BVwG - W256 2227693-1: Difference between revisions

From GDPRhub
No edit summary
No edit summary
Line 52: Line 52:
}}
}}


The Austrian Federal Administrative Court upheld an appeal against a decision by the national DPA, in which it found a company which ran a loyalty programme to not have obtained valid consent for such processing. In particular, the court held that the Austrian DPA should have considered whether the processing could be based on legitimate interest rather than consent.
The Austrian Federal Administrative Court (BVwG) upheld an appeal against a decision by the national DPA. The latter originally found a company which ran a loyalty programme to not have obtained valid consent for such processing, but the court held it should have considered whether the processing could be based on legitimate interest rather than consent.


== English Summary ==
== English Summary ==

Revision as of 09:58, 12 January 2022

BVwG - W256 2227693-1
Courts logo1.png
Court: BVwG (Austria)
Jurisdiction: Austria
Relevant Law: Article 6(1)(a) GDPR
Article 6(1)(f) GDPR
Article 6(4) GDPR
Decided: 31.08.2021
Published: 06.12.2021
Parties:
National Case Number/Name: W256 2227693-1
European Case Law Identifier: ECLI:AT:BVWG:2021:W256.2227693.1.00
Appeal from: DSB (Austria)
Appeal to: Unknown
Original Language(s): German
Original Source: Rechtsinformationssystem des Bundes (in German)
Initial Contributor: Frederick Antonovics

The Austrian Federal Administrative Court (BVwG) upheld an appeal against a decision by the national DPA. The latter originally found a company which ran a loyalty programme to not have obtained valid consent for such processing, but the court held it should have considered whether the processing could be based on legitimate interest rather than consent.

English Summary

Facts

The appellant is a company which ran a loyalty programme for which it collected and processed data subjects’ personal data. More precisely, it “combined and [analysed their] participation data and purchase data in order to send [them] individualised information on [the] programme that is relevant to me and tailored to my interests (…) in order to send [out] advertising with personalised offers about products and services of the operator and [its] partners.” It claimed this data would be deleted if individuals revoked their consent to such processing.

The Austrian DPA, following an ex officio investigation into the company's data practices, found that it unlawfully processed the programme’s participants’ personal data because it failed to obtain their valid consent. In particular, the information on profiling was neither available in an easily accessible form nor formulated in clear and simple language, and could therefore not be used as a legal basis under Article 6(1)(a) GDPR. The company "had at no time relied on legitimate interests within the meaning of Article 6(1)(f) GDPR as a legal basis for processing for the purpose of profiling", and the DPA originally found that such a balancing of interests would in any case turn out against it.

The company filed an appeal against this decision with the Austrian Federal Administrative Court. The appeal was deemed permissible because “[there was] no case law of the highest courts on the question of whether, in order to assess the lawfulness of data processing in the case of invalid consent pursuant to Article 6(1)(a) GDPR, it is permissible to have recourse to other permissible elements of Article 6 GDPR.”As such, this was the key issue in this case.

Holding

Issue 1: Legal basis

The complainant argued that:

  1. the DPA had asked it questions regarding the method of obtaining consent from a data subject, in particular with regard to personalised advertising and profiling, on the basis of a request for comments, but that the complainant had not been given any further opportunity to comment;
  2. it wrongly assumed the invalidity of the present declarations of consent;
  3. it had applied too narrow a standard of review by referring to the case law of the Federal Administrative Court in examining the declarations of consent; and
  4. it had not (sufficiently) examined the permissibility of data processing on another legal basis, which is why the contested decision was already unlawful for these reasons.

The company argued the legal basis for the processing was not only consent under Article 6(1)(a) GDPR, but also the legitimate interest of the complainant under Article 6(1)(f) GDPR. The combination of different data and selection criteria with the aim of orienting advertising measures as closely as possible to the actual interests of the persons concerned served the legitimate interest of both parties. While the complainant could thus keep the misallocation of the resources used as low as possible, the data subject would only be sent advertising that corresponded to his or her (presumed) interest and would thus not be harassed with unnecessary advertising. In addition, the processing of data could also be based on Article 6(4) GDPR and the possibility of further processing.

According to the jurisprudence of the Federal Administrative Court, the failure of the public authority to address alternative legal bases for data processing in an official review procedure meant the object of review was too narrow in this case, and therefore had to be annulled without replacement. Other legal bases, in particular Article 6(4) GDPR and Article 6(1)(f) GDPR, should have been examined in respectively some and more detail. The DPA was found to have failed to consider the interests of the complainant and those of the persons concerned, instead wrongly relying exclusively on the "reasonable expectations" of the person concerned.

The DPA argued that whilst the consent it assessed was valid for two out of the four registration methods relied on by the company operating the loyalty scheme, the consent for the website and flyer methods did not meet the requirements for transparent and clearly visible consent. It stated that the complainant had relied solely on this legal basis throughout the entire procedure, which is why other legal bases, which the complainant had now raised for the first time, should not even be considered. It relied on:

  1. the concept of the GDPR, which was designed so that the supervisory authority had to review the processing operations solely on the basis of the processing list;
  2. Article 57 GDPR, under which it is not the task of the DPA to draw up a substitute authorisation for a controller;
  3. Article 5(2) GDPR, under which it is up to controllers to prove that they comply with the principles of the GDPR; and
  4. Article 29 Working Party guidelines in which they expressly point that controller had to decide in advance on which legal basis to base its processing, and cannot retroactively choose legitimate interests as a basis for justifying a processing operation if problems arose with the validity of the consent.

