BVwG - W274 2251055-1/5E

From GDPRhub
BVwG - W274 2251055-1/5E
Courts logo1.png
Court: BVwG (Austria)
Jurisdiction: Austria
Relevant Law: Article 6(1)(f) GDPR
Directive 2014/65
§ 33 WAG
Decided: 23.06.2023
Published: 31.08.2023
Parties:
National Case Number/Name: W274 2251055-1/5E
European Case Law Identifier: ECLI:AT:BVWG:2023:W274.2251055.1.00
Appeal from: DPA
no link available
Appeal to: Unknown
Original Language(s): German
Original Source: RIS (in German)
Initial Contributor: nho23

An Austrian court ruled that a bank recording all client calls could not rely on legitimate interest. European and national banking provisions do not allow controllers to indiscriminately record all calls, either. Data protection norms limit such a processing to what is strictly necessary.

English Summary[edit | edit source]

Facts[edit | edit source]

In the original case before the Austrian DPA, the data subject filed a complaint, claiming that the controller (a bank) recorded their phone calls and there was no possibility to opt-out from such a processing. Clients were informed about the recording by a tape announcement at the beginning of the call. The controller justified the processing as a legitimate interest pursuant to Article 6(1)(f) GDPR, stating that recording was necessary to ensure the best service quality for clients. The controller also referred to their obligations under EU law, especially Directive 2014/65/EU (MiFID II), and national banking laws, such as § 66(1) Payment Services Act (Zahlungsdienstegesetz - ZaDiG) and § 33(2) and (3) Securities Supervision Act 2018 (Wertpapieraufsichtsgesetz 2018 - WAG).

The DPA upheld the data subject's claim and issued a decision against the controller.

The controller appealed this decision before the Austrian Federal Administrative Court (Bundesverwaltungsgericht - BVwG). To the arguments mentioned above, the controller added that that it was impossible not to record all incoming calls. Furthermore, the controller questioned the DPA's competence, as the case allegedly fell under the WAG and not the GDPR.

Holding[edit | edit source]

The court rejected the controller's appeal.

The court confirmed that the DPA was competent. The data subject's complaint was about their right to confidentiality of personal data. The infringement of Article 6(1) GDPR could lead to an infringement of § 1(1) Austrian Data Protection Act (Datenschutzgesetz - DSG) which contains the fundamental right to data protection. The right to confidentiality lies within the DPA's competences.

Concerning legitimate interest, the court pointed out that the controller's interest to 'ensure quality' was not further explained by the controller. Therefore, Article 6(1)(f) GDPR could not be used as a valid legal basis.

The controller's argument representing the difficulty/impossibility of not recording all calls was also rejected by the Court. As a matter of fact, it is the controller's responsibility to design internal procedures in a way that provisions stemming from banking regulations do not interfere with data protection provisions.

§ 33(2) and (3) WAG defines which calls have to be recorded by certain legal entities, including banks. This provision says that only calls relating to investment services have to be recorded. The court thus assumed that it refers to investment services when it comes to the obligation to record phone calls. The court stated that the topic of an incoming phone call could be cleared up at the beginning of the conversation. Phone calls not covering investment services shall not be recorded.

In this case, the data subject only wanted to ask for general information. There was no sign of a relation to investment services. Thus § 33(2) and (3) WAG was not applicable and the processing was unlawful.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the German original. Please refer to the German original for more details.

Decision date

June 23, 2023

standard

B-VG Art 133 Paragraph 4
DSG §1 Paragraph 1
GDPR Art5
GDPR Art6 Paragraph 1
Directive 2014/65/EU Financial Market Directive Art16
Directive 2014/65/EU Financial Market Directive Art78
WAG 2018 §33
ZaDiG §1 Paragraph 1
ZaDiG §66

B-VG Art. 133 today B-VG Art. 133 valid from January 1st, 2019 to May 24th, 2018 last changed by Federal Law Gazette I No. 138/2017 B-VG Art. 133 valid from January 1st, 2019 last changed by Federal Law Gazette I No. 22/2018 B-VG Art. 133 valid from May 25, 2018 to December 31, 2018 last changed by Federal Law Gazette I No. 22/2018 B-VG Art. 133 valid from August 1, 2014 to May 24, 2018 last changed by Federal Law Gazette I No. 164/2013 B-VG Art by BGBl amended by BGBl. No. 211/1946 B-VG Art. 133 valid from December 19, 1945 to December 24, 1946 last amended by StGBl. No. 4/1945 B-VG Art. 133 valid from January 3, 1930 to June 30, 1934

