XXXX, by the city senate or the acting city councilors on behalf of the mayor (see, among others, Section 114 of the XXXX City Constitution). According to Section 106 of the XXXX City Constitution, XXXX is divided into business groups and, within these, into departments. Each business group is headed by an acting city councilor. According to the business organization of the XXXX Magistrate's Office dated January 13, 2021, XXXX has the - 13 - business group "XXXX," to which the XXXX municipal departments and the XXXX Health Association are assigned. This business group is headed by the acting city councilor XXXX. Nevertheless, the Magistrate, as an "authority" or "other body" within the meaning of Article 4(7) GDPR, can itself be the data controller: either if it is designated as the data controller under Union, state, or federal law within the meaning of Article 4(7) GDPR, last half-sentence, or if the data controller is not designated under Union, state, or federal law and the Office of the State Government itself determines the purpose and means of data processing. The purpose and means of data processing can no longer be assumed to be determined by the municipal administration if these are specified in detail by the mayor or the responsible member of the state government (city council). In such a case, the municipal administration can no longer be considered the controller of data processing. For the specific case, this means: The subject matter is the sending of a vaccination reminder letter, i.e., a matter of health care, which is carried out by the indirect federal administration in XXXX by the XXXX in the name of the state governor (Article 10 (1) (12), Article 102 (2) and 103 (2) of the Federal Constitutional Law (B-VG) in conjunction with Section 133 of the XXXX City Constitution, Division of Business for XXXX). Regarding the determination of the controller based on Union, state, or federal law: The controller under data protection law is not determined by Union, state, or federal law in XXXX. Regarding the question of who decided on the purpose and means of data processing: The purpose of the letter, namely to increase the vaccination rate in order to protect the country's citizens and the health care system, as well as the purpose of accessing the patient index and the central vaccination register, namely to determine the recipients of the vaccination reminder letter, was specified by the acting City Councilor for "Health, Social Affairs and Sports."The acting city councilor also determined the essential means of data processing, namely, the essential content of the letter, the definition of the recipient groups, and the necessary access to the patient index and the - 14 - central vaccination register. Although the vaccination reminder letter was coordinated and implemented by the responsible employees of the municipal departments, the ultimate responsibility and the specific decision always remained with the acting city councilor. The acting city councilor stated in his testimony before the Federal Administrative Court that XXXX GmbH was engaged as a service provider for implementation (GZ W252 2271937-1, OZ19, p. 15). Even though the acting city councilor did not sign the offer from XXXX GmbH himself, he determined that XXXX GmbH would be used for access to the patient index and the central vaccination register. The acting City Councillor did not issue any written instructions to his employees (XXXX). However, the bodies may issue orders in the form of individual or general, concrete or abstract instructions within the scope of their substantive and functional competence. It can therefore be inferred that the employees of XXXX and XXXX, who are assigned to XXXX, were commissioned by the acting City Councillor's general instruction to send a vaccination reminder letter to unvaccinated persons over the age of 18 with social insurance and residence in XXXX. The complainant therefore decided neither on the purpose nor the means of data processing and therefore cannot be the controller within the meaning of Article 4(7) of the GDPR. 3.2.2. On the significance of the incorrect determination of the person responsible for the administrative procedure: According to the case law of the Administrative Court, party statements must be interpreted according to their objective explanatory value, i.e., it depends on how the statement must be objectively understood, taking into account the specific legal provision, the purpose of the procedure, and the file available to the authority. If the content of a submission is unclear, the party's intention must be investigated. In case of doubt, a submission made by a party to protect its rights should not be considered to contain such content that it deprives it of the opportunity to defend itself (see, for example, Administrative Court of Justice May 28, 2019, Ra 2018/15/0036). According to Section 24 (2) (2) of the Data Protection Act (DSG), a data protection complaint must only contain the designation of the legal entity or body to which the alleged violation of law is attributed if this is reasonable. In connection with the designation of the right deemed to have been violated within the meaning of Section 24 (2) (1) of the Data Protection Act (DSG), which must be included in the data protection complaint, the Administrative Court (VwGH) stated, with reference to the provision of the former Section 67c (2) of the General Data Protection Act (AVG), which is considered a model regulation, that the AVG is "alien to any formalism" (cf. Administrative Court of November 22, 2022, Ra 2019/04/0003, para. 24, with further references). Nothing else can apply to the requirements of Section 24 (2) of the DSG (cf. Administrative Court of September 3, 2024, Ra 2023/04/0094). The inaccurate or incorrect designation of the controller may be equivalent to the unreasonableness of naming him or her (see VwGH June 27, 2023, Ro 2023/04/0013, para. 34, with further references). The VwGH has fundamentally recognized that the correction of a designation of the respondent may be permissible within the framework of a justifiable interpretation of the party's statement by the DSB (see VwGH June 27, 2023, Ro 2023/04/0013, para. 34, with further references; see also VwGH March 18, 2022, Ro 2020/04/0027, para. 41 and VwGH April 28, 2021, Ra 2019/04/0138, paras. 