BVwG - W274 2233705-1
| BVwG - W274 2233705-1 | |
|---|---|
 | |
| Court: | BVwG (Austria) |
| Jurisdiction: | Austria |
| Relevant Law: | Article 4 GDPR Article 5 GDPR Article 6 GDPR Article 133 (4) Austrian Constitution (B-VG) §§ 1, 24 Austrian Data Protection Act (Datenschutzgesetz - DSG) |
| Decided: | 04.12.2020 |
| Published: | 12.02.2021 |
| Parties: | Tenant Municipality of the City of Vienna (Wiener Wohnen) |
| National Case Number/Name: | W274 2233705-1 |
| European Case Law Identifier: | ECLI:AT:BVWG:2020:W274.2233705.1.00 |
| Appeal from: | DSB (Austria) GZ D 124.1364 2020-0.202.645 |
| Appeal to: | Not appealed |
| Original Language(s): | German |
| Original Source: | Rechtsinformationssystem des Bundes (RIS (in German) |
| Initial Contributor: | Fabian Schuster |
The Federal Administrative Court found that the necessity criterion in Article 6 GDPR must be interpreted narrowly. The decisive factor for necessity is therefore whether the data processing is objectively necessary for the purpose pursued.
The Court also held that even if such transfer was necessary, this would not necessarily lead to an authorisation to pass on such data.
English Summary
Facts
The complainant is the Municipality of the City of Vienna (Wiener Wohnen) and the respondent is a tenant of the complainant.
On 31 August 2019, the tenant informed the police that children had broken a window. In addition, he informed the complainant about the damage to the general parts of the property (window in the staircase). On the phone, the complainant stated that they would commission an emergency service and have the damage repaired. Shortly afterwards, an "electrician" called the respondent, saying he had been commissioned to repair the damage.
Since the respondent generally had a secret number and had changed it for security reasons he never allowed to pass on his telephone number to third parties (electricians). He had not been asked about this, nor had he been informed of the transfer, so that he could have objected to it. When the respondent complained via telephone, he was told that the complainant usually compared the data and passed it on to technicians so that they could contact the detector.
The tenant then submitted a complaint to the Data Protection Authority (DSB) which found that the respondent's right to secrecy had been violated by unlawfully transmitting personal data of him to a commissioned company and disclosing it to the latter.
The complainant then appealed against this decision at the Federal Administrative Court claiming that it followed from the obligations arising from sections 1096 and 1097 of the General Civil Code that the landlord may use vicarious agents to remedy the reported defects "and may therefore also provide them with the telephone number of the tenant who has reported a defect". Therefore, the justification of Article 6(1)(b) of the GDPR would be given.
Dispute
Was the transmission of personal data (mobile number) to the commissioned company considered to be necessary for the performance of a contract and did it comply with the conditions laid down in Articles 5 and 6 GDPR?
Holding
The Federal Administrative Court held that the extent to which processing is considered necessary is determined on the basis of a case-by-case assessment of the purpose of the contract (at least the essentialia negotii, i.e. the basic data of the contracting parties and the essential content of the contract) and what is necessary for the performance of the contractual obligations or the exercise of rights or for the implementation of pre-contractual measures. In order to assess this, not only the perspective of the controller must be taken, but also the perspective of the data subject. There must be a direct connection between the processing and the specific purpose of the obligation. The obligations may also include ancillary contractual obligations. However, the standard of necessity should not be understood as a strict proportionality test in private law transactions (cf. Kastelitz/Hötzendorfer/Tschohl in Knyrim, DatKomm Art. 6 DSGVO Rz 36).
This necessity criterion must be interpreted narrowly. Processing of personal data that is not really necessary cannot be based on this ground. It is only permissible if it is necessary for the performance of the rights and obligations arising from the contract or for the performance of pre-contractual measures. Necessity is in any case fulfilled if the contract cannot be fully performed without the data processing. A controller must therefore ascertain the exact content and intentions why a contract was concluded. For these purposes thus established, the processing of personal data can be based on the legal basis of the performance of the contract. The limit to be considered is determined by the principles of data processing, in particular Art. 5(1)(b) and (c) GDPR and Art. 6(4) GDPR.
For each of the legal bases listed in Art. 6 (1) of the GDPR (except consent according to lit a), the data processing must be necessary for a specific purpose. What is to be understood by this, however, is not explicitly specified. Art. 5(1)(c) GDPR (data minimisation) requires that personal data must be adequate and relevant to the purpose and limited to what is necessary for the purposes of the processing. The decisive factor for necessity is therefore whether the data processing is objectively necessary for the purpose pursued, i.e. if there is a direct connection between the intended processing and the specific purpose of use. This assessment must be carried out for each data processing operation, taking into account the respective legal basis. In this regard, Recital 39 of the GDPR states that personal data may only be processed if the purpose of the processing cannot reasonably be achieved by other means. In such a consideration, the effort (e.g. time, costs, work, risks associated with the conversion, etc.) must be compared to the extent of the less intrusive or less data processing. If the assessment shows that other means are reasonable for the controller, then the processing of data must be changed, i.e. new software or other data processing must be introduced (Braun/Hasenauer, Die Rechtmäßigkeit der Verarbeitung gemäß Art 6 DSGVO 22 ff).
Pursuant to section 8 subsection 1 MRG, if the repair of serious damage to the house becomes necessary, the main tenant is obliged to notify the landlord without delay, otherwise he will be liable for damages. Likewise, § 1097 ABGB stipulates an immediate obligation of the tenant to notify the landlord if repairs are necessary which are the responsibility of the landlord. According to § 1096 para. 1 ABGB, the landlord is obliged to maintain the property.
When assessing the admissibility of the disclosure of the telephone number, only the time of the disclosure itself can be taken into account. The nature and circumstances of the use (for which the technician then contacted the tenant) is irrelevant to the legal question of the permissibility of the disclosure. It is true that the complainant agrees that the landlord's duty of maintenance is a secondary contractual obligation and that the purpose of the contract - which is evident from the content of the contract - also includes ensuring that the rented property, i.e. the general parts, are free of defects. Nevertheless, the concept of necessity must be interpreted narrowly in the sense of the above. The processing of personal data is only permissible if it is necessary for the performance of the contract, for example if the contract cannot be fully performed without data processing.
According to the findings, it was not necessary for the technician to contact the respondent to enable the damage to be repaired. Even if such contact had been necessary, this would not necessarily have led to an authorisation for the complainant to pass on the data, especially since he could have acted as an intermediary. In principle, if the complainant had considered direct contact between the technician and the reporting tenant to be necessary or expedient, it would have been up to him to obtain consent for the transfer of data.
Even in the event that it had not been a secret number, no evidence emerged during the proceedings that the respondent's telephone number had been generally available data. As further shown, the circumstances of how the number was actually used by the technician cannot matter.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
IN THE NAME OF THE REPUBLIC!
The Federal Administrative Court, with Judge LUGHOFER as Chairman and the experts Prof. KR POLLIRER and Dr. GOGOLA as Associate Judges, rules on the appeal of the Municipality of the City of Vienna, Wiener Wohnen, Rosa-Fischer-Gasse 2, 1030 Vienna, represented by Municipal Department 63 - Trade Law, Data Protection and Personal Status, Neutorgasse 15/2. Floor, 1010 Vienna, against the decision of the data protection authority, Barichgasse 40 - 42, 1030 Vienna, of 30.03.2020, GZ D 124.1364 2020-0.202.645, co-participant XXXX , due to violation of the right to secrecy, in closed session:
A)
The appeal is not upheld.
B)
The appeal is not admissible pursuant to Art. 130 para. 4 B-VG.
Reasons for decision:
Using a form of the data protection authority (hereinafter: the authority concerned), XXXX (hereinafter: co-participant before the Administrative Court, MB) submitted a complaint by e-mail on 31.8.2019 against the City of Vienna - Wiener Wohnen (hereinafter: complainant, BF) for violation of the fundamental right to secrecy pursuant to section 1 of the Data Protection Act and argued:
On 31 August 2019, he had informed the police on the telephone number XXXX that children had broken a window. The BA was supposed to report the damage. He did not issue any further order for repair, as this was probably in the interest of the BA itself. On the phone, BF stated that they would commission an emergency service and have the damage repaired.
Shortly afterwards, an "electrician" called him, saying he had been commissioned by the BF to repair the damage.
Since he generally had a secret number and had changed it for security reasons (federal employee in an increased danger area), he had never allowed the Federal Office for Migration and Refugees to pass on his telephone number to third parties (electricians). He had not been asked about this by telephone, nor had he been informed of the transfer, so that he could have objected to it. When he complained to BF by telephone, he was told that BF usually compared the data and passed it on to technicians so that they could contact the detector. It seemed that this was not just an individual case of unauthorised data transfer to third parties, but a general and continuous violation of the applicable data protection regulations.
On behalf of the authority concerned, the BA commented on the matter for the first time in a letter dated 2 October 2019 from the Municipal Department 63, Trade Law, Data Protection and Personal Status, stating in summary that on 31 August 2019, the BA had been contacted by the MB on its service hotline because children had broken a window of a flat and he requested that a damage report be recorded in this regard. BF then informed the MB by telephone that an emergency service would be commissioned to repair the damage. Shortly afterwards, the MC was contacted by a technician who had received the MC's telephone number from the BA and had wanted to contact him regarding the repair of the damage.
There was a tenancy relationship between the BF and the MB, so that data processing was justified for the fulfilment of a contract within the meaning of Art. 6(1)(b) of the GDPR. The landlord was obliged to repair any damage to the property. In order to fulfil its contractual obligations, the landlord may also use vicarious agents (technicians) to carry out the activities owed by it. The administration of the property in which the MC lived was carried out by the BF. The transfer of the MB's telephone number by the property management had taken place in the context of the landlord's fulfilment of his primary obligations under the tenancy agreement - to maintain the transferred property in a usable condition. Without the disclosure of the telephone number, it would not have been possible for the technician to contact the landlord and subsequently repair the damage, which is why no violation of the GDPR could be identified.
The MB commented on this on 21.10.2019, stating that the damage had not affected his flat and that the location of the damage was on another staircase. The repair of the property by BF could have been carried out without contacting him. The transfer of his personal data had therefore not been necessary for the fulfilment of the contract. The BF had received a precise description of the damage from the MC. The BA should have informed the MC at the time of the call that it intended to pass on his data to third parties, so that he could have objected. According to the BF, the staff on the service telephone of the BF actually forced the person reporting the damage to agree to the data being passed on to third parties, as otherwise, according to the BF, reported damage could not be processed and defects could not be repaired. Moreover, the MB had only been contacted by the technician to tell him what work was being done. This information was irrelevant for the MC. He had not been contacted in order to find the location of the damage, which was freely accessible from the outside.
Upon request, the BA commented again on 4 November 2019 and stated that it had now come to light that the damage reported by the MB was to the general parts of the house, specifically to the entrance door to staircase 7. Legally, this did not change anything, since according to § 8 (1) MRG in conjunction with § 1079 ABGB the tenant had a duty to notify the landlord if repairs to the rented property were necessary, which were the landlord's responsibility. This duty of notification did not only cover the rented property itself, but also the general parts of the house. In these cases, too, the landlord could use vicarious agents to remedy the reported defects. The telephone number of the MC could also be passed on to them. It had been necessary to pass on the MB's telephone number in order to clarify where the damage to the general parts was actually located and which areas had been affected by it.
After the parties had been given the opportunity to be heard, the MC again stated on 13 November 2019 that the location of the damage (entrance door to staircase 7) had already been clearly documented and could be found in the report. The vicarious agent had also only called the MC for the purpose of informing him that he would now start repairing the damage. The telephone number had been passed on because, according to previous experience, BF always passed on the personal data of the person reporting the damage to the commissioned vicarious agent.
The authority concerned forwarded this statement "together with new factual arguments" to the BA for a further statement:
On 5 December 2019, the BF added that the fact that the landlord's vicarious agent had only notified the landlord that the general parts of the house were free of defects did not change the fact that the transfer of data from the landlord's obligations to fulfil the tenancy agreement was justified by Art. 6 para. 1 lit. b of the GDPR. The MB overlooked the fact that the tenant was also subject to the obligation to notify defects in general parts of the house, which required the landlord to take action under section 1096(1) of the General Civil Code. The landlord had informed the tenant through his vicarious agent of the fulfilment of the obligation incumbent on him. The notification by the landlord or his vicarious agents of the repair of defects in the rented property or the general parts of the property was to be seen as an inherent part of the obligation to maintain the general parts of the property arising from section 1096(1) of the General Civil Code. The notification of the rectification of defects was also covered by the justification of Article 6(1)(b) of the GDPR.
In the contested decision, the authority allowed the complaint and found that the BF had violated the MB’s right to secrecy by unlawfully transmitting personal data of the MB (secret telephone number) to a commissioned company and disclosing it to the latter.
The authority made the following findings of fact (adapted with regard to the names of the parties):
"The MB reported damage to general parts of the BF's occupied portfolio property to the BF on 31 August 2019.
The BF subsequently passed on the MB's secret telephone number to the vicarious agent charged with repairing the damage. The vicarious agent then contacted the MC by telephone to inform him that the damage to the general parts of the property would now be repaired.
In legal terms, the authority stated that the MB had designated BF as the person responsible for the alleged data protection violation. The BF was an enterprise of the City of Vienna within the meaning of section 71(1) of the Vienna Data Protection Act (WStV), which did not have its own legal personality. Pursuant to section 106(1) of the Vienna Administrative Procedure Act, undertakings were organisationally part of the municipal authorities, which was why the alleged infringement was attributed to them.
After presenting Section 1 (1) of the Data Protection Act and Article 4 (1) of the Data Protection Regulation as well as Recital 26 of the Data Protection Regulation, it was stated that, from the perspective of the vicarious agent, traceability to the MB did not seem to exist per se solely due to the knowledge of the secret number. However, the possibility of identification, e.g. by contacting the BA, does not seem to be excluded, which is why the existence of personal data within the meaning of Article 4(1) of the GDPR must be assumed. Irrespective of the assessment of this vicarious agent as the BF's own controller or processor pursuant to Article 4(7) or (8) of the GDPR, the disclosure of the MB's telephone number to the vicarious agent qualified as disclosure and thus as processing within the meaning of Article 4(2) of the GDPR. It was irrelevant whether the disclosure of the personal data by the BA had taken place in writing, electronically or orally, especially since an encroachment on the fundamental right to secrecy could take place in almost any form and thus also through oral transmission.
An interest worthy of protection in keeping this personal data secret was to be affirmed.
The BA was renting out existing properties within the framework of private economic administration. In the present case, there was nothing to suggest that the BF was not acting in the context of private economic administration, but in a sovereign capacity. The reservation of the right to intervene stipulated in Article 1(2) of the Data Protection Act, according to which an intervention by state authorities may only take place on the basis of a qualified legal basis, does not apply in the context of private economic administration.
Therefore, it had to be examined whether the intervention in question had been covered by the MB's consent, in his vital interest or due to overriding legitimate interests of another.
The transmission of the MB's secret telephone number was neither in his vital interest nor with his consent. Even if one were to assume that the content of §§ 1096, 1097 of the General Civil Code, which had been invoked, was as represented by the BA, there would still be a violation of § 1 (1) of the Data Protection Act: It was not evident to what extent the disclosure of the MB's secret telephone number had been necessary for the fulfilment of the BF's duties - repairing damage to general parts of the MB's property - especially since the recipient of the data had merely used it to inform the MB of the repair of the damage and thus the prior disclosure of the MB's telephone number to the vicarious agent had taken place without any concrete reason, such as clarifying the location of the damage.
The authority did not overlook the fact that data protection law was not conceived as a general prohibition of communication and that informing the MC as the person reporting the damage that the damage would now be repaired could therefore certainly be regarded as a service provided by the BA as the provider.
However, as a palliative measure, the disclosure of the MC's telephone number to the vicarious agent in charge of repairing the damage could have been considered only on the specific occasion of clarifying the location of the damage in case of doubt on the part of the vicarious agent. In the sense of the transparency requirement according to Art 5 (1) lit DSGVO, it would have been necessary to ask the MC about the disclosure of his telephone number, since even point 2.3 of BF's data protection declaration, available at www.wienerwohnen.at/datenschutz.html, states that the provision of personal data (including the telephone number) for damage reports is merely voluntary.
In this respect, there was a violation of the principle of data minimisation pursuant to Article 1(2), last sentence, DSG in conjunction with Art. 5(1)(c) DSGVO and thus a violation of the right to secrecy. Article 5(1)(c) of the GDPR and thus a violation of the right to confidentiality.
The appeal of the Municipal Authority of the City of Vienna against this decision on the grounds of unlawfulness of its content is directed primarily at the request to decide on the merits of the case and to amend the contested decision to the effect that the data protection complaint is dismissed. In the alternative, a motion to set aside is filed.
The authority submitted the complaint together with a file containing the administrative act to the Federal Administrative Court on 4 August 2020, where it was received on 5 August 2020. The authority requested that the complaint be dismissed.
In this regard, she stated that according to Art. 6(1)(b) of the GDPR, the processing of personal data is lawful if it is necessary for the performance of a contract to which the data subject is a party. A strict standard had to be applied to the criterion of necessity. The European Data Protection Board assumed that it was only possible to invoke Art. 6(1)(b) of the GDPR if the data processing was objectively necessary to fulfil the contract. The controller must provide proof of this necessity. Due to the case constellation to be assessed here, the use of data for the fulfilment of an inventory contract was not objectively necessary. The BF could have asked in advance whether the telephone number would be passed on, especially in light of its privacy policy.
The BF also had nothing to gain from invoking the primacy of application of Union law over section 1 of the FADP, because it was not evident that section 1(1) of the FADP did not meet the criteria defined by the ECJ regarding further protection of fundamental rights by the Member States.
The BF had therefore violated the principles of transparency and data minimisation.
The complaint is not justified:
The following facts are established:
1. on 31 August 2019, the MB reported damage to general parts of the BF's portfolio property occupied by him to the BF's service hotline.
The BF subsequently passed on the (secret) telephone number of the MB to the technician charged with repairing the damage. The technician then contacted the MB by telephone.
3. it was not necessary for the technician to contact the BF to enable the damage to be repaired.
Appraisal of evidence:
Re 1: This finding - already made by the authority concerned - is undisputed.
Regarding 2: This finding is also undisputed in the result. In its appeal, the BA notes that, as with other findings, "the determination of the facts and the evaluation of the evidence did not appear to be completely consistent". The BF refers - as far as this finding concerning a secret number is concerned - to the fact that the prosecuting authority limited the assessment of evidence in this regard exclusively to the submission of the MB and an internet search.
However, the findings and the assessment of evidence by the prosecuting authority in this regard are unobjectionable: The BA did not counter this argument of the BA in the data protection complaint in any of its three statements. The prosecuting authority was also unable to find the AA's telephone number in the course of an online search in two common online telephone directories. Even in the complaint, the BA does not claim anything to the contrary. This does not constitute a substantiated denial of the findings of fact within the meaning of § 24 VwGVG.
Re 3: This finding is also - ultimately - also based on the concurrent submissions. It is true that the BF claimed the opposite in its first two statements (the fulfilment of the BF's obligation would not have been possible without the technician contacting the MB - SS 2.10.2019, p. 2; the disclosure of the MB's telephone number had been necessary in order to clarify where the damage to the general parts had actually been and which areas had been affected by it - SS 4.11.2019, p. 2). After the MB had contested each case, the BF stated in its written statement of 5.12.2019 that this was "additional" to the statements already submitted. However, when the BF then states "that now only the notification of the successful restoration of the freedom from defects of the general parts of the house had been made by the vicarious agent of the landlord, this does not change anything, that the transmission of the data was justified in fulfilment of the BF's obligations as landlord and that the landlord had informed the tenant through its vicarious agent of the fulfilment of this obligation incumbent on it", it thus unequivocally admits that it now also assumes - in agreement with the MB's submission - that the technician's contact with the MB no longer has anything to do with clarifying the location of the damage. In the following letter, the BF also only refers to the fact that she was informed of the successful repair.
In these statements, a modification of the argument is to be seen ("that now only the notification of the successful restoration of the freedom from defects of the general parts of the house had been made by the vicarious agent of the landlord"), according to which a necessity of the direct contact of the technician with the notifier was no longer claimed.
Admittedly, in its appeal (p. 5), the BF again refers to this no longer current argument in its statement of 4 November 2019 and, referring to it, wants to show a contradiction between the findings of fact of the public authority and the assessment of evidence. However, this statement disregards the modification of the BF's submission as described above. However, it is not apparent from the BF's complaint that it intended to deviate from the above-mentioned submission of 5 December 2019, because its legal arguments are not even aimed at the necessity of contacting the authorities in order to locate the damage.
Thus - as a clarification - the finding under 3. was to be made.
Legally follows:
The authority first correctly stated that BF was the controller and that the data in question - including the secret telephone number - was personal data of an at least identifiable natural person within the meaning of Article 4(1) of the GDPR. Furthermore, the transfer of this telephone number to the vicarious agent constituted disclosure and thus processing within the meaning of Article 4(2) of the GDPR.
These qualifications remain uncontested in the complaint. The administrative court also considers this to be correct.
Subsequently, the public authority examined the permissibility of the data transfer solely under the aspect of § 1 (1) and (2) of the Data Protection Act and denied - neither vital interests had been affected nor had consent been given - an overriding interest of the BA, because it was not apparent to what extent the data transfer had been necessary to repair damage to general parts. Only with reference to Article 5(1)(a) and (c) (requirement of transparency and data minimisation) did the authority also consider the GDPR to be affected or violated.
The BF's main point of complaint is the assertion that it follows from the obligations arising for the BF from sections 1096 and 1097 of the General Civil Code that the landlord may use vicarious agents to remedy the reported defects "and may therefore also provide them with the telephone number of the tenant who has reported a defect". Therefore, the justification of Article 6(1)(b) of the GDPR was given.
In its statement on the submission of the file, the authority concerned referred to Article 6(1)(b) of the GDPR, now affirmed its applicability (in addition to the GDPR) and essentially stated that even if the contents of Sections 1096 and 1097 of the General Civil Code (ABGB), as alleged by the BA, were to be assumed, it could not be deduced from this that the data processing in question had been objectively necessary for the fulfilment of the tenancy agreement, especially since the BA could at most have consulted with the MC.
To this end, it must be stated:
According to Article 4(11) of the GDPR, consent of a data subject is any freely given specific, informed and unambiguous indication of his or her wishes in the form of a statement or other unambiguous affirmative act by which the data subject signifies his or her agreement to the processing.
Pursuant to Art. 5 of the GDPR, the following principles must be observed for the processing of personal data:
(1) Personal data must
(a) processed lawfully, fairly and in a manner comprehensible to the data subject ('lawfulness, fairness, transparency');
…
(c) adequate and relevant to the purpose and limited to what is necessary for the purposes of the processing ('data minimisation');
…
(2) The responsible person shall be responsible for compliance with paragraph 1 and shall be able to demonstrate such compliance ("accountability").
According to Art. 6 (1) DSGVO, processing is lawful if at least one of the following conditions is met:
(a) the data subject has given consent to the processing of personal data relating to him or her for one or more specified purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or for the implementation of pre-contractual measures taken at the data subject's request;
…
The extent to which processing is considered necessary is determined on the basis of a case-by-case assessment of the purpose of the contract (at least the essentialia negotii, i.e. the basic data of the contracting parties and the essential content of the contract) and what is necessary for the performance of the contractual obligations or the exercise of rights or for the implementation of pre-contractual measures. In order to assess this, not only the perspective of the controller must be taken, but also the perspective of the data subject. There must be a direct connection between the processing and the specific purpose of the obligation. The obligations may also include ancillary contractual obligations. However, the standard of necessity should not be understood as a strict proportionality test in private law transactions (cf. Kastelitz/Hötzendorfer/Tschohl in Knyrim, DatKomm Art. 6 DSGVO Rz 36).
This necessity criterion must be interpreted narrowly. Processing of personal data that is not really necessary cannot be based on this ground. It is only permissible if it is necessary for the performance of the rights and obligations arising from the contract or for the performance of pre-contractual measures. Necessity is in any case fulfilled if the contract cannot be fully performed without the data processing. A controller must therefore ascertain the exact content and intentions why a contract was concluded. For these purposes thus established, the processing of personal data can be based on the legal basis of the performance of the contract. The limit to be considered is determined by the principles of data processing, in particular Art. 5(1)(b) and (c) DSGVO and Art. 6(4) DSGVO.
For each of the legal bases listed in Art. 6 (1) of the GDPR (except consent according to lit a), the data processing must be necessary for a specific purpose. What is to be understood by this, however, is not explicitly specified. Art. 5(1)(c) GDPR (data minimisation) requires that personal data must be adequate and relevant to the purpose and limited to what is necessary for the purposes of the processing. The decisive factor for necessity is therefore whether the data processing is objectively necessary for the purpose pursued, i.e. if there is a direct connection between the intended processing and the specific purpose of use. This assessment must be carried out for each data processing operation, taking into account the respective legal basis. In this regard, Recital 39 of the GDPR states that personal data may only be processed if the purpose of the processing cannot reasonably be achieved by other means. In such a consideration, the effort (e.g. time, costs, work, risks associated with the conversion, etc.) must be compared to the extent of the less intrusive or less data processing. If the assessment shows that other means are reasonable for the controller, then the processing of data must be changed, i.e. new software or other data processing must be introduced (Braun/Hasenauer, Die Rechtmäßigkeit der Verarbeitung gemäß Art 6 DSGVO 22 ff).
Pursuant to section 8 subsection 1 MRG, if the repair of serious damage to the house becomes necessary, the main tenant is obliged to notify the landlord without delay, otherwise he will be liable for damages.
Likewise, § 1097 ABGB stipulates an immediate obligation of the tenant to notify the landlord if repairs are necessary which are the responsibility of the landlord. According to § 1096 para. 1 ABGB, the landlord is obliged to maintain the property.
When assessing the admissibility of the disclosure of the telephone number, only the time of the disclosure itself can be taken into account. The nature and circumstances of the use (for which the technician then contacted the MB) is irrelevant to the legal question of the permissibility of the disclosure.
It is true that the BF agrees that the landlord's duty of maintenance is a secondary contractual obligation and that the purpose of the contract - which is evident from the content of the contract - also includes ensuring that the rented property, i.e. the general parts, are free of defects. Nevertheless, the concept of necessity must be interpreted narrowly in the sense of the above. The processing of personal data is only permissible if it is necessary for the performance of the contract, for example if the contract cannot be fully performed without data processing.
Nor can the BF be contradicted that it may use vicarious agents to remedy defects. However, it can by no means be deduced from this that in this context - this is how its assertion on p. 4 of the complaint is to be understood - it may transmit data of the tenant who reported the defect to these vicarious agents without further requirements and thus without being subject to the data protection provisions.
According to the findings, it was not necessary for the technician to contact the BA to enable the damage to be repaired. Even if such contact had been necessary, this would not necessarily have led to an authorisation to pass on the data, especially since the BF could have acted as an intermediary. In principle, if the BF had considered direct contact between the technician and the reporting tenant to be necessary or expedient, it would have been up to the BF to obtain consent for the transfer of data.
Concrete reasons according to which it would have been objectively necessary in the individual case to pass on the MB's data to the vicarious agent without such consent are not even remotely alleged in the complaint. It is also not apparent why, with regard to the tenant's duty of notification and the landlord's duty of maintenance as described above - especially in view of the fact that the location of the damage was obviously known to the BF - it would have been necessary to pass on the data, so that the contract between the BF and the MB could not have been completely fulfilled without this passing on of the data.
Regardless of this, the BF did not comply with the transparency requirement under Art. 5(1)(a) of the GDPR or the principle of data minimisation under Art. 5(1)(c) of the GDPR, especially since, if it had been necessary for the MB to contact the vicarious agent, it could and should have asked in advance whether the telephone number would be passed on.
Even based on the provisions of the GDPR, the BF therefore does not show that the data transfer would have been permissible.
The statements in the complaint on p. 4 below and 5 above have already been dealt with at the level of the assessment of evidence. In addition, the question of whether it was a secret number must be answered:
Even in the event that it had not been a secret number, no evidence emerged during the proceedings that the MB's telephone number had been generally available data.
As further shown, the circumstances of how the number was actually used by the technician cannot matter.
Pursuant to § 24 (1) VwGVG, the administrative court shall hold a public hearing upon request or, if it deems it necessary, ex officio. Pursuant to para 4 leg cit, the administrative court may refrain from holding a hearing, notwithstanding a party request, if the files indicate that the oral discussion does not lead to the expectation of a further clarification of the case and this does not contradict Art. 6 para 1 ECHR and Art. 47 CFR.
A corresponding application was not made by the BF.
The facts of the case were undisputed. Why this also applies to points 2 and 3 (clarifications compared to the findings of the authority) and why there is in any case no substantiated contestation of the factual findings in the complaint was presented above in the context of the assessment of evidence.
The ruling that the appeal is inadmissible is based on the fact that the question of whether the BF violated the right to secrecy in an individual case by disclosing the MB's telephone number is not a legal question of fundamental importance and thus not a revisable legal question.