DSG Art. 1 § 1 today DSG Art. 1 § 1 valid from January 1st, 2014 last changed by Federal Law Gazette I No. 51/2012 DSG Art. 1 § 1 valid from January 1st, 2000 to December 31st, 2013

WAG 2018 § 33 today WAG 2018 § 33 valid from June 15, 2018 last changed by Federal Law Gazette I No. 37/2018 WAG 2018 § 33 valid from January 3, 2018 to June 14, 2018

ZaDiG § 1 valid from January 1, 2014 to May 31, 2018 repealed by BGBl May 21, 2010 to April 29, 2011 last changed by Federal Law Gazette I No. 28/2010 ZaDiG § 1 valid from November 1, 2009 to May 20, 2010

ZaDiG § 66 valid from January 3, 2018 to May 31, 2018 repealed by BGBl 04/30/2011 to 01/31/2013 last amended by BGBl. I No. 107/2010 ZaDiG § 66 valid from 05/21/2010 to 04/29/2011 last amended by BGBl May 20, 2010

saying

W274 2251055-1/5E

IN THE NAME OF THE REPUBLIC!

The Federal Administrative Court, through the judge Mag. Lughofer as chairman and the expert lay judges Prof. KommR POLLIRER and Mag. SCHACHNER as assessors, hears the complaint of XXXX, represented by SCHÖNHERR Rechtsanwälte GmbH, Schottenring 19, 1010 Vienna, against the decision of the data protection authority, Barichgasse 40-42, 1030 Vienna from November 19th, 2021, GZ: D124.422 2020-0.591.897, co-participant XXXX, due to violation of the right to secrecy, in a non-public session rightly: The Federal Administrative Court recognizes through the judge Mag. Lughofer as Chairman and the expert lay judges Prof. KommR POLLIRER and Mag. SCHACHNER as assessors on the complaint of Roman XXXX, represented by SCHÖNHERR Rechtsanwälte GmbH, Schottenring 19, 1010 Vienna, against the decision of the data protection authority, Barichgasse 40-42, 1030 Vienna from November 19th. 2021, GZ: D124.422 2020-0.591.897, co-participant Roman XXXX, due to violation of the right to secrecy, rightly so in a non-public meeting:

The complaint will not be followed.

The revision is not permitted in accordance with Article 133, Paragraph 4, B-VG.The revision is not permitted in accordance with Article 133, Paragraph 4, B-VG.

text

Reasons for decision:

1.1. XXXX (hereinafter: co-participant, MB) first contacted the data protection authority (hereinafter: the authority concerned) by email on April 23, 2019 with the following question: 1.1. Roman XXXX (hereinafter: co-participant, MB) first contacted the data protection authority (hereinafter: the authority concerned) by email on April 23, 2019 with the following question:

“I have just called the hotline of XXXX (hereinafter: complainant, BF) ( XXXX ). I would be informed by a tape that the phone call would be recorded. However, I was not asked for my permission or given the option to object! “I have just called the hotline of Roman XXXX (hereinafter: complainant, BF) (Roman XXXX). I would be informed by a tape that the phone call would be recorded. However, I was not asked for my permission or given the option to object!

Are banks now allowed to intercept phone calls on their own initiative?”

After a written notice from the data protection authority that it was unable to make legal assessments on the application and interpretation of legal provisions or content-related advisory services, the BF lodged the following data protection complaint against MB by email on May 2nd, 2019. He considers that the right under Article 6 Para. 1 GDPR has been violated. On April 23, 2019, he called the BF hotline on the phone number XXXX. At the beginning of the conversation he was informed on a tape that the phone call would be recorded. The tape did not present any option to speak out against this recording. After a written notice from the data protection authority that it was unable to make legal assessments on the application and interpretation of legal provisions or content-related advisory services, the BF lodged the following data protection complaint against MB by email on May 2nd, 2019. He considers that the right under Article 6, paragraph one, GDPR has been violated. On April 23, 2019, he called the BF hotline on the phone number Roman XXXX. At the beginning of the conversation he was informed on a tape that the phone call would be recorded. The tape did not offer an option to speak out against this recording.

