BVwG - W258 2227269-1/14E

From GDPRhub
BVwG - W258 2227269-1/14E
Courts logo1.png
Court: BVwG (Austria)
Jurisdiction: Austria
Relevant Law: Article 4(7) GDPR
Article 4(8) GDPR
Article 5(1)(a) GDPR
Article 5(1)(b) GDPR
Article 6(1) GDPR
Article 6(4) GDPR
Article 9 GDPR
Article 30 GDPR
Article 35 GDPR
Article 83(4)(a) GDPR
Article 83(5)(a) GDPR
Article 83(8) GDPR
Article 133(4) Federal Constitution (Bundes-Verfassungsgesetz - B-VG)
§ 1 Austrian Data Protection Act (Datenschutzgesetz - DSG)
§ 30 Austrian Data Protection (Datenschutzgesetz - DSG)
§ 44a Austrian Adminstrative Penal Act (Verwaltungsstrafgesetz - VStG)
§ 45(1) Austrian Adminstrative Penal Act (Verwaltungsstrafgesetz - VStG)
Decided: 26.11.2020
Published: 02.12.2020
Parties: Austrian Postal Service (fined controller)
National Case Number/Name: W258 2227269-1/14E
European Case Law Identifier: ECLI:AT:BVWG:2020:W258.2227269.1.00
Appeal from: DSB
DSB-D550.148/0017-DSB/2019 (not published)
Appeal to: Unknown
Original Language(s): German
Original Source: Rechtsinformationssystem des Bundes (RIS) (in German)
Initial Contributor: Marco Blocher

The Austrian Federal Administrative Court (BVwG) overturned the 18 million Euro fine imposed on the Austrian Postal Service: the Austrian DPA had failed to establish that the natural persons acting on behalf of the Austrian Postal Service had engaged in culpable conduct.

English Summary[edit | edit source]

Facts[edit | edit source]

The facts and cirumstances that lead to the fine can be read in the summary of BVwG - W258 2217446-1, another decision of the Austrian Federal Administrative Court (Bundesverwaltungsgericht - BVwG) dealing with different legal issues of the same case.

Based on the unlawful processing of data on the "affinity for a political party", the DSB imposed a 18 Mio Euro fine on the Austrian Postal Service. In detail, the DSB held the Austrian Postal Service responsible for violating

  • Article 5(1) GDPR
  • Article 6 (1) GDPR
  • Article 6(4) GDPR
  • Article 9 GDPR
  • Article 14 GDPR
  • Article 30 GDPR
  • Article 35 GDPR and
  • Article 36 GDPR.

The fine was issued directly against the Austrian Postal Service as controller under Article 4(7) GDPR without establishing culpable conduct of natural persons acting on behalf of the Austrian Postal Service. Based on this omission, the Austrian Postal service appealed against the fine.

Dispute[edit | edit source]

Can the DSB impose a fine under Article 83 GDPR directly on a legal person, without having to investigate and establish culpable conduct of natural persons acting on behalf of the legal person?

Are the national rules of administrative penal law of any relevance to this question or is it to be answered solely under the rules of the GDPR?

Holding[edit | edit source]

The BVwG held that the provisions of the Austrian Administrative Penal Act (Verwaltungsstrafgesetz - VStG) and the Austrian Data Protection Act (Datenschutzgesetz - DSG) apply on fines imposed by the DSB under Article 83 GDPR: Pursuant to Article 83(8) GDPR, the exercise by the supervisory authority of its powers under Article 83 GDPR shall be subject to appropriate procedural safeguards in accordance with Union and Member State law, including effective judicial remedy and due process. In light of this provision, the BVwG held, that national procedural rules are in fact to be applied when imposing a fine for a GDPR violation.

According to the BVwG, the DSB had violated § 44a and § 45 VStG and § 30 DSG by not establishing culpable conduct of natural persons acting on behalf of the Austrian Postal Service. In order to impose a fine on the Austrian Postal Service, the DSB would have had to establish that natural persons who have

  • the authority to represent the Austrian Postal Service,
  • the power to take decisions on behalf of the Austrian Postal Service, or
  • the authority to exercise control within the Austrian Postal Service

violated the GDPR. Therefore the fine was overturned.

Comment[edit | edit source]

It must be noted that the fine was only overturned due formal mistakes by the DSB. In the desision BVwG - W258 2217446-1 the BVWG considered the processing of the data on the"affinity for a political party" by the Austrian Postal Service unlawful.

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the German original. Please refer to the German original for more details.

IN THE NAME OF THE REPUBLIC!