The Court held that the DPA wrongfully found the company to have unlawfully processed the personal data of data subjects involved in the loyalty scheme, and it cannot be inferred from the Article 29 Working Party guidelines (that it partially based its decision on) that it would generally not be possible to have recourse to other permissive elements of Article 6 GDPR in the absence of prior information of the data subject.

It also stated that Recital 47 GDPR could not be interpreted to mean that the absence of a declaration of consent renders any consideration of possible legitimate interests of a controller in the processing superfluous from the outset. The Court additionally set out that that a balancing of interests must be carried out in any case, but that the reasonable expectations of a data subject with regard to a processing concerning his or her data must be taken into account accordingly. Thus, it rejected the view of the Austrian DPA that an invalid declaration of consent, in the absence of information of the data subject about further legal bases, would in any case result in unlawful data processing and make a review of the other legal bases unnecessary.

Finally, the court held that the DPA's remedial powers under Article 58(1)(b) GDPR could not be invoked even if consent were invalid, as it could not be assumed "without further ado that there was a violation of the lawfulness".

Issue 2: Procedural law

After the original decision, the complainant submitted a request for referral. In it, the company argued that the Austrian DPA had amended the outcome of the contested decision, thus exceeding its power of review, and that the preliminary decision on the complaint went beyond the scope of the complaint procedure with regard to the finding that no other legal basis under Article 6 of the GDPR could be considered for the processing for the purpose of profiling.

The authority concerned submitted the complaint, together with the administrative act, to the Federal Administrative Court and submitted a rebuttal. In it, the authority stated that the subject of the original decision had been the question of the permissibility of the processing in question. However, in the view of the authority concerned, the investigation procedure had shown that the complainant based the processing solely on the legal basis of consent (which it failed to obtain).

First, the Court held that according to the VwGVG ((Administrative Court Procedure Act), the request for referral is only directed at the submission of the complaint to the administrative court, even if it also contains additional grounds. Since the appeal is directed against the initial decision and its grounds must refer to it, the initial decision also remains the standard for determining whether the appeal is justified or not. However, only the preliminary appeal decision replacing the initial decision can be repealed, amended or confirmed.

Second, it held that because the authority decided on whether a review of other grounds for authorisation may come into consideration under Article 6 GDPR in its preliminary appeal decision on the basis of the complainant's complaint, it exceeded the scope of its original decision. Thus, the preliminary decision on the complaint - insofar as it contained a review of the lawfulness of the data processing that was not limited to the declarations of consent - had to be repealed due to lack of competence.

Comment

Share your comments here!

Further Resources

The original DPA decision, although the court document is redacted, concerns the 'Jö Bonusclub'. It was widely reported on, including by major news outlets such as the Austrian 'Der Standard' - https://www.derstandard.at/story/2000128639162/joe-bonusclub-soll-millionenstrafe-zahlen?ref=rec

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.



court
Federal Administrative Court


Decision date
08/31/2021


Business number
W256 2227693-1


Saying
W256 2227693-1 / 10E


IN THE NAME OF THE REPUBLIC!

The Federal Administrative Court, through the judge Mag. Caroline Kimm as chairman, the expert lay judge Dr. Claudia Rosenmayr-Klemenz and the expert lay judge Dr. Michael Gogola as observer on the complaint of XXXX GmbH, represented by CMS Reich-Rohrwig Hainz Rechtsanwälte GmbH, against the decision of the data protection authority of October 23, 2019, GZ: DSB-D213.895 / 0003-DSB / 2019, based on the submission application from XXXX GmbH rightly recognized:
A) The complaint will be followed up in accordance with § 28 Paragraph 1 and 2 VwGVG and the preliminary decision of December 11, 2019, GZ: DSB-D062.297 / 0001-DSB / 2019 will be resolved without replacement.
B) The revision is permissible in accordance with Art. 133 Para. 4 B-VG.