15 et seq.). If, according to the Data Protection Act (specifically Section 24(2)(2)), there may be cases in which it may be unreasonable for the data subject to identify the controller themselves and to name them accordingly in the data protection complaint, then it is also possible to recognize situations in which the data subject identifies the controller inaccurately or even incorrectly, without this necessarily leading to a dismissal of the data protection complaint (cf. Administrative Court of Justice (VwGH) June 27, 2023, Ro 2023/04/0013, para. 34, with further references). As explained above, pursuant to Section 24(2)(2) of the Data Protection Act, a data protection complaint must only contain the designation of the legal entity or body to which the alleged violation of law is attributed if this is reasonable. In the present case, however, reasonableness is not given: The co-participating party named XXXX as the respondent in the data protection complaint. The vaccination reminder letter attached to the data protection complaint was signed by the legal representatives of two different legal entities and contains the logos of four different health insurance companies and a municipal department. The design of the vaccination reminder letter in question did not make it easier for the co-participating party to name or clearly identify the legal entity or body to which the alleged violation of law is attributable. The legal discussion held during the hearing in case number W252 2271937-1 between the representative of the authority being prosecuted and the complainant's legal representative regarding possible liability also shows that it was unreasonable for the co-participating party to name or clearly identify the (correct) responsible party when filing the complaint. to specify its original request. - 16 - If the co-participating party therefore directed its data protection complaint against XXXX, and five different logos, including XXXX, appear on the letter, for which the letter was also signed, and which was listed as the sender, then, in the context of the case and in light of the wording of the letter, as well as in light of the recent case law of the Administrative Court (03.09.2024, Ra 2023/04/0092 and Ra 2023/04/0094), the specific designation of the respondent ultimately determined by the respondent authority was unreasonable. The conduct of the respondent authority in the present administrative proceedings is therefore not objectionable. The complainant's statement of October 9, 2024, therefore cannot be upheld if it states that the recent Administrative Court rulings of September 3, 2024, are not applicable: the deciding Senate takes the view that the present case, particularly with regard to the confusing presentation of senders, signatories, and logos, is indeed comparable to those in the cited Administrative Court rulings. Which of the possible group of persons actually decided on the purpose and means of data processing cannot be determined by the participating party, either from the vaccination reminder letter or by any other means, which is why the naming of the controller was unreasonable. It was therefore incumbent on the authority concerned, in the context of establishing the substantive truth, to determine who had determined the purpose and means of the data processing and was thus the controller of the data processing and the opponent of the data protection complaint. By ultimately mistakenly designating the complainant as the controller, it conducted the administrative proceedings against someone who was not covered by the co-participating party's application for legal protection. The decision therefore had to be annulled without compensation. 3.3. In view of this outcome, the co-participating party's data protection complaint remains pending. 3.4. The decision therefore had to be made in accordance with the ruling. 3.5. On further submissions and submissions 3.5.1. Res judicata The argument put forward by the complainant that the Federal Administrative Court should not rule on the grounds of res judicata cannot be accepted in the end, since the present proceedings (proceedings based on a request) and the parallel - 17 - ex officio review proceedings are two distinct proceedings. The fact that a matter can be taken up by both the affected party and a designated public institution or authority and reviewed in court proceedings does not lead to res judicata. The arguments of the authority concerned cannot be contradicted in this respect. 3.5.2. Defective Procedure To the extent that the complainant argues that the data protection authority, on the one hand, conducted the proceedings defectively and, on the other hand, improperly used the results of investigations from other proceedings, it should be noted that any procedural deficiencies before the authority concerned will be remedied by a flawless procedure before the Administrative Court (cf. Ra 2021/09/0251, Case No.: 9) and that the Administrative Court, within the framework of the unlimited nature of the evidence within the meaning of Section 46 of the Administrative Court Act (AVG), is entitled to use as evidence anything relevant to the decision-making process. In this respect, the elements of the parallel DPO proceedings were incorporated into the proceedings during the oral hearing on October 18, 2023. The complainant's argument is therefore unfounded (cf. Ra 2021/09/0251, Case No.: 11). 3.5.3. Suspension of the Proceedings For the reasons just stated, the suspension of the proceedings, requested with the complainant's supplementary submission of November 8, 2023, regarding the Administrative Court's request for a preliminary ruling to the ECJ in case Ra 2023/04/0024 (EU 2023/0007-1) of August 23, 2023, which raised, among other things, the question of whether institutions such as the Office of the State Government or the Municipal Council can act as data protection controllers, could also be omitted. The question of whether XXXX can be the data protection controller within the meaning of Article 4(7) is irrelevant for the present proceedings in view of the findings that the controller has not specified the purposes and means. 3.5.4. On the existence of a void decision The complainant argued in the hearing before the Federal Administrative Court and in his written submission of October 9, 2024, that it was necessary to examine whether a decision existed at all. The complainant argued that in the absence of an addressee, the decision was absolutely void. The XXXX was a mere agency, neither a natural nor a legal person, and acted as an auxiliary apparatus for the XXXX. The decisive factor was - 18 - that the XXXX – as an auxiliary apparatus – (also) provided services through indirect federal administration. The municipal administration exercised functions that were attributable to the federal government and was therefore considered a federal body in the functional sense. This argument of the complainant cannot be accepted: As already explained above, the municipal authority, as a "authority" or "other body" within the meaning of Article 4(7) GDPR, can itself be the controller under data protection law: either if it is designated as the controller under Union, state, or federal law within the meaning of the last sentence of Article 4(7) GDPR, or if the controller is not designated under Union, state, or federal law and the municipal authority itself determines the purpose and means of data processing. In this case, the municipal authority can, in principle, be the addressee of the decision, which is why the decision in question is not void. Regarding B) Inadmissibility of the appeal on points of law: According to Section 25a(1) VwGG, the administrative court must state in its decision or order whether the appeal on points of law is admissible pursuant to Article 133(4) B-VG. This decision must be briefly justified. The appeal is inadmissible because the decision does not depend on the resolution of a legal issue of fundamental importance. Based on the clear (cited) case law of the Administrative Court, which is applicable to the current legal situation, no legal issues of fundamental importance arise.