The Federal Administrative Court appointed the judge Mag. Gerold PAWELKA-SCHMIDT as chairman and the expert lay judges Dr. Gerd TRÖTZMÜLLER and Gerhard RAUB as assessors about the complaint of XXXX, represented by Schönherr Rechtsanwälte GmbH, 1010 Vienna, against the criminal judgment of the data protection authority of 23.10.2019, GZ DSB-D550.148 / 0017-DSB / 2019, rightly in a closed session recognized:

A)

I. The complaint will be followed, the contested conviction will be corrected and the proceedings will be discontinued according to § 45 Abs 1 Z 3 VStG.

II. According to Section 52 (8) VwGVG, the complainant does not have to bear any costs.

B)

The revision is not permitted in accordance with Art. 133 Paragraph 4 B-VG.





text

Reasons for the decision:

I. Procedure:

1. On the basis of media reports on the alleged sale of personal data, in particular information about the "political affinity" of certain people, the authority in question initiated an official investigation procedure against the complainant on January 8, 2019, which with the decision of February 11, 2019 on the GZ DSB-D213.747 / 0002-DSB / 2019 has ended.

2. On the basis of the investigation results of the official investigation procedure, the authority concerned initiated administrative criminal proceedings against the complainant and, with a request for justification on February 20, 2019, charged her with the following administrative violations: The complainant is suspected

1. to have unlawfully processed special categories of personal data in accordance with Art. 9 GDPR (“party affinities”) in the course of exercising the trade “address publishers and direct marketing companies” by not obtaining the consent of the data subjects and otherwise not relying on any of the data processing in Art 9 DSGVO conclusively listed facts can be supported,

2. personal data such as

- Affinity for donations

- bioaffinity

- partnership

- annual income

- type of acquisition

- qualification

- Consumption-oriented basis

- Night owls

- Package frequency (number of packages in a certain period of time)

- Affinity for moving

- Investment affinity

- phase of life

to have unlawfully processed "address publishers and direct marketing companies" (storage and sale to third parties) in the course of exercising the trade, by not having obtained the consent of the data subjects and otherwise not based the data processing on any of the legality facts listed in Art 6 (1) GDPR could be

3. To have violated their obligation to carry out a data protection impact assessment regarding the application "XXXX target group addresses" (note: XXXX stands for XXXX) by failing to carry out the data protection impact assessment within the period, contrary to the time specified in the data protection impact assessment March to June 2018, but at a later date, but in any case after May 25, 2018,

4. To have created the data protection impact assessment for the application "XXXX - target group addresses" incorrectly because it denies the processing of special categories of personal data, although according to Annex 2D the "party affinity" is calculated, and as a result the existence of a high risk therefore I will in any case deny

5. To have created the directory for processing activity "XXXX - target group addresses" incorrectly because it contained

- a. processing of particularly sensitive data, including political opinion, as well as

- b. extensive processing of sensitive data

will be denied

6. To have created the directory for processing activity "XXXX - target group addresses" inadequately because it did not list all of the data categories actually processed,

7. to have failed to carry out a consultation in accordance with Art 36 GDPR and

8. Not having fulfilled their obligations under Art 14 GDPR by not informing the data subject to the extent necessary about which data not collected directly from the data subject, by whom and in what manner and then transmitted to third parties - e.g. sold or on made available in another way -

so administrative offenses according to

To 1): Art 5 Paragraph 1, Art 9 in conjunction with Art 83 Paragraph 5 lit a GDPR

To 2): Art 5 para 1, Art 6 para 1 in conjunction with Art 83 para 5 lit a GDPR

Re 3) + 4): Art 35 in conjunction with Art 83 Para 4 lit a GDPR

Re 5 + 6): Art 30 in conjunction with Art 83 Para 4 lit a GDPR

To 7): Art 36 in conjunction with Art 83 Para 4 lit a GDPR

Re 8): Art 14 in conjunction with Art 83 Para 5 lit b GDPR

to have committed.

4. After carrying out evidence proceedings and an oral hearing on September 23, 2019, the authority in question pronounced a penalty on October 23, 2019,

The accused had been responsible as the person responsible within the meaning of Art 4 Z 7 of Regulation (EU) 2016/679 on the protection of natural persons in the processing of personal data, on the free movement of data and on the repeal of Directive 95/46 / EC (General Data Protection Regulation, hereinafter : GDPR), OJ. No. L 119 of 4.5.2016, S 1, responsible for the following:

to I .: from May 25, 2018 to February 21, 2019,

re II .: from May 25, 2018,

to IV .: from May 25, 2018,

to V .: from May 25, 2018 and

to VI .: from May 25th, 2018,

I. the unlawful processing of special categories of personal data within the meaning of Art 9 GDPR ("party affinities") within the scope of the business of "address publishers and direct marketing companies"; this by not obtaining the consent of the persons concerned and the data processing cannot otherwise be based on any of the facts conclusively listed in Art 9 GDPR;