text
Reasons for the decision:
I. Procedure and facts:
In a letter dated September 5, 2019, the authority in question informed XXXX GmbH (hereinafter: the complainant) that it was initiating an official examination procedure against it in accordance with Article 58 (2) (b) GDPR in conjunction with Article 22 (1) DSG. In a first part, compliance with the provisions of the GDPR and the DSG is generally checked, which is why various documents, such as a processing directory, are requested. In a second part, the handling of personal data of the participants in "XXXX" is checked and the complainant is asked in this context, among other things, to explain how the consent of a data subject to receive personalized advertising through profiling when registering for XXXX will be obtained and in what way the information obligations according to Art 13 GDPR would be implemented in the context of such a registration for XXXX. In addition, a sample consent form was requested.
The complainant complied with this request by letter dated September 16, 2019 and October 7, 2019, while at the same time submitting various documents.
With the decision of October 23, 2019, GZ: DSB-D213.895 / 0003-DSB / 2019 (initial decision), the authority in question decided against the complainant in the official examination procedure as follows:
"1. The official examination procedure was justified and it is established that the request for consent to the processing of personal data from the data subjects registered on "XXXX" for the purpose of profiling by XXXX GmbH with the wording
"Declaration of consent: I [..] agree that XXXX GmbH and the XXXX partners, with whom I have used my XXXX card, (1) merge and analyze my participation data and purchase data in order to provide me with relevant information and to mine To send interests tailored, individualized information about the XXXX program and to adapt offers to collect and redeem XXXX to my needs (so-called "Profiling" for target group selection, advertising measures [..], in order to (2) advertise me with personalized offers about products and Services of the operator and the XXXX partners [..], and (3) that my personal data obtained in this way will be deleted if my consent is withdrawn, at the latest after the end of my membership. [..]. "
using the following methods:
i) website www. XXXX .at
ii) XXXX app
iii) XXXX in a partner's branch and
iv) Registration brochure ("Flyer")
does not meet the requirements for consent in accordance with Art. 4 Z 11 GDPR and Art. 7 GDPR and that consequently the processing of personal data from the data subjects registered on "XXXX" for the purpose of profiling by XXXX GmbH is inadmissible in the absence of valid consent.
2. The complainant is instructed, within a period of three months in the event of other execution, to submit the request for consent mentioned in ruling point 1. using the methods mentioned in ruling points 1. i) to iv) in accordance with Art 4 Z 11 GDPR and Art 7 GDPR adapt.
3. XXXX GmbH is forbidden and XXXX GmbH is instructed not to use the consent obtained in accordance with point 1. from May 1, 2020 for the purpose of profiling. This does not apply if valid consent is obtained from the persons concerned within the same period, in compliance with the requirements for consent in accordance with point 2.
Legal basis: Art. 4 Z 4 and 11, Art. 5 Paragraph 1 lit. a. Article 6 (1) (a), Article 7 (1) and (2), Article 12 (1), Article 13 (1) (c), Article 57 (1) (a) and (h), Article 58 (1) (c) . 1 b and para. 2 lit. d and lit. f [..] GDPR [..] "
In addition, the authority in question stated, among other things, that the complainant was the operator of the XXXX. This XXXX is a cross-company and cross-sector customer loyalty program. Different companies would participate. To this end, the complainant, as the operator, concludes a contract with the companies. Customers who purchase and shop products in the branches of the participating partners could register as members for the XXXX. The members could show the XXXX card with every purchase, which is scanned by the respective partner before payment. Members would collect points as part of the customer loyalty program. These could, among other things, be used to obtain discounts. In point 3 of her data protection declaration, the complainant points out that she is processing member master data and purchasing data presented in more detail. In point 4.4. In the data protection declaration, under the heading "automation-supported processing and analysis (profiling for target group selections, [...]"), it is pointed out that only if the member agrees, the operator as the sole responsible party can automate the member's master data and purchasing data processed by the operator and partners Personalization of advertising and marketing measures for the operator and the partners to carry out market research measures, continue to use, analyze and thus obtain new marketing profiling data. According to point 4.4.5., The legal basis for processing is the consent according to Article 6 (1) (a) GDPR Point 4.4.6. Consent is voluntary and can be revoked at any time.
Furthermore, the authority in question determined that the consent in question for profiling according to point 4.4. the data protection declaration is obtained using the methods set out in point 1 i) to iv). The way in which the consent for profiling was obtained from the authority concerned was presented in more detail for each method. Essentially, in all methods, albeit in different forms, the data protection declaration is first brought to the attention of the person concerned and then under the heading "Enjoy your personal benefits" the person concerned is asked for the consent stated in section 4.4. The profiling presented in the data protection declaration is requested.
The subject of the examination is now the question of whether this request for consent corresponds to the requirements standardized in the GDPR. If this is answered in the negative, it should also be checked what effects this has on the permissibility of the processing of personal data for the purpose of profiling and whether a ban on data processing should be pronounced in the event of inadmissibility. In a similar case, the data protection authority has already stated that consent must be given in accordance with the requirements of Art 4 Z 11 GDPR and Art 7 GDPR and, in particular, in an understandable form. This consent does not meet these requirements for any of the four registration types. The related information on profiling would not be available in an easily accessible form, nor would it be formulated in clear and simple language. The consent can therefore not be used as a legal basis in accordance with Art 6 Paragraph 1 lit. The complainant had at no time relied on legitimate interests within the meaning of Article 6 (1) (f) GDPR as the legal basis for processing for the purpose of profiling, whereby it should be