BVwG - W258 2247028-1

From GDPRhub
BVwG - W258 2247028-1
Courts logo1.png
Court: BVwG (Austria)
Jurisdiction: Austria
Relevant Law: Article 58(2) GDPR
§ 24 DSG
Decided: 29.04.2022
Published: 03.06.2022
Parties: anonymous
DSB
National Case Number/Name: W258 2247028-1
European Case Law Identifier: ECLI:AT:BVWG:2022:W258.2247028.1.00
Appeal from:
Appeal to:
Original Language(s): German
Original Source: Rechtsinformationssystem des Bundes (RIS) (in German)
Initial Contributor: Heiko Hanusch

The Federal Administrative Court of Austria held that the Austrian Data Protection Authority only has the power to declare processing activities unlawful in proceedings following a complaint, and not when they were initiated by the DSB itself.

English Summary

Facts

The controller is an employer who allegedly surveilled its employees work phones and work email accounts from January until March 2021. The DSB (Austrian Data Protection Authority) heard of this conduct in media reports and initiated an ex officio investigation into the matter on 31 March 2021. On 29 July 2021 the DSB adopted an administrative act in which it declared the processing of the controller unlawful.

The controller initiated court proceedings against the act claiming that its conduct was lawful and that the DSB - neither under national law nor under the GDPR - had the power to declare the processing unlawful. It argued that Article 58(2) GDPR does not provide a DPA with such a power, because "declaring the unlawfulness" is not listed there. Moreover, § 24 DSG (Austrian Data Protection Act) which provides the DPA with the power to make such a declaration only applies to proceedings which were initiated by a complaint and not by the DSB itself.

Holding

The Federal Administrative Court (Bundesverwaltungsgericht – BVwG) decided in favour of the controller and set the administrative act aside. It found that there is no provision in national law or the GDPR that gave the DSB the power to declare the processing unlawful.

The court first established that § 24 DSG, which provides the DSB with such a power, only applies to complaint proceedings and not ex officio proceedings. The court also rejected an analogous application of § 24 DSG, because it found that the legislator purposefully regulated complaint and ex officio proceedings differently so that there is no room for an analogous application. Moreover, it reasoned that in a complaint proceeding there is a data subject who may have a legal interest in the declaration in order to pursue further individual claims against the controller like a claim for damages; in ex officio proceedings no such interest exists.

The court further found that there is no legal basis in the GDPR either, since Article 58(2) GDPR does not include a power to declare the processing unlawful, but only the power to issue a reprimand or to fine the controller.

Comment

The BVwG mainly based its holding on a decision (Ro 2020/04/0032-8) by the Supreme Administrative Court of Austria (Verwaltungsgerichtshof – VwGH) regarding the same subject matter. However, in my opinion, both Austrian courts were incorrect. German Courts and scholars (see Grittmann in Taeger/Gabel, DSGVO - BDSG – TTDSG, Art. 58 Para 24) are of the opinion that a reprimand under Article 58(2)(b) GDPR entails a declaration of unlawfulness. According to this view a reprimand consists of two parts: The declaration that the processing was unlawful and the warning that the controller should not violate the GDPR again. Therefore, by way of an argumentum a fortiori (a maiore ad minus), it may be concluded that a DPA actually has the power to declare the processing unlawful.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

                                                                               Postal address:
                                                                      Erdbergstrasse 192 – 196
                                                                                 1030 Vienna
                                                                         Phone: +43 1 601 49-0
                                                                  Fax: + 43 1 711 23-889 15 41
                                                               Email: einlaufstelle@bvwg.gv.at
                                                                            www.bvwg.gv.at


                    DECISIONS D A T U M

                                2 9 . 0 4 . 2 0 2 2

                           BUSINESS NUMBER




                      W 2 5 8 2 2 4 7 0 2 8 - 1 / 1 1 E



                I M N A M E N D E R E P U B L I K !


The Federal Administrative Court has judge Mag. Gerold PAWELKA-SCHMIDT as

Chairman and the expert lay judges Dr. Gerd TRÖTZMÜLLER and Gerhard RAUB
as assessor on the complaint of XXXX, represented by CERHA HEMPEL Rechtsanwälte

GmbH, 1010 Vienna, against the decision of the data protection authority of July 29, 2021, GZ DSB-
D213.1303 2021-0.412.072, in circulation on a data protection matter

rightly recognised:


A) The complaint will be followed and the notice will be removed without replacement.