II.

a) the unlawful further processing of personal data, namely the number of parcels received during a certain period of time (parcel frequency) and the frequency of relocations of persons concerned within the scope of the trade of "address publishers and direct marketing companies"; This is done by not obtaining the consent of the data subjects and the data processing cannot otherwise be based on any of the legality facts finally listed in Art 6 Para 1 GDPR and the data relating to the frequency of parcels and the frequency of relocation are changed to a purpose not covered by Art 6 Para 4 GDPR were;

IV. The inaccuracy of the data protection impact assessment for the application "XXXX - target group addresses", since in this the processing of special categories of personal data was denied, although the "party affinity" had been calculated and processed, and yet the result was a high risk in any case it was denied,

V. the flawedness of the directory for processing activity "XXXX - target group addresses", since according to this

a) processing of particularly sensitive data, including political opinion, as well as

b) extensive processing of sensitive data is denied and

VI. the inadequacy of the directory for processing activities “XXXX - target group addresses”, since it did not list all the data categories actually processed and so it was not drawn up in sufficient detail.

The breach of duty is attributed to the legal person "XXXX" because the natural persons responsible for the violations belong to the economic unit that is formed by the person responsible as a legal person.

As a result, the person responsible violated the following legal provision (s):

Re I .: Art. 5 Para. 1 lit. a, Art. 9 in conjunction with Art. 83 Para. 5 lit. a GDPR

Re II.a): Art. 5 Para. 1 lit. a and lit. b, Art. 6 Para. 1 and Para. 4 in conjunction with Art. 83 Para. 5 lit. a GDPR

On IV .: Art. 35 in conjunction with Art. 83 Para. 4 lit. a GDPR

Re V. and VI .: Art. 30 in conjunction with Art. 83 Para. 4 lit. a GDPR.

A fine of EUR 18,000,000.00 is therefore imposed on them in accordance with Article 83 (5) (a) GDPR and the reimbursement of procedural costs in the amount of EUR 1,800,000.00 is imposed.

On the other hand, the procedure with regard to the charge

II b) unlawful processing through the storage and sale of personal data of the categories

- Affinity for donations

- bioaffinity

- partnership

- annual income

- type of acquisition

- qualification

- Consumption-oriented basis

- Night owls

- investment affinity

- phase of life,

III. The accused had thereby violated her obligation to carry out a data protection impact assessment regarding the application "XXXX target group addresses" by not doing the data protection impact assessment in the period from March to June 2018, but at a later point in time, but in any case after May 25, 2018 , was carried out,

VII. According to which the accused (wrongly) failed to conduct a consultation in accordance with Art 36 GDPR,

VIII. According to which the accused has not fulfilled her obligations under Art. 14 GDPR by not informing the data subject to the extent necessary about which data not collected directly from the data subject, by whom and in what manner and then transmitted to third parties sold or otherwise made available -

each set in accordance with Section 45 Paragraph 1 Item 1 (1st case) VStG.

5. The complaint in question of November 25, 2019 is directed against this finding because of deficiencies in the assessment, incorrect legal assessment, unlawful measurement of fault and assessment of the amount of the penalty and requested, with more detailed reasons, to remedy the penal decision without replacement and to proceed with the procedure in accordance with Section 38 VwGVG in conjunction with Section 45 (1) VStG to discontinue the procedure according to § 38 VwGVG in conjunction with § 45 Paragraph 1 Z 4 VStG in conjunction with § 11 DSG with issuance of a warning or in conjunction with § 33a VStG through advice or in conjunction with § 45 Paragraph 1 Z 1 VStG with a warning to suspend the penalty to reduce a measure appropriate to the act and guilt. Among other things, for the imposition of a fine according to the GDPR on a legal person such as the person concerned, it is not sufficient to fulfill a criminal offense, it must be for you as a legal person,who cannot act themselves, the actions of a natural person can also be attributed. The authority concerned omitted this attribution, which must be carried out in accordance with § 30 DSG.

6. With the submission of files dated January 7th, 2020, received on April 16, 2020, the authority in question submitted the complaint to the Federal Administrative Court, including the administrative act, disputed the complaint and applied for the complaint to be dismissed with a detailed explanation. Among other things, the authority in question stated that since fines under the GDPR are an association responsibility model of its own, which would not reduce procedural guarantees required under fundamental law, there would be no room for an attribution rule such as Section 30 of the GDPR.

7. With the parties to be heard on July 17, 2020, the authority in question was held up to the decision of the Administrative Court of May 12, 2020, Ro 2019/04/0229, which had been made in the meantime, according to which it was necessary to impose a fine on a legal person under the GDPR to demonstrate factual, illegal and culpable behavior of a natural person, which is to be attributed to the legal person and such a defect cannot be remedied by the administrative court, if the natural persons for whose behavior the legal person is to be held responsible for the first time specifies in the complaint procedure would.