noted that such a weighing of interests would be against the operator anyway. According to recital 47, first sentence, GDPR, the “reasonable expectations” of the data subjects should be included in the context of such a weighing of interests and an average user cannot expect that “consent to profiling” will be given. Finally, Art 29 Data Protection Working Party also points out in its guidelines that it is not permitted to select retrospectively legitimate interests as the basis for justifying processing if problems with the validity of consent have arisen. Rather, those responsible would have to decide in advance which legal basis would be applicable for processing. Since, therefore, neither the consent according to Art. 6 Paragraph 1 lit a GDPR nor any other factual basis could be considered as the legal basis for the processing, it was stated in point 1 that the processing of personal data from the persons registered on "XXXX" to Purpose of profiling is inadmissible in the absence of valid consent. Since a violation of Article 7 (2) GDPR had been established and there was no legal basis for the processing in question, the remedial powers in question had to be granted. However, the complainant is free to obtain lawful data processing by obtaining new declarations of consent.
The complainant appealed to the Federal Administrative Court against this decision. In it, the authority stated - insofar as this was essential - that the authority concerned had asked the complainant to ask questions about the way in which the consent of a data subject was obtained, in particular with regard to personalized advertising and profiling, in the official examination procedure based on a request for comment However, the complainant was no longer allowed to comment. Apart from the fact that the authority concerned wrongly assumed the present declarations of consent to be invalid, with reference to the case law of the Federal Administrative Court, with the examination of the declarations of consent, with the examination of the declarations of consent, it had set too narrow a test standard and did not (sufficiently) on the admissibility of the data processing examined another legal basis, which is why the contested decision is unlawful for these reasons alone. The legal basis for the processing is not only the consent in accordance with Article 6 (1) (a) GDPR, but also the legitimate interest of the complainant in accordance with Article 6 (1) (f) GDPR. The merging of various data and selection criteria with the aim of orienting advertising measures as closely as possible to the actual interests of those concerned serves the legitimate interests of both parties. While the complainant can thus keep a misallocation of the funds used as low as possible, the person concerned is only sent advertising that corresponds to his (presumed) interest and the person concerned is therefore not bothered with unnecessary advertising. In addition, the data processing can also be based on Art 6 (4) GDPR and the possibility of further processing.
According to the case law of the Federal Administrative Court, the lack of a dispute by the authority concerned with alternative legal bases for data processing in an official examination procedure leads to the fact that the object of the examination is too narrow and that the decision has to be remedied without replacement. In misjudging the legal situation, the authority concerned limited itself exclusively to examining the legal basis of the consent. Other alternative legal bases were not examined at all, but merely stated that no further facts could be considered as a legal basis. The legal basis of Article 6 (4) GDPR was not even rudimentarily taken into account by the authority concerned, which is why, according to the case law of the Federal Administrative Court, the decision should be remedied without replacement. However, the reference to Art 6 (1) (f) GDPR that was only given in the grounds was inadequate. The authority in question did not in any way deal with the interests of the complainant or those of the persons concerned, nor did it make any determinations, but based it solely on the “reasonable expectations” of the person concerned.
With the preliminary decision on the complaint by the authority concerned dated December 11, 2019, GZ: DSB-D062.297 / 0001-DSB / 2019, the complainant's complaint was partially granted and the verdict was amended to read as follows:
"1. The official examination procedure was justified and it is found that
a) the complainant's request for consent to the processing of personal data from the data subjects registered on "XXXX" for the purpose of profiling with the wording [...]
using the methods i) website XXXX and ii) registration brochure ("Flyer") does not meet the requirements for consent in accordance with Art 4 Z 11 GDPR and Art 7 GDPR and that
b) for the previous processing of personal data from the data subjects registered on XXXX "for the purpose of profiling by XXXX GmbH in addition to the consent obtained using the methods i) website XXXX and ii) registration brochure (" flyer "), no other legal basis according to Art. 6 GDPR comes into consideration and the aforementioned previous processing is therefore unlawful.
2) XXXX GmbH is prohibited from processing personal data from the data subjects registered on "XXXX" for the purpose of profiling to the extent of point 1.
3) The complainant is given a period of six months to implement point 2.
Legal basis: [..] Art. 4 No. 4 and No. 11, Art. 5 Paragraph 1 lit. a. Article 6 (1) a, Article 7, Article 12 (1), Article 13 (1) (c), Article 57 (1) (a), (d) and (h), Article 58 (1) b and lit d as well as paragraph 2 lit d and lit f [..] GDPR [..] "
The authority in question stated that the complaint alleged that the registration process for the methods XXXX App "and" XXXX "was a screen-by-screen registration process, thus ensuring that the request for consent was clear from the rest of the registration process taken off. As a result, the affected person's full attention is directed to the current registration step. It was therefore assumed that there was a sufficient level of transparency and thus sufficient consent, which is why the point of the ruling had to be adjusted accordingly. However, the consent for the website and flyer methods - as already stated in the initial notification - still does not meet the requirements for a transparent and clearly visible obtaining consent, which is why this does not serve as a valid legal basis for processing in accordance with Article 6 (1) (a) GDPR can be used. The complainant relied solely on this legal basis throughout the proceedings, which is why other legal bases that the complainant brought up for the first time should not be taken into account. The concept of the GDPR is designed in such a way that the supervisory authority has to check the processing operations against the processing directory and the complainant cites the consent for the processing in question as the sole legal basis. Apart from that, it is not the task of the supervisory authority according to Art 57 GDPR to invoke a substitute permission for a person responsible and a supervisory authority is not entitled to do so. Rather, it is up to the person responsible to prove that he is complying with the principles of the GDPR, as can be seen in Article 5 (2) GDPR. However, even if the complainant's statements were followed, it should be noted that a weighing of interests against the complainant would fail and further processing would be inadmissible. The Art. 29 Data Protection Working Party expressly points out that it is not permitted to choose retrospective legitimate interests as the basis for justifying processing if problems arise with the validity of the consent. The person responsible must decide in advance on which legal basis to base his processing. The complainant had based her entire concept of processing personal data on the legal basis of consent and did not refer to an additional legal basis or further processing in accordance with Article 6 (4) GDPR. The legal basis of Article 6 (1) (f) GDPR and Article 6 (4) GDPR are out of the question because it contradicts the principle of good faith and the requirement of transparency if a person responsible, after a consent has been found to be invalid, retrospectively based on another permit. Apart from these (already sufficient) reasons, a balancing of interests would also not be in favor of the complainant, because an exact picture of the economic and social situation is created on the basis of the profiling and this cannot be qualified as a harmless invasion of privacy. The economic advantage could not justify the invasion of privacy. Art 6 Paragraph 4 GDPR does not represent an independent legal basis, but requires a valid legal basis according to Paragraph 1 GDPR. Since the legal basis referred to in paragraph 1 already fails, further processing for other purposes would not be considered. Since in the present case there is no legal basis for the processing in question in accordance with Art 6 (4) GDPR, a corresponding ban should be imposed.
By letter of December 27, 2019, the complainant submitted an application for a reference. In it, the complainant pointed out - insofar as this was essential - that the authority concerned had changed the verdict of the contested decision and thus exceeded its authority to examine. The preliminary decision on the complaint relates to the finding that no other legal basis under Art 6 GDPR can be considered for processing for the purpose of profiling beyond the matter of the complaint procedure. Incidentally, the consents obtained - as already stated in the complaint - are legally valid. But the “blocking effect” of the consent carried out by the authority in question could not be followed either. A legal requirement for permission is not omitted because additional consent is obtained. According to Article 17 (1) (b) GDPR, an obligation to delete would only apply in the event of a revocation if there is no other legal basis. From this it follows that a revocation of the consent according to the system of the GDPR cannot lead to inadmissible data processing. The applicability of the statutory permit does not depend on the person responsible having invoked it. Ultimately, the authority concerned overlooks the fact that the participation data and purchase data used for profiling in accordance with point 4.1. and 4.2. the data protection declaration on the legal basis according to Art 6 Paragraph 1 lit b GDPR (fulfillment of the contract) would be used to manage the membership and to process the customer loyalty program. Contrary to the opinion of the authority concerned, Art 6 (4) GDPR with regard to the further processing of this data could very well be considered. Also, the opinion of the authority concerned that a violation of the principle of good faith precludes a weighing of interests according to Art.
The authority in question submitted the complaint, including the administrative act, to the Federal Administrative Court and issued a counter-notification. The authority in question stated that the subject of the initial order was the question of the admissibility of the processing in question. Due to the investigative procedure carried out, however, it emerged from the point of view of the authority concerned that the complainant based the processing solely on the legal basis of consent. In this respect, it was stated in the initial decision that the consent did not comply with the GDPR and the processing was accordingly inadmissible. The reasoning shows that a substitute legal basis such as the legitimate interest according to Art 6 Paragraph 1 lit f GDPR is out of the question. With regard to the blocking effect of the consent, it is also stated that the view is also taken in the literature that several legal bases can only be used side by side if the person concerned has been informed about them. In the present case, the complainant based its processing solely on consent.
II. The Federal Administrative Court has considered:
2. Evidence assessment:
The course of the procedure and the facts set out above result from the submitted administrative act.
3. Legal assessment:
The relevant provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons during the processing of personal data, on the free movement of data and on the repeal of Directive 95/46 / EC (General Data Protection Regulation) OJ L 119 of 04.05.2016, hereinafter: GDPR, read as follows:
"Art 5 principles for the processing of personal data
(1) Personal data must
a) are processed in a lawful manner, in good faith and in a manner that is understandable for the data subject ("lawfulness, processing in good faith, transparency");
[….]
Art 6 lawfulness of processing
(1) The processing is only lawful if at least one of the following conditions is met:
a) The person concerned has given their consent to the processing of their personal data for one or more specific purposes;
[..]
f) The processing is necessary to safeguard the legitimate interests of the person responsible or a third party, unless the interests or fundamental rights and freedoms of the person concerned, which require the protection of personal data, outweigh them, in particular if the person concerned is a Child acts.
[..]
(4) If the processing for a purpose other than that for which the personal data was collected, is not based on the consent of the data subject or on a legal provision of the Union or of the Member States which, in a democratic society, is a necessary and proportionate measure for Protection of the objectives referred to in Article 23 paragraph 1, the person responsible will take into account - in order to determine whether the processing for another purpose is compatible with that for which the personal data were originally collected - among other things


a)
any connection between the purposes for which the personal data was collected and the purposes of the intended further processing,









b)
the context in which the personal data was collected, in particular with regard to the relationship between the data subjects and the person responsible,









c)
the type of personal data, in particular whether special categories of personal data are processed in accordance with Article 9 or whether personal data on criminal convictions and offenses are processed in accordance with Article 10,









d)
the possible consequences of the intended further processing for the data subjects,









e)
the existence of suitable guarantees, which may include encryption or pseudonymization.






[...]
Art 7 conditions for consent
(1) If the processing is based on consent, the person responsible must be able to prove that the person concerned has consented to the processing of their personal data.
(2) If the data subject gives his / her consent by means of a written declaration that also relates to other facts, the request for consent must be made in an understandable and easily accessible form in clear and simple language in such a way that it can be clearly distinguished from the other facts is. Parts of the declaration are not binding if they constitute a violation of this regulation.
(3) The person concerned has the right to withdraw their consent at any time. Revoking your consent does not affect the legality of the processing carried out on the basis of your consent up to the point of revocation. The person concerned will be informed of this before giving their consent. Withdrawing consent must be as easy as giving consent.
(4) When assessing whether consent was given voluntarily, the fact must be taken into account to the greatest possible extent whether, among other things, the performance of a contract, including the provision of a service, is dependent on consent to the processing of personal data, which are not necessary for the performance of the contract.
Art 13 Duty to inform when collecting personal data from the data subject
If personal data is collected from the data subject, the person responsible shall notify the data subject of the following at the time this data is collected:


a)
the name and contact details of the person responsible and, if applicable, his representative;









b)
if applicable, the contact details of the data protection officer;









c)
the purposes for which the personal data are to be processed and the legal basis for the processing;









d)
if the processing is based on Article 6 paragraph 1 letter f, the legitimate interests pursued by the controller or a third party;






[..]
Art 17 right to cancellation [..]
The data subject has the right to request the person responsible to delete personal data concerning them immediately, and the person responsible is obliged to delete personal data immediately if one of the following reasons applies:


a)
The personal data are no longer necessary for the purposes for which they were collected or otherwise processed.









b)

The data subject withdraws the consent on which the processing was based in accordance with Article 6 (1) (a) or Article 9 (2) (a) and there is no other legal basis for the processing.
[...]