B) The revision is not permitted according to Art. 133 Para. 4 B-VG.







                                Reasons for decision:


I. Procedure:


1. Based on media reports that the complainant (in the proceedings before the
Data protection authority "responsible") company mobile phones and company e-mail accounts

some of their employees is said to have been monitored by the relevant authority on March 31, 2021
ex officio investigation proceedings initiated against the complainant and asked her, - 2 -


within three weeks, various questions about the procedure and the extent of the monitoring as well as
to answer about a obtained consent and to present related documents.


2. In a letter dated April 28, 2021, the complainant submitted various documents

Declarations of consent and non-disclosure clauses and answered the questions
summarized as follows: In the course of the sale of a business unit, a

competitive bidding process lasting several months. Just before the end of

Negotiations there was a "leak" in which strictly confidential information of the
bidding process had become public, causing the complainant damage in

millions had been created. The board of the complainant then had a

internal investigation initiated. The purpose of the investigation is to clarify the facts and
the relief of the suspected employees. For this are the

official e-mail accounts - after obtaining the consent of the persons concerned

certain keywords, as well as in the partially anonymous
Individual call records of the employees involved have been inspected. the

Complainant was under company law to an investigation of the facts

been obliged to comply with data protection regulations
have performed.


3. With a decision dated July 29, 2021, the relevant authority stated that "the ex officio
Inspection method was authorized and it is found that processing

personal data of 73 individuals between January and March 2021 for purposes

internal investigations based on the stated justification facts (§1 Abs.2 DSG,
Article 6 paragraph 1 lit. a and alternatively lit. f GDPR) was unlawful.”


As a reason, the relevant authority summarized the consent obtained

was due to the imbalance between the complainant as an employer and
the employees as their employees is not made voluntarily and is therefore invalid. Since the

If the legal basis for the processing cannot be changed later, the

Complainant also does not base the data processing on the permission of the
"legitimate interest" according to Art 6 Para 1 lit f GDPR. The data processing can

but in any case not based on Art. 6 Para. 1 lit f GDPR, because relevant

Legislation should have been complied with, which was not the case. So
is subject to the investigation carried out as a control measure which the

touch human dignity, the consent of the works council, which the complainant
have not caught up., - 3 -


4. The present complaint of August 27, 2021 is directed against this decision
Procedural errors and substantive illegality in which the complainant

requested that the Federal Administrative Court decide in the matter itself and

determine that the processing by the complainant was lawful, in eventu
revoke the contested decision and issue a new decision

referred back to the relevant authority.


In essence, the complainant submitted that the authority concerned had the
Facts insufficiently determined and incorrectly legally assessed, especially in relation

on the voluntariness of the consent obtained from the employees. Also have the

competent authority violated the surprise ban because for the
Complainant had not been foreseeable that the last of 18

questions asked will be particularly relevant to the decision and they also have

the proceedings are expected to be discontinued after the questions have been answered. About that
Furthermore, the verdict of the notice was too vague. Contrary to the view of those concerned

Authority it is also permissible to process data with several permissions

to secure. There was also no company agreement or
The works council's consent is required, which the complainant claims with a

have substantiated legal opinions. Regarding the admissibility of several
Justification reasons, the necessity of a works agreement and the admissibility

of consent to data processing in employment relationships encourage them to do so

to request a preliminary ruling from the ECJ.

