BVwG - W274 2237071-1

From GDPRhub
Revision as of 08:29, 29 September 2021 by FA (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
BVwG - W274 2237071-1
Courts logo1.png
Court: BVwG (Austria)
Jurisdiction: Austria
Relevant Law: Article 12(2) GDPR
Article 12(6) GDPR
Decided: 21.06.2021
Published: 22.09.2021
Parties:
National Case Number/Name: W274 2237071-1
European Case Law Identifier: ECLI:AT:BVWG:2021:W274.2237071.1.00
Appeal from:
Appeal to: Not appealed
Original Language(s): German
Original Source: RIS (in German)
Initial Contributor: n/a

The Federal Administrative Court of Austria (BVwG) decided that a union which terminated the membership of a data subject also had to comply with the data subject's request for erasure without additional proof of identity.

English Summary[edit | edit source]

Facts[edit | edit source]

After multiple years as a member of a union the data subject decided to quit and sent the union a letter requesting termination of the membership and the deletion of personal data. Among other information the letter contained the membership number and the handwritten signature of the data subject.

The union immediately terminated the membership of the data subject. In terms of the erasure request, however, the union asked for a copy of the ID of the data subject in order to progress with the deletion. Although the name and membership number were known to the union, it could not verify that also the signature on the letter was from the data subject.

The union argued that although the data subject stated to be known to the union due to their long membership, the size of the union with over 1.2 million members and different administrative responsibilities did not constitute a personal relationship with the data subject. Moreover, the consequences of the data deletion would be severe compared to a resignation given that the data was necessary for a later re-entry in the union to continue the data subject’s membership. Therefore, and in accordance with Article 12(6) GDPR additional measures of identification were required.

The data subject refused to provide a copy of the ID seeing a contradiction in providing even more data to achieve its deletion. The data subject argued that sending a copy of the ID does not mean any higher degree of reliability or proof of identity since it could be stolen, forged or used by another person. According to the GDPR additional information may only be requested if there are reasonable doubts about the identity of the natural person which does not allow for routine identity checks in all data subjects' rights.

Holding[edit | edit source]

The BVwG ruled that the union unjustifiably requested proof of identity of the data subject and had not dealt with the latter's request for deletion. In this regard, it followed a previous position of the Austrian DPA according to which the union had not informed the data subject about why it had reasonable doubts regarding their identity.

The Court held that since the union did not doubt the identity of the person with regard to their resignation, it cannot raise such doubts regarding to the deletion of personal data in terms of Article 12(6) GDPR. A bona fide recipient can be either be in doubt with the identity of the declarant or not.

Any further request for proof of identity contradicts the facilitation requirement of exercising data subjects right pursuant to Article 12(2) GDPR. The union had therefore violated the data subject's right to erasure by not dealing with the content of the data subject's request for erasure pursuant to Article 17 GDPR.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the German original. Please refer to the German original for more details.

court
Federal Administrative Court


Decision date
June 21, 2021


Business number
W274 2237071-1


Saying
W274 2237071-1 / 10E

IN THE NAME OF THE REPUBLIC!
The Federal Administrative Court recognizes through the judge Mag.LUGHOFER as chairman and the expert lay judges Prof. KommR POLLIRER and Mag.PORICS as assessors on the complaint of the XXXX represented by FREIMÜLLER / OBEREDER / PILZ Rechtsanwältin GmbH, Alserstraße 21, 1080 Vienna, against the decision of Data protection authority, Barichgasse 40-42, 1030 Vienna, from October 9th, 2020, GZ: D124.1474 / 0003-DSB / 2019, participant XXXX, represented by Dr. Mag. XXXX, lawyer, Kolingasse 11/15, 1090 Vienna, due to violation of the right to erasure, right after a public hearing:
The complaint will not be followed.
The revision is not permitted according to Art. 133 Para. 4 B-VG.



text
Reasons for the decision:
With a complaint dated October 1, 2019, XXXX (hereinafter: participant, MB) turned to the data protection authority (hereinafter: authority concerned) and claimed that when he terminated his membership in XXXX, he had asked for his personal data to be deleted and for confirmation thereof . In addition, he stated in his letter of July 11, 2019 that he saw no reason to doubt his identity. In the relevant reply from XXXX, doubts about the identity were again reported and he was asked to submit a new copy of his ID.
As a decade-long member of the XXXX, the MB is known from frequent earlier contacts, for example from proceedings at the labor and social court, the granting of legal protection by the XXXX, legal advice, etc. On the occasion of his termination, the XXXX immediately implemented his revocation regarding the authorization to have the membership fee withheld by his pension-paying office. The MB sees a contradiction to the applicable data protection law to have to provide further data in order to be able to obtain a deletion.
At the request of the authority concerned, the XXXX (hereinafter: complainant, BF) - represented by a lawyer - commented on November 5, 2019 as follows:
The XXXX does not have its own legal personality, which is why the BF is responsible for the data applications in question in its sub-union.
In the course of the implementation of the GDPR, the BF adjusted the process organization for the correspondence of deletion requests within the meaning of Art. 17 GDPR. He continues to insist on providing suitable proof of identity before irretrievably deleting membership data and other special categories of personal data in accordance with Art. 9 GDPR.
The BF had a manually signed request for deletion. The XXXX asked the BF to send a copy of an official photo ID in order to be able to comply with the request for deletion. In fact, the XXXX knew a person with the name of the MB, but the XXXX had decided not to comply with a request for deletion without submitting a copy of the ID, as it could not be ruled out that the present signature came from another person. If the person concerned states that the XXXX / XXXX must be known to the XXXX / XXXX as a decade-long member from previous contacts, the size of the organization and the different responsibilities should be pointed out. Even if the data of the MB can be called up through the name or the membership number, nothing can be deduced from the identity of the MB. Membership administration and data deletion take place centrally, the persons involved have no personal relationship with the BF. The BF has 1.2 million members, a personal acquaintance of the responsible persons in the member administration to each individual member is to be excluded.
With regard to "the objection to the suspension of the withholding of the membership fee", it is an internal decision of the association. The consequences of an exit - in which the identity is not checked more closely - appeared to be much smaller than the consequences of data deletion. After leaving, a re-entry with crediting of the previous membership is possible without any problems; data deletion is final. A restoration and crediting of previous memberships would no longer be possible, whereby all benefit claims associated with the duration of the membership expire. In the event of a re-entry after deleting the data, this person would have to start “from scratch”. Against this background, it is justified to forego proof of identity in the event of a mere termination of membership, but to insist on proof of identity in the event of irrevocable data deletion.
Since the question of whether requests for deletion with regard to special categories of personal data must only be complied with after submission of suitable proof of identity does not only concern the BF, but is also of general interest, the BF is requesting advice within the meaning of Art. 57 Para. 1 lit.
The MB had already asked a similar question in proceedings DSB-D123.918 / 0003-DSB / 2019, namely in relation to requests for information. In its decision of August 1, 2019, the authority in question determined that the person responsible could request additional information in accordance with Art. 12 (6) GDPR that was necessary to confirm the identity of the person concerned, if he had reasonable doubts about the identity of the person concerned when the person responsible can assign data in the inventory to the person concerned, but it is unclear whether the applicant is this person concerned. According to the case law of the VwGH, a high degree of reliability with regard to proof of identity is required. The indication of the name and address in connection with the mention of the membership number indicates a certain probability that the request for information is that of the complainant. However, a high degree of reliability cannot be assumed. This decision has become legally binding.
In the opinion of the BF, the principles of this decision can be freely transferred to the present case, which is why the BF has not been obliged to delete data so far. However, the BF is always ready to comply with the request for deletion as soon as the MB has proven his identity beyond any doubt.
In a letter dated November 8, 2019, the authority concerned informed the MB of the results of the investigation and pointed out that it seemed justified for the respondent there (now the BF) to request a copy of a suitable proof of identity in order to assign reasonable doubts about an identity remove. According to the preliminary legal opinion of the authority concerned, the complaint would have to be dismissed.
In a letter dated November 30, 2019, the MB stated that the clerk could be a new tenant or roommate at the address in question, who had found his data and copies of his ID and had now approached the BF "in his name". Even if the writer sends a copy of an official ID card, there is in no way a high degree of reliability with regard to proof of identity from his point of view. An ID card could also have been alienated or forged. Incidentally, in his multiple letters, the BF never substantiated the doubts he harbored about identity. The BF explained that he had adjusted the organization of the process so that when membership data and other special categories of personal data were requested to be deleted, there was a "general" insistence on the submission of proof of identity. For the purposes of the GDPR, however, additional information may only be requested if there are reasonable doubts about the identity of the natural person. This therefore implies a case-by-case examination. Art. 12 GDPR does not aim to ensure that identity checks are routinely provided for every case of the assertion of data subject rights.
Incidentally, according to the legal opinion of the MB, a termination of membership, which has already occurred, also implies the legal obligation to delete data if it is no longer necessary for the purpose for which it was collected. In this regard, it is irrelevant whether a person re-enters "from scratch". Incidentally, in the sense of the case law of the VwGH, a copy of the document is not suitable in order to be able to assume a high degree of reliability with regard to identifiability. It is therefore also inappropriate for the BF to request a copy of the ID in order to remove doubts about the identity. The XXXX sent their letter to the MB dated July 25, 2019 by means of registered RECO as a priority letter, consignment number R0588075870AT. This was delivered and documented against I-proof and signature. At this point in time, XXXX could already assume that proof of identity had been provided. The MB still sees a contradiction to the applicable data protection law to have to provide further additional data.
With the contested decision, the authority in question upheld the complaint and found that the BF had thereby violated the MB's right to erasure by unjustifiably requesting proof of identity from the MB and not dealing with his request for deletion.
The BF is also instructed to comply with the MB's request for deletion within a period of four weeks or to inform the MB of the reasons for not complying with the request for deletion. 
The authority in question first established that the MB had been a member of the XXXX for years, which was part of the BF's organization without legal personality. It also determined the content of the letter of the MB to the BF dated May 14, 2019 and that of the BF to the MB dated June 17, 2019. Legally, she then stated that the BF was the person responsible within the meaning of Art 4 Z 7 GDPR.
According to Art. 17 Para. 1 GDPR, every person concerned has the right to request the deletion of their personal data from a person responsible. The right to erasure in accordance with Art. 17 GDPR is one of the rights of the data subject. The modalities for exercising the rights of the data subject are regulated in Art. 12 GDPR. According to Art. 12 (2) GDPR, the person responsible has to make it easier for the data subject to exercise his or her rights. If the person responsible has justified doubts about the identity of the natural person making the application, he can request additional information required to confirm the identity of the person concerned in accordance with Art. 12 (6) GDPR.
The VwGH held on the requirement of proof of identity in relation to the legal situation according to the DSG 2000: The provision of § 26 DSG 2000 has the clearly recognizable purpose of preventing any abuse of the right to information by third parties to obtain information. Without proof of identity, a client may not transmit any data to the information applicant - from whom he can only assume at this moment that he is actually the person concerned - because otherwise he could violate data secrecy in accordance with Section 15 (1) DSG 2000.
Proof of identity must be provided in a form that enables the client to check the identity of the information seeker with the person whose data is the subject of the information. With regard to the objectives of the law and to prevent abuse, a high degree of reliability with regard to proof of identity is required (VwSlg 19.411A / 2016).
These considerations could be transferred to the new legal situation, since nothing has changed in the purpose of the counterpart regulation for establishing identity according to Art. 12 (6) GDPR.
However, the obligation of the data subject to disclose their identity when requesting information has not been incorporated into the GDPR. The request for additional information is only permissible if there are reasonable doubts about the identity of the information seeker. Since both the right to information and the right to deletion are part of the rights of the data subject and therefore Art. 12 GDPR is equally relevant for both rights, the case law cited in this context on the right to information is also applicable to the right to deletion. It follows from this that the general request for the submission of proof of identity is not permissible, but that it always has to be a decision on a case-by-case basis. This also applies if it concerns data of special categories according to Art. 9 GDPR.
The MB had submitted his request for deletion in writing by letter, which he personally signed and in which he had given his membership number in the subject. The termination of the MB had been complied with without further proof of identity. The BF also did not inform the MB why there were reasonable doubts about the identity. In the present case, therefore, it cannot be assumed that there were justified doubts about the identity of the MB within the meaning of Art. 12 (6) GDPR, which is why the further request for proof of identity contradicted the relief requirement under Art. 12 (2) GDPR. The BF therefore violated the MB's right to erasure by not dealing with the content of its request for deletion in accordance with Art. 17 GDPR, thus not complying or not giving the MB any reasons why the request for deletion was not being complied with.
The BF's complaint against this notification is directed against the incomplete determination of the facts and an incorrect legal assessment with the request to rectify the notification and establish that the BF is not responsible for any violation of the rights of the person concerned.
The authority concerned submitted the complaint, including the electronic administrative file, with the application to reject the complaint, to the administrative court on November 19, 2020. Reference is made in full to the contested decision.
In a communication dated December 22nd, 2020, the BF "repeated" his application for an oral hearing, which was made by a witness in the complaint.
With the completion of March 9, 2021, the BF was instructed to disclose within the deadline those person (s) as witness (s) who had doubts as to whether the letter of July 11, 2019 was signed or sent by the MB.
An announcement was not made.
With a - now legal - statement of March 25, 2021, the MB submitted that a comparison of the letter regarding termination or deletion on the one hand and the membership application did not reveal any differences in the names that could arouse justified doubts.
Furthermore, the BF sent the MB a registered letter on July 25, 2019, which the MB received with proof of his identity, which the BF had also become aware of, so that the BF had confirmation of the MB's identity at the latest with the successful delivery in this regard obtain.
With the acceptance of the termination, the membership relationship between the MB and the BF ended. This also meant that the BF's legal interest and thus the right to store the data were no longer applicable. The legal consequences of the termination weigh much more heavily than those of a deletion, since the rights to support of the MB ended with it. The argumentation of the BF would make countless requests for data deletion difficult or delay, because deleting the data in the event of a renewed business relationship could lead to disadvantages for the customer.
On April 22nd, 2021, a public hearing took place before the administrative court, in which the case was discussed and the witness Mag. XXXX was questioned.
In addition, the BF submitted that the delivery of a registered letter was not suitable for establishing an identity, because such a letter could be accepted by anyone living in the same household. The deletion of the data is more important than the mere acceptance of the termination, because a termination wrongly pronounced by a third party is at best reversible. The deletion of data is irrecoverable and the associated claims are lost forever. It concerns sensitive data within the meaning of Art. 9 GDPR, which is why special care is associated with it.
The procedure at issue here is the one generally used by the BF, because deletion is irretrievable. One invokes the legal interest that, in the event of a re-entry, the previous times are taken into account. However, if a termination is accepted without deletion, access to this data will be administratively restricted.
Due to the intervention of the representative of the MB, the doubts about the identity of the MB were in any case dispelled, because the MB representative was obliged for professional reasons to check the identity of his client. There is therefore no longer any doubt. However, the data have not yet been deleted because if the MB were to dismiss the legal protection interests, the BF could be interested in a final legal clarification.
The MB also submitted that if the termination were accepted, the BF's right to data storage would be lost. If the BF were of the opinion that it would have been entitled to such an identity verification procedure, this would have to have taken place before acceptance of the termination of membership.
A possible legal interest in the consideration of past times is a legal interest of the member, but not of the XXXX. Here the data protection officer is referring to a legal interest of the data protection officer.
In any case, there could currently no longer be any legal interest in data storage relating to the MB. The interest in the clarification of a legal question could in no way mean a legitimate interest in the further storage of the data in the situation described by the BFV, according to which the BFV itself now considers the data to be ready for deletion, even according to its strict conception.
The complaint is not justified:
The following facts are established:
The XXXX is a branch union of the BF without its own legal personality.
The MB registered on June 28, 2006 as a member of the branch union of the BF XXXX on a form from the XXXX. There it appears with the data "XXXX, born XXXX, XXXX, department XXXX". The membership registration is signed by hand. "Joined from July 1st, 2006" is filled out.
Attached to the membership registration is an authorization of the MB, directed to the accounting department of XXXX, to transfer the union contribution from its earnings to the XXXX. The MB also signed the declaration that in this context necessary data of the MB will be forwarded to XXXX with automated support (Enclosure ./B).
In a letter sent by post and signed by hand on May 14, 2019, the MB informed the XXXX, stating its membership number, that it was terminating its membership and, in the course of this, requested the deletion of its data:
 XXXX.
May 14, 2019.
To XXXX.
Regards:
Termination of membership no. XXXX.
Ladies and gentlemen!
I am canceling my membership at XXXX. At the same time, I revoke the authorization granted to withhold the union contribution from my pension and have it transferred by my pension-paying office.
After termination of my membership, please delete all of my stored personal data in accordance with the General Data Protection Regulation (GDPR) and Data Protection Act (DSG).
Please send me a written confirmation.
Best regards
 XXXX "
The signature is illegible.
On May 17th, 2019, the membership administration of XXXX sent a letter to the MB with the following content:
“Dear colleague XXXX!
We take note of your resignation with regret. We will initiate the implementation of your concerns immediately.
With union greetings "
The XXXX informed the BF in a letter dated June 17, 2019 that his termination had been carried out and asked for a copy of his ID card and his membership number to be sent:
The membership number is already listed on the letter of XXXX above the address of the BF:
"XXXX,
Mr. XXXX
06/17/2019
Leaving and deleting data.
Dear colleague XXXX!
We regret that you are leaving the XXXX. However, we immediately complied with your request to note your withdrawal. Since the union must treat member data as particularly sensitive personal data in accordance with the statutory provisions, it is necessary that you clearly identify yourself to implement the deletion request so that we can comply with your request for data deletion.
We therefore ask you to enclose a copy of your ID with your new written request for data deletion and to state your membership number. Only then can we consider your request for deletion as having been made and check its content.
A copy of your ID must therefore be sent together with your data deletion request either via email to datenschutzmanager XXXX or by post to XXXX.
We would like to point out that if data can be deleted, we will no longer be able to credit you for pre-membership periods in the future in the event of a new entry. Any claims that may otherwise arise or exist, such as legal protection or support services, therefore expire without exception.
With the request for information, we remain with union greetings
 XXXX
Head of Member Administration
 XXXX Head of Organization and Economy. "
On July 11, 2019, the MB sent a letter to XXXX with the following content:
"Subject: renewed request for data deletion - XXXX,
Your letter dated June 17th, 2019.
Ladies and gentlemen!
According to the General Data Protection Regulation, the request for proof of identity in the form of a copy of an ID is no longer provided. This is only possible in exceptional cases, e.g. if there are clear doubts about the identity. In this case, you would have to justify and prove this clear doubt about your identity.
I have sent you my resignation letter, quoting the membership number, handwritten signature and the revocation of the authorization to withhold the union contribution from my pension.
Since this revocation has now also been implemented (the pension-paying office will no longer retain anything for the XXXX), I see no reason to argue against data deletion.
In addition, it is somewhat surprising that, after this implementation, I should now provide you with further personal data in order to be able to comply with my request for deletion.
Sending a copy of your ID card by email, among other things, would have to be viewed critically from a data protection point of view anyway.
Thus, my renewed request for the deletion of all of my personal data in accordance with the General Data Protection Regulation and the Data Protection Act is issued.
Please send me a confirmation that it has been carried out. "
In a letter dated July 25, 2019, the data protection manager of XXXX replied as follows:
"Your letter from 07/11/2019.
Dear Mr. XXXX!
You have requested the deletion of all data stored about you, which we have responded to by asking you to submit an official photo ID to prove your identity. In a letter dated July 11, 2019, you informed us that sending photo ID is not a formal requirement for deletion and that you do not want to send us any ID.
According to the provisions of the GDPR, we are obliged to use all reasonable means to check the identity of the person who is asserting a right to be affected. The standard of care will be higher, the more sensitive the data recorded by a deletion request are.
It is therefore necessary, in those cases in which the identity of (the) data subject is not fully proven, to request a copy of their ID or a similar type of identification, as provided by the data protection authority itself in its templates. We therefore assume that the transmission of a copy of your ID is an appropriate, target-oriented and necessary measure in order to fulfill our obligations and to protect your interests.
You have signed your letter by hand, but we cannot assign the signature to you with a high degree of certainty. Therefore, we must continue to insist on a secure identification of you.
We therefore have to ask you again for a copy of your ID and remain with best regards
Mag. XXXX, Mag. XXXX, data protection manager "
It could not be ascertained that in the course of the processing of this matter, the BF's administrators had concrete doubts at any point that the author of the submissions from May 14, 2019 and July 11, 2019 was not the former member XXXX.
At least since becoming aware of the intervention of the representative of MB Dr. Mag. XXXX, at the latest in the hearing on April 22nd, 2021, the BF no longer has any doubts about the identity of the MB as the author of the letters of May 14th, 2019 and July 11th, 2019.
The BF promptly complied with the MB's resignation request on May 14, 2019. The revocation of the MB vis-à-vis its employer to withhold union fees and transfer them to XXXX has been implemented.
Evidence assessment:
The letters reproduced in the statements are in the file.
The fact that the BF complied with the MB's membership termination promptly was expressly acknowledged in the letter from XXXX dated June 17, 2019. In this context, as well as based on the letter of the MB dated July 11, 2019, which was not opposed by the BF, it is also credible that the MB has revoked the withholding and transfer of the union fees by the employer and these debits were discontinued.
The negative finding in relation to the fact that the BF's administrators had specific doubts that the letters dated May 14, 2019 or July 11, 2019 actually came from the MB, is based on the fact that, despite the BF's submission and an order, corresponding witnesses for the To name the hearing, the only named witness, Mag. XXXX, could not give any information about which organ administrator would have doubts about the identity of the intervener in relation to a signature comparison: "I am aware of the XXXX and departments for signature comparison not known. ”(Protocol from April 22nd, 2021, page 5). In addition, the BF disclosed that it was not concrete doubts about the signature of the letter of the MB, but the lived practice of the BF that was responsible for requesting an identification document from the MB before deleting the data (complaint page 3, last paragraph as well as Testimony of the witness Mag. XXXX, protocol page 6). The argument at the oral hearing that the data had not yet been deleted because the legal protection interest might have been lost if the MB were dismissed, but the BF might be interested in a final legal clarification, shows that there are no concrete doubts the identity of the MB but a legal clarification of the previous general procedure of the BF to delete data only after sending proof of identity, which was the reason for the previously refused deletion by the BF. Ultimately, the fact that the BF already took note of the resignation based on the letter of May 14, 2019 (letters of May 17, 2019 and June 17, 2019) and the request of the MB “complied” with concrete doubts about the identity of the MB because even in the event that the BF assesses the consequences of an exit as lower than those of a final data deletion, in the case of concrete doubts about the identity of the intervener, an implementation of the termination without further clarification of such doubts would not be assumed.
The fact that the BF has had no doubts about the identity of the MB as the author of the letters of 11.07.2019 and 14.05.2019, at least since the oral hearing, is based on the express submissions of the BF during the hearing.
Legally follows:
According to Art. 6 Para. 1 GDPR, the processing is lawful if at least one of the following conditions is met:
a) The person concerned has given their consent to the processing of their personal data for one or more specific purposes.
b) The processing is necessary for the performance of a contract to which the data subject is a party or for the implementation of pre-contractual measures that are carried out at the request of the data subject;
c) The processing is necessary to fulfill a legal obligation to which the person responsible is subject;
d) the processing is necessary to protect the vital interests of the data subject or another natural person;
e) The processing is necessary for the performance of a task that is in the public interest or is carried out in the exercise of official authority that has been assigned to the person responsible;
f) The processing is necessary to safeguard the legitimate interests of the person responsible or a third party, unless the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data, outweigh this.
According to Art. 9 Para. 1 GDPR, the processing of personal data from which racial and ethnic origin, political opinions, religious or ideological convictions or trade union membership emerge is prohibited.
Paragraph 2 regulates the relevant exceptions, in particular letter a in the case of express consent.
According to Art. 12 Para. 1 GDPR, the person responsible shall take appropriate measures to provide the data subject with all information in accordance with Articles 13 and 14 and all communications in accordance with Art. 15 to 22 and Art. 34 that relate to the processing in a more transparent, understandable and easily accessible form in clear and simple language. The information is transmitted in writing or in another form, possibly also electronically. If requested by the person concerned, the information can be given orally, provided that the identity of the person concerned has been proven in another form.
According to Paragraph 2, the person responsible facilitates the exercise of the data subject's rights according to Articles 15 to 22. In the cases mentioned in Article 11 Paragraph 2, the person responsible may only refuse on the basis of the data subject's request for exercise of their rights to act according to Art. 15 to 22, if he proves credible that he is not able to identify the person concerned.
...
If the person responsible in accordance with Paragraph 6 has justified doubts about the identity of the natural person who makes the application in accordance with Articles 15 to 21, he can request additional information that is necessary to confirm the identity of the person concerned, without prejudice to Article 11 are.
According to Art. 17 Para. 1 GDPR, the person concerned has the right to demand that the person responsible delete personal data concerning them immediately and the person responsible is obliged to delete personal data immediately if one of the following reasons applies:
a) The personal data are no longer necessary for the purposes for which they were collected or otherwise processed.
b) The data subject revokes their consent on which the processing was based in accordance with Article 6 (1) (a) or Article 9 (2) (a) and there is no other legal basis for the processing.
c) The data subject objects to the processing in accordance with Art. 21 Paragraph 1 and there are no overriding legitimate reasons for the processing or the data subject objects in accordance with Art 21 Paragraph 2.
d) The personal data was processed unlawfully;
e) The deletion of personal data is necessary to fulfill a legal obligation under Union law or the law of the member states to which the person responsible is subject.
f) The personal data was collected in relation to information society services offered in accordance with Art 8 Paragraph 1.
According to Paragraph 3, Paragraphs 1 and 2 do not apply if the processing is necessary in the cases of a) to e).
The person responsible must make it easier for the persons affected by data processing to exercise their rights to information, correction, deletion, restriction, data portability and objection. This means that no further hurdles may be set up for the provision of information according to Art. 13 and 14 and notifications must be carried out in accordance with the legal requirements (e.g. missing or limited availability, cost-intensive communication, imprecise contact addresses, content or linguistic requirements are not observed) . If the person responsible cannot (no longer) identify the data subject because the identification is no longer necessary for the processing purpose, the person responsible can refuse to take action. In this case, rights of data subjects can naturally no longer be exercised, unless the data subject provides additional information that enables them to be identified. In these cases, the person responsible must make himself credible that he is not able to identify the person concerned (Illibauer in Knyrim, DatKom, Art. 12 GDPR, margin nos. 71 and 72).
If the person responsible has justified doubts about the identity of the person making an application according to Art. 15-21 (whether an inquiring person is also the authorized person at the same time), he can request additional information that confirms the identity of the person concerned. According to the Austrian GDPR 2000, a form of identity determination that has been tried and tested, namely the obligation of the data subject to disclose his / her identity when requesting information, has not been incorporated into the GDPR. For the person responsible, it is difficult not only to have to determine the identity beyond doubt in advance, but also when there are well-founded doubts and when proof of identity can be requested. For all of this, he is also required to provide evidence. If he does not do this, personal data could have been disclosed in an inadmissible manner. If, for example, he asks for a copy of his ID without justified doubts, he could have made it more difficult to exercise the rights of the data subject and acted contrary to Art. 12 (2). In those cases in which the identity of the person concerned or inquirer is not completely clear, it is advisable to request a copy of the ID or a similar type of identification. Such an assessment will have to be carried out on a case-by-case basis (as above, margin nos. 75 to 77).
Down to business:
Legal relationships between an association and its members are of a private law nature. The prevailing view is that association membership is terminated by a unilateral declaration of resignation (1 Ob 176 / 98h mwN).