By saving the tape recording of the telephone call with the MB on April 23, 2019, the BF processed personal data without his consent and thereby violated Article 6 Para. 1 GDPR. Even if the BF had hidden a corresponding clause somewhere in the small print, this would not meet the conditions for consent according to Art. 7 Para. 2 and Art. 7 Para. 4 GDPR. Such a clause would also be immoral or void according to Section 879 ABG in conjunction with Section 93 Paragraph 3 TKG 2003. It is requested that the alleged infringement be established. By saving the tape recording of the telephone call with the MB on April 23, 2019, the BF processed personal data without his consent and thereby violated Article 6, paragraph one, GDPR. Even if the BF had hidden a corresponding clause somewhere in the small print, this would not meet the conditions for consent according to Article 7, paragraph 2 and Article 7, paragraph 4, GDPR. Such a clause would also be immoral or void according to paragraph 879, ABG in connection with paragraph 93, paragraph 3, TKG 2003. It is requested that the alleged infringement be established.

1.2. The BF initially commented on this request on May 27, 2019 to the effect that there was no release from banking secrecy by the MB, so that only a general description of the situation in question follows.

The BF records incoming telephone conversations from customers at the telephone number in question as part of the “telephone banking” service after verbally informing the person concerned in this regard using a tape recording at the beginning of the telephone call. This processing of personal data is carried out in accordance with Article 6 (1) (f) GDPR to protect the legitimate interests of BF as the controller. The processing does not take place on the basis of any consent of the data subject. As a payment service provider according to the ZaDiG in accordance with Section 66 Paragraph 1, if the authorization is disputed by the payment service user or claims were not carried out properly, the BF must prove that the payment transaction was authenticated, properly recorded and accounted for and was not affected by a technical breakdown or other disruption became. Since the BF is required in particular to provide proof of authentication and special risks are associated with order processing via telephone banking (hearing, understanding or transmission errors as well as misuse of telecommunications means), the recording of such a telephone call is intended to protect the BF's overriding legitimate interests carried out in accordance with Art. 6 Para. 1 lit f GDPR. The BF records incoming telephone conversations from customers at the telephone number in question as part of the “telephone banking” service after verbally informing the person concerned in this regard using a tape recording at the beginning of the telephone call. This processing of personal data is carried out in accordance with Article 6, paragraph one, letter f, GDPR to protect the legitimate interests of BF as the controller. The processing does not take place on the basis of any consent of the data subject. As a payment service provider according to the ZaDiG in accordance with paragraph 66, paragraph one, if the authorization is disputed by the payment service user or claims of improper execution, the BF must prove that the payment transaction was authenticated, properly recorded and accounted for and not due to a technical breakdown or other disruption was impaired. Since the BF is required in particular to provide proof of authentication and special risks are associated with order processing via telephone banking (hearing, understanding or transmission errors as well as misuse of telecommunications means), the recording of such a telephone call is intended to protect the BF's overriding legitimate interests made in accordance with Article 6, paragraph one, litera f, GDPR.

Furthermore, the BF also has an overriding legitimate interest in recording the telephone call for quality assurance purposes.

Based on the information mentioned, the person concerned can see that the processing is carried out for documentation and proof of the content of the order. If he does not agree with the voice recording, he can cancel the telephone call before the recording begins and choose one of the alternative commissioning methods available to him (branch, my XXXX Online Banking). The encroachment on fundamental rights to be weighed up by the voice recording is also justified in the sense of strengthening the interests of the customer himself. The voice recording also takes place in fulfillment of the BF's legal obligations according to Section 66 Paragraph 1 ZaDiG 2018 in accordance with Article 6 Paragraph 1 lit c GDPR. Based on the information mentioned, the person concerned can see that the processing is carried out for documentation and proof of the content of the order. If he does not agree with the voice recording, he can cancel the telephone call before the recording begins and choose one of the alternative commissioning methods available to him (branch, my Roman XXXX Online Banking). The encroachment on fundamental rights to be weighed up by the voice recording is also justified in the sense of strengthening the interests of the customer himself. The voice recording also takes place in fulfillment of the BF's legal obligations according to paragraph 66, paragraph one, ZaDiG 2018 in accordance with Article 6, paragraph one, Litera c, GDPR.