8. With statements of July 29th, 2020, August 13th, 2020 and November 12th, 2020, the authority in question submitted that the criminal conviction showed that the board or its members, i.e. representatives within the meaning of Section 9 VStG, had been informed about data protection processes and referred In this regard, to the findings under point 4.7 of the penal decision, according to which the project "Fitness for the GDPR" had been decided by the board, the board had been reported to the board on all data protection-relevant aspects by the relevant natural persons in a managerial function and on the board's part XXXX was responsible has been.

Furthermore, the authority in question submitted that there was no “acte claire” in the sense of the case law of the European Court of Justice because, in deviation from the decision of the Austrian Administrative Court, the Conseil d'État, the highest French administrative court, in its decision of June 19, 2020, N ° 430810, assuming that it is not necessary for the imposition of fines according to the GDPR on legal persons to name natural persons whose behavior can be attributed to the legal person. Due to the different opinions of two highest courts from different Member States, this question must therefore be interpreted by the ECJ. Furthermore, the authority concerned referred to a - orally announced but not yet executed - judgment of the Bonn Regional Court of 11.11.2020,GZ 29 OWi-430 Js-OWi 366 / 20-1 / 20 LG, in Section 30 of the Administrative Offenses Act - OWiG, a regulation comparable to Section 30 DSG, according to which, for the imposition of a fine on a legal person, the attribution of the actions of a natural person Person needs to be partially incompatible with the imposition of fines according to Art 83 GDPR and the authority does not have to specifically determine which employee has committed acts.

The authority in question therefore applied for the cited judgment of the Bonn Regional Court to be obtained, as well as to obtain a preliminary ruling from the ECJ in accordance with Art. 267 TFEU on the question of whether a decision imposing a fine under Art. 83 GDPR on a legal person is an infringement and culpable behavior of a natural person is to be shown, which should be attributed to the legal person.

9. Mit Stellungnahme vom 04.09.2020 replizierte die Beschwerdeführerin zusammengefasst ua, dass auch mit dem ergänzenden Vorbringen der belangten Behörde kein tatbestandsmäßiges, schuldhaftes und rechtswidriges Verhalten einer natürlichen Person dargetan werde, das ihr als juristische Person zugerechnet werden könne. Mit der Anregung auf Vorabentscheidung durch den EuGH verlange die belangte Behörde vom EuGH eine unzulässige Auslegung einer nationalen Rechtsnorm, § 30 DSG, und Überprüfung der Rechtsprechung des VwGH. Die Umsetzung der Sanktionsnorm des Art 83 DSGVO sei – unter Verweis auf die Rechtsprechung des VwGH und weiterer näherer Begründung – dem nationalen Recht überlassen, weshalb es zu Unterschieden zwischen einzelnen Mitgliedstaaten kommen könne. Auch das strafrechtliche Beschleunigungsgebot spreche gegen eine Vorlage an den EuGH.

Evidence was obtained through inspection of the administrative file and the decision of the Conseil d'État of June 19, 2020, N ° 430810.

II. The Federal Administrative Court has considered:

1. The following is certain:

1.1. The authority concerned has carried out administrative criminal proceedings against the complainant, a legal person set up in the legal form of a stock corporation, for AZ DSB-D550.148.

1.2. In this process were

 apart from the summons of witnesses, addressed letters from the authorities concerned to the complainant, for the attention of XXXX,

 only accused the complainant of the administrative violations and

 Ms. XXXX as representative of the accused questioned as accused and all other natural persons questioned as witnesses.

1.4. In the criminal decision of the authority concerned dated October 23, 2019, GZ DSB-D550.148 / 0017-DSB / 2019, the following is carried out insofar as this is relevant to the procedure:

"Accused: XXXX (FN XXXX)

The XXXX with its seat in XXXX, XXXX, has [...]

as the person responsible within the meaning of Art. 4 No. 7 of Regulation (EU) 2016/679 for the protection of natural persons in the processing of personal data, for the free movement of data and for the repeal of Directive 95/46 / EC (General Data Protection Regulation, hereinafter: GDPR ), OJ. No. L 119 of 4.5.2016, S 1, responsible for the following:

[...]

The breach of duty is attributed to the legal person "XXXX" because the natural persons responsible for the violations belong to the economic unit that is formed by the person responsible as a legal person.

[...]

Reason:

I. The following facts relevant to the decision are certain on the basis of the evidence procedure carried out: [...]

1.1. XXXX (hereinafter: XXXX) has been operating the business of address publishers and direct marketing companies since XXXX and sells personal data as part of the “XXXX” product that it receives from address dealers or that it has collected itself.