Art 58
"(1) Each supervisory authority has all of the following investigative powers, which it permits
[..]
b) carry out investigations in the form of data protection reviews,
[..]
(2) Each supervisory authority shall have all of the following remedial powers which it may allow:
a) - to warn a controller or a processor that intended processing operations are likely to violate this regulation,
b) - to warn a controller or a processor if he has violated this regulation with processing operations,
c) - to instruct the controller or the processor to comply with the data subject's requests to exercise his or her rights under this Ordinance,
d) - to instruct the controller or the processor to bring processing operations into conformity with this Regulation, if necessary in a specific manner and within a specific period of time,
e) - to instruct the person responsible to notify the person affected by a personal data breach accordingly,
f) - to impose a temporary or permanent restriction on processing, including a ban,
g) - order the correction or deletion of personal data or the restriction of processing in accordance with Articles 16, 17 and 18 and the notification of the recipients to whom this personal data has been disclosed in accordance with Article 17 paragraph 2 and Article 19 of such measures,
h) - to revoke a certification or to instruct the certification body to revoke a certification issued in accordance with Articles 42 and 43, or to instruct the certification body not to issue certification if the requirements for certification are not or no longer met,
[...]. "
From a legal point of view it follows:
According to the case law of the Administrative Court, the preliminary decision on the complaint does not expire on the basis of a permissible application for a reference. The appeal that the administrative court has to decide on, however, remains the complaint in the case of a permissible submission: The submission - including one from parties other than the complainant - is based on the VwGVG (only) on the fact that the complaint is submitted to the Administrative court is presented, it may also contain an (additional) reason. Since the complaint is directed against the exit decision (and its justification must refer to it), the exit decision also remains the yardstick for determining whether the complaint is justified or not. However, only the preliminary decision on the appeal that has taken the place of the initial notification can be revoked, changed or confirmed (see VwGH, December 17, 2015, Ro 2015/08/0026 in detail).
It corresponds to the case law of the Administrative Court that the preliminary decision on the complaint pursuant to Section 14 VwGVG - not unlike the decision of the Administrative Court pursuant to Sections 28 and 31 VwGVG - is a decision on the complaint which, if no request for a reference is made, also finally settles it. It follows from this that the matter of the proceedings cannot be limited differently at this stage than in the proceedings before the administrative court itself. Section 14 VwGVG also (also) explicitly refers to Section 27 VwGVG, which defines the permissible scope of examination for the administrative court. Regarding the matter of the proceedings before the administrative court and the extreme limits of its authority to examine, the administrative court has repeatedly stated that it is only a matter that formed the content of the verdict of the initial decision (see VwGH 6.5.2020, Ra 2019 / 08/0114; VwGH 8.5.2018, Ro 2018/08/0011).
In the specific case, the authority in question, according to its own statements in the initial decision, limited the subject of the examination to the review of the declarations of consent as the legal basis for data processing for the purpose of profiling and was accordingly also in the ruling and in the legal bases of the initial decision referred exclusively to the lack of one of the DSGVO corresponding declaration of consent is referred to as the legal basis for such data processing ("[..] it is established that the request for consent [...] does not meet the requirements for consent according to Art 4 Z 11 GDPR and Art 7 GDPR and that consequently the Processing [..] in the absence of valid consent is not permitted "[..] Legal basis: [..] Art. 6 Paragraph 1 lit a, Art 7 Paragraph 1 and Paragraph 2, [..] ").
An examination of the other possible legal bases according to Art 6 GDPR did not take place and this was obviously not the subject of the ex officio examination and investigation procedure. The authority in question not only reduced its entire examination procedure to the legal basis of consent for the data processing in question and only asked the complainant questions about this in its request for a statement, but instead conducted it with reference to the guidelines of Art 29 data protection group in the initial decision (and also in the further procedure) even decidedly and justifying that another legal basis, such as that of the legitimate interests according to Art 6 Paragraph 1 lit f GDPR, should not be considered retrospectively in the event of problems with a declaration of consent and such a weighing of interests due to the “reasonable expectations” of those affected, it was not even offered or was never asserted by the complainant. You have therefore (solely) based on the violation of law pursuant to Article 7 (2) GDPR, taken appropriate measures in accordance with Article 58 (2) GDPR.
In its preliminary ruling on the complaint and in its counter-notification submitted to the Federal Administrative Court, the authority concerned also stated that the complainant had relied exclusively on the legal basis of consent and that it was not the task of a supervisory authority to use a substitute authorization for a person responsible.
In view of these statements and considerations - as the ruling in the initial decision makes unequivocally and sufficiently clear - it can be assumed that the subject matter of the initial decision issued ex officio by the authority concerned is solely based on the existence of a legally valid declaration of consent as (possible) The legal basis for the data processing in question was limited (see also the constant case law of the VwGH cited in Hengstschläger / Leeb, AVG § 59 (status 1.7.2005, rdb.at), Rn 111, according to which only if there are doubts about the content of the ruling for the interpretation of which the justification must also be used.).
A further review of any other permissions that may be considered under Art 6 GDPR was therefore - as can also be seen from the own statements of the authority concerned, deliberately - not included in the examination subject of the notification of exit (officially determined by the authority concerned) and can be a such should therefore in no way be the subject of a complaint procedure directed against this decision.
Since the authority concerned, based on the complainant's complaint, agreed on this in its preliminary decision on the complaint, it exceeded the matter of its original decision. The preliminary decision on the complaint was therefore to be resolved without replacement for this reason (due to lack of jurisdiction) - provided it included a review of the legality of the data processing that was not limited to the declarations of consent.
But even otherwise, the authority concerned does not have any authorization to make the present (pre-appeal) decision (see on the administrative court's authority to review the matter if the matter is exceeded by the preliminary appeal decision VwGH 08.05.2018, Ro 2018/08/0011, according to which the Federal Administrative Court itself in this case about the appeal - within the matter of the procedure limited by the initial decision - has to decide).
When issuing the decision, the authority concerned relied on its powers under Article 58 Paragraph 2 lit d and f GDPR.
Both the remedial authority of the instruction standardized in Art. 58 Paragraph 2 lit d GDPR and the prohibition under Art 58 Paragraph 2 lit f GDPR presuppose that there has been an (established) violation of the GDPR (see Polenz in Simitis, Hornung , Spiecker (Ed.), Data Protection Law, Art. 58 Rz 33 and 38).
In the present case, the authority concerned - as already explained above - (exclusively) checked in its (initial) decision determining the matter and determined that the data processing for profiling was unlawful due to a lack of valid consent according to Art 6 (1) (a) GDPR. An examination of the other possible legal bases according to Art 6 GDPR did not take place.
