BVwG - W258 2227269-1/14E: Difference between revisions

From GDPRhub
No edit summary
No edit summary
 
(4 intermediate revisions by 2 users not shown)
Line 67: Line 67:
|Party_Link_5=
|Party_Link_5=


|Appeal_From_Body=DSB
|Appeal_From_Body=DSB (Austria)
|Appeal_From_Case_Number_Name=DSB-D550.148/0017-DSB/2019 (not publsihed)
|Appeal_From_Case_Number_Name=DSB-D550.148/0017-DSB/2019 (not published)
|Appeal_From_Status=
|Appeal_From_Status=
|Appeal_From_Link=
|Appeal_From_Link=
Line 80: Line 80:
}}
}}


The Austrian Federal Administrative Court (BVwG) overturned the 18 million Euro fine imposed on the Austrian Postal Service: the Austrian DPA had failed to establish that the natural persons acting on behalf of the Austrian Postal Service had engaged in sanctionable conduct.  
The Austrian Federal Administrative Court (BVwG) overturned the 18 million Euro fine imposed on the Austrian Postal Service: the Austrian DPA had failed to establish that the natural persons acting on behalf of the Austrian Postal Service had engaged in culpable conduct.  


==English Summary==
==English Summary==
Line 117: Line 117:


==Comment==
==Comment==
It must be noted that the fine was only overturned due formal mistakes by the DSB. In the desision [[BVwG - W258 2217446-1]] the BVWG considered the processing of the data on the"affinity for a political party" by the Austrian Postal Service unlwaful.
It must be noted that the fine was only overturned due formal mistakes by the DSB. In the desision [[BVwG - W258 2217446-1]] the BVWG considered the processing of the data on the"affinity for a political party" by the Austrian Postal Service unlawful.


==Further Resources==
==Further Resources==
Line 126: Line 126:


<pre>
<pre>
Court
IN THE NAME OF THE REPUBLIC!
Federal Administrative Court
Decision date
11.09.2020
Business figures
W101 2132183-1
Saying
W101 2132183-1/36E


ON BEHALF OF THE REPUBLIC!
The Federal Administrative Court appointed the judge Mag. Gerold PAWELKA-SCHMIDT as chairman and the expert lay judges Dr. Gerd TRÖTZMÜLLER and Gerhard RAUB as assessors about the complaint of XXXX, represented by Schönherr Rechtsanwälte GmbH, 1010 Vienna, against the criminal judgment of the data protection authority of 23.10.2019, GZ DSB-D550.148 / 0017-DSB / 2019, rightly in a closed session recognized:


The Bundesverwaltungsgericht (Federal Administrative Court), represented by Dr Christine AMANN, Judge, as President, Mag. Huberta MAITZ-STRASSNIG, expert lay judge, as associate judge, and Dr Michael GOGOLA, expert lay judge, as associate judge, on the appeal brought by Google LLC (as legal successor to Google Inc.), represented by WOLF THEISS Rechtsanwälte GmbH & Co KG, against parts 1 and 2 of the decision of the data protection authority of 15 June 2016, GZ. DSB-D122.471/0007-DSB/2016, was correctly recognised:
A)
A)
Pursuant to § 28 (2) VwGVG in conjunction with § 24 (1) and (5) DSG as amended, the appeal is granted with the provisos that part 1. concerning the data protection complaint of 1 February 2016 is to be dismissed as unfounded to the extent challenged and part 2. is therefore to be set aside without substitution.
 
I. The complaint will be followed, the contested conviction will be corrected and the proceedings will be discontinued according to § 45 Abs 1 Z 3 VStG.
 
II. According to Section 52 (8) VwGVG, the complainant does not have to bear any costs.
 
B)
B)
The audit is permissible under Art. 133 para. 4 B-VG.
 
The revision is not permitted in accordance with Art. 133 Paragraph 4 B-VG.
 
 
 




Text
text
 
Reasons for the decision:
Reasons for the decision:
I. Course of proceedings:
XXXX (= applicant or complainant before the data protection authority and co-defendant before the Federal Administrative Court) filed a data protection complaint on 1 February 2016 against Google Inc. as complainant (= respondent before the data protection authority) on the grounds of an infringement of the right to information. The main grounds of his data protection complaint were as follows:
He had sent his request for information of 30 October 2015 to the complainant by registered mail and attached a copy of her passport as proof of identity. First, he had received a reply in English from the complainant in November 2015. In the complainant's reply of 22 December 2015 in German, he would have received a further response to his request for information. Even in the reply of 22 December 2015, he had not received the information he had requested.
With the request for information dated 30.10.2015, XXXX requested information on
all data processed concerning his person,
the information about their origin,
any recipients or groups of recipients of transmissions (as defined in Article 4 no. 12 DSG 2000),
the purpose(s) for which the data is used,
the legal basis(s) for the use of the data,
any automated individual decision making concerning him, and
the specific service providers involved.
The complainant's reply of 22.12.2015 was worded as follows:
"In response to your request for information regarding your personal information, we would like to refer you to Google Inc.'s online resources that Google Inc. makes available to its users to access their personal information.
These tools are accessible via the account settings (https://www.google.com/settings/datatools). Users can use the Dashboard (https://www.google.com/settings/dashboard) to quickly and easily view a summary of data related to their account, such as emails, contacts, search history and location history. He or she can also use Google Takeout (https://www.google.com/settings/takeout) to download a copy of the data stored in his or her account.
In the event that the required information is not accessible via the above-mentioned instruments, the user may submit his request to Google Inc. via a web form specially designed for this purpose (https://support.google.com/policies/contact/sar). This is accessible via the Privacy Troubleshooter (https://support.google.com/policies/troubleshooter/2990837?hl=en&rd=2). In order to authenticate the identity of the user, Google Inc. requires the user to log in to their Google Account in order to access the relevant web form.
Please note that in order to ensure that user data is kept secret and that the data is only disclosed directly to the user concerned, Google Inc. can only process requests for information that are made via the user's Google account.
To find information indexed by Google's search engine, you can use Google Search. We hope you understand that Google Inc. cannot simply produce a list of all results (or even printouts) associated with the name ' XXXX ' in response to your request for information. Because there is more than one person named XXXX, Google Inc. is unable to determine whether such information relates to you personally.
In the course of the administrative procedure, the Data Protection Authority requested several written comments from both parties.
By decision of 15.06.2016, GZ. DSB-D122.471/0007-DSB/2016, the data protection authority, on the one hand, partially granted the data protection complaint in part 1. and found in this respect that the complainant (= respondent before the data protection authority) had violated the right to information of the XXXX (= applicant or complainant before the data protection authority) in a total of 7 points and, on the other hand, in part 2. it obliged to provide information within a period of four weeks in case of any other execution in accordance with part 1. (In part 3. of this decision the data protection complaint was dismissed for the rest).
In the following sub-paragraphs of part 1, an infringement of the right to information was established in that the complainant had failed to provide information on
a) outside the user account of the XXXX to his person by them processed data,
b) specific recipients or groups of recipients of transmissions of the data of the XXXX , as far as this is not apparent in the context of an online inspection,
c) the concrete origin of the data of the XXXX , as far as this is not evident within the scope of an online inspection,
(d) automated individual decision making concerning the XXXX,
(e) the purpose(s) for which the data are to be used,
(f) the legal basis(s) for the use of the data; and
(g)the service providers specifically involved
was issued.
The data protection authority found the following facts in this decision:
By letter of 30 October 2015, XXXX had sent a request for information to the complainant, enclosing a copy of her identity card, in which he requested information on all the data processed in the complainant's current database relating to his person. He would also have requested information on the origin of the data, any recipients or groups of recipients of transmissions, the purpose or purposes of the use of the data and the legal basis of the use of the data. In the event that data were processed by computer for the purpose of assessing individual aspects of his person and that this processing would entail legal consequences or would subject him to a decision that would significantly affect him, he would have requested that the logical sequence of the automated decision-making process be explained to him in a generally understandable form. He would also have asked for the names and addresses of all service providers to be disclosed.
XXXX would have first received a letter from the complainant dated 18.11.2015, written in English and referring to existing online tools.
By letter of 22 December 2015, the complainant had informed XXXX (in German) that the reply to the request for information referred to the online resources that the complainant had made available to its users in order to access their personal data. XXXX had been informed that the complainant could only process requests for information that were made via the user's Google Account. Google Search can be used to find information indexed by the complainant's search engine. Finally, XXXX had been informed that: "We hope you understand that Google Inc. cannot simply produce a list of all results (or even printouts) related to the name ' XXXX ' in response to your request for information. Because there is more than one person named XXXX, Google Inc. is unable to determine whether such information relates to you personally.
In a letter of the complainant dated 24 February 2016, XXXX (again in German) was informed that he could use the complainant's available online tools to obtain information on the data processed concerning his person. At the same time, he had again been informed that logging in via the account was the only possible form of authentication that the complainant could accept, since the presentation of a passport alone could not ensure that the person requesting information was the actual user of the account.
The complainant would not have asked XXXX to participate in the information procedure, for example by providing further details on the request for information.
XXXX had an e-mail address, XXXX @gmail.com, which was provided by a service of the complainant, GMail.
It could not be established that XXXX used or was registered with other services of the complainant, such as Google Chrome, You Tube, Google Drive, Google+, etc.
XXXX had not made use of the online tools provided by the complainant since the request for information was sent on 30 October 2015.
The complainant provided online tools that account and non-account holders of services provided by the complainant could use. In the case of account holders, the complainant requires them to log on to their account for identification purposes. The online tools would enable users to obtain an overview of the data stored about them in connection with an account, to download this data and to make restrictions and deletions.
The data protection authority gave the following legal reasons for the statement in part 1 of the above-mentioned decision:
In general, it should be noted that each applicant for information is entitled to individual treatment of his request for information. Each request for information or refusal to provide information must therefore be preceded by an examination of the individual case, possibly with the cooperation of the person requesting information.
In the present case, XXXX received replies which, although addressed personally to him, were largely standardised and made general reference to the possibility of using online tools. In the proceedings before the data protection authority, reference was also made to the complainant's data protection statement.
However, the complainant overlooked the fact that the request for information clearly also related to data that could not be obtained through online access.
The complainant had also at no time asked XXXX to specify its request for information - which might be too vague for the complainant - or to participate in the information procedure. Only an unsuccessful attempt to ask the person requesting information to cooperate or a failure to comply with the obligation to cooperate could constitute grounds for refusing to provide information.
No other reasons were given to XXXX to justify not providing information until the end of the procedure before the data protection authority.
The complainant lodged a complaint against parts 1 and 2 of this decision within the prescribed period.
In a letter from the data protection authority dated 08.08.2016, the complaint including the administrative act was forwarded to the Federal Administrative Court.
In a letter dated 13 November 2019, the Federal Administrative Court informed the complainant that in a so-called "old case" (= case already pending before the Federal Administrative Court before 25 May 2018), the new legal situation under the DSGVO and the DSG was applicable and offered him the opportunity to submit a written statement on any changes in the facts of the case within four weeks. By letter of the same day, the party concerned was also given the opportunity to submit written comments on the facts of the case.
In a letter of 13 December 2019 (received on 16 December 2019), the complainant asserted, inter alia, that she now bears the name "Google LLC" and that in the meantime, as can be seen from the enclosed current data protection declaration (= Enclosure ./1), she was no longer responsible under data protection law for the users of most Google services which are provided to consumers in the European Economic Area and Switzerland. This applies in particular to the search engine and the Google account.
Furthermore, the complainant asserted in this letter that, after receipt of the decision of the data protection authority and despite the appeal in the form of a complaint, she had sent a further reply letter dated 21 September 2016 to XXXX, which took into account the statements of the data protection authority in the contested decision (= Enclosure ./2).
As regards the written form, the complainant argued in particular that: "XXXX's incorrect assertion that online information was not an acceptable means of fulfilling the obligation to provide information could not be accepted, given the clear legal situation. This had also been correctly decided by the data protection authority. The complainant offered all its users a secure system for remote access. However, XXXX had refused all cooperation and access to the complainant's online tools under the previous procedure. The complainant had so far agreed to provide further guidance to help XXXX to access the information to which he was entitled, which was already available through the tools, but could not provide more than the complainant was obliged to do under the law.
As regards the proof of identity of the XXXX, the complainant argued in this letter that: "On the basis of a copy of the passport alone, and in view of the large number of persons with identical names and the possibility of also using other people's names - such as "XXXX" as a pseudonym - no conclusion could be drawn as to the existence of any data processing that would require information. Therefore, the copy of a passport alone does not constitute sufficient proof of identity in the factual context in question. Nor did the sending of correspondence by Google to XXXX's e-mail address show that the complainant had no doubts about the allocation of the user account to him. The reply to the address given by XXXX did not remove the complainant's doubts as to the identity and allocation to a user account. Unfortunately, the provision of an e-mail address belonging to a Google Account is a tactic that unauthorised persons would also use to gain access to external data. The complainant had fulfilled her obligations by requesting access to the Google Account through the XXXX using the access data chosen by him. Without proper authentication, however, no information could be provided in case of doubts as to identity, which would exist in such a case. It is therefore up to XXXX to access his Google Account and view the data or information about him.
In a letter of 3 January 2020, XXXX, as an interested party, submitted written comments, stating in particular that, as a data subject, he was not obliged to cooperate and that he had been identifiable to the complainant. In his statement, XXXX stressed that the current legal situation under the DSGVO did not impose any obligation on information providers to cooperate and further explained that this was the case: Responsible persons were therefore only entitled to ask information applicants to specify their requests for information, but were not entitled to any clarification. Information seekers could therefore insist on being informed of all data processed concerning their person. The complainant's request for information had explicitly asked for information on all data relating to her person. The complainant was therefore under a legal obligation to provide him with complete information, without his having to cooperate in the provision of information.
In order to identify himself, he stated that Information seekers were also to be regarded as sufficiently identified if they knew the login data (user ID and password) of user accounts or could prove the power of disposal over user accounts (such as e-mail inboxes) in some other way. The complainant is in no doubt that he has power of disposal over the e-mail box "XXXX @gmail.com" stored with the complainant. The information to be provided by the complainant would therefore have to include all data processed in connection with this user account.
Finally, he claimed that he still considered that his right of access had been infringed because the complainant had still not provided him with written information on the data processed concerning him.
In a letter of 17 January 2020, the complainant further submitted, inter alia, that since 22 January 2019, Google Ireland Limited was the controller of personal data relating to the use of its services by users habitually resident in the EEA or Switzerland. To this extent, Google LLC is now "no longer the controller in the sense of the DSGVO of the processing activities previously covered by the complaint". This has no influence on the processing of personal data in making available the search results displayed in the Google search engine. The complainant was still responsible for these personal data in accordance with the provisions of the DSGVO.
In a letter from the Federal Administrative Court dated 30 January 2020, the complainant was requested, for further clarification, to submit to the Federal Administrative Court all contractual and other documents indicating "whether Google LLC or Google Ireland Limited is currently responsible for the XXXX information".
In its written observations of 21 February 2020, received on 24 February 2020, the complainant essentially submitted
As regards the current liability of Google LLC and Google Ireland Limited in respect of the seven sub-paragraphs of the contested part of the first part of the abovementioned decision, which relate to data processing outside the user account, the applicant states that the position of responsibility is differentiated in relation to any processing of personal data relating to the person of XXXX outside his Google account:
Google Ireland Limited would currently be responsible within the meaning of Art. 4 Z 7 DSGVO for any processing of personal data by XXXX outside the user account, but in connection with the use of a Google service;
during
Google LLC would currently be responsible within the meaning of Art. 4 Z 7 DSGVO for any processing of personal data of XXXX outside the user account in search results.
An oral hearing had been scheduled at the Federal Administrative Court for 02.04.2020, but this was cancelled again on 27.03.2020 due to corona conditions.
On 8 July 2020, an oral hearing was then held before the Federal Administrative Court, in which all parties involved in the appeal proceedings took part.
On the complainant's side, after prior consultation with the presiding judge, XXXX participated as XXXX. He gave the following reason for his presence at the hearing as an informed representative (see p. 4 of the minutes of the hearing): When the complainant received XXXX's request for information of 30.10.2015, he had held the same position as he does today. He recalled that he was well aware that they had received a letter from the XXXX, including the complainant's home address and a copy of her passport. However, given that the events of that time had taken place a long time ago, he might not be able to remember everything in full. At the hearing (on p. 6 of the minutes of the hearing), the informed representative confirmed that he had participated in the drafting of the complainant's reply letter of 22 December 2015 and that the information contained in the reply letter was correct to the best of his knowledge and belief at the time.
In the file, the informed representative has a power of attorney from "Google LLC", which was issued on 29.06.2020 in Menlo Park, California, by its Managing Member (= supplement to OZ 1/26).
As regards the question of liability, the presiding judge already stated at the hearing (on p. 3 of the minutes of the hearing) that Google Inc. was responsible for the proceedings concerning the request for information of 30 October 2015 and that Google LLC had entered the proceedings as its legal successor and thus as the current complainant.
Before the end of the hearing, the presiding judge had closed the evidence proceedings (on p. 11).
II The Federal Administrative Court considered
1. observations:
The subject of the administrative procedure concerning a possible violation of the right to information is the assessment of whether the request for information of the XXXX of 30.10.2015 was complied with in conformity with the law by the complainant's reply of 22.12.2015 (written in German) - confirmed by a further reply of 24.02.2016.
During the administrative procedure before the data protection authority, Google Inc. was the principal (now the controller) for the processing of personal data of the XXXX . In the meantime, Google LLC has entered the proceedings as the legal successor to Google Inc. and is therefore the complainant.
In its request for information dated 30.10.2015, XXXX requested information on the following seven points:
all data processed concerning his person,
the information on their origin,
any recipients or groups of recipients of transmissions,
the purpose(s) for which the data is used,
the legal basis(s) for the use of the data,
possible automated individual decision making and
concretely consulted service providers.
As a result, the information requested by XXXX concerns his personal data both within and outside his user account with the complainant.
Already with the request for information, the complainant had been provided by XXXX with a copy of her passport as proof of identity. The complainant also knew the e-mail address (" XXXX @gmail.com") and the home address of XXXX. Moreover, there had already been correspondence between the complainant and XXXX using his e-mail address in 2014.
It is clear that in the run-up to the reply, XXXX was identifiable to the complainant on the basis of the available identity references and previous correspondence, possibly in combination with an appropriate location of the XXXX's computer.
Thus, the complainant was in principle obliged to provide the information requested by XXXX or, in case of impossibility, to provide negative information.
In its reply of 22.12.2015, XXXX was referred in a first step to the access to the online tools provided by the complainant in relation to its user account. In a second step, XXXX was asked to specify its request for information regarding all requested information that could not be accessed via the aforementioned online tools via a web form specifically provided for this purpose, specifically via (https://support.google.com/policies/contact/sar). This means that all personal data of XXXX - both inside and outside the user account - that could not be accessed via the online tools were included in this request for clarification by the complainant.
With regard to this data, in order to authenticate the identity of XXXX as a user, the complainant has requested that the user log in to his user account in order to access the relevant web form.
Furthermore, it is clear that XXXX did not comply with the complainant's request for clarification, although he could have done so in principle as the holder of a user account with the complainant.
For these reasons, it must be concluded that it is decisive,
that XXXX has been referred to his user account for access to the online tools, insofar as the requested information has been received in this regard, and
that, for all data not accessible via this link, he was asked by the complainant to specify his request for information in a further step, which he did not comply with; in this respect, XXXX subsequently did not receive any further information from the complainant in accordance with the law.
2. assessment of evidence:
The findings on the relevant facts are set out in the administrative act, the complaint and the judicial act.
In several written statements, XXXX made a claim both before the data protection authority and before the Federal Administrative Court (see also his statements in the hearing on p. 9f of the minutes of the hearing),
(a) that for the complainant there was no doubt whatsoever as to the allocation of the user account to his person and therefore no need for any further identification; and
(b) that he was not obliged to be referred to online tools provided by the complainant in order to obtain information at his own expense
On the basis of the existing identity references and the previous correspondence, XXXX was identifiable for the complainant - possibly in connection with a location of XXXX's computer - in the run-up to the reply, so that the argument of XXXX ad (a) can only be accepted.
All statements made at the hearing by the informed representative of the complainant to the effect that XXXX could not be identified either by the identity cards submitted or by additional internal organisational measures or other indications given to the complainant in the run-up to the reply are unrealistic and therefore lack credibility in view of the complainant's large organisational structure and its possibilities.
As a consequence of this, the complainant, as the provider of information, was at that time - as stated above - in principle obliged to provide either the requested information or, where appropriate, negative information.
The complainant complied with this obligation within the limits of her possibilities in her reply of 22.12.2015 - confirmed by that of 24.02.2016 - also in concrete terms by taking the two steps identified.
The reason given for the reference to access to online tools in this reply was literally "to quickly and easily consult a summary of the data related to the account". Furthermore, the complainant XXXX provided detailed information on how he can access his personal data in the user account itself (...). The informed representative of the complainant even offered to "communicate directly with XXXX in order to carry it out if necessary through the online tools" (see p. 8 of the minutes of the hearing).
Taking this into account, it is clear to the Senate that XXXX would have been able to access the online tools of his user account and that he had no access problem. Contrary to his submission ad (b), XXXX was therefore obliged to have himself referred to the complainant's online tools for his user account, but of course only with regard to those personal data that could be accessed there.
With regard to the above finding that the complainant's request for clarification covered all personal data of the XXXX that were not accessible in the online tools for the user account, the following considerations remain to be stressed:
The complainant had already argued in several written submissions, which was repeated in the hearing on p. 6, that the Commission did not, in principle, make automated individual decisions. On this basis, the presiding judge expressly asked the informed representative of the complainant (see p. 6f of the minutes of the hearing) why the complainant had not (already) given negative information to XXXX in her reply regarding possible automated individual decisions within the user account. The informed representative subsequently replied that the sentence in the first paragraph of the second page of the reply letter ("In the event that the required information is not accessible via the above-mentioned tools, the user may submit his request to Google Inc. via a web form specifically provided for this purpose.") is understood by him to mean "that we have requested a general clarification for everything that we were unable to provide via our online tools". The informed representative also expressly answered in the affirmative to the further question of the presiding judge as to whether the request for clarification in the reply letter thus also referred to automated individual decisions (within and outside a user account) (see above p. 7 of the minutes of the hearing).
The statement to the contrary made at the hearing by the representative of the authorities (on page 8 below of the minutes of the hearing) is refuted in view of the clear wording of the quoted sentence, which was also confirmed by the informed representative at the hearing.
The reason for the request for clarification - namely the protection of other persons known as " XXXX " - was already mentioned by the complainant in her reply (see penultimate paragraph on p. 2, cited in the course of the procedure on p. 3).
The above findings are moreover based on the informed representative's reply to the presiding judge's further question on p. 7 below as to whether the complainant would have been able to provide XXXX with all the information it requested if XXXX had clarified its request for information (concerning the data not visible in the online tools) by means of the web form provided, with further information on the requested data. This answer was essentially as follows: "This hypothetical question is difficult to answer, as it depends in particular on what additional information would have been provided by XXXX (in response to a more precise request for information via the web form). We did not even know which services were involved. (...) The point is that we took the case extremely seriously. It did not go into a black box and no automated reply went out, I consulted with a colleague and together we came to the conclusion that we could do no more than we did (in the reply). (...) As far as I know, we have never received any details in the form of a request for information via the XXXX web form.
On the basis of all these considerations, the Senate has reached the above conclusions.
The complainant's further reply of 21 September 2016, which was sent after receipt of the above-mentioned decision of the data protection authority, is not relevant to this result, which is why no findings were made in this regard.
3. legal assessment:
3.1 According to § 6 BVwGG, the Federal Administrative Court decides by single judges, unless federal or Land laws provide for a decision by senates.
Pursuant to Section 27 (1) DSG, the Federal Administrative Court decides through the Senate on appeals against notices, on breaches of the duty to inform pursuant to Section 24 (7) and of the data protection authority's duty to take decisions. Pursuant to the first sentence of Section 27(2) of the DSG, the Senate is composed of a chairman and one expert lay judge each from among the employers and the employees. The present case therefore falls within the competence of the Senate.
The procedure of the administrative courts, with the exception of the Federal Finance Court, is regulated by the VwGVG, Federal Law Gazette I 2013/33 as amended by Federal Law Gazette I 2013/122 (section 1 leg.cit.). Pursuant to Article 58(2) of the VwGVG, conflicting provisions already announced at the time of entry into force of this federal act shall remain in force.
Pursuant to Article 17 of the Administrative Procedure Act (VwGVG), unless otherwise provided for in this Federal Act, the procedure on complaints pursuant to Article 130(1) of the Federal Constitution Act (B-VG) shall be governed by the provisions of the Administrative Procedure Act (AVG), with the exception of Articles 1 to 5 and Part IV, the provisions of the Federal Fiscal Code (Bundesabgabenordnung - BAO), Federal Law Gazette No 194/1961, the Agricultural Procedure Act (Agrarverfahrensgesetz - AgrVG), Federal Law Gazette No 245/1961, and the provisions of the Federal Law on the Supervision of Agricultural Procedures (Agrarverfahrensgesetz - AgrVG). No. 173/1950, and the Service Procedure Act 1984 - DVG, Federal Law Gazette No. 29/1984, and, moreover, to apply mutatis mutandis those procedural provisions in federal or Land laws which the authority has applied or would have had to apply in the proceedings before the administrative court.
3.2 Under Article 28(1) of the VwGVG, the Administrative Court must settle the case by way of a decision, unless the complaint is to be rejected or the proceedings discontinued.
Pursuant to Article 28(2) of the VwGVG, the Administrative Court must decide on complaints under Article 130(1)(1) of the Federal Constitution if the relevant facts have been established or if the establishment of the relevant facts by the Administrative Court itself is in the interest of speed or entails a considerable reduction in costs.
Pursuant to § 31 (1) VwGVG, decisions and orders are made by way of a resolution, unless a ruling is required.
3.3. on A)
3.3.1 Section 69 (4) of the DSG does not contain any transitional provisions regarding the pending proceedings in data protection matters before the Federal Administrative Court. Thus, the legal situation applicable is that in force at the time the Senate passed its resolution (cf. VwGH of 19 February 2018, Ra 2015/07/0074; VwGH of 22 February 2018, Ra 2017/22/0125; and many others).   
The relevant provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (basic data protection regulation) OJ L 119 of 4 May 2016, hereinafter referred to as "the Regulation": DSGVO, should read as follows
Article 4
Definitions


For the purposes of this Regulation
I. Procedure:
1) "personal data" shall mean any information relating to an identified or identifiable natural person (hereinafter referred to as "data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, a location data, an on-line identification or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
 
2.-6. ()
1. On the basis of media reports on the alleged sale of personal data, in particular information about the "political affinity" of certain people, the authority in question initiated an official investigation procedure against the complainant on January 8, 2019, which with the decision of February 11, 2019 on the GZ DSB-D213.747 / 0002-DSB / 2019 has ended.
(7) 'controller' means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union law or by the law of the Member States, provision may be made for the controller or for the specific criteria for his or her designation in accordance with Union law or the law of the Member States
 
8.-26. (…).
2. On the basis of the investigation results of the official investigation procedure, the authority concerned initiated administrative criminal proceedings against the complainant and, with a request for justification on February 20, 2019, charged her with the following administrative violations: The complainant is suspected
 
1. to have unlawfully processed special categories of personal data in accordance with Art. 9 GDPR (“party affinities”) in the course of exercising the trade “address publishers and direct marketing companies” by not obtaining the consent of the data subjects and otherwise not relying on any of the data processing in Art 9 DSGVO conclusively listed facts can be supported,
 
2. personal data such as
 
- Affinity for donations
 
- bioaffinity
 
- partnership
 
- annual income
 
- type of acquisition
 
- qualification
 
- Consumption-oriented basis
 
- Night owls
 
- Package frequency (number of packages in a certain period of time)
 
- Affinity for moving
 
- Investment affinity
 
- phase of life
 
to have unlawfully processed "address publishers and direct marketing companies" (storage and sale to third parties) in the course of exercising the trade, by not having obtained the consent of the data subjects and otherwise not based the data processing on any of the legality facts listed in Art 6 (1) GDPR could be
 
3. To have violated their obligation to carry out a data protection impact assessment regarding the application "XXXX target group addresses" (note: XXXX stands for XXXX) by failing to carry out the data protection impact assessment within the period, contrary to the time specified in the data protection impact assessment March to June 2018, but at a later date, but in any case after May 25, 2018,
 
4. To have created the data protection impact assessment for the application "XXXX - target group addresses" incorrectly because it denies the processing of special categories of personal data, although according to Annex 2D the "party affinity" is calculated, and as a result the existence of a high risk therefore I will in any case deny
 
5. To have created the directory for processing activity "XXXX - target group addresses" incorrectly because it contained
 
- a. processing of particularly sensitive data, including political opinion, as well as
 
- b. extensive processing of sensitive data
 
will be denied
 
6. To have created the directory for processing activity "XXXX - target group addresses" inadequately because it did not list all of the data categories actually processed,
 
7. to have failed to carry out a consultation in accordance with Art 36 GDPR and
 
8. Not having fulfilled their obligations under Art 14 GDPR by not informing the data subject to the extent necessary about which data not collected directly from the data subject, by whom and in what manner and then transmitted to third parties - e.g. sold or on made available in another way -
 
so administrative offenses according to
 
To 1): Art 5 Paragraph 1, Art 9 in conjunction with Art 83 Paragraph 5 lit a GDPR
 
To 2): Art 5 para 1, Art 6 para 1 in conjunction with Art 83 para 5 lit a GDPR
 
Re 3) + 4): Art 35 in conjunction with Art 83 Para 4 lit a GDPR
 
Re 5 + 6): Art 30 in conjunction with Art 83 Para 4 lit a GDPR
 
To 7): Art 36 in conjunction with Art 83 Para 4 lit a GDPR
 
Re 8): Art 14 in conjunction with Art 83 Para 5 lit b GDPR
 
to have committed.
 
4. After carrying out evidence proceedings and an oral hearing on September 23, 2019, the authority in question pronounced a penalty on October 23, 2019,
 
The accused had been responsible as the person responsible within the meaning of Art 4 Z 7 of Regulation (EU) 2016/679 on the protection of natural persons in the processing of personal data, on the free movement of data and on the repeal of Directive 95/46 / EC (General Data Protection Regulation, hereinafter : GDPR), OJ. No. L 119 of 4.5.2016, S 1, responsible for the following:
 
to I .: from May 25, 2018 to February 21, 2019,
 
re II .: from May 25, 2018,
 
to IV .: from May 25, 2018,
 
to V .: from May 25, 2018 and
 
to VI .: from May 25th, 2018,
 
I. the unlawful processing of special categories of personal data within the meaning of Art 9 GDPR ("party affinities") within the scope of the business of "address publishers and direct marketing companies"; this by not obtaining the consent of the persons concerned and the data processing cannot otherwise be based on any of the facts conclusively listed in Art 9 GDPR;
 
II.
 
a) the unlawful further processing of personal data, namely the number of parcels received during a certain period of time (parcel frequency) and the frequency of relocations of persons concerned within the scope of the trade of "address publishers and direct marketing companies"; This is done by not obtaining the consent of the data subjects and the data processing cannot otherwise be based on any of the legality facts finally listed in Art 6 Para 1 GDPR and the data relating to the frequency of parcels and the frequency of relocation are changed to a purpose not covered by Art 6 Para 4 GDPR were;
 
IV. The inaccuracy of the data protection impact assessment for the application "XXXX - target group addresses", since in this the processing of special categories of personal data was denied, although the "party affinity" had been calculated and processed, and yet the result was a high risk in any case it was denied,
 
V. the flawedness of the directory for processing activity "XXXX - target group addresses", since according to this
 
a) processing of particularly sensitive data, including political opinion, as well as
 
b) extensive processing of sensitive data is denied and
 
VI. the inadequacy of the directory for processing activities “XXXX - target group addresses”, since it did not list all the data categories actually processed and so it was not drawn up in sufficient detail.
 
The breach of duty is attributed to the legal person "XXXX" because the natural persons responsible for the violations belong to the economic unit that is formed by the person responsible as a legal person.
 
As a result, the person responsible violated the following legal provision (s):
 
Re I .: Art. 5 Para. 1 lit. a, Art. 9 in conjunction with Art. 83 Para. 5 lit. a GDPR
 
Re II.a): Art. 5 Para. 1 lit. a and lit. b, Art. 6 Para. 1 and Para. 4 in conjunction with Art. 83 Para. 5 lit. a GDPR
 
On IV .: Art. 35 in conjunction with Art. 83 Para. 4 lit. a GDPR
 
Re V. and VI .: Art. 30 in conjunction with Art. 83 Para. 4 lit. a GDPR.
 
A fine of EUR 18,000,000.00 is therefore imposed on them in accordance with Article 83 (5) (a) GDPR and the reimbursement of procedural costs in the amount of EUR 1,800,000.00 is imposed.
 
On the other hand, the procedure with regard to the charge
 
II b) unlawful processing through the storage and sale of personal data of the categories
 
- Affinity for donations
 
- bioaffinity
 
- partnership
 
- annual income
 
- type of acquisition
 
- qualification
 
- Consumption-oriented basis
 
- Night owls
 
- investment affinity
 
- phase of life,
 
III. The accused had thereby violated her obligation to carry out a data protection impact assessment regarding the application "XXXX target group addresses" by not doing the data protection impact assessment in the period from March to June 2018, but at a later point in time, but in any case after May 25, 2018 , was carried out,
 
VII. According to which the accused (wrongly) failed to conduct a consultation in accordance with Art 36 GDPR,
 
VIII. According to which the accused has not fulfilled her obligations under Art. 14 GDPR by not informing the data subject to the extent necessary about which data not collected directly from the data subject, by whom and in what manner and then transmitted to third parties sold or otherwise made available -
 
each set in accordance with Section 45 Paragraph 1 Item 1 (1st case) VStG.
 
5. The complaint in question of November 25, 2019 is directed against this finding because of deficiencies in the assessment, incorrect legal assessment, unlawful measurement of fault and assessment of the amount of the penalty and requested, with more detailed reasons, to remedy the penal decision without replacement and to proceed with the procedure in accordance with Section 38 VwGVG in conjunction with Section 45 (1) VStG to discontinue the procedure according to § 38 VwGVG in conjunction with § 45 Paragraph 1 Z 4 VStG in conjunction with § 11 DSG with issuance of a warning or in conjunction with § 33a VStG through advice or in conjunction with § 45 Paragraph 1 Z 1 VStG with a warning to suspend the penalty to reduce a measure appropriate to the act and guilt. Among other things, for the imposition of a fine according to the GDPR on a legal person such as the person concerned, it is not sufficient to fulfill a criminal offense, it must be for you as a legal person,who cannot act themselves, the actions of a natural person can also be attributed. The authority concerned omitted this attribution, which must be carried out in accordance with § 30 DSG.
 
6. With the submission of files dated January 7th, 2020, received on April 16, 2020, the authority in question submitted the complaint to the Federal Administrative Court, including the administrative act, disputed the complaint and applied for the complaint to be dismissed with a detailed explanation. Among other things, the authority in question stated that since fines under the GDPR are an association responsibility model of its own, which would not reduce procedural guarantees required under fundamental law, there would be no room for an attribution rule such as Section 30 of the GDPR.
 
7. With the parties to be heard on July 17, 2020, the authority in question was held up to the decision of the Administrative Court of May 12, 2020, Ro 2019/04/0229, which had been made in the meantime, according to which it was necessary to impose a fine on a legal person under the GDPR to demonstrate factual, illegal and culpable behavior of a natural person, which is to be attributed to the legal person and such a defect cannot be remedied by the administrative court, if the natural persons for whose behavior the legal person is to be held responsible for the first time specifies in the complaint procedure would.
 
8. With statements of July 29th, 2020, August 13th, 2020 and November 12th, 2020, the authority in question submitted that the criminal conviction showed that the board or its members, i.e. representatives within the meaning of Section 9 VStG, had been informed about data protection processes and referred In this regard, to the findings under point 4.7 of the penal decision, according to which the project "Fitness for the GDPR" had been decided by the board, the board had been reported to the board on all data protection-relevant aspects by the relevant natural persons in a managerial function and on the board's part XXXX was responsible has been.
 
Furthermore, the authority in question submitted that there was no “acte claire” in the sense of the case law of the European Court of Justice because, in deviation from the decision of the Austrian Administrative Court, the Conseil d'État, the highest French administrative court, in its decision of June 19, 2020, N ° 430810, assuming that it is not necessary for the imposition of fines according to the GDPR on legal persons to name natural persons whose behavior can be attributed to the legal person. Due to the different opinions of two highest courts from different Member States, this question must therefore be interpreted by the ECJ. Furthermore, the authority concerned referred to a - orally announced but not yet executed - judgment of the Bonn Regional Court of 11.11.2020,GZ 29 OWi-430 Js-OWi 366 / 20-1 / 20 LG, in Section 30 of the Administrative Offenses Act - OWiG, a regulation comparable to Section 30 DSG, according to which, for the imposition of a fine on a legal person, the attribution of the actions of a natural person Person needs to be partially incompatible with the imposition of fines according to Art 83 GDPR and the authority does not have to specifically determine which employee has committed acts.
 
The authority in question therefore applied for the cited judgment of the Bonn Regional Court to be obtained, as well as to obtain a preliminary ruling from the ECJ in accordance with Art. 267 TFEU on the question of whether a decision imposing a fine under Art. 83 GDPR on a legal person is an infringement and culpable behavior of a natural person is to be shown, which should be attributed to the legal person.
 
9. Mit Stellungnahme vom 04.09.2020 replizierte die Beschwerdeführerin zusammengefasst ua, dass auch mit dem ergänzenden Vorbringen der belangten Behörde kein tatbestandsmäßiges, schuldhaftes und rechtswidriges Verhalten einer natürlichen Person dargetan werde, das ihr als juristische Person zugerechnet werden könne. Mit der Anregung auf Vorabentscheidung durch den EuGH verlange die belangte Behörde vom EuGH eine unzulässige Auslegung einer nationalen Rechtsnorm, § 30 DSG, und Überprüfung der Rechtsprechung des VwGH. Die Umsetzung der Sanktionsnorm des Art 83 DSGVO sei – unter Verweis auf die Rechtsprechung des VwGH und weiterer näherer Begründung – dem nationalen Recht überlassen, weshalb es zu Unterschieden zwischen einzelnen Mitgliedstaaten kommen könne. Auch das strafrechtliche Beschleunigungsgebot spreche gegen eine Vorlage an den EuGH.
 
Evidence was obtained through inspection of the administrative file and the decision of the Conseil d'État of June 19, 2020, N ° 430810.
 
II. The Federal Administrative Court has considered:
 
1. The following is certain:
 
1.1. The authority concerned has carried out administrative criminal proceedings against the complainant, a legal person set up in the legal form of a stock corporation, for AZ DSB-D550.148.
 
1.2. In this process were
 
 apart from the summons of witnesses, addressed letters from the authorities concerned to the complainant, for the attention of XXXX,
 
 only accused the complainant of the administrative violations and
 
 Ms. XXXX as representative of the accused questioned as accused and all other natural persons questioned as witnesses.
 
1.4. In the criminal decision of the authority concerned dated October 23, 2019, GZ DSB-D550.148 / 0017-DSB / 2019, the following is carried out insofar as this is relevant to the procedure:
 
"Accused: XXXX (FN XXXX)
 
The XXXX with its seat in XXXX, XXXX, has [...]
 
as the person responsible within the meaning of Art. 4 No. 7 of Regulation (EU) 2016/679 for the protection of natural persons in the processing of personal data, for the free movement of data and for the repeal of Directive 95/46 / EC (General Data Protection Regulation, hereinafter: GDPR ), OJ. No. L 119 of 4.5.2016, S 1, responsible for the following:
 
[...]
 
The breach of duty is attributed to the legal person "XXXX" because the natural persons responsible for the violations belong to the economic unit that is formed by the person responsible as a legal person.
 
[...]
 
Reason:
 
I. The following facts relevant to the decision are certain on the basis of the evidence procedure carried out: [...]
 
1.1. XXXX (hereinafter: XXXX) has been operating the business of address publishers and direct marketing companies since XXXX and sells personal data as part of the “XXXX” product that it receives from address dealers or that it has collected itself.
 
[...]
 
2.1. As of January 2016, a name allocation of so-called "XXXX" took place within the "Address Publishing and Direct Marketing" division. "
 
[...]
 
3.1. The XXXX transmits personal real data from the XXXX division, namely the XXXX division, to the “Address Publishing and Direct Marketing” division in order to assign the selection criterion of the XXXX to individual people by name and then market it.
 
[...]
 
4. Regarding the company's internal responsibilities:
 
4.1. On the part of the board, XXXX was responsible for the business area of ​​address publishing and direct marketing until XXXX, then XXXX. Below the executive board level, XXXX is responsible as the division manager of the XXXX division; it is the area in which all business activities related to addressed advertising take place. XXXX, around 800 employees of XXXX and departments that are employed in outsourced companies and group subsidiaries report. Including the head of the specialist department "XXXX" (short: XXXX, XXXX - internal term for the specialist area that deals with address and direct marketing), Mr. XXXX. The latter has held this position since XXXX, before that XXXX was in charge of this department until XXXX.The trade “address and direct marketing” within the meaning of § 151 GewO is located at XXXX in the “XXXX” department. This department belongs to the area of ​​"XXXX".
 
4.2. Within this area, Ms. XXXX is again the head of product and quality management; In the course of this, Ms. XXXX is also managing director for the trade of address publishers and direct marketing according to § 151 GewO. Her tasks include product development, process control and answering data protection queries from those affected. In addition, Ms. XXXX is responsible for coordinating with the data protection officer of XXXX. Ms. XXXX's position is referred to as the “data protection manager” within the corporate structure. Ms. XXXX is the company-wide data protection officer for XXXX. In addition, there are the aforementioned data protection managers in each business area.
 
4.3. Within the XXXX, preparatory measures for the coming into force of the GDPR began in 2017. This project intensified in autumn 2017 and an external, internationally operating consulting company was brought in. These preparatory measures were referred to by XXXX as the GDPR project "Fitness for the GDPR". From December 2017 so-called "steering committees" took place regularly:
 
4.4. The project client was the board of directors of XXXX (XXXX). The steering committee itself consisted of the following people:
 
- XXXX
XXXX
XXXX
XXXX
XXXX
XXXX
XXXX
XXXX
XXXX
XXXX
XXXX
 
The extended steering committee also included the members of the Board of Management.
 
4.5. The project management was the responsibility of the data protection officer of XXXX, Ms. XXXX.
 
4.6. So-called project team jour fixes, project management jour fixes each week, steering committee meetings at least monthly and extended steering committee meetings took place every two months, the latter taking place monthly from March 2018. In addition, issues related to specific cases were dealt with in board meetings. XXXX took part in the project management jour fixes.
 
4.7. In summary, according to statements by XXXX, the aim of this project was to create the conditions for a holistic implementation of the GDPR through risk-oriented prioritization in several phases. This project order was decided and implemented by the board of directors and the steering committee. A project management team made up of representatives from the legal department and revision was used to implement the project. Regular reports on the progress of the project were made to the board of directors and management.
 
4.8. The head of the group-wide legal department of XXXX is XXXX, this is the authorized signatory of XXXX. In this function, she is also responsible for compliance with data protection law throughout the group.
 
[...]
 
4.9. The respective product responsibility lies with the respective heads of the respective departments. The legal department is involved in legal issues and legally relevant documents (e.g. submissions and applications to authorities and courts) must be approved by the head of the legal department.
 
4.10. With regard to the processing of data relating to "party affinities", the department heads, the head of the legal department and the data protection officer did not recognize any legal risk with regard to the entry into force of the GDPR on May 25, 2018; This is not because - contrary to our own practice in the case of requests for information according to Art 15 GDPR - it was assumed that it is not personal data but statistical extrapolations. Ms. XXXX was employed as data protection manager (DSM) in the area of ​​direct marketing; according to the assessment of XXXX, she has expertise in data protection law and she assessed the data processing as uncritical. As a result, no independent external legal assessment was sought.
 
4.11. The data protection officer, Ms. XXXX, did not express any concerns with regard to the legal risk of data processing for the creation and sale of the selection criterion of "party affinities" as part of the preparatory project for the GDPR. The same applies to the head of the group-wide legal department of XXXX.
 
4.12. As part of the entire investigation before the data protection authority, XXXX did not submit any documents from which a detailed legal dispute and examination of the legal question as to whether the data processing in connection with the creation and sale of the selection criterion of the "party affinities" within the scope of the product range of the Business "address publishing and direct marketing" with a view to the coming into force of the GDPR are in line with this or can be brought into line. There are no relevant meeting minutes for the above-mentioned preparatory meetings for the GDPR, as they were not prepared by the relevant managers of the departments of XXXX.At the related meetings, PowerPoint presentations were created and individual transcripts were made. Open points were addressed at the next meeting.
 
4.13. XXXX products were not discussed as part of the GDPR preparation. According to the head of the legal department, the aim was to provide general information to the board of directors about the GDPR with the mandate that the respective organizational units deal with it and report any necessary changes. Framework conditions were specified such as: the directory of processing activities and regular jour fixes for data protection managers. Regarding the XXXX in relation to party affinities, the assessment was that there was no need to change. A need for change would have been reported to the board; this, for example, if a change would have had an expected impact on sales or there would have been a need for investment.
 
[...]
 
III. Legally it follows from this:
 
[...]
 
2.17. [...] Specifically, the subjectively reproachable behavior of the accused consists in the fact that there is no legally detailed and well-founded discussion of any legal risks in connection with the product range of this business area in general and the selection criterion of the alleged party affinities in particular and the strict ones made available to political groups for a fee Requirements of the GDPR - more precisely their understanding of the term, the processing principles in Art. 5 and the processing prohibition in Art. 9 (1) - with the aim of bringing all processing operations in line with data protection requirements.
 
In the course of the investigation, neither the data protection officer nor the head of the legal department (an authorized signatory of the company), the head of the "XXXX" division or the head of the department for product and quality management within this division (she is the long-standing commercial manager for the trade of § 151 GewO), written evidence can be provided from which an appropriate legal analysis of this business area could be derived - corresponding to the size of the company and the enormous number of data records processed, and considering the large number of potentially affected persons would.
 
For example, no (albeit internal) legal opinion or a legal problem outline could be submitted that dealt with the legal opinion represented by the accused.
 
[...]
 
However, this expresses the subjectively reproachable behavior on the part of the accused and with regard to lawful alternative behavior the following would have been indicated:
 
- The data protection officer should have subjected the product range of the party affinities - but also the other product offerings of the business areas in question in connection with direct marketing - to a detailed examination and based on the considerations of the project "Fit for the GDPR" as a basis, if necessary with the consultation of an independent external data protection expert ;
 
- In the absence of such a check, the head of the legal department and the head of the "XXXX" division should have carried out or initiated such an examination;
 
- Ultimately, the board of directors should have initiated such a review with the aim of ensuring that all the business areas of XXXX in question were in compliance with data protection law.
 
The omission of all of this is to be regarded as grossly negligent behavior with regard to the scope of the data processing, the number of people affected and the resulting dangers for their legally protected legal positions.
 
2.18. In summary, it would have been reasonable for the accused - if only because of their size, their market position, the available knowledge and the available human capacities - to deal substantially with the legal question of the data protection qualifications of the party affinities they market and, as a result, the product range of the “Address Publishing and Direct Marketing” division with the legal requirements of the GDPR. The accused can be reproached for the simple assumption that there is no data protection problem or the failure to recognize one. [...]
 
3. Regarding ruling point II.a):
 
[...]
 
3.12. Regarding the subjective factual side, reference can be made to the relevant justification for point I. In summary, it would be the under point I.4. In any case, it was reasonable for the accused persons to be responsible for dealing with the legal question of the data protection admissibility of the (further) processing operations carried out by them and, as a result, the product range of the "Address Publishing and Direct Marketing" division in accordance with the legal requirements of the GDPR bring to.
 
[...]
 
6. Re point IV: [...]
 
6.2. In the data protection impact assessment, the accused denies the processing of special categories of personal data, in particular the potential political opinion, even though “party affinity” is mentioned in Appendix 2D. Consequently, this date was not included in the assessment.
 
6.3. Because the accused comes to the conclusion in the data protection impact assessment that no special categories of personal data within the meaning of Art. 9 GDPR are processed and that the risk assessment within the meaning of Art. c GDPR was carried out incorrectly, the data protection impact assessment "XXXX target group addresses" is incorrect. The accused thereby has the objective factual side of the sanction norm of Art. 83 Para. 4 lit. a GDPR fulfilled.
 
6.4. The accused can also be subjectively reproached for this violation: it would be the duty of the data protection officer and the others in point I.4. Those responsible have been to make a correct data protection assessment of the data quality in relation to party affinity and to incorporate it into the risk assessment according to Art. 35 (7) GDPR and to draw the necessary conclusions from this. With regard to the degree of fault, it is assumed in this context that the behavior is simply negligent, as the behavior in this regard is a consequence of the general misjudgment of party affinities, according to which these are not to be assigned to the special types of data listed in Art 9 (1) GDPR.
 
7. Regarding the ruling points V. and VI .:
 
[...]
 
7.6. Due to the inadequate keeping of the list of processing activities, the accused was informed about the objective facts of the sanction norm of Art. 83 (4) lit. a GDPR fulfilled.
 
7.7. The accused can also be subjectively reproached for this behavior, since the persons responsible should have ensured compliance with the requirements of a faultless and complete list of processing activities. With regard to point V. grossly negligent behavior is assumed. Failure to list the categories of personal data in sufficient detail is regarded as simply negligent behavior.
 
8. Regarding the imputability of the violations to the accused:
 
[...]
 
8.6. For the present situation, this means the following: The alleged violations are in any case attributable to the accused. They were committed by natural persons who were authorized to act on behalf of the legal person and consequently could act on their behalf. Nor can it be said that those responsible for the accused knew nothing about it; this results from the investigations carried out comprehensively for this purpose and the resulting from point I.4. stated findings. Accordingly, both the board of directors, the authorized signatories and all other executives up to the data protection officer were fully aware of all data processing operations, and they were also involved in the work project specifically carried out for this purpose in preparation for the coming into force of the GDPR.Ultimately, it would be within the competence of the board of directors to ensure that business operations are compatible with the applicable data protection law.
 
8.7. In the period of the offense, the acting natural persons belonged to the economic unit formed by the accused. The accused never denied this in the proceedings before the data protection authority.
 
8.8. As a result, there is a sufficient connection between the acting natural persons and the legal person, which allows the illegal and culpable behavior to be attributed to them.
 
8.9. A specific designation of the natural persons who acted culpably within the accused or who should have been made responsible for the possibly incorrect organization of the accused is not necessary in order to impose a fine on a legal person. [...] "
 
1.5. Further explanations on the actions of natural persons can not be found in the criminal judgment.
 
2. The findings result from the following assessment of evidence:
 
The findings are based on the harmless administrative act.
 
3. Legally it follows from this:
 
3.1. The admissible complaint is justified.
 
3.2. The complainant argues against the conviction that it is not sufficient to impose a fine under the GDPR on a legal person, such as the person concerned, to fulfill a criminal offense; as a legal person who cannot act itself, the actions of a natural person can also be attributed. The authority in question had omitted this attribution, which must be carried out in accordance with Section 30 of the DSG. With this argument, the complainant is in the right:
 
3.3. According to Section 30 (1) GDPR, the authority concerned can impose fines on legal persons, among other things, if violations of provisions of the GDPR have been committed by persons who have acted either alone or as part of a body of the legal person and have a management position within the legal person due to the Have the authority to represent the legal person, the authority to make decisions on behalf of the legal person, or have a power of control within the legal person.
 
Legal persons can also be held responsible in accordance with Section 30 (2) GDPR for violations of provisions of the GDPR and Section 1 or Article 2, main part, if there is a lack of supervision or control by a person named in Section 1, the commission of these violations by a for the legal person, provided that the act does not constitute a criminal offense falling under the jurisdiction of the courts.
 
3.4. For the imposition of a fine according to the GDPR on a legal person, the findings necessary to assess a factual, illegal and culpable behavior, which also meet any additional requirements of criminal liability, must be made in the criminal judgment and in the verdict all necessary elements for a punishment of the natural Person (§ 44a VStG), with the addition that the behavior of the natural person is attributed to the legal person. (VwGH 05/12/2020, Ro 2019/04/0229 with reference to VwGH 03/29/2019, Ro 2018/02/0023)
 
3.5. Applied to the specific situation, this means:
 
3.6. In the verdict of the judgment, the authority concerned did not name the natural person whose violation of the GDPR is to be attributed to the complainant. The penalty decision therefore proves to be illegal.
 
3.7. The administrative court is not allowed to cure this deficiency. Although the administrative court is authorized and obliged to correct an incorrect verdict and, if necessary, to make any missing determinations, it is not allowed to exchange the alleged act.
 
An inadmissible exchange of the accusation represents an extension of the accusation made by the administrative court in the complaints procedure or the use of facts other than the original basis of the punishment § 50 VwGVG does not exist. If the allegation is directed against the complainant as a legal person, then - due to the dependency of the legal person's criminal liability on the violation of the natural person attributable to it - the accusation against the natural person to be named therein is also included. (for the whole see VwGH 12.05.2020 Ro 2019/04/0229)
 
3.8. The authority concerned did not name a natural person, neither in the administrative evidence procedure nor in the verdict, whose behavior should have been attributed to the complainant. Also in the justification of the penal decision, which could be used to interpret the verdict, no factual, illegal or culpable behavior of a natural person is set out, which should be attributed to the legal person. It is true that the authority concerned establishes various responsibilities; However, there are no determinations as to who ultimately made the decisionto carry out the data processing recognized as unlawful or to create the data protection impact assessment and the list of processing activities in the manner recognized as unlawful or which lack of monitoring or control should have made the unlawfulness possible.
 
3.9. Thus, in the administrative criminal proceedings against the legal person, the specification of the natural person for whose behavior the legal person is held responsible would only constitute an inadmissible change in the allegation and the matter of the proceedings within the meaning of Section 50 VwGVG in the complaint procedure.
 
3.10. Since the lack of concrete definition of the allegation represents a procedural obstacle to a review by the Federal Administrative Court (see Honeder / Praschl-Bischler, case and factual decision in the case of an imprecise verdict in administrative criminal proceedings, ZVG 2016, 294), the criminal proceedings in question had to be discontinued.
 
3.11 The suggestion made by the authority concerned to submit the question to the ECJ for a preliminary ruling as to whether a natural person had to be shown to have acted as constitutive, illegal and culpable in order to impose a fine according to the GDPR was not to be complied with. The cited decisions of the French Conseil d'État and the Bonn Regional Court do not show any inconsistent application of European law in the individual member states:
 
According to Art 83 (8) GDPR, the procedural regulations of the member states must also be observed when imposing fines.
 
The requirement for the imposition of a fine on a legal person to specifically name a natural person whose behavior is to be attributed to the legal person is based on such a procedural provision, namely § 44a Z 1 VStG.
 
According to § 44a Z 1 VStG, it is legally necessary to describe the act with regard to the perpetrator and the circumstances so precisely that the assignment of the behavior to the administrative regulation that was violated by the act is made possible with regard to all elements of the offense (VwGH 13.12. 2019 Ra 2019/02/0184). Since legal persons cannot act themselves, their criminal liability is a consequence of the actions of a natural person. If a certain group of natural persons comes into question, whose behavior could justify the criminal liability of the legal person, according to the case law of the Administrative Court with regard to § 44a Z 1 VStG it is not sufficient to determine that any person from this group has committed the act - for example Any manager - the person acting must be specifically identified (see Section 99d BWG VwGH 29.03.2019 Ro 2018/02/0023 and to § 30 DSG VwGH 12.05.2020 Ro 2019/04/0229).
 
Before proceedings before the ECJ, against the background of the decision of the Bonn Regional Court - in the event of its confirmation by the highest court - it could be questionable whether a substantive provision such as § 30 DSG, which attributes the behavior of natural persons to the legal person to be punished, is in accordance with Art.83 GDPR, which is directly applicable in the member states.
 
But even if § 30 DSG were not applicable, the position of the authority concerned would not be of any help. In this case - in the present case - the attribution of the behavior of natural persons to the legal person would depend on whether through the actions of one or more natural persons, the legal person as the person responsible within the meaning of Art 4 (7) GDPR or, if necessary, as a processor within the meaning of Art 4 (8) GDPR to qualify or not.
 
Since, however, according to the case law of the VwGH according to § 44a Z 1 VStG, it is necessary to precisely determine the natural person whose behavior is to be attributed to the legal person and a reference to a potential group of possible natural persons would not be sufficient even then, if all persons from the group were active for the legal person, it would also be necessary in the case of the inapplicability of § 30 DSG due to the national procedural law of Art 44a Z 1 VStG, which is permissible under European law in accordance with Art 83 (8) GDPR To specifically name the acting persons.
 
Any different conditions under which fines can be imposed on legal persons in the individual member states are therefore due to the European law admissibility of different procedural rights. The judgments of other member states cited by the authority in question, which are supposedly in contradiction to the relevant decision of the Administrative Court of May 12, 2020, Ro 2019/04/0229, could therefore not show any contradicting application of the GDPR in the individual member states ECJ would have to be clarified.
 
3.12. It was therefore to be decided according to the ruling.


Article 11
3.13. A negotiation could be dispensed with in accordance with Section 44 (2) VwGVG.
processing operations for which identification of the data subject is not necessary


Where the purposes for which a controller processes personal data do not or no longer require the identification of the data subject by the controller, the controller shall not be obliged to keep, obtain or process additional information to identify the data subject for the sole purpose of complying with this Regulation.
Regarding point B) inadmissibility of the revision:
2. In cases referred to in paragraph 1 of this Article, where the responsible person can demonstrate that he is not able to identify the data subject, he shall inform the data subject thereof, where possible. In such cases, Articles 15 to 20 shall not apply unless the data subject provides, for the purpose of exercising his or her rights under those Articles, additional information enabling the data subject to be identified.


Article 12
Pursuant to Section 25a (1) VwGG, the administrative court has to pronounce in the verdict of its decision or decision whether the revision is permissible according to Article 133 (4) B-VG. This statement must be justified briefly.
transparent information, communication and procedures for exercising the rights of the data subject


1. The controller shall take appropriate measures to provide the data subject with all the information referred to in Articles 13 and 14 and with all the notifications referred to in Articles 15 to 22 and Article 34 relating to the processing in a precise, transparent, comprehensible and easily accessible form, in clear and simple language, in particular information specifically aimed at children. The information shall be provided in writing or in any other form, including, where appropriate, by electronic means. If requested by the data subject, the information may be given orally, provided that the identity of the data subject has been established in some other form.
The revision is inadmissible because there were no legal issues to be resolved which are of fundamental importance within the meaning of Art. On the question of whether it is necessary for the imposition of a fine under Art 83 GDPR on a legal person to demonstrate an offense, illegal and culpable behavior of a natural person attributable to it and to include it in the verdict of the penal decision, and under what conditions such a deficiency in administrative court proceedings can be cured, there is the cited case law of the Administrative Court.
2. The controller shall facilitate the exercise of the rights of the data subject pursuant to Articles 15 to 22. In the cases referred to in Article 11(2), the controller may refuse to act on the data subject's request to exercise his rights pursuant to Articles 15 to 22 only if he establishes that he is unable to identify the data subject.
(3) - (5) (…)
6. Without prejudice to Article 11, where the responsible person has reasonable doubts as to the identity of the natural person making the request in accordance with Articles 15 to 21, he may request any additional information necessary to confirm the identity of the data subject.
(7) (…).


Article 15
Right of access of the data subject


1.    The data subject shall have the right to obtain confirmation from the controller as to whether personal data relating to him or her are being processed; if this is the case, he or she shall have the right to be informed of such personal data and to receive the following information:
(a) the processing purposes;
(b) the categories of personal data processed
(c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular in the case of recipients in third countries or international organisations;
(d) if possible, the planned duration for which the personal data will be stored or, if this is not possible, the criteria for determining that duration;
(e) the existence of a right to rectify or erase personal data concerning him or her or to have it processed by the controller, or a right to object to such processing;
(f) the existence of a right of appeal to a supervisory authority;
(g) if the personal data are not collected from the data subject, all available information on the origin of the data;
(h) the existence of automated decision making, including profiling, as referred to in Article 22(1) and (4) and, at least in those cases, relevant information about the logic involved and the scope and intended impact of such processing on the data subject
(2) (…)
3. The controller shall provide a copy of the personal data being processed. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. If the data subject submits the request electronically, the information must be provided in a standard electronic format, unless the data subject indicates otherwise.
(4) (…).
3.3.2 Responsibility
In accordance with the subject matter of these administrative proceedings established in the facts above, the administrative proceedings relate to a period of time between the receipt of the request for information on 30.10.2015 and the repeated reply letter of 24.02.2016. The contracting authority (now the responsible party) was Google Inc. as the respondent before the data protection authority during this period.
In the meantime, Google has undergone an organisational or corporate change. Since 22.01.2019, Google Ireland Limited has been the data controller for users who are habitually resident in the European Economic Area or Switzerland, according to the current Google data protection declaration.
In the hearing before the Federal Administrative Court (see p. 3 and p. 10 below of the minutes of the hearing), the data protection authority took the view that - due to the organisational or corporate change within Google - Google Inc. (now Google LLC), but Google Ireland Limited was competent to provide the information in question to XXXX. In several written submissions to the Federal Administrative Court (as well as to the data protection authority, see annex to the minutes of the hearing), the complainant also argued in a similar direction, but not with the same clarity as the data protection authority.
The liability of a person is inseparably linked to the act itself, which at best constitutes a data protection violation. This is because, according to the administrative criminal proceedings under the DSGVO, (administrative) criminal prosecution can only take place if a crime can be attributed to a natural person as the perpetrator - even in the case of a legal entity, as the Administrative Court explained in detail in its ruling of 12 May 2020, Ro 2019/04/0229. Consequently, the question of liability also relates exclusively to the period (here: receipt of the request for information from 30.10.2015 to 24.02.2016) in which the act of a possible data protection violation was committed.
With this interpretation, the Senate follows the remarks of the Administrative Court in the said ruling.
Any other interpretation - including the above-mentioned interpretation by the data protection authority - would lead to the absurd result that a legal person as the responsible party (perpetrator) could evade its responsibility for the act of a data protection violation (in administrative criminal proceedings its criminal prosecution) by subsequently changing its organisational or corporate structure.
In accordance with the rules of civil law applicable in the event of a transfer of undertakings, Google LLC, as successor in title to Google Inc.
In this context, it should not be left unmentioned that, for example, the European Court of Justice also ruled in a preliminary ruling procedure under Art. 267 TFEU that "Google LLC" was the "legal successor of Google Inc." (see ECJ of 24 September 2019 in Case C-507/17).
Although it is not covered by the subject matter of the complaint procedure, it should be mentioned for the sake of completeness that (administrative) criminal prosecution is excluded for acts of data protection infringement committed before the DSGVO entered into force on 25 May 2018. Until the entry into force of the DSGVO and its (direct applicability) and the DSG, legal persons were not subject to direct criminal liability and sanctions for violations of the DSG 2000 by natural persons attributable to them, as the Administrative Court expressly stated in the aforementioned ruling of 12 May 2020, margin no. 12.
For these reasons, the complainant, as a legal person, is a controller as defined in Article 4 (7) DSGVO, because it alone had to decide (during the period of the offence) on the purposes and means of processing personal data (of the XXXX ).
3.3.3 Right of access
According to Art. 15 para. 1 DPA, the data subject ( XXXX ) has the right to obtain confirmation from the controller as to whether personal data relating to him/her are being processed; if this is the case, he/she has the right to be informed of this personal data and to receive information in accordance with letters a) to h).
3.3.3.1 Identifiability in advance of the reply
According to the definition in Art. 4 No. 1 DPA, personal data is any information relating to an identified or identifiable natural person (hereinafter referred to as "data subject"). An identifiable natural person is deemed to be any natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
According to Ehmann/Selmayr (Ed., Datenschutz-Grundverordnung, 2nd edition, 2018, Art. 4 margin no. 16), this definition is to be understood in a meaningful way analogous to Art. 2 c and Art. 9 of Directive 202/58/EC, i.e. as a sequence of determinations of the geographical location and time of a device or person. Such a sequence of coordinates is already unambiguous at relatively high resolution and can thus serve to identify an individual. In addition to such dynamic location data, more static information, such as residential or office addresses, or other geographical information could also help to identify the person concerned.
It is clear from recital (64) that the data controller should use all reasonable means to verify the identity of a data subject seeking information, in particular in the context of on-line services and in the case of on-line identifiers.
On the question of identifiability, reference should also be made to the case law of the Administrative Court, according to which the identity of a data subject may also be clear from the situation. This can be the case, for example, if the contracting authority (note: now responsible) - without doubting the identity of the person concerned - has already agreed to a longer correspondence with the person concerned after an immediately preceding legal dispute (VwGH v. 04.07.2016, Ra 2016/04/0014; see also BVwG v. 27.05.2020, Zl. W214 2228346-1/16E).
In the light of the above, it has already been established above that, in the run-up to reply XXXX, the complainant was identifiable as a data subject for the complainant on the basis of the existing identity references and previous correspondence in 2014, possibly in combination with an appropriate location of the data subject's computer.
3.3.3.2 Reference to inspection of the online tools versus written form regarding personal data within the user account
As already stated above, the complainant XXXX referred, in a first step, to the access to the online tools provided by her to the user account.
The reference to the access to the online tools of the user account has already been assessed as legal by the data protection authority in the notification with regard to the personal data accessible there.
In its statement of 3 January 2020, XXXX, as a co-involved party, argued that even after the DSGVO was in force, there was a right to written information (cf. Article 15 (3) DSGVO). Only if the party requesting the information submitted requests for information electronically would information have to be provided in a standard electronic format. Even in this case, however, information seekers can demand that information be provided in writing. Referring to online tools would contradict the wording of the DSGVO in the absence of an electronic application.
It is true that this opinion is held in the literature, including Ehmann (in Ehmann/Selmayr, Hrsg, Datenschutz-Grundverordnung, 2nd edition, 2018, Art. 15 Rz 32) to which XXXX also referred. From the point of view of the recognising senate, however, this must be countered in several respects:
First of all, the requirement of electronic attachment as defined in Art. 15 (3) DSGVO (argument: "If the person concerned submits the application electronically, ...") can only apply to those attachments that were or will be made after the DSGVO came into force on 25 May 2018, which is not the case here because the request for information was submitted on 30 October 2015.
A recital in recital (59) explicitly states that the responsible person should also ensure that applications can be made electronically, in particular where personal data are processed electronically. This implies, according to one interpretation of the text, that applications may, but need not, be made electronically.
When writing the passages in margin no. 32 ("Indirectly, it follows that copies must also be made available in the case of an 'application on paper'"), Ehmann as author obviously had (older) persons in mind who have no computer access at all. In the last sentence of Rz 32 - also quoted by XXXX - Ehmann writes that the exercise of the right of access only makes sense for the person concerned if he receives the copies in a form "which enables him to read and evaluate the copies on the basis of his technical and other possibilities".
XXXX is computer savvy and has computer equipment at home; he also did not dispute in the hearing that, due to his computer equipment, he basically has the possibility to have access to the online tools of his user account.
In this context, it should also be noted that recital (63) explicitly mentions Where possible, the data controller should be able to provide remote access to a secure system which would give the data subject direct access to his personal data.
It follows from these considerations in the present case that XXXX, as the holder of a user account with the complainant, had the opportunity to inspect the online tools, and in this respect he is not entitled to receive, in addition to this type of information, additional information in written form about the personal data within his user account. Therefore XXXX must be referred to the inspection of the online tools with regard to these personal data.
3.3.3.3 Request for clarification and impossibility of further identification regarding other data inside and outside the user account
The right of access in itself does not take absolute precedence over the rights and freedoms of other persons, but respect for the rights and freedoms of others must not lead to a data subject being denied any information. In other words, it is a practical concordance between the fundamental rights of a data subject and the fundamental rights of the person responsible or of third parties whose legal positions are affected (cf. Ehmann in Ehmann/Selmayr, ed., Datenschutz-Grundverordnung, 2nd edition 2018, Art. 15 Rz 10 and 36).
Art. 15 DSGVO itself does not contain any statement as to whether and in what way a data subject must contribute to facilitating the fulfilment of the duty of disclosure by providing the responsible party with information of his own. From this it can be concluded that, from the point of departure, it is solely the responsibility of the data controller how he or she fulfils the legal requirements for information. In any case, a general duty of cooperation of a data subject does not arise from this provision. In order to establish a practical concordance in the above sense, the overall situation of a responsible person must be taken into account, even if there is in principle no obligation of a data subject to cooperate.
The international company Google LLC (the complainant) processes an exorbitantly large amount of data on data subjects because there is hardly a larger data processor than it exists on the world market. In view of the overall situation of the complainant as the person responsible for such a large amount of data, the following recital (63) in the last sentence applies here:
Where the controller processes a large amount of information relating to the data subject, he should be able to require the data subject to specify to which information or which processing operations his request for information relates before providing him with it.
Referring to this recital, Ehmann states that only in this case can a responsible person demand a specification of a request for information (Ehmann in Ehmann/Selmayr, ed., Datenschutz-Grundverordnung, 2nd edition, 2018, Art. 15 Rz 24). This did not restrict the right to information, but was merely intended to avoid the person responsible having to make unnecessary efforts.
Feiler/Fórgo also refer to the last sentence in recital (63) and even say at this point that the data subject is under an obligation to clarify this (Feiler/Fórgo, EU Data Protection Basic Regulation, 2017, Art. 15 margin no. 1).
During the hearing, the complainant made it clear that some of the information requested by XXXX, such as the automated individual decisions, could not be provided without further clarification by XXXX.
The reason for the request for clarification - namely the protection of other persons known as " XXXX " - was mentioned by the complainant several times during the ongoing procedure, even in the reply itself. As the person responsible for the processing of data, the complainant is obliged under Article 15 DSGVO to protect other persons whose legal positions may be affected by keeping their data confidential. Since the complainant is responsible for processing an exorbitantly large amount of data, she must protect all the more other persons with the same name.
When weighing up the interests, therefore, the requirement to keep data of other persons with the same name confidential - the complainant speaks of about 3,910,000 search hits at www.google.at as of 10 December 2019 - is much more important than the individual right of the XXXX to be informed of all the requested information about his data.
For the purposes of further clarification, the complainant has requested (in a second step) that, in order to authenticate his identity in the wake of XXXX - in accordance with the requirements of Article 12 paragraph 6 DSGVO - he should log on to his user account in order to access the corresponding web form and fill in this form with further information on information still required.
However, XXXX did not comply with this request for or obligation to specify this, as has already been said several times.
For the data in question, account should also be taken of the last sentence in recital 57, which states that "identification should include the digital identification of a data subject, for example by means of authentication procedures using roughly the same credentials as those used by the data subject to register for the on-line service provided by the data controller".
It is precisely through such an authentication procedure that the complainant has asked XXXX for further clarification. However, since the latter had not complied with this request, it was not possible to establish a personal link between the complainant's data and him for further information.
Subsequently, the complainant, as the person responsible pursuant to Art. 12 Para. 2 DSGVO, demonstrated that she was not in a position to (further) identify XXXX with regard to all other data of XXXX that cannot be viewed via the online tools.
Therefore, pursuant to Art. 11 para. 2 last sentence in conjunction with Art. 12 para. 2 DSGVO, Art. 15 DSGVO does not apply to the relevant data of XXXX. Under these circumstances, the complainant was not obliged to provide XXXX with information on these data.
3.3.4 It follows from all of the above that XXXX has received from the complainant part of the information requested, namely his personal data within the user account by enabling access to the online tools made available, and has refused to provide further information in the absence of any other means of identification by XXXX.
Since the contested parts of the above-mentioned decision are unlawful on these grounds within the meaning of Article 130(1)(1) of the Federal Constitution, the appeal lodged against them was unlawful under Paragraph 28(2) of the VwGVG in conjunction with Paragraph 24(1) and (1) and (2) of the B-VG. 5 DSG as amended, with the provisos that part 1. of the ruling concerning the data protection complaint of 1 February 2016 was dismissed as unfounded to the extent challenged and part 2. was therefore to be set aside without substitution.
3.4 B) Admissibility of the appeal:
Pursuant to § 25a (1) VwGG, the Administrative Court must state in its ruling or order whether the appeal is admissible under Article 133 (4) B-VG. The statement must briefly state the reasons for the ruling.
The appeal is admissible under Art. 133 (4) B-VG, because the decision depends on the solution of a legal question of fundamental importance. The largely missing case law of the Administrative Court on the legal situation under the DSG and the DSGVO (here: Articles 11 and 15), which has been in force since 25 May 2018, is of great significance in this context.
European Case Law Identifier
ECLI:AT:BVWG:2020:W101.2132183.1.00


Catchwords
Elimination of the decision Data protection Data protection officer Data protection authority Data protection procedure Data processing Data transfer Direct advertising Management function Fines Legal person Specification Control Cost bearing natural person Affinity for parties Personal data Political party illegality Criminal proceedings - setting of allegations of proceedings Termination of power of representation Administrative criminal proceedings Imputability
European Case Law Identifier (ECLI)
ECLI: AT: BVWG: 2020: W258.2227269.1.00
In RIS since
02.12.2020
Last updated on
02.12.2020
Document number
BVWGT_20201126_W258_2227269_1_00
</pre>
</pre>

Latest revision as of 09:41, 10 September 2021

BVwG - W258 2227269-1/14E
Courts logo1.png
Court: BVwG (Austria)
Jurisdiction: Austria
Relevant Law: Article 4(7) GDPR
Article 4(8) GDPR
Article 5(1)(a) GDPR
Article 5(1)(b) GDPR
Article 6(1) GDPR
Article 6(4) GDPR
Article 9 GDPR
Article 30 GDPR
Article 35 GDPR
Article 83(4)(a) GDPR
Article 83(5)(a) GDPR
Article 83(8) GDPR
Article 133(4) Federal Constitution (Bundes-Verfassungsgesetz - B-VG)
§ 1 Austrian Data Protection Act (Datenschutzgesetz - DSG)
§ 30 Austrian Data Protection (Datenschutzgesetz - DSG)
§ 44a Austrian Adminstrative Penal Act (Verwaltungsstrafgesetz - VStG)
§ 45(1) Austrian Adminstrative Penal Act (Verwaltungsstrafgesetz - VStG)
Decided: 26.11.2020
Published: 02.12.2020
Parties: Austrian Postal Service (fined controller)
National Case Number/Name: W258 2227269-1/14E
European Case Law Identifier: ECLI:AT:BVWG:2020:W258.2227269.1.00
Appeal from: DSB (Austria)
DSB-D550.148/0017-DSB/2019 (not published)
Appeal to: Unknown
Original Language(s): German
Original Source: Rechtsinformationssystem des Bundes (RIS) (in German)
Initial Contributor: Marco Blocher

The Austrian Federal Administrative Court (BVwG) overturned the 18 million Euro fine imposed on the Austrian Postal Service: the Austrian DPA had failed to establish that the natural persons acting on behalf of the Austrian Postal Service had engaged in culpable conduct.

English Summary

Facts

The facts and cirumstances that lead to the fine can be read in the summary of BVwG - W258 2217446-1, another decision of the Austrian Federal Administrative Court (Bundesverwaltungsgericht - BVwG) dealing with different legal issues of the same case.

Based on the unlawful processing of data on the "affinity for a political party", the DSB imposed a 18 Mio Euro fine on the Austrian Postal Service. In detail, the DSB held the Austrian Postal Service responsible for violating

  • Article 5(1) GDPR
  • Article 6 (1) GDPR
  • Article 6(4) GDPR
  • Article 9 GDPR
  • Article 14 GDPR
  • Article 30 GDPR
  • Article 35 GDPR and
  • Article 36 GDPR.

The fine was issued directly against the Austrian Postal Service as controller under Article 4(7) GDPR without establishing culpable conduct of natural persons acting on behalf of the Austrian Postal Service. Based on this omission, the Austrian Postal service appealed against the fine.

Dispute

Can the DSB impose a fine under Article 83 GDPR directly on a legal person, without having to investigate and establish culpable conduct of natural persons acting on behalf of the legal person?

Are the national rules of administrative penal law of any relevance to this question or is it to be answered solely under the rules of the GDPR?

Holding

The BVwG held that the provisions of the Austrian Administrative Penal Act (Verwaltungsstrafgesetz - VStG) and the Austrian Data Protection Act (Datenschutzgesetz - DSG) apply on fines imposed by the DSB under Article 83 GDPR: Pursuant to Article 83(8) GDPR, the exercise by the supervisory authority of its powers under Article 83 GDPR shall be subject to appropriate procedural safeguards in accordance with Union and Member State law, including effective judicial remedy and due process. In light of this provision, the BVwG held, that national procedural rules are in fact to be applied when imposing a fine for a GDPR violation.

According to the BVwG, the DSB had violated § 44a and § 45 VStG and § 30 DSG by not establishing culpable conduct of natural persons acting on behalf of the Austrian Postal Service. In order to impose a fine on the Austrian Postal Service, the DSB would have had to establish that natural persons who have

  • the authority to represent the Austrian Postal Service,
  • the power to take decisions on behalf of the Austrian Postal Service, or
  • the authority to exercise control within the Austrian Postal Service

violated the GDPR. Therefore the fine was overturned.

Comment

It must be noted that the fine was only overturned due formal mistakes by the DSB. In the desision BVwG - W258 2217446-1 the BVWG considered the processing of the data on the"affinity for a political party" by the Austrian Postal Service unlawful.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

IN THE NAME OF THE REPUBLIC!

The Federal Administrative Court appointed the judge Mag. Gerold PAWELKA-SCHMIDT as chairman and the expert lay judges Dr. Gerd TRÖTZMÜLLER and Gerhard RAUB as assessors about the complaint of XXXX, represented by Schönherr Rechtsanwälte GmbH, 1010 Vienna, against the criminal judgment of the data protection authority of 23.10.2019, GZ DSB-D550.148 / 0017-DSB / 2019, rightly in a closed session recognized:

A)

I. The complaint will be followed, the contested conviction will be corrected and the proceedings will be discontinued according to § 45 Abs 1 Z 3 VStG.

II. According to Section 52 (8) VwGVG, the complainant does not have to bear any costs.

B)

The revision is not permitted in accordance with Art. 133 Paragraph 4 B-VG.





text

Reasons for the decision:

I. Procedure:

1. On the basis of media reports on the alleged sale of personal data, in particular information about the "political affinity" of certain people, the authority in question initiated an official investigation procedure against the complainant on January 8, 2019, which with the decision of February 11, 2019 on the GZ DSB-D213.747 / 0002-DSB / 2019 has ended.

2. On the basis of the investigation results of the official investigation procedure, the authority concerned initiated administrative criminal proceedings against the complainant and, with a request for justification on February 20, 2019, charged her with the following administrative violations: The complainant is suspected

1. to have unlawfully processed special categories of personal data in accordance with Art. 9 GDPR (“party affinities”) in the course of exercising the trade “address publishers and direct marketing companies” by not obtaining the consent of the data subjects and otherwise not relying on any of the data processing in Art 9 DSGVO conclusively listed facts can be supported,

2. personal data such as

- Affinity for donations

- bioaffinity

- partnership

- annual income

- type of acquisition

- qualification

- Consumption-oriented basis

- Night owls

- Package frequency (number of packages in a certain period of time)

- Affinity for moving

- Investment affinity

- phase of life

to have unlawfully processed "address publishers and direct marketing companies" (storage and sale to third parties) in the course of exercising the trade, by not having obtained the consent of the data subjects and otherwise not based the data processing on any of the legality facts listed in Art 6 (1) GDPR could be

3. To have violated their obligation to carry out a data protection impact assessment regarding the application "XXXX target group addresses" (note: XXXX stands for XXXX) by failing to carry out the data protection impact assessment within the period, contrary to the time specified in the data protection impact assessment March to June 2018, but at a later date, but in any case after May 25, 2018,

4. To have created the data protection impact assessment for the application "XXXX - target group addresses" incorrectly because it denies the processing of special categories of personal data, although according to Annex 2D the "party affinity" is calculated, and as a result the existence of a high risk therefore I will in any case deny

5. To have created the directory for processing activity "XXXX - target group addresses" incorrectly because it contained

- a. processing of particularly sensitive data, including political opinion, as well as

- b. extensive processing of sensitive data

will be denied

6. To have created the directory for processing activity "XXXX - target group addresses" inadequately because it did not list all of the data categories actually processed,

7. to have failed to carry out a consultation in accordance with Art 36 GDPR and

8. Not having fulfilled their obligations under Art 14 GDPR by not informing the data subject to the extent necessary about which data not collected directly from the data subject, by whom and in what manner and then transmitted to third parties - e.g. sold or on made available in another way -

so administrative offenses according to

To 1): Art 5 Paragraph 1, Art 9 in conjunction with Art 83 Paragraph 5 lit a GDPR

To 2): Art 5 para 1, Art 6 para 1 in conjunction with Art 83 para 5 lit a GDPR

Re 3) + 4): Art 35 in conjunction with Art 83 Para 4 lit a GDPR

Re 5 + 6): Art 30 in conjunction with Art 83 Para 4 lit a GDPR

To 7): Art 36 in conjunction with Art 83 Para 4 lit a GDPR

Re 8): Art 14 in conjunction with Art 83 Para 5 lit b GDPR

to have committed.

4. After carrying out evidence proceedings and an oral hearing on September 23, 2019, the authority in question pronounced a penalty on October 23, 2019,

The accused had been responsible as the person responsible within the meaning of Art 4 Z 7 of Regulation (EU) 2016/679 on the protection of natural persons in the processing of personal data, on the free movement of data and on the repeal of Directive 95/46 / EC (General Data Protection Regulation, hereinafter : GDPR), OJ. No. L 119 of 4.5.2016, S 1, responsible for the following:

to I .: from May 25, 2018 to February 21, 2019,

re II .: from May 25, 2018,

to IV .: from May 25, 2018,

to V .: from May 25, 2018 and

to VI .: from May 25th, 2018,

I. the unlawful processing of special categories of personal data within the meaning of Art 9 GDPR ("party affinities") within the scope of the business of "address publishers and direct marketing companies"; this by not obtaining the consent of the persons concerned and the data processing cannot otherwise be based on any of the facts conclusively listed in Art 9 GDPR;

II.

a) the unlawful further processing of personal data, namely the number of parcels received during a certain period of time (parcel frequency) and the frequency of relocations of persons concerned within the scope of the trade of "address publishers and direct marketing companies"; This is done by not obtaining the consent of the data subjects and the data processing cannot otherwise be based on any of the legality facts finally listed in Art 6 Para 1 GDPR and the data relating to the frequency of parcels and the frequency of relocation are changed to a purpose not covered by Art 6 Para 4 GDPR were;

IV. The inaccuracy of the data protection impact assessment for the application "XXXX - target group addresses", since in this the processing of special categories of personal data was denied, although the "party affinity" had been calculated and processed, and yet the result was a high risk in any case it was denied,

V. the flawedness of the directory for processing activity "XXXX - target group addresses", since according to this

a) processing of particularly sensitive data, including political opinion, as well as

b) extensive processing of sensitive data is denied and

VI. the inadequacy of the directory for processing activities “XXXX - target group addresses”, since it did not list all the data categories actually processed and so it was not drawn up in sufficient detail.

The breach of duty is attributed to the legal person "XXXX" because the natural persons responsible for the violations belong to the economic unit that is formed by the person responsible as a legal person.

As a result, the person responsible violated the following legal provision (s):

Re I .: Art. 5 Para. 1 lit. a, Art. 9 in conjunction with Art. 83 Para. 5 lit. a GDPR

Re II.a): Art. 5 Para. 1 lit. a and lit. b, Art. 6 Para. 1 and Para. 4 in conjunction with Art. 83 Para. 5 lit. a GDPR

On IV .: Art. 35 in conjunction with Art. 83 Para. 4 lit. a GDPR

Re V. and VI .: Art. 30 in conjunction with Art. 83 Para. 4 lit. a GDPR.

A fine of EUR 18,000,000.00 is therefore imposed on them in accordance with Article 83 (5) (a) GDPR and the reimbursement of procedural costs in the amount of EUR 1,800,000.00 is imposed.

On the other hand, the procedure with regard to the charge

II b) unlawful processing through the storage and sale of personal data of the categories

- Affinity for donations

- bioaffinity

- partnership

- annual income

- type of acquisition

- qualification

- Consumption-oriented basis

- Night owls

- investment affinity

- phase of life,

III. The accused had thereby violated her obligation to carry out a data protection impact assessment regarding the application "XXXX target group addresses" by not doing the data protection impact assessment in the period from March to June 2018, but at a later point in time, but in any case after May 25, 2018 , was carried out,

VII. According to which the accused (wrongly) failed to conduct a consultation in accordance with Art 36 GDPR,

VIII. According to which the accused has not fulfilled her obligations under Art. 14 GDPR by not informing the data subject to the extent necessary about which data not collected directly from the data subject, by whom and in what manner and then transmitted to third parties sold or otherwise made available -

each set in accordance with Section 45 Paragraph 1 Item 1 (1st case) VStG.

5. The complaint in question of November 25, 2019 is directed against this finding because of deficiencies in the assessment, incorrect legal assessment, unlawful measurement of fault and assessment of the amount of the penalty and requested, with more detailed reasons, to remedy the penal decision without replacement and to proceed with the procedure in accordance with Section 38 VwGVG in conjunction with Section 45 (1) VStG to discontinue the procedure according to § 38 VwGVG in conjunction with § 45 Paragraph 1 Z 4 VStG in conjunction with § 11 DSG with issuance of a warning or in conjunction with § 33a VStG through advice or in conjunction with § 45 Paragraph 1 Z 1 VStG with a warning to suspend the penalty to reduce a measure appropriate to the act and guilt. Among other things, for the imposition of a fine according to the GDPR on a legal person such as the person concerned, it is not sufficient to fulfill a criminal offense, it must be for you as a legal person,who cannot act themselves, the actions of a natural person can also be attributed. The authority concerned omitted this attribution, which must be carried out in accordance with § 30 DSG.

6. With the submission of files dated January 7th, 2020, received on April 16, 2020, the authority in question submitted the complaint to the Federal Administrative Court, including the administrative act, disputed the complaint and applied for the complaint to be dismissed with a detailed explanation. Among other things, the authority in question stated that since fines under the GDPR are an association responsibility model of its own, which would not reduce procedural guarantees required under fundamental law, there would be no room for an attribution rule such as Section 30 of the GDPR.

7. With the parties to be heard on July 17, 2020, the authority in question was held up to the decision of the Administrative Court of May 12, 2020, Ro 2019/04/0229, which had been made in the meantime, according to which it was necessary to impose a fine on a legal person under the GDPR to demonstrate factual, illegal and culpable behavior of a natural person, which is to be attributed to the legal person and such a defect cannot be remedied by the administrative court, if the natural persons for whose behavior the legal person is to be held responsible for the first time specifies in the complaint procedure would.

8. With statements of July 29th, 2020, August 13th, 2020 and November 12th, 2020, the authority in question submitted that the criminal conviction showed that the board or its members, i.e. representatives within the meaning of Section 9 VStG, had been informed about data protection processes and referred In this regard, to the findings under point 4.7 of the penal decision, according to which the project "Fitness for the GDPR" had been decided by the board, the board had been reported to the board on all data protection-relevant aspects by the relevant natural persons in a managerial function and on the board's part XXXX was responsible has been.

Furthermore, the authority in question submitted that there was no “acte claire” in the sense of the case law of the European Court of Justice because, in deviation from the decision of the Austrian Administrative Court, the Conseil d'État, the highest French administrative court, in its decision of June 19, 2020, N ° 430810, assuming that it is not necessary for the imposition of fines according to the GDPR on legal persons to name natural persons whose behavior can be attributed to the legal person. Due to the different opinions of two highest courts from different Member States, this question must therefore be interpreted by the ECJ. Furthermore, the authority concerned referred to a - orally announced but not yet executed - judgment of the Bonn Regional Court of 11.11.2020,GZ 29 OWi-430 Js-OWi 366 / 20-1 / 20 LG, in Section 30 of the Administrative Offenses Act - OWiG, a regulation comparable to Section 30 DSG, according to which, for the imposition of a fine on a legal person, the attribution of the actions of a natural person Person needs to be partially incompatible with the imposition of fines according to Art 83 GDPR and the authority does not have to specifically determine which employee has committed acts.

The authority in question therefore applied for the cited judgment of the Bonn Regional Court to be obtained, as well as to obtain a preliminary ruling from the ECJ in accordance with Art. 267 TFEU on the question of whether a decision imposing a fine under Art. 83 GDPR on a legal person is an infringement and culpable behavior of a natural person is to be shown, which should be attributed to the legal person.

9. Mit Stellungnahme vom 04.09.2020 replizierte die Beschwerdeführerin zusammengefasst ua, dass auch mit dem ergänzenden Vorbringen der belangten Behörde kein tatbestandsmäßiges, schuldhaftes und rechtswidriges Verhalten einer natürlichen Person dargetan werde, das ihr als juristische Person zugerechnet werden könne. Mit der Anregung auf Vorabentscheidung durch den EuGH verlange die belangte Behörde vom EuGH eine unzulässige Auslegung einer nationalen Rechtsnorm, § 30 DSG, und Überprüfung der Rechtsprechung des VwGH. Die Umsetzung der Sanktionsnorm des Art 83 DSGVO sei – unter Verweis auf die Rechtsprechung des VwGH und weiterer näherer Begründung – dem nationalen Recht überlassen, weshalb es zu Unterschieden zwischen einzelnen Mitgliedstaaten kommen könne. Auch das strafrechtliche Beschleunigungsgebot spreche gegen eine Vorlage an den EuGH.

Evidence was obtained through inspection of the administrative file and the decision of the Conseil d'État of June 19, 2020, N ° 430810.

II. The Federal Administrative Court has considered:

1. The following is certain:

1.1. The authority concerned has carried out administrative criminal proceedings against the complainant, a legal person set up in the legal form of a stock corporation, for AZ DSB-D550.148.

1.2. In this process were

 apart from the summons of witnesses, addressed letters from the authorities concerned to the complainant, for the attention of XXXX,

 only accused the complainant of the administrative violations and

 Ms. XXXX as representative of the accused questioned as accused and all other natural persons questioned as witnesses.

1.4. In the criminal decision of the authority concerned dated October 23, 2019, GZ DSB-D550.148 / 0017-DSB / 2019, the following is carried out insofar as this is relevant to the procedure:

"Accused: XXXX (FN XXXX)

The XXXX with its seat in XXXX, XXXX, has [...]

as the person responsible within the meaning of Art. 4 No. 7 of Regulation (EU) 2016/679 for the protection of natural persons in the processing of personal data, for the free movement of data and for the repeal of Directive 95/46 / EC (General Data Protection Regulation, hereinafter: GDPR ), OJ. No. L 119 of 4.5.2016, S 1, responsible for the following:

[...]

The breach of duty is attributed to the legal person "XXXX" because the natural persons responsible for the violations belong to the economic unit that is formed by the person responsible as a legal person.

[...]

Reason:

I. The following facts relevant to the decision are certain on the basis of the evidence procedure carried out: [...]

1.1. XXXX (hereinafter: XXXX) has been operating the business of address publishers and direct marketing companies since XXXX and sells personal data as part of the “XXXX” product that it receives from address dealers or that it has collected itself.

[...]

2.1. As of January 2016, a name allocation of so-called "XXXX" took place within the "Address Publishing and Direct Marketing" division. "

[...]

3.1. The XXXX transmits personal real data from the XXXX division, namely the XXXX division, to the “Address Publishing and Direct Marketing” division in order to assign the selection criterion of the XXXX to individual people by name and then market it.

[...]

4. Regarding the company's internal responsibilities:

4.1. On the part of the board, XXXX was responsible for the business area of ​​address publishing and direct marketing until XXXX, then XXXX. Below the executive board level, XXXX is responsible as the division manager of the XXXX division; it is the area in which all business activities related to addressed advertising take place. XXXX, around 800 employees of XXXX and departments that are employed in outsourced companies and group subsidiaries report. Including the head of the specialist department "XXXX" (short: XXXX, XXXX - internal term for the specialist area that deals with address and direct marketing), Mr. XXXX. The latter has held this position since XXXX, before that XXXX was in charge of this department until XXXX.The trade “address and direct marketing” within the meaning of § 151 GewO is located at XXXX in the “XXXX” department. This department belongs to the area of ​​"XXXX".

4.2. Within this area, Ms. XXXX is again the head of product and quality management; In the course of this, Ms. XXXX is also managing director for the trade of address publishers and direct marketing according to § 151 GewO. Her tasks include product development, process control and answering data protection queries from those affected. In addition, Ms. XXXX is responsible for coordinating with the data protection officer of XXXX. Ms. XXXX's position is referred to as the “data protection manager” within the corporate structure. Ms. XXXX is the company-wide data protection officer for XXXX. In addition, there are the aforementioned data protection managers in each business area.

4.3. Within the XXXX, preparatory measures for the coming into force of the GDPR began in 2017. This project intensified in autumn 2017 and an external, internationally operating consulting company was brought in. These preparatory measures were referred to by XXXX as the GDPR project "Fitness for the GDPR". From December 2017 so-called "steering committees" took place regularly:

4.4. The project client was the board of directors of XXXX (XXXX). The steering committee itself consisted of the following people:

- XXXX
XXXX
XXXX
XXXX
XXXX
XXXX
XXXX
XXXX
XXXX
XXXX
XXXX

The extended steering committee also included the members of the Board of Management.

4.5. The project management was the responsibility of the data protection officer of XXXX, Ms. XXXX.

4.6. So-called project team jour fixes, project management jour fixes each week, steering committee meetings at least monthly and extended steering committee meetings took place every two months, the latter taking place monthly from March 2018. In addition, issues related to specific cases were dealt with in board meetings. XXXX took part in the project management jour fixes.

4.7. In summary, according to statements by XXXX, the aim of this project was to create the conditions for a holistic implementation of the GDPR through risk-oriented prioritization in several phases. This project order was decided and implemented by the board of directors and the steering committee. A project management team made up of representatives from the legal department and revision was used to implement the project. Regular reports on the progress of the project were made to the board of directors and management.

4.8. The head of the group-wide legal department of XXXX is XXXX, this is the authorized signatory of XXXX. In this function, she is also responsible for compliance with data protection law throughout the group.

[...]

4.9. The respective product responsibility lies with the respective heads of the respective departments. The legal department is involved in legal issues and legally relevant documents (e.g. submissions and applications to authorities and courts) must be approved by the head of the legal department.

4.10. With regard to the processing of data relating to "party affinities", the department heads, the head of the legal department and the data protection officer did not recognize any legal risk with regard to the entry into force of the GDPR on May 25, 2018; This is not because - contrary to our own practice in the case of requests for information according to Art 15 GDPR - it was assumed that it is not personal data but statistical extrapolations. Ms. XXXX was employed as data protection manager (DSM) in the area of ​​direct marketing; according to the assessment of XXXX, she has expertise in data protection law and she assessed the data processing as uncritical. As a result, no independent external legal assessment was sought.

4.11. The data protection officer, Ms. XXXX, did not express any concerns with regard to the legal risk of data processing for the creation and sale of the selection criterion of "party affinities" as part of the preparatory project for the GDPR. The same applies to the head of the group-wide legal department of XXXX.

4.12. As part of the entire investigation before the data protection authority, XXXX did not submit any documents from which a detailed legal dispute and examination of the legal question as to whether the data processing in connection with the creation and sale of the selection criterion of the "party affinities" within the scope of the product range of the Business "address publishing and direct marketing" with a view to the coming into force of the GDPR are in line with this or can be brought into line. There are no relevant meeting minutes for the above-mentioned preparatory meetings for the GDPR, as they were not prepared by the relevant managers of the departments of XXXX.At the related meetings, PowerPoint presentations were created and individual transcripts were made. Open points were addressed at the next meeting.

4.13. XXXX products were not discussed as part of the GDPR preparation. According to the head of the legal department, the aim was to provide general information to the board of directors about the GDPR with the mandate that the respective organizational units deal with it and report any necessary changes. Framework conditions were specified such as: the directory of processing activities and regular jour fixes for data protection managers. Regarding the XXXX in relation to party affinities, the assessment was that there was no need to change. A need for change would have been reported to the board; this, for example, if a change would have had an expected impact on sales or there would have been a need for investment.

[...]

III. Legally it follows from this:

[...]

2.17. [...] Specifically, the subjectively reproachable behavior of the accused consists in the fact that there is no legally detailed and well-founded discussion of any legal risks in connection with the product range of this business area in general and the selection criterion of the alleged party affinities in particular and the strict ones made available to political groups for a fee Requirements of the GDPR - more precisely their understanding of the term, the processing principles in Art. 5 and the processing prohibition in Art. 9 (1) - with the aim of bringing all processing operations in line with data protection requirements.

In the course of the investigation, neither the data protection officer nor the head of the legal department (an authorized signatory of the company), the head of the "XXXX" division or the head of the department for product and quality management within this division (she is the long-standing commercial manager for the trade of § 151 GewO), written evidence can be provided from which an appropriate legal analysis of this business area could be derived - corresponding to the size of the company and the enormous number of data records processed, and considering the large number of potentially affected persons would.

For example, no (albeit internal) legal opinion or a legal problem outline could be submitted that dealt with the legal opinion represented by the accused.

[...]

However, this expresses the subjectively reproachable behavior on the part of the accused and with regard to lawful alternative behavior the following would have been indicated:

- The data protection officer should have subjected the product range of the party affinities - but also the other product offerings of the business areas in question in connection with direct marketing - to a detailed examination and based on the considerations of the project "Fit for the GDPR" as a basis, if necessary with the consultation of an independent external data protection expert ;

- In the absence of such a check, the head of the legal department and the head of the "XXXX" division should have carried out or initiated such an examination;

- Ultimately, the board of directors should have initiated such a review with the aim of ensuring that all the business areas of XXXX in question were in compliance with data protection law.

The omission of all of this is to be regarded as grossly negligent behavior with regard to the scope of the data processing, the number of people affected and the resulting dangers for their legally protected legal positions.

2.18. In summary, it would have been reasonable for the accused - if only because of their size, their market position, the available knowledge and the available human capacities - to deal substantially with the legal question of the data protection qualifications of the party affinities they market and, as a result, the product range of the “Address Publishing and Direct Marketing” division with the legal requirements of the GDPR. The accused can be reproached for the simple assumption that there is no data protection problem or the failure to recognize one. [...]

3. Regarding ruling point II.a):

[...]

3.12. Regarding the subjective factual side, reference can be made to the relevant justification for point I. In summary, it would be the under point I.4. In any case, it was reasonable for the accused persons to be responsible for dealing with the legal question of the data protection admissibility of the (further) processing operations carried out by them and, as a result, the product range of the "Address Publishing and Direct Marketing" division in accordance with the legal requirements of the GDPR bring to.

[...]

6. Re point IV: [...]

6.2. In the data protection impact assessment, the accused denies the processing of special categories of personal data, in particular the potential political opinion, even though “party affinity” is mentioned in Appendix 2D. Consequently, this date was not included in the assessment.

6.3. Because the accused comes to the conclusion in the data protection impact assessment that no special categories of personal data within the meaning of Art. 9 GDPR are processed and that the risk assessment within the meaning of Art. c GDPR was carried out incorrectly, the data protection impact assessment "XXXX target group addresses" is incorrect. The accused thereby has the objective factual side of the sanction norm of Art. 83 Para. 4 lit. a GDPR fulfilled.

6.4. The accused can also be subjectively reproached for this violation: it would be the duty of the data protection officer and the others in point I.4. Those responsible have been to make a correct data protection assessment of the data quality in relation to party affinity and to incorporate it into the risk assessment according to Art. 35 (7) GDPR and to draw the necessary conclusions from this. With regard to the degree of fault, it is assumed in this context that the behavior is simply negligent, as the behavior in this regard is a consequence of the general misjudgment of party affinities, according to which these are not to be assigned to the special types of data listed in Art 9 (1) GDPR.

7. Regarding the ruling points V. and VI .:

[...]

7.6. Due to the inadequate keeping of the list of processing activities, the accused was informed about the objective facts of the sanction norm of Art. 83 (4) lit. a GDPR fulfilled.

7.7. The accused can also be subjectively reproached for this behavior, since the persons responsible should have ensured compliance with the requirements of a faultless and complete list of processing activities. With regard to point V. grossly negligent behavior is assumed. Failure to list the categories of personal data in sufficient detail is regarded as simply negligent behavior.

8. Regarding the imputability of the violations to the accused:

[...]

8.6. For the present situation, this means the following: The alleged violations are in any case attributable to the accused. They were committed by natural persons who were authorized to act on behalf of the legal person and consequently could act on their behalf. Nor can it be said that those responsible for the accused knew nothing about it; this results from the investigations carried out comprehensively for this purpose and the resulting from point I.4. stated findings. Accordingly, both the board of directors, the authorized signatories and all other executives up to the data protection officer were fully aware of all data processing operations, and they were also involved in the work project specifically carried out for this purpose in preparation for the coming into force of the GDPR.Ultimately, it would be within the competence of the board of directors to ensure that business operations are compatible with the applicable data protection law.

8.7. In the period of the offense, the acting natural persons belonged to the economic unit formed by the accused. The accused never denied this in the proceedings before the data protection authority.

8.8. As a result, there is a sufficient connection between the acting natural persons and the legal person, which allows the illegal and culpable behavior to be attributed to them.

8.9. A specific designation of the natural persons who acted culpably within the accused or who should have been made responsible for the possibly incorrect organization of the accused is not necessary in order to impose a fine on a legal person. [...] "

1.5. Further explanations on the actions of natural persons can not be found in the criminal judgment.

2. The findings result from the following assessment of evidence:

The findings are based on the harmless administrative act.

3. Legally it follows from this:

3.1. The admissible complaint is justified.

3.2. The complainant argues against the conviction that it is not sufficient to impose a fine under the GDPR on a legal person, such as the person concerned, to fulfill a criminal offense; as a legal person who cannot act itself, the actions of a natural person can also be attributed. The authority in question had omitted this attribution, which must be carried out in accordance with Section 30 of the DSG. With this argument, the complainant is in the right:

3.3. According to Section 30 (1) GDPR, the authority concerned can impose fines on legal persons, among other things, if violations of provisions of the GDPR have been committed by persons who have acted either alone or as part of a body of the legal person and have a management position within the legal person due to the Have the authority to represent the legal person, the authority to make decisions on behalf of the legal person, or have a power of control within the legal person.

Legal persons can also be held responsible in accordance with Section 30 (2) GDPR for violations of provisions of the GDPR and Section 1 or Article 2, main part, if there is a lack of supervision or control by a person named in Section 1, the commission of these violations by a for the legal person, provided that the act does not constitute a criminal offense falling under the jurisdiction of the courts.

3.4. For the imposition of a fine according to the GDPR on a legal person, the findings necessary to assess a factual, illegal and culpable behavior, which also meet any additional requirements of criminal liability, must be made in the criminal judgment and in the verdict all necessary elements for a punishment of the natural Person (§ 44a VStG), with the addition that the behavior of the natural person is attributed to the legal person. (VwGH 05/12/2020, Ro 2019/04/0229 with reference to VwGH 03/29/2019, Ro 2018/02/0023)

3.5. Applied to the specific situation, this means:

3.6. In the verdict of the judgment, the authority concerned did not name the natural person whose violation of the GDPR is to be attributed to the complainant. The penalty decision therefore proves to be illegal.

3.7. The administrative court is not allowed to cure this deficiency. Although the administrative court is authorized and obliged to correct an incorrect verdict and, if necessary, to make any missing determinations, it is not allowed to exchange the alleged act.

An inadmissible exchange of the accusation represents an extension of the accusation made by the administrative court in the complaints procedure or the use of facts other than the original basis of the punishment § 50 VwGVG does not exist. If the allegation is directed against the complainant as a legal person, then - due to the dependency of the legal person's criminal liability on the violation of the natural person attributable to it - the accusation against the natural person to be named therein is also included. (for the whole see VwGH 12.05.2020 Ro 2019/04/0229)

3.8. The authority concerned did not name a natural person, neither in the administrative evidence procedure nor in the verdict, whose behavior should have been attributed to the complainant. Also in the justification of the penal decision, which could be used to interpret the verdict, no factual, illegal or culpable behavior of a natural person is set out, which should be attributed to the legal person. It is true that the authority concerned establishes various responsibilities; However, there are no determinations as to who ultimately made the decisionto carry out the data processing recognized as unlawful or to create the data protection impact assessment and the list of processing activities in the manner recognized as unlawful or which lack of monitoring or control should have made the unlawfulness possible.

3.9. Thus, in the administrative criminal proceedings against the legal person, the specification of the natural person for whose behavior the legal person is held responsible would only constitute an inadmissible change in the allegation and the matter of the proceedings within the meaning of Section 50 VwGVG in the complaint procedure.

3.10. Since the lack of concrete definition of the allegation represents a procedural obstacle to a review by the Federal Administrative Court (see Honeder / Praschl-Bischler, case and factual decision in the case of an imprecise verdict in administrative criminal proceedings, ZVG 2016, 294), the criminal proceedings in question had to be discontinued.

3.11 The suggestion made by the authority concerned to submit the question to the ECJ for a preliminary ruling as to whether a natural person had to be shown to have acted as constitutive, illegal and culpable in order to impose a fine according to the GDPR was not to be complied with. The cited decisions of the French Conseil d'État and the Bonn Regional Court do not show any inconsistent application of European law in the individual member states:

According to Art 83 (8) GDPR, the procedural regulations of the member states must also be observed when imposing fines.

The requirement for the imposition of a fine on a legal person to specifically name a natural person whose behavior is to be attributed to the legal person is based on such a procedural provision, namely § 44a Z 1 VStG.

According to § 44a Z 1 VStG, it is legally necessary to describe the act with regard to the perpetrator and the circumstances so precisely that the assignment of the behavior to the administrative regulation that was violated by the act is made possible with regard to all elements of the offense (VwGH 13.12. 2019 Ra 2019/02/0184). Since legal persons cannot act themselves, their criminal liability is a consequence of the actions of a natural person. If a certain group of natural persons comes into question, whose behavior could justify the criminal liability of the legal person, according to the case law of the Administrative Court with regard to § 44a Z 1 VStG it is not sufficient to determine that any person from this group has committed the act - for example Any manager - the person acting must be specifically identified (see Section 99d BWG VwGH 29.03.2019 Ro 2018/02/0023 and to § 30 DSG VwGH 12.05.2020 Ro 2019/04/0229).

Before proceedings before the ECJ, against the background of the decision of the Bonn Regional Court - in the event of its confirmation by the highest court - it could be questionable whether a substantive provision such as § 30 DSG, which attributes the behavior of natural persons to the legal person to be punished, is in accordance with Art.83 GDPR, which is directly applicable in the member states.

But even if § 30 DSG were not applicable, the position of the authority concerned would not be of any help. In this case - in the present case - the attribution of the behavior of natural persons to the legal person would depend on whether through the actions of one or more natural persons, the legal person as the person responsible within the meaning of Art 4 (7) GDPR or, if necessary, as a processor within the meaning of Art 4 (8) GDPR to qualify or not.

Since, however, according to the case law of the VwGH according to § 44a Z 1 VStG, it is necessary to precisely determine the natural person whose behavior is to be attributed to the legal person and a reference to a potential group of possible natural persons would not be sufficient even then, if all persons from the group were active for the legal person, it would also be necessary in the case of the inapplicability of § 30 DSG due to the national procedural law of Art 44a Z 1 VStG, which is permissible under European law in accordance with Art 83 (8) GDPR To specifically name the acting persons.

Any different conditions under which fines can be imposed on legal persons in the individual member states are therefore due to the European law admissibility of different procedural rights. The judgments of other member states cited by the authority in question, which are supposedly in contradiction to the relevant decision of the Administrative Court of May 12, 2020, Ro 2019/04/0229, could therefore not show any contradicting application of the GDPR in the individual member states ECJ would have to be clarified.

3.12. It was therefore to be decided according to the ruling.

3.13. A negotiation could be dispensed with in accordance with Section 44 (2) VwGVG.

Regarding point B) inadmissibility of the revision:

Pursuant to Section 25a (1) VwGG, the administrative court has to pronounce in the verdict of its decision or decision whether the revision is permissible according to Article 133 (4) B-VG. This statement must be justified briefly.

The revision is inadmissible because there were no legal issues to be resolved which are of fundamental importance within the meaning of Art. On the question of whether it is necessary for the imposition of a fine under Art 83 GDPR on a legal person to demonstrate an offense, illegal and culpable behavior of a natural person attributable to it and to include it in the verdict of the penal decision, and under what conditions such a deficiency in administrative court proceedings can be cured, there is the cited case law of the Administrative Court.



Catchwords
Elimination of the decision Data protection Data protection officer Data protection authority Data protection procedure Data processing Data transfer Direct advertising Management function Fines Legal person Specification Control Cost bearing natural person Affinity for parties Personal data Political party illegality Criminal proceedings - setting of allegations of proceedings Termination of power of representation Administrative criminal proceedings Imputability
European Case Law Identifier (ECLI)
ECLI: AT: BVWG: 2020: W258.2227269.1.00
In RIS since
02.12.2020
Last updated on
02.12.2020
Document number
BVWGT_20201126_W258_2227269_1_00