5. The data protection authority submitted the complaint to the adjudicating court

Connection of the administrative act with a brief dated October 4th, 2021, received on

05.10.2021, and stated in summary that the complainant had
relevant time of data collection from the staff exclusively on the

Justification of the consent under Art 6 Para 1 lit a GDPR supported. the

Officials could not have expected that the consent would only be "pro forma"
will be obtained and processing, regardless of consent - based on a

legitimate interest according to Art 6 Para 1 lit f GDPR -, nevertheless takes place. It is inadmissible

in the event of problems with the consent, subsequently refer to other justifications
to support. In this respect, the complainant's arguments are justified

Interest according to Art 6 Para 1 lit f GDPR and the explanations of the submitted
legal opinion into emptiness. Furthermore, the Respondent is all

investigation results essential to the decision have been disclosed and they have to do so

be able to comment on why the objection of the ban on surprises is misguided., - 4 -


6. In a brief dated November 18, 2021, the complainant summarized that
not all affected employees would be subject to the ArbVG. The authority concerned

have the decision-relevance of the existence of a works agreement is not sufficient

communicated, as a result of which the complainant had been deprived of the opportunity to
to submit an expert opinion on this subject, which was already available before the decision was issued.


Furthermore, neither the verdict nor the reasoning indicated “which

Processing(s) of which personal data […] with regard to which employees
due to which specific circumstances should have been unlawful”, whereby this

be too vague.


With the consent obtained from the employees, the relevant authority only
selectively and in a generalizing manner, without considering the circumstances of the

to enter into individual cases that would speak in favor of the voluntary nature of the consent.


The complainant does not have the legal basis for the use of the data
later changed, rather all employees are the internal ones

Data protection guidelines known, which inform that the complainant at

Violations of laws or company policies Inspection of documents and
can take correspondence.


7. The authority concerned responded with a brief about hearings from the parties on November 26, 2021
December 20, 2021, essentially as before.


8. Based on the decree of the hg business allocation committee of December 16, 2021

the case was taken from Judicial Division W211 and Judicial Division W258
reassigned as of 01/03/2022.


9. With a hearing of April 11, 2022, the authority concerned was informed of the

decision of the Administrative Court of December 14, 2021, Ro
2020/04/0032, that she did not have any in an officially initiated examination procedure

Competence to determine infringements in a manner capable of having legal force, why

the notice would have to be remedied without replacement.

9. In a brief dated April 25, 2022, the authority concerned submitted that

The finding cited is not applicable to the case in question because the

decision of the data protection authority on an ongoing infringement
reason. In the present case, however, the infringement has already been completed and

thus (also) a violation of § 1 DSG has been agreed. It is not justifiable,, - 5 -


which is why, in the case of identical facts, one in the past and already
Completed violation of rights in the case of an individual complaint according to § 1 in conjunction with § 24 DSG,

cannot, however, be determined in an official examination procedure.


It is typical for violations of the fundamental right to data protection according to § 1 DSG that they already
Are completed. However, the Austrian (constitutional) legislature could not

be assumed to issue a provision that cannot be enforced ex officio,

because Article 58 (2) GDPR does not provide for a corresponding right to remedy the situation. Therefore have the
Decision of the competent authority - in contrast to the decision, which said knowledge

of the Administrative Court is based - also contain only one ruling

and not several. In general, Art 58 GDPR only applies to currently existing or
to interpret possible legal infringements in the future.


Ultimately, a violation of the GDPR should be discussed in the form of a notification, so that

both in official proceedings and in individual proceedings for those subject to the law
the possibility of an appeal in the sense of legal protection is open.


Evidence was collected by inspecting the administrative file.


II. The Federal Administrative Court considered:

1. The following facts are established:


With a decision dated July 29, 2021, the relevant authority spoke in an officially initiated manner
Examination procedure on the admissibility of data use by the complainant

away.


The statement of the notice reads:

       "The official examination procedure was justified and it is determined that the

       Processing of personal data of 73 individuals between January and March

       2021 for the purposes of internal investigations based on the information provided
       Justification facts (§ 1 Abs. 2 DSG, Art. 6 Abs. 1 lit. a and alternatively lit. f

       GDPR) was unlawful."


2. The findings result from the following assessment of evidence:

The findings are based on the harmless administrative act., - 6 -


3. Legally it follows:

The admissible complaint is justified.


3.1. Regarding the relevant legal provisions:


Article 58 GDPR entitled “Powers” reads:

       “[…] (2) Each supervisory authority shall have all of the following remedial powers that

       allow her


       a) to warn a controller or a processor that
       intended processing operations are likely to violate this regulation

       violate


       b) to warn a controller or a processor if he is using
       processing operations has violated this regulation,


       c) instruct the controller or the processor to comply with the requests of the

       data subject to exercise the rights to which they are entitled under this regulation
       correspond to,


       d) instruct the controller or the processor to
       Processing operations, if necessary, in a specific way and within a

       to bring them into line with this regulation within a certain period of time,


       e) to instruct the person responsible of a breach of protection
       to notify the data subject of personal data accordingly,


       f) a temporary or permanent restriction of processing, including

       a ban on imposing

       g) the correction or deletion of personal data or the

       Restriction of processing pursuant to Articles 16, 17 and 18 and the

       Informing the recipients to whom these personal data pursuant to Article
       17 paragraph 2 and Article 19 were disclosed to order such measures,


       h) to revoke a certification or to instruct the certification body to

       revoke the certification granted in accordance with Articles 42 and 43, or the
       instruct certification bodies not to issue certification if the

       Requirements for certification are not or no longer met, - 7 -


       i) to impose a fine pursuant to Article 83, in addition to or instead of in
       measures referred to in this paragraph, depending on the circumstances of the individual case,


       j) the suspension of the transfer of data to a recipient in a third country

       or to an international organization. […]

       (6) Any Member State may provide by law that its

       Supervisory authority in addition to the powers listed in paragraphs 1, 2 and 3

       has additional powers. The exercise of these powers shall not be effective
       impair the implementation of Chapter VII.”


Section 24 DSG entitled “Complaint to the data protection authority” reads:


       "Section 24. (1) Every data subject has the right to lodge a complaint with the
       Data Protection Authority when it considers that the processing of you

       personal data concerned against the GDPR or against § 1 or article

       2 1. Chapter violates.

       (2) The complaint must contain:


       […]

       5. the desire to determine the alleged infringement [...]


       (5) If a complaint proves to be justified, it must be followed. Is a

       Injury to be attributed to a person responsible for the private sector, so is this
       to comply with the complainant's requests for information, correction,

       deletion, restriction or data transfer to the extent

       which is required to eliminate the identified infringement. As far as the
       If the complaint proves to be unjustified, it must be dismissed."


3.2. Applied to the situation, this means:


The authority concerned has to deal with the challenged decision in an ex officio manner
initiated test procedure agreed that the ex officio test procedure is justified

had been and established that the processing of personal data by 73

Persons between January and March 2021 for the purpose of internal investigations based on various
stated facts of justification was unlawful., - 8 -


However, the authority concerned has no legal basis for a self-employed person
Objection to the possible authorization to carry out a procedure within the meaning of

Art 58 para 2 GDPR or the possible illegality of the respective cause

Processing operation: Art 58 DSGVO contains no express legal basis for
an independent determination of the possible illegality of a data protection law

relevant processing operation in a procedure initiated ex officio by the

Data Protection Authority. § 24 DSG in turn regulates what you think in your opinion
Right to protection of the personal data concerning them

Individual complaint and is thus officially on the of the data protection authority

initiated proceedings not directly applicable. (VwGH 14.12.2021, Ro 2020/04/0032)

Also an analogous application of § 24 DSG, which the data protection authority

Competence grants, in the case of individual complaints, violations of data protection law

legally binding, on examination procedures initiated ex officio, separates
in the absence of an unplanned gap, because the legislature has the powers of

Data protection authority aware of individual complaints and official intervention

has regulated differently (see also VwGH 14.12.2021, Ro 2020/04/0032 mwN).

3.3. The objections of the authority concerned are not convincing.


3.3.1. If the authority concerned believes that the previously cited finding of
Administrative Court of December 14, 2021, AZ Ro 2020/04/0032, on the subject matter

case is not applicable because the Administrative Court in this decision only

has dealt with ongoing violations of the law, which
Infringements of rights in the case in question have already been completed is her

to counter that the Verwaltungsgerichtshofin the above-mentioned decision also

dealt with infringements that had already been completed, namely with
the transfer of personal data to third parties (margin no. 3).