Section 93 TKG 2003 does not apply to BF because it is not an operator of a public communications network or service. The processing of the recording of the telephone conversations is therefore lawful. Paragraph 93, TKG 2003 does not apply to the BF because it is not an operator of a public communications network or service. The processing of the recording of the telephone conversations is therefore lawful.

1.3. The MB took a position on this on July 24th, 2020 on behalf of the authority concerned and initially released the BF from the authority concerned with regard to all circumstances relating to the telephone call on April 23rd, 2019 at 1:41 p.m., lasting 1.52 minutes from banking secrecy in accordance with Section 38 Para. 2 Z 5 BWG. In any case, the telephone number in question (general number of the bank branch XXXX) serves, in addition to telephone banking (which is unusual in times of e-banking), also for general inquiries for which there can be no relevant interest in documentation. 1.3. The MB took a position on this on July 24th, 2020 on behalf of the authority concerned and initially released the BF from the authority concerned with regard to all circumstances relating to the telephone call on April 23rd, 2019 at 1:41 p.m., lasting 1.52 minutes from banking secrecy in accordance with paragraph 38, paragraph 2, number 5, BWG. In any case, the telephone number in question (general number of the bank branch in Roman XXXX) serves, in addition to telephone banking (which is unusual in times of e-banking), also for general inquiries for which there can be no relevant interest in documentation.

The specific subject of the telephone call did not represent a transaction within the meaning of Section 66 Paragraph 1 ZaDiG, but was an inquiry of secondary evidentiary relevance for the MB. His question was whether a later planned transfer of a larger sum (cooperative contribution) above the e-banking limit would require a personal visit, whereby the employee recommended dividing the sum into several e-banking transfers up to the limit . Due to the importance of the matter, there was no possibility for the MB to end the telephone call immediately after the recording and not to ask for the required information. The specific subject of the phone call did not represent a transaction within the meaning of paragraph 66, paragraph one, ZaDiG, but was a request of secondary evidence relevance for the MB. His question was whether a later planned transfer of a larger sum (cooperative contribution) above the e-banking limit would require a personal visit, whereby the employee recommended dividing the sum into several e-banking transfers up to the limit . Due to the importance of the matter, there was no possibility for the MB to end the telephone call immediately after the recording and not to ask for the required information.

The recording of the spoken word represents the most serious conceivable encroachment on the fundamental right to data protection. The consideration claimed by the BF according to Art. 6 Para. 1 lit f GDPR cannot turn out in their favour, especially since they not only connect data, but also the content of the telephone conversation. In this respect, the justification “quality assurance” weighs much less heavily than the justification of combating terrorism, which the ECJ rejected in connection with the invalidation of data retention. If, as claimed by the BF, customer interests were the main motivation for recording the telephone calls, the customer could be given an option to object or consent (opt in). The recording of the spoken word represents the most serious conceivable encroachment on the fundamental right to data protection The balancing claim according to Article 6, paragraph one, letter f, GDPR claimed by the BF cannot turn out in their favour, especially since they record not only connection data but also the content of the telephone conversation. In this respect, the justification “quality assurance” weighs much less heavily than the justification of combating terrorism, which the ECJ rejected in connection with the invalidation of data retention. If, as claimed by the BF, customer interests were the main motivation for recording the telephone calls, the customer could be given an option to object or consent (opt in).

In any case, the principle of necessity and proportionality is not respected. The BF's practice of recording every incoming telephone call without consent, regardless of the relevance and subject matter, does not represent the mildest means of meeting the existing requirements under Section 66 ZaDiG. You can let the caller decide whether to record at the start of a phone call by actively pressing a button. It would also be possible to have an automatic switch menu, set up a separate hotline only for transfers ordered by telephone, or have the recording only actively activated by the telephone operator after notification of such a request. In any case, the principle of necessity and proportionality is not respected. The BF's practice of recording every incoming telephone call without consent, regardless of the relevance and subject matter, does not represent the mildest means of meeting the existing requirements under Paragraph 66 of the ZaDiG. You can let the caller decide whether to record at the start of a phone call by actively pressing a button. It would also be possible to have an automatic switch menu, set up a separate hotline only for transfers ordered by telephone, