BVwG - W274 2225135-1/3E

From GDPRhub
Revision as of 16:55, 27 December 2020 by Maïlys Lemaître
Court: BVwG (Austria)
Jurisdiction: Austria
Relevant Law: Article 4 GDPR
Article 133(4) of the national constitutional law
§ 17(1) of the national school teaching law
§ 19 of the national school teaching law
§ 24(2) of the national data protection law
§ 4 of the performance assessment regulation
§ 56 of the national school teaching law
Decided: 30.09.2020
Published: 16.12.2020
Parties: A student (defendant)
A teacher (plaintiff)
National Case Number/Name: W274 2225135-1/3E
European Case Law Identifier: ECLI:AT:BVWG:2020:W274.2225135.1.00
Appeal from: Austrian Data Protection Supervisory Authority
GZ DSB-D123.594/003-DSB/2019
Appeal to: Unknown
Original Language(s): German
Original Source: Rechtsinformationssystem des Bundes (in German)
Initial Contributor: Maïlys Lemaître

The Federal Administrative Court of Austria held that a teacher cannot be considered data controller as defined in Article 4(7) GDPR and that a complaint lodged against him as such, in order to hold him liable for a violation of data protection principles, is therefore inadmissible.

English Summary

Facts

A student, the defendant, had allegedly told her teacher, the plaintiff, that she did not want her examination grades to be published or otherwise communicated to anyone other than herself. Nonetheless, the plaintiff had released the grades of all his students, the defendant's included, to their class representatives in order for them to communicate the results to their classmates in a common WhatsApp group. As a result, the defendant lodged a complaint before the Austrian data protection authority, claiming that the disclosure of her grades violated the duty of confidentiality to which she considered her teacher to be subject.

The data protection authority sustained the complaint of the defendant (the plaintiff before the authority) and held that the teacher (the defendant before the authority) had violated his student's right to confidentiality, arguing that a grade constitutes personal data as defined in Article 4(1) GDPR and had to be protected according to the applicable principles of the law, such as confidentiality. The disclosure of grades by the teacher to the class representatives therefore had to be considered a breach of confidentiality of the data.

The teacher appealed this decision before the Federal Administrative Court of Austria, primarily arguing that not he as teacher but the competent authority on whose behalf he was acting, the Ministry of Education, should be held responsible as data controller.

Dispute

Can a teacher be considered data controller as defined in Article 4(7) GDPR and therefore be held liable in case of a breach of the applicable data protection principles?

Holding

The Federal Administrative Court of Austria amended the data protection authority's decision by holding that the plaintiff could not be considered data controller since he was only teaching as part of the school's organisation and under official and professional supervision of the headmaster (§ 56 of the national school teaching law). This would also apply in matters of data processing, since the basic framework as to why, how and how long data should be processed or to whom it should be transferred would not fall within the scope of responsibility of individual teachers but rather of the school they teach at. Hence, the plaintiff could not be held personally liable in matters of data protection and lacked passive legitimacy for the underlying complaint, resulting in an amendment of the data protection authority's decision to the effect that the complaint was rejected. Lastly, the Court held that the legal question of whether the plaintiff's actions should be qualified as a violation of data protection principles did not need to be examined further since the plaintiff's status as a possibly liable party was denied.


English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

IN THE NAME OF THE REPUBLIC!

The Federal Administrative Court, by Judge LUGHOFER as Chairman and the expert lay judges Prof. KommR POLLIRER and Dr. GOGOLA, rules on the appeal of Mag. XXXX, p. A. XXXX, represented by STÖGERER PREISINGER Rechtsanwälte OG, Mariahilfer Straße 76/2/23, 1070 Vienna, against the decision of the Data Protection Authority, Barichgasse 40-42, 1030 Vienna, of 02.08.2019, GZ DSB-D123.594/003-DSB/2019, respondent XXXX, XXXX, on the grounds of violation of the right to confidentiality, in closed session:

The complaint is upheld and the decision under appeal is amended to read:

"The complaint is dismissed."

The appeal is not admissible pursuant to Article 133 para. 4 B-VG.

Grounds for decision:

By email of 09.10.2018 to the data protection authority (hereinafter: the authority concerned), XXXX (hereinafter: the respondent - BG) claimed that after several contacts with the police, the public prosecutor's office and the data protection authority, she had now ended up at this email address. She was 19 years old and was in her final year of school at XXXX. There had been several exams in the subject XXXX. She had stressed several times that she did not want her grades from the whole school year to be made public. However, she had then learned from a WhatsApp message that her teacher Mag. XXXX (hereinafter: complainant - BF) had communicated the grades in detail to the class representatives on a day when she had not been at school. He had specially taken them out of another lesson in order to give them a breakdown of their marks. She sees this as a breach of data protection by the BF. She also knows that her classmates should not have made their grades public in this group, but the BF's intuition was to make their grades public as soon as possible. She did not want to involve the students in this matter. She asked that consequences be taken.

Attached, the BG sent a WhatsApp message of the following content:

"Sodala people, in the Latin lesson XXXX took D... and me in Latin class to explain at least one thing and I want to pass it on to everyone. Da XXXX has not changed anything in his grading system and has calculated the grades of XXXX ... calculated. In writing ... is better in writing, but he has three cooperation pluses and 4 out of 5 hourly repetitions negative. XXXX has one 1.75 and one 1.5 in the ... repetitions and 12 extra marks because she tries to cooperate more often, which is not the case with ... is not the case. When added up, XXXX has 48% and can reach the required 50% with 2 points in a normal repetition of lessons, which may also take place tomorrow. The ... is far from the 50% because of his cooperation and cannot reach 50% with a repetition of the lesson. They both do not get another examination."

By way of an order to remedy deficiencies dated 21.11.2018, the authority responsible instructed the BG to supplement its complaint with a description of the right deemed to have been violated, the legal entity or body to which the alleged violation of the law was attributed, a request and information on the timeliness of the complaint. 

In a submission dated 23 November 2018, the BG - as BF before the DPO - supplemented its complaint to the effect that it considered its right to confidentiality under section 1 of the DPA to have been violated. The complaint was directed against Mag. XXXX, XXXX. She requested that the violation of section 1 of the DPA be established and had become aware of the event that took place on 18 April 2018.

The BF (before the BVwG) commented on 09.01.2019 as follows:

The BG had taken an oral examination in accordance with section 5 of the Performance Assessment Ordinance (LBVO) on 17.04.2018 in the fourth lesson in the subject XXXX, whereupon the overall assessment had been "not sufficient" in the subject XXXX for the school year 2017/18. The BF had been contacted by the BG and her mother at school at 13:30 hours and asked for another chance to improve the grade, which he gave her on Thursday 19.04.2018 in the form of a repeat lesson. On Wednesday 18 April 2018, he was informed by a colleague that there was a lack of understanding in the class about the fact that a fellow pupil of the BG, who had also received the overall assessment "not sufficient" in the subject XXXX for the said school year, had not been given another chance to improve the mark in the form of a lesson repetition, in contrast to the BG. In order to de-escalate the situation in the class, the BF had asked the elected class representatives, whose function was to represent the whole class as well as individual pupils, to have a short discussion outside the classroom by explaining to them the reasons for the different approach. The BG had not been able to contribute to the clarification of the class situation due to their absence. As a basis for his explanation, he had pointed to the different teaching performance of the pupils concerned.

According to § 2 (6) of the LBVO, performance assessments such as lesson repetitions always had to be carried out in regular lessons and in the class. The class representatives had therefore not received any significant new information. Subsequently, the class representatives, in their function as representatives of the entire class, had made the content of the conversation available in their private WhatsApp class group. The BG's allegation that it had repeatedly asked the BF not to make her marks public in class was rejected. Moreover, the principle existed that a fair and transparent assessment of performance, which was also comprehensible for fellow pupils, must always be guaranteed.

After the parties had been given the opportunity to be heard, the BG stated in its letter of 5 February 2019 that the AA had again violated section 1 of the Data Protection Act in his statement because he had "insufficiently" informed the authorities of the overall assessment. The AA had not fulfilled his responsibility as a teacher and had asked the class representatives to take over tasks for him. It was a matter of deliberately passing on the BG's overall marks without her consent. As a result, she had been belittled and humiliated several times.

In the contested decision, the authorities upheld the complaint and found that the BA had violated the BG's right to confidentiality by unlawfully disclosing personal data about the BG to the class representatives, namely the exact composition of the school grade in the subject XXXX. 

After outlining the course of the proceedings, the authority concerned made the following findings:

"The BG is taught by the BF in the subject XXXX. There was a lack of understanding in the class about the fact that a fellow pupil of the BG, in contrast to the BG itself, had not been given another chance to improve the grade in the form of a repetition of the lesson. In order to calm the situation down, the BF asked the class representatives for a short discussion to explain the reasons for the different approach. In this conversation, the different teaching performance was pointed out and the exact composition of the grade was communicated. Subsequently, the content of the conversation was shared by the class representatives in the class WhatsApp group."

In the following, the authority in question reproduced the content of the WhatsApp message - already described above.

It further stated:

"Whether the BG's allegation that she had asked the BF several times not to make the marks in class public is true cannot be determined."

Legally, the authority concluded that school grades are personal data pursuant to Article 4(1) of the Regulation, citing Section 1(1) of the Data Protection Act and Article 4(1) of the Regulation. With regard to this personal data, there was in principle an interest in secrecy worthy of protection on the part of the BG pursuant to section 1(1) of the Data Protection Act. It could not be assumed that the data communicated to the class representative was generally available, because it was clear from the communication sent by the class representative that the subject of the discussion had not only been the BG's school grade and that of a third party per se, but that detailed information had been provided on how the school grades had come about. Such a procedure was not covered by § 6 para. 2 LBVO. If the AA argued that he had not passed on any significant new information, it had to be countered that the class representative had certainly not known the exact composition and that the communication did contain new information. Therefore, the data is worthy of protection. By informing the class representatives about the detailed composition of the grades, the constitutionally guaranteed right of the BG to confidentiality of their personal data had been infringed. The authority did not overlook the fact that the communication to the class representatives had been motivated by the understandable intention to resolve discrepancies within the class. However, informing the two pupils concerned about the exact composition of the grade would have been a less severe measure.

The BF's appeal against this decision, recognisably on the grounds of incorrect legal assessment, is directed at the request to annul the contested decision without replacement.

The authority concerned submitted the appeal on 5 November 2019 together with the electronic administrative act with the request to dismiss the appeal. It reached this court on 6.11.2019.

The appeal is justified in the result:

The BF states in summary under point 1 of the complaint that the allegations raised by the BG were directed against the BF as a teacher who had acted as a civil servant in execution of the school law. The competent authority, the Federal Ministry of Education, Science and Research, would have had to be prosecuted as the responsible party in the sense of the GDPR and the Data Protection Act.

In this regard, the authority in question stated that if the respondent to the complaint was expressly named by the AA, it was not up to the data protection authority to change such a designation and to exchange the party with whom the AA wished to engage in the proceedings for another party not named by him. Irrespective of this, the present AA would in any case have had to be regarded as the responsible party and thus as the respondent to the complaint, because his conduct, which did not comply with the law, could neither be attributed to the service authority (Education Directorate) nor to the competent Federal Ministry - which, contrary to the AA's opinion, could not be considered at all. 

It must be stated in this regard:

The BG expressly directed its complaint against its teacher, the BF, as the respondent within the meaning of section 24(2) of the DPA, in accordance with the order to remedy deficiencies of 21 November 2018.

Pursuant to Art 2(1), the GDPR is only materially applicable in the area of wholly or partly automated processing of personal data as well as non-automated processing of personal data which are or are to be stored in a filing system. This does not include the circumstances of the teaching performance or the exact composition of the grades, which, according to the uncontested findings, were only communicated to two persons in one conversation. The communication of the content of the conversation in the class WhatsApp group is not subject to complaint, according to the BG's explicit submission.