[...]

2.1. As of January 2016, a name allocation of so-called "XXXX" took place within the "Address Publishing and Direct Marketing" division. "

[...]

3.1. The XXXX transmits personal real data from the XXXX division, namely the XXXX division, to the “Address Publishing and Direct Marketing” division in order to assign the selection criterion of the XXXX to individual people by name and then market it.

[...]

4. Regarding the company's internal responsibilities:

4.1. On the part of the board, XXXX was responsible for the business area of ​​address publishing and direct marketing until XXXX, then XXXX. Below the executive board level, XXXX is responsible as the division manager of the XXXX division; it is the area in which all business activities related to addressed advertising take place. XXXX, around 800 employees of XXXX and departments that are employed in outsourced companies and group subsidiaries report. Including the head of the specialist department "XXXX" (short: XXXX, XXXX - internal term for the specialist area that deals with address and direct marketing), Mr. XXXX. The latter has held this position since XXXX, before that XXXX was in charge of this department until XXXX.The trade “address and direct marketing” within the meaning of § 151 GewO is located at XXXX in the “XXXX” department. This department belongs to the area of ​​"XXXX".

4.2. Within this area, Ms. XXXX is again the head of product and quality management; In the course of this, Ms. XXXX is also managing director for the trade of address publishers and direct marketing according to § 151 GewO. Her tasks include product development, process control and answering data protection queries from those affected. In addition, Ms. XXXX is responsible for coordinating with the data protection officer of XXXX. Ms. XXXX's position is referred to as the “data protection manager” within the corporate structure. Ms. XXXX is the company-wide data protection officer for XXXX. In addition, there are the aforementioned data protection managers in each business area.

4.3. Within the XXXX, preparatory measures for the coming into force of the GDPR began in 2017. This project intensified in autumn 2017 and an external, internationally operating consulting company was brought in. These preparatory measures were referred to by XXXX as the GDPR project "Fitness for the GDPR". From December 2017 so-called "steering committees" took place regularly:

4.4. The project client was the board of directors of XXXX (XXXX). The steering committee itself consisted of the following people:

- XXXX
XXXX
XXXX
XXXX
XXXX
XXXX
XXXX
XXXX
XXXX
XXXX
XXXX

The extended steering committee also included the members of the Board of Management.

4.5. The project management was the responsibility of the data protection officer of XXXX, Ms. XXXX.

4.6. So-called project team jour fixes, project management jour fixes each week, steering committee meetings at least monthly and extended steering committee meetings took place every two months, the latter taking place monthly from March 2018. In addition, issues related to specific cases were dealt with in board meetings. XXXX took part in the project management jour fixes.

4.7. In summary, according to statements by XXXX, the aim of this project was to create the conditions for a holistic implementation of the GDPR through risk-oriented prioritization in several phases. This project order was decided and implemented by the board of directors and the steering committee. A project management team made up of representatives from the legal department and revision was used to implement the project. Regular reports on the progress of the project were made to the board of directors and management.

4.8. The head of the group-wide legal department of XXXX is XXXX, this is the authorized signatory of XXXX. In this function, she is also responsible for compliance with data protection law throughout the group.

[...]

4.9. The respective product responsibility lies with the respective heads of the respective departments. The legal department is involved in legal issues and legally relevant documents (e.g. submissions and applications to authorities and courts) must be approved by the head of the legal department.

4.10. With regard to the processing of data relating to "party affinities", the department heads, the head of the legal department and the data protection officer did not recognize any legal risk with regard to the entry into force of the GDPR on May 25, 2018; This is not because - contrary to our own practice in the case of requests for information according to Art 15 GDPR - it was assumed that it is not personal data but statistical extrapolations. Ms. XXXX was employed as data protection manager (DSM) in the area of ​​direct marketing; according to the assessment of XXXX, she has expertise in data protection law and she assessed the data processing as uncritical. As a result, no independent external legal assessment was sought.

4.11. The data protection officer, Ms. XXXX, did not express any concerns with regard to the legal risk of data processing for the creation and sale of the selection criterion of "party affinities" as part of the preparatory project for the GDPR. The same applies to the head of the group-wide legal department of XXXX.

4.12. As part of the entire investigation before the data protection authority, XXXX did not submit any documents from which a detailed legal dispute and examination of the legal question as to whether the data processing in connection with the creation and sale of the selection criterion of the "party affinities" within the scope of the product range of the Business "address publishing and direct marketing" with a view to the coming into force of the GDPR are in line with this or can be brought into line. There are no relevant meeting minutes for the above-mentioned preparatory meetings for the GDPR, as they were not prepared by the relevant managers of the departments of XXXX.At the related meetings, PowerPoint presentations were created and individual transcripts were made. Open points were addressed at the next meeting.

4.13. XXXX products were not discussed as part of the GDPR preparation. According to the head of the legal department, the aim was to provide general information to the board of directors about the GDPR with the mandate that the respective organizational units deal with it and report any necessary changes. Framework conditions were specified such as: the directory of processing activities and regular jour fixes for data protection managers. Regarding the XXXX in relation to party affinities, the assessment was that there was no need to change. A need for change would have been reported to the board; this, for example, if a change would have had an expected impact on sales or there would have been a need for investment.

[...]

III. Legally it follows from this:

[...]

2.17. [...] Specifically, the subjectively reproachable behavior of the accused consists in the fact that there is no legally detailed and well-founded discussion of any legal risks in connection with the product range of this business area in general and the selection criterion of the alleged party affinities in particular and the strict ones made available to political groups for a fee Requirements of the GDPR - more precisely their understanding of the term, the processing principles in Art. 5 and the processing prohibition in Art. 9 (1) - with the aim of bringing all processing operations in line with data protection requirements.

In the course of the investigation, neither the data protection officer nor the head of the legal department (an authorized signatory of the company), the head of the "XXXX" division or the head of the department for product and quality management within this division (she is the long-standing commercial manager for the trade of § 151 GewO), written evidence can be provided from which an appropriate legal analysis of this business area could be derived - corresponding to the size of the company and the enormous number of data records processed, and considering the large number of potentially affected persons would.

For example, no (albeit internal) legal opinion or a legal problem outline could be submitted that dealt with the legal opinion represented by the accused.

[...]

However, this expresses the subjectively reproachable behavior on the part of the accused and with regard to lawful alternative behavior the following would have been indicated:

- The data protection officer should have subjected the product range of the party affinities - but also the other product offerings of the business areas in question in connection with direct marketing - to a detailed examination and based on the considerations of the project "Fit for the GDPR" as a basis, if necessary with the consultation of an independent external data protection expert ;

- In the absence of such a check, the head of the legal department and the head of the "XXXX" division should have carried out or initiated such an examination;

- Ultimately, the board of directors should have initiated such a review with the aim of ensuring that all the business areas of XXXX in question were in compliance with data protection law.

The omission of all of this is to be regarded as grossly negligent behavior with regard to the scope of the data processing, the number of people affected and the resulting dangers for their legally protected legal positions.

2.18. In summary, it would have been reasonable for the accused - if only because of their size, their market position, the available knowledge and the available human capacities - to deal substantially with the legal question of the data protection qualifications of the party affinities they market and, as a result, the product range of the “Address Publishing and Direct Marketing” division with the legal requirements of the GDPR. The accused can be reproached for the simple assumption that there is no data protection problem or the failure to recognize one. [...]

3. Regarding ruling point II.a):

[...]

3.12. Regarding the subjective factual side, reference can be made to the relevant justification for point I. In summary, it would be the under point I.4. In any case, it was reasonable for the accused persons to be responsible for dealing with the legal question of the data protection admissibility of the (further) processing operations carried out by them and, as a result, the product range of the "Address Publishing and Direct Marketing" division in accordance with the legal requirements of the GDPR bring to.

[...]

6. Re point IV: [...]

6.2. In the data protection impact assessment, the accused denies the processing of special categories of personal data, in particular the potential political opinion, even though “party affinity” is mentioned in Appendix 2D. Consequently, this date was not included in the assessment.

6.3. Because the accused comes to the conclusion in the data protection impact assessment that no special categories of personal data within the meaning of Art. 9 GDPR are processed and that the risk assessment within the meaning of Art. c GDPR was carried out incorrectly, the data protection impact assessment "XXXX target group addresses" is incorrect. The accused thereby has the objective factual side of the sanction norm of Art. 83 Para. 4 lit. a GDPR fulfilled.

6.4. The accused can also be subjectively reproached for this violation: it would be the duty of the data protection officer and the others in point I.4. Those responsible have been to make a correct data protection assessment of the data quality in relation to party affinity and to incorporate it into the risk assessment according to Art. 35 (7) GDPR and to draw the necessary conclusions from this. With regard to the degree of fault, it is assumed in this context that the behavior is simply negligent, as the behavior in this regard is a consequence of the general misjudgment of party affinities, according to which these are not to be assigned to the special types of data listed in Art 9 (1) GDPR.

7. Regarding the ruling points V. and VI .:

[...]

7.6. Due to the inadequate keeping of the list of processing activities, the accused was informed about the objective facts of the sanction norm of Art. 83 (4) lit. a GDPR fulfilled.

7.7. The accused can also be subjectively reproached for this behavior, since the persons responsible should have ensured compliance with the requirements of a faultless and complete list of processing activities. With regard to point V. grossly negligent behavior is assumed. Failure to list the categories of personal data in sufficient detail is regarded as simply negligent behavior.

8. Regarding the imputability of the violations to the accused:

[...]

8.6. For the present situation, this means the following: The alleged violations are in any case attributable to the accused. They were committed by natural persons who were authorized to act on behalf of the legal person and consequently could act on their behalf. Nor can it be said that those responsible for the accused knew nothing about it; this results from the investigations carried out comprehensively for this purpose and the resulting from point I.4. stated findings. Accordingly, both the board of directors, the authorized signatories and all other executives up to the data protection officer were fully aware of all data processing operations, and they were also involved in the work project specifically carried out for this purpose in preparation for the coming into force of the GDPR.Ultimately, it would be within the competence of the board of directors to ensure that business operations are compatible with the applicable data protection law.

8.7. In the period of the offense, the acting natural persons belonged to the economic unit formed by the accused. The accused never denied this in the proceedings before the data protection authority.

8.8. As a result, there is a sufficient connection between the acting natural persons and the legal person, which allows the illegal and culpable behavior to be attributed to them.

8.9. A specific designation of the natural persons who acted culpably within the accused or who should have been made responsible for the possibly incorrect organization of the accused is not necessary in order to impose a fine on a legal person. [...] "

1.5. Further explanations on the actions of natural persons can not be found in the criminal judgment.

2. The findings result from the following assessment of evidence:

The findings are based on the harmless administrative act.

3. Legally it follows from this:

3.1. The admissible complaint is justified.

3.2. The complainant argues against the conviction that it is not sufficient to impose a fine under the GDPR on a legal person, such as the person concerned, to fulfill a criminal offense; as a legal person who cannot act itself, the actions of a natural person can also be attributed. The authority in question had omitted this attribution, which must be carried out in accordance with Section 30 of the DSG. With this argument, the complainant is in the right:

3.3. According to Section 30 (1) GDPR, the authority concerned can impose fines on legal persons, among other things, if violations of provisions of the GDPR have been committed by persons who have acted either alone or as part of a body of the legal person and have a management position within the legal person due to the Have the authority to represent the legal person, the authority to make decisions on behalf of the legal person, or have a power of control within the legal person.

Legal persons can also be held responsible in accordance with Section 30 (2) GDPR for violations of provisions of the GDPR and Section 1 or Article 2, main part, if there is a lack of supervision or control by a person named in Section 1, the commission of these violations by a for the legal person, provided that the act does not constitute a criminal offense falling under the jurisdiction of the courts.

3.4. For the imposition of a fine according to the GDPR on a legal person, the findings necessary to assess a factual, illegal and culpable behavior, which also meet any additional requirements of criminal liability, must be made in the criminal judgment and in the verdict all necessary elements for a punishment of the natural Person (§ 44a VStG), with the addition that the behavior of the natural person is attributed to the legal person. (VwGH 05/12/2020, Ro 2019/04/0229 with reference to VwGH 03/29/2019, Ro 2018/02/0023)

3.5. Applied to the specific situation, this means:

3.6. In the verdict of the judgment, the authority concerned did not name the natural person whose violation of the GDPR is to be attributed to the complainant. The penalty decision therefore proves to be illegal.

3.7. The administrative court is not allowed to cure this deficiency. Although the administrative court is authorized and obliged to correct an incorrect verdict and, if necessary, to make any missing determinations, it is not allowed to exchange the alleged act.

An inadmissible exchange of the accusation represents an extension of the accusation made by the administrative court in the complaints procedure or the use of facts other than the original basis of the punishment § 50 VwGVG does not exist. If the allegation is directed against the complainant as a legal person, then - due to the dependency of the legal person's criminal liability on the violation of the natural person attributable to it - the accusation against the natural person to be named therein is also included. (for the whole see VwGH 12.05.2020 Ro 2019/04/0229)

3.8. The authority concerned did not name a natural person, neither in the administrative evidence procedure nor in the verdict, whose behavior should have been attributed to the complainant. Also in the justification of the penal decision, which could be used to interpret the verdict, no factual, illegal or culpable behavior of a natural person is set out, which should be attributed to the legal person. It is true that the authority concerned establishes various responsibilities; However, there are no determinations as to who ultimately made the decisionto carry out the data processing recognized as unlawful or to create the data protection impact assessment and the list of processing activities in the manner recognized as unlawful or which lack of monitoring or control should have made the unlawfulness possible.

3.9. Thus, in the administrative criminal proceedings against the legal person, the specification of the natural person for whose behavior the legal person is held responsible would only constitute an inadmissible change in the allegation and the matter of the proceedings within the meaning of Section 50 VwGVG in the complaint procedure.

3.10. Since the lack of concrete definition of the allegation represents a procedural obstacle to a review by the Federal Administrative Court (see Honeder / Praschl-Bischler, case and factual decision in the case of an imprecise verdict in administrative criminal proceedings, ZVG 2016, 294), the criminal proceedings in question had to be discontinued.

3.11 The suggestion made by the authority concerned to submit the question to the ECJ for a preliminary ruling as to whether a natural person had to be shown to have acted as constitutive, illegal and culpable in order to impose a fine according to the GDPR was not to be complied with. The cited decisions of the French Conseil d'État and the Bonn Regional Court do not show any inconsistent application of European law in the individual member states:

According to Art 83 (8) GDPR, the procedural regulations of the member states must also be observed when imposing fines.

The requirement for the imposition of a fine on a legal person to specifically name a natural person whose behavior is to be attributed to the legal person is based on such a procedural provision, namely § 44a Z 1 VStG.

According to § 44a Z 1 VStG, it is legally necessary to describe the act with regard to the perpetrator and the circumstances so precisely that the assignment of the behavior to the administrative regulation that was violated by the act is made possible with regard to all elements of the offense (VwGH 13.12. 2019 Ra 2019/02/0184). Since legal persons cannot act themselves, their criminal liability is a consequence of the actions of a natural person. If a certain group of natural persons comes into question, whose behavior could justify the criminal liability of the legal person, according to the case law of the Administrative Court with regard to § 44a Z 1 VStG it is not sufficient to determine that any person from this group has committed the act - for example Any manager - the person acting must be specifically identified (see Section 99d BWG VwGH 29.03.2019 Ro 2018/02/0023 and to § 30 DSG VwGH 12.05.2020 Ro 2019/04/0229).

Before proceedings before the ECJ, against the background of the decision of the Bonn Regional Court - in the event of its confirmation by the highest court - it could be questionable whether a substantive provision such as § 30 DSG, which attributes the behavior of natural persons to the legal person to be punished, is in accordance with Art.83 GDPR, which is directly applicable in the member states.

But even if § 30 DSG were not applicable, the position of the authority concerned would not be of any help. In this case - in the present case - the attribution of the behavior of natural persons to the legal person would depend on whether through the actions of one or more natural persons, the legal person as the person responsible within the meaning of Art 4 (7) GDPR or, if necessary, as a processor within the meaning of Art 4 (8) GDPR to qualify or not.

Since, however, according to the case law of the VwGH according to § 44a Z 1 VStG, it is necessary to precisely determine the natural person whose behavior is to be attributed to the legal person and a reference to a potential group of possible natural persons would not be sufficient even then, if all persons from the group were active for the legal person, it would also be necessary in the case of the inapplicability of § 30 DSG due to the national procedural law of Art 44a Z 1 VStG, which is permissible under European law in accordance with Art 83 (8) GDPR To specifically name the acting persons.

Any different conditions under which fines can be imposed on legal persons in the individual member states are therefore due to the European law admissibility of different procedural rights. The judgments of other member states cited by the authority in question, which are supposedly in contradiction to the relevant decision of the Administrative Court of May 12, 2020, Ro 2019/04/0229, could therefore not show any contradicting application of the GDPR in the individual member states ECJ would have to be clarified.

3.12. It was therefore to be decided according to the ruling.

3.13. A negotiation could be dispensed with in accordance with Section 44 (2) VwGVG.

Regarding point B) inadmissibility of the revision:

Pursuant to Section 25a (1) VwGG, the administrative court has to pronounce in the verdict of its decision or decision whether the revision is permissible according to Article 133 (4) B-VG. This statement must be justified briefly.

The revision is inadmissible because there were no legal issues to be resolved which are of fundamental importance within the meaning of Art. On the question of whether it is necessary for the imposition of a fine under Art 83 GDPR on a legal person to demonstrate an offense, illegal and culpable behavior of a natural person attributable to it and to include it in the verdict of the penal decision, and under what conditions such a deficiency in administrative court proceedings can be cured, there is the cited case law of the Administrative Court.



Catchwords
Elimination of the decision Data protection Data protection officer Data protection authority Data protection procedure Data processing Data transfer Direct advertising Management function Fines Legal person Specification Control Cost bearing natural person Affinity for parties Personal data Political party illegality Criminal proceedings - setting of allegations of proceedings Termination of power of representation Administrative criminal proceedings Imputability
European Case Law Identifier (ECLI)
ECLI: AT: BVWG: 2020: W258.2227269.1.00
In RIS since
02.12.2020
Last updated on
02.12.2020
Document number
BVWGT_20201126_W258_2227269_1_00