According to the findings, the BF or its branch union XXXX already took action after a letter from the MB containing his name and address, his membership number and his own signature, to the effect that he noted the withdrawal of the MB from the union, thus the termination took the necessary steps towards membership. Already from this action, with which the BF accepted the termination of the legal relationship with the BF, it follows that the BF had no concrete doubts about the identity of the intervener (acting in writing), since it cannot be assumed that in this case he would terminate the membership without would have accepted more.
The BF argues that the deletion of data due to its finality is of greater significance than the termination of membership, which is reversible. The comparative assessment of the scope of these two circumstances can, however, be left open: A honest recipient of the declaration can be expected to either doubt the identity of the declaring party with regard to legally relevant circumstances or not. Since the BF had no doubts about the identity of the MB with regard to the withdrawal from the association, he cannot raise such (concrete) doubts with regard to the MB's declaration, insofar as this concerns aspects of data protection law.
The BF rightly points out that union membership is a sensitive date. There are no doubts about the justification of the data processing by the BF with regard to data from the MB in the past due to the express consent of the person concerned (the MB) at the time. Regardless of whether the MB data still stored at the BF is qualified as such about union membership and thus sensitive data (Art. 9) or other data (Art. 6), the BF has repeatedly claimed that there are several legal bases for Storage of data from former members when membership no longer exists. However, these allegations were not made concrete (witness Mag. XXXX, pages 4 and 5). According to the BF's explicit procedural point of view of deleting the MB's data after submitting proof of identity, it follows that the BF itself assumes that the reason for processing the MB's data can only be its consent. Other reasons for justification within the meaning of Article 6 (1) b to f or Article 9 (2) b to j need not be dealt with. This means that Article 17 (1) (b) is relevant for deletion.
The BF's argumentation is not stringent if the BF, as the person responsible, accepts a declaration by a member that leads to termination of membership in the absence of any doubts about the identity of the declaring party, on the other hand the consequence of termination of membership of a no longer given justification for Processing of data is not implemented due to doubts about the identity of the declaring party. The BF cannot gain anything in this context from the sensitivity of the trade union data, because it protects against unauthorized processing.
As stated, according to the current legal situation and the relief requirement of Art. 12 Para. 2 GDPR, an individual examination must be carried out. A refusal to act on the basis of an application in accordance with Articles 15 to 22 can only be successful if the person responsible demonstrates credibly that he is unable to identify the person concerned. In view of the evidence presented above and the fact that the BF very well identified the MB within the framework of the acceptance of the termination, the latter was unable to make such a case-related credible.
On the other arguments in the complaint:
In the course of the oral hearing, it emerged that - as stated - no concrete doubts arose due to the signature of the officers of the BF. In this case, it cannot be assumed that the termination of membership would have been accepted. If the BF refers to the consequences of the irretrievable loss of data in the event of deletion, it must be pointed out again that he was unable to make the lack of identifiability of the MB credible. In its letter of 11.07.2019, the MB repeated its request for deletion. This declaration was made after reference to the possible negative consequences in this regard with a letter from the BF dated June 17, 2019.
Whether the sending of an official identification document is a "comparatively harmless requirement" for the person concerned cannot be assessed here: The BF must again be referred to the legal situation in accordance with Art. 12 (2), according to which a refusal to act can only be justified if if it is made credible that the data subject cannot be identified.
If the BF, under the aspect of Art. 32 GDPR, points out that an identity check must be carried out before deletion is carried out in order to maintain data accuracy and avoid unauthorized disclosure or unauthorized destruction of the data, Art. 32 is not applicable in the present case Relevant: Art. 32 regulates the obligations in connection with the level of protection of stored data at the processor. The question of further processing or deletion as well as the upstream question of which requirements are placed on the identity check for corresponding applications is based on the aforementioned regulations.
Overall, the complaint is therefore unsuccessful even after the facts have been supplemented in the context of the oral hearing requested.
The statement of the inadmissibility of the revision is based on the fact that individual assessments had to be made on the basis of Article 12 (2) GDPR, so that no legal question of any significance beyond the individual case had to be resolved. The requirements for the identification of a deletion applicant can typically only be assessed on a case-by-case basis with reference to the specific request for deletion and the knowledge of the person called about the deletion applicant.


European Case Law Identifier
ECLI: AT: BVWG: 2021: W274.2237071.1.00