Pursuant to section 24(2)(2) of the FADP, every complaint must contain, to the extent reasonable, the name of the legal entity or body to which the alleged infringement is attributed (respondent).

This obligation is subject to the restriction of reasonableness. The authority concerned apparently considered this to be reasonable and ordered the BA to name the legal entity and body. In this regard, the LA communicated the person of the RA and "as a summonable address" the address of the school at which the RA teaches the LA. The authority concerned considered itself bound by this party designation.

The DPA does not contain any explicit provisions like the GDPR, which generally clarify the roles of the data controller. However, the terms of the GDPR ("controller", "processor") are mentioned in various places (e.g. §§ 6, 8, 22, 29, 42, 44, 46) and legal effects are attached to these terms. It can therefore be assumed that the DPA adopts the term "controller" as defined in Article 7 of the GDPR - also for the scope of application of the DPA outside the material scope of application of the GDPR - so that the legal question to be solved here is based on the term "controller" of the GDPR.

The relevant legal provisions and the commentaries on them are as follows:

Art 4 GDPR:

For the purposes of this Regulation, the term:

(1) 'personal data' means any information relating to an identified or identifiable natural person (hereinafter 'data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

(2) 'processing' means any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, filing, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

(7) 'controller' means the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its designation may be provided for under Union or Member State law;

(8) 'processor' means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

The term "controller" replaces the term "principal" under the DSG 2000 (Hödl in Knyrim, DatKomm Art 4 DSGVO, Rz 76 (as of 1.12.2018, rdb.at)).

The controller is the person or institution responsible for ensuring compliance with the data protection provisions of the GDPR. The controller is thus the addressee of the obligations under the GDPR and the term is used to assign responsibilities (see Art 24 para 1). The controller is the addressee of claims by the data subject and is considered the point of contact for measures by the supervisory authority (see Art 24; Recital 74) (see above, para 77).

The controller must take appropriate measures to ensure that all data processing complies with the GDPR and the implementing or supplementary provisions of national data protection laws. He or she is therefore responsible for compliance with relevant barriers, compliance with the rights of the data subjects and is the subject of responsibility for specific data processing. Claims for damages by the data subject (Art 82) and sanctions (Art 83) are linked to this (margin note 78).

The concept of the data controller is therefore essential for the exercise of data subjects' rights. Therefore, it is the controller and not the data subject who must prove that personal data have been processed lawfully (obligation to provide evidence according to Art 5(2); see Art 5 para 57 ff).

The role of the controller is defined by three characteristics:

1. any natural or legal person, public authority, agency or any other body (personal aspect),

2. acting alone or jointly with others (pluralistic control),

3. decides on the purposes and means of the processing of personal data (decision-making function) (para 80).

Since any natural or legal person, public authority, institution or other body can be a controller, it is clear that the organisational form is irrelevant and that both natural and legal persons and comparable groups of persons can be controllers under the GDPR, regardless of whether they are organised under public or private law. In practice, it must always be determined to whom an action is to be attributed; the acting persons themselves, or the organisation for which a natural person may be acting (margin note 81).

Decision-making function: Responsibility is assigned to the person who has the decision-making power. The decisive factor for attributing responsibility is therefore who decides on the essential aspects of the means of processing. For the attribution of the controller property, it is not necessary that the controller himself processes data, is in possession of the processed data or has physical dominion. If the controller decides that data is to be processed, all persons and bodies that carry out data processing steps under the controller's supervision or instruction (auxiliary bodies) are functionally attributed to the controller (margin note 83).

The means are not only the technical and organisational methods, but also the "how" of the processing. This means decisions on how data are processed, to whom they are transmitted or when they are deleted. It follows from Article 4(7) that the controller has the sole decision on data processing. This does not change if the controller commissions a service provider (processor) to process the data (Article 4(8)) (margin note 84).

If natural persons process data for their own purposes outside the scope of activity and possible control of their organisation, they may become data controllers themselves. However, an organisation acting negligently may be held jointly responsible and must prevent misuse of data (margin note 86).

The definition of the controller as the person or body that decides on the purpose(s) and means of the processing is a functionalist view, according to which responsibility is assigned on the basis of the actual influence on the decision. There may be an explicit legal basis for this, in which case the assignment of the controller and the purpose, including data categories and data recipients, is usually clearly identifiable. However, if a legal norm only provides for implicit legal obligations, the person or body that meets this legal obligation and processes personal data for this purpose is to be regarded as the controller (margin note 87).

The definition is - by its very nature - tailored to the material scope of application of the GDPR described above (automated data processing or data processing in files). In this respect, the term "controller" will have to be adapted for the scope of application of the DPA to the effect that it refers to the person or institution that is responsible for ensuring that the data protection provisions of the DPA are complied with. Thus, the controller is considered the addressee of the obligations under the DPA.

The following legal regulations and ordinances appear to be relevant to the question of whether, in concreto, the BF as a teacher can be the data protection law controller:

According to § 17 para 1 of the School Education Act (SchUG), the teacher has to fulfil the task of the Austrian school (§ 2 of the School Organisation Act) in independent and responsible teaching and educational work.

According to § 18 para 1 SchUG, the teacher has to assess the pupils' performance in the individual subjects by ascertaining the pupils' cooperation in class as well as by special oral, written and practical performance assessments integrated into the class work or based on other forms of work. The yardstick for performance assessment shall be the requirements of the curriculum, taking into account the respective level of instruction.

Pursuant to para 10, the competent Federal Minister shall, by decree, issue more detailed provisions for the structure and implementation of performance assessments and the evaluation of pupils' performance, in accordance with the tasks of the individual school types and the nature of the individual subjects taught.

Pursuant to § 19 para 1 SchUG, the legal guardians of pupils shall be informed of the assessment of the pupil's performance by means of school notices as defined in the following provisions. In addition, the legal guardians of these pupils shall be given the opportunity for individual discussions by means of two consultation days per school year at general compulsory schools, and at all other types of schools - with the exception of vocational schools - by means of the weekly consultation hour of the individual teacher and, if required, by consultation days. At compulsory general schools, teachers shall be available for individual consultations with the parents or guardians, at vocational schools with the parents or guardians and the teachers or guardians at their request.

Pursuant to § 20 SchUG, the teacher has to base the assessment of a pupil's performance in a subject at a whole school level on all performances achieved in the respective school year (§ 18), with the most recent level of performance being given the greater weight.

Pursuant to § 56 sub-section 1 SchUG, the headmaster is responsible for all matters under this Federal Act, unless this Act stipulates the responsibility of other school bodies or school authorities.

Pursuant to para 2, the headmaster is the immediate superior of all teachers working at the school.

Pursuant to para 4, the headmaster shall ensure compliance with all legal provisions and directives of the school authorities as well as the keeping of the official records of the school and order in the school.

Performance Assessment Ordinance

§ 1.

(1) The basis of the performance assessment shall be the performance assessments in accordance with the following provisions of this Ordinance.

§ 2.

(5) The performance assessments shall take into account the relationship of trust between teachers, pupils and parents/guardians and shall lead to objectively justified self-assessment.

(6) The assessment of individual pupils' performance shall be integrated into lessons in such a way that the other pupils in the class can also benefit from the assessment.

(7) Performance assessments shall be carried out during lessons. This does not apply to repeat and supplementary examinations. Schoolwork for individual pupils may also be made up outside lessons.

§ 4.

(1) The assessment of the pupil's cooperation in class shall cover the entire range of class work in the individual subjects ...

(2) Individual performances within the framework of cooperation shall not be graded separately.

(3) Records of these performances shall be made as often and in as much detail as is necessary for the assessment of performance.

The above comments on the concept of a data controller are aimed, on the one hand, at a person or organisation that can influence compliance with the data protection provisions. However, they do not exclude the possibility that persons who have decision-making power in their own area regarding data uses may themselves (also) be addressees of claims by the data subject and points of contact for measures by the supervisory authorities as data controllers. The decisive factor is that the responsibility is transferred to the person who has the decision-making power.

The authority concerned presupposed the BF's status as the responsible party in its statement of reasons for the decision without further argumentation, just as the BF denies it in the complaint. The explanations in the statement of the prosecuting authority also do not provide any further reasoning. The BF's responsibility is apparently inferred from the fact that his behaviour can neither be attributed to the service authority (Directorate of Education) nor to the "competent Federal Ministry".

If the AA states in the complaint, only in rudimentary justification, that he was active as a teacher "in the implementation of school law", this is not yet aimed at a specific data protection context, especially since the sovereign element per se has no significance for the status of controller under the GDPR or the DPA.

It is true that the provision of § 17 (1) SchUG ("in independent and responsible teaching and educational work") results in an independent and in a certain way autonomous position of the teacher in functional terms. The performance assessment by the teacher, which has to be carried out according to the principles described above, has the quality of an expert opinion according to settled case law (cf. VwGH 99/10/0240 of 20.12.1999 "It has no influence on the existence of a performance assessment as an expert opinion..."). § 19 SchUG sets the framework for the information obligations in connection with the provision of services.

In this case, it is about the data protection responsibility in connection with the performance appraisal itself and the related communication. It is true that the Performance Assessment Ordinance, especially with regard to the consideration of the pupils' cooperation, also assumes the necessity of the teacher's own records of the pupils' performance (§ 4) ("as often and as thoroughly as necessary"). These are non-public internal bases for the final "expert opinion" of the performance assessment itself.

However, as explained above, the teacher has to fulfil all related tasks in organisational integration into the school and under the official and professional supervision of the head teacher (§ 56 SchUG). The purpose of the "data controller" as defined by the GDPR, to be the addressee of the claims of the data subject and the point of contact for measures of the supervisory authority, would probably not be fulfilled by individual members of a teaching staff that usually consists of many members, even if their position in relation to performance assessment is very independent. The same applies to the requirement for the controller to take measures to ensure that data processing complies with data protection law. A teacher can probably not take such measures that go beyond the compliance of his or her person. The attribution of controller status is not quite so easy from the perspective of deciding the purposes and means of processing. Apart from the fixed forms of performance assessment in the form of school reports and certificates, the individual teacher certainly has a certain amount of leeway within the legal and regulatory framework as to how he or she communicates in connection with performance assessment. On the other hand, school directives that further concretise this framework are quite conceivable. However, the basic design of the framework, how which data is processed, to whom it is transmitted and when it is deleted (the latter is out of the question in the case of oral transmission, as is the case here), is in any case not the responsibility of the individual teacher.

Ultimately, taking into account all of the aspects described above, the answer to the question of who was responsible for the BF's actions in this case can only be answered in favour of the school organisation, not in favour of the BF himself, so that overall, the BF's status as the person responsible had to be denied.

However, the denial of the BF's responsibility means that the BF lacks passive legitimacy for the underlying data protection complaint of the BG, so that the complaint had to be upheld and the contested decision amended to the effect that the complaint was rejected.

Since the BF's status as the person responsible was denied, it was no longer necessary to address the question of whether the BF's actions could (at best) be qualified as a violation of the data protection rules.

Since the question of whether a data protection officer, the BA, was specifically held liable, only raised legal questions and there was no need for discussion in this regard, an oral hearing could be dispensed with.

The ruling on the inadmissibility of the appeal follows from the fact that the question of whether and when a teacher can be a "controller" within the meaning of the GDPR or the GDPR in connection with performance appraisals and the related communication has apparently not yet been clarified by the highest courts. However, individual case-related considerations are in the foreground, so that, based on the case constellation to be assessed here, no legal questions of fundamental importance had to be clarified.