3.3.2. However, the authority concerned must be agreed that the

Administrative Court in this decision only on violations of the GDPR, but not
- as here - referred to a violation of § 1 DSG. But that means nothing to her

win, because the main considerations of the Administrative Court also refer to violations

can be taken over against § 1 DSG:

Regarding the procedural rules and the competence of the data protection authority

the Data Protection Act makes no difference whether a breach of the GDPR or the
§ 1 DSG is objective. With regard to violations of § 1 DSG, there is no - 9 -


express legal basis for the authority concerned, infringements in one
officially initiated procedures in a legally binding manner.


An analogous application of § 24 DSG (only there - apart from the one here not

relevant § 22 para. 6 DSG - a determination competence of the data protection authority standardized)
is excluded in the case of violations of § 1 DSG, because the statements of the VwGH, according to which the

Legislators of the possibility of Art. 58 Para. 6 GDPR, according to which each Member State through

Legislation can provide that its supervisory authority, in addition to the provisions of Art. 58 para
1, 2 and 3 GDPR has additional powers according to the

Materials on § 22 DSG deliberately not used (cf. AB 1761 BlgNR 25. GP, 14),

which is why he extends the powers of the data protection authority to individual complaints and
official intervention deliberately regulated differently, which is why an analogy

due to a lack of gaps contrary to the plan, also apply to procedures that refer to § 1 DSG

support.

With the same justification, the Administrative Court also has that in this decision

- argument now used by the authority concerned that it is not comprehensible

why the authority concerned in proceedings on individual complaints, but not
has a determination authority in procedures initiated ex officio.


If the authority concerned argues that it is typical for violations of § 1 DSG that they
have already been completed and it can be submitted to the Austrian (constitutional) legislature

not be assumed to enact a provision that is not carried out ex officio

can, it starts from the incorrect assumption that data protection law - here this
Fundamental right to data protection according to § 1 DSG - would only be enforceable if

Violations of rights can be determined in a way that is legally binding.


On the contrary, the determination competence of the data protection authority in
Complaints procedure according to §24DSG has not been standardized to a person responsible or

to cause a processor to behave in accordance with the law or to

to help enforce data protection law itself, but to allow those affected to do so
enable illegality in an official procedure that is simple for them

to have a binding determination of data processing in order to inform the data subject

based on this finding to allow further individual claims - about
Claims for damages - to be pursued (VwGH 14.12.2021, Ro 2020/04/0032 Rz 38 f).


Rather, the enforcement of data protection law is carried out by other legal institutions, such as
Remedial powers of the authority, in particular according to Art. 58 GDPR, or fines, - 10 -


ensured
or a restriction of data processing in accordance with Art 58 Para 2 lit f GDPR

comes - the authority concerned has the competence to be responsible according to Art. 58 para. 2 lit b

GDPR to issue a warning or a fine pursuant to Art. 83 GDPR, if necessary
to impose administrative penalties in accordance with § 62 DSG. If profit or damage intent

In addition, a violation of § 1 DSG is even threatened with criminal penalties (§ 63 DSG).


Ultimately, the authority concerned may argue that violations of the GDPR
(probably also meant against § 1 DSG) is to be agreed in the form of a notification in order to

Enabling the addressee of a decision to appeal is a suitable justification

be sure that performance orders have to be issued in the form of a notification, but not that the
DSB has a determination authority.


3.4. The contested decision was therefore issued without a legal basis, which is why the

Complaints directed against him already for this reason and the decision
could be repaired without replacement.


3.4. It was therefore to be decided accordingly.


3.5. According to § 24 para. 2Z 1 2nd case
VwGVG are disregarded.


Regarding point B) Inadmissibility of the revision:

According to § 25a Abs 1 VwGG, the administrative court in its decision or

Pronounce a resolution as to whether the revision is permissible in accordance with Art. 133 Para. 4 B-VG. This

Statement must be briefly justified.

The revision is not admissible because there were no legal issues to be resolved, which were fundamental

importance within the meaning of Art. 133 Para. 4 B-VG. To answer the question of whether the

data protection authority in an ex officio initiated test procedure
is entitled to establish legal violations in a legally binding manner, or about the

To deny the authorization of the official examination procedure, that could be

Administrative Court based on the cited case law of the Administrative Court.
Although the citation cited did not expressly refer to violations of § 1 DSG, his

However, the underlying considerations could undoubtedly be transferred to violations of § 1 DSG

will.