With reference to the guidelines of the Article 29 Data Protection Group, the authority concerned stated that a retroactive use of another legal basis for processing in the event of problems with the declaration of consent (the person responsible) was not permitted with regard to Article 13 (1) (c) GDPR and, moreover, the complainant never referred to any other legal basis.
In doing so, however, the authority in question fails to recognize, on the one hand, that it is solely responsible for checking the legality of data processing and that it is only bound by the law and not dependent on an expressed standard application claim of the person responsible (see Klement in Simitis / Hornung / Spiecker (ed .), Data protection law, Article 7, margin no.34).
On the other hand, the authority concerned is thus also mixing the principles of "legality", "processing in good faith" and "transparency", which are standardized in Art must be considered from each other (see Jahnel, Commentary on GDPR, Art. 5 Rz 9 and Art 13 Rz 40; Herbst in Kühling / Buchner (Hrsg), DSGVO² Art 5 Rz 11; Frenzel in Paal / Pauly, DS-GVO / BDSG² , Art 6 GDPR margin no.7; Roßnagel in Simitis, Hornung, Spiecker (ed.), Data protection law, Art. 5 para. 1 margin no.39).
For example, information that is not in accordance with Art.13 (1) (c) GDPR may constitute a violation of the principle of transparency or, if applicable, processing in good faith and may also be punished as such by the authority concerned (see Heberlein in Ehmann / Selmayr , DSG-VO2, Art 5 margin no.35; Roßnagel loc.
A lack of authorization for data processing per se and thus a violation of the principle of legality detailed in Art 6 GDPR cannot be derived from this per se (cf. Jahnel, op. Cit., Art. 5 Rz 9; Roßnagel, op. Cit.).
It is also not overlooked that the principles standardized in Article 5 (1) (a) GDPR have reciprocal substantive references to one another and, for example, the principle of good faith in the context of a weighing of interests between the interests of the person responsible and required under Article 6 (1) (f) GDPR those of the data subjects can be taken into account (see Recital 47 of the GDPR; Jahnel, loc. cit., Rn 12; Schantz in Simitis, Hornung, Spiecker (ed.), Data Protection Law, Art. 6 Para.
Nevertheless, it should be noted that the principle of legality regulating the authorization or even the obligation to process is not necessarily related to the principles of “transparency” and “processing in good faith” that regulate the manner of processing, and to this extent also is to be considered independently of these (see also Herbst, op. cit. 7; Frenzel op. cit. Art. 5, para. 13 ff).
A different point of view would have the consequence that any violation of the method of processing would also result in unlawful data processing and, even in the case of legitimate or even mandatory data processing, this would have to result in unrestricted deletion, among other things. Such an obligation to delete without exception cannot be derived from the GDPR. Rather, Article 17 (1) (d) GDPR even explicitly stipulates that when consent is revoked, the data are only to be deleted if there is no other legal basis (cf. Herbst supra para. 10; Jahnel, para 26).
Incidentally, the wording of Art 6 (1) GDPR ("[..] if at least [..]") clearly shows that the legality of data processing is based not only on one, but on several equally important legal bases (cf. Buchner / Petri, in Kühling / Buchner (Hrsg), DSGVO² Art 6 Rz 22; Jahnel loc. cit. Art 6 Rz 5 ff).
The fact that, in the event of an invalid consent, generally recourse to other permissions under Art 6 GDPR would not be possible if the data subject was not given prior information can ultimately not be inferred from the guidelines of Art 29 Data Protection Working Group cited by the authority concerned and from the relevant literature (including Buchner / Kühling, in Kühling / Buchner (ed), GDPR² Art 7 margin no. 18; Schantz in Simitis, Hornung, Spiecker (publisher), data protection law, Art. 6 para. 1 margin no. 12).
Rather, it exclusively refers to the constellation of the revocation of a declaration of consent and the fact that the data subject in this case suggests further processing of his data on the basis of his declaration of consent, which is decisive for the weighing of interests of Art 6 Paragraph 1 lit f GDPR Do not expect decision-making power (anymore), referred to.
However, this does not make a statement about the other possible conditions of permission of Art 6 GDPR, nor about the - here present - case of a (supposedly) not even sufficiently made aware of the person concerned and thus not triggering any expectations at all.
Ultimately, however, it cannot be inferred from recital 47 of the GDPR, cited by the authority concerned in this context exclusively in relation to Art 6 (1) (f) GDPR, that the lack of a declaration of consent means any balancing with possible legitimate interests of a person responsible in the processing from the outset make superfluous. Rather, it is just stated that in each case a weighing of interests must be carried out, but the reasonable expectations of a data subject with regard to processing of his data must be taken into account accordingly ("The lawfulness of the processing can be determined by the legitimate interests of a controller .. . be justified, provided that the interests or the fundamental rights and freedoms of the data subject do not prevail; the reasonable expectations of the data subject ... must be taken into account. ").
The view of the authority concerned that an invalid declaration of consent would in any case result in unlawful data processing if the data subject was insufficiently informed about other legal bases and would make a review of the other legal bases unnecessary, cannot be accepted.
The mere examination of the legal basis of consent cannot therefore justify a violation of the principle of legality and therefore no entitlement to remedial action based on Article 58 (2) (d) and (f) GDPR (see also expressly the decision of the Federal Administrative Court on this , BVwG, 04.04.2019, W214 2207491-1 / 14E).
The preliminary decision on the complaint was therefore to be resolved entirely without replacement, whereby for the sake of completeness it is pointed out that it is incumbent on the authority concerned and that it is not prevented from issuing any instructions pursuant to Art 58 in a (renewed) official procedure with a changed (perhaps expanded) subject matter of the procedure Paragraph 2 of the GDPR.
Finally, it is also noted that with this result - since even if there was a possibly invalid declaration of consent, a violation of the legality and thus an entitlement to remedy according to Article 58 Paragraph 1 lit b and lit f GDPR could not be assumed without further ado - a dispute with the (in) validity of the present declaration of consent, but also with the right to remedy the case on the part of the court.
to omit an oral hearing:
An oral hearing could be omitted in the present case according to § 24 Abs 2 Z 1 VwGVG because it was already established on the basis of the file situation that the contested decision had to be "set aside" (cf. for the similar earlier legal situation Hengstschläger / Leeb, AVG § 67d [status 1.7.2007 , rdb.at] margin no. 22, according to which “repeal” means the complete elimination, ie in any case the elimination of the contested decision without replacement).
to B) Admissibility of the revision:
According to § 25a Abs 1 VwGG, the administrative court has to pronounce in the verdict of its decision or decision whether the revision is admissible according to Art 133 Abs 4 B-VG. The statement must be briefly justified.
The revision is permissible according to Art 133 para 4 because the decision depends on the solution of a legal question that is of fundamental importance. For example, there is no case law of the highest court on the question of whether retrospective recourse to other permissions under Art 6 GDPR is permissible in order to assess the legality of data processing in the event of an invalid consent according to Art 6 Para 1 lit a GDPR.
It was therefore to be decided by the Senate according to the ruling.


European Case Law Identifier
ECLI: AT: BVWG: 2021: W256.2227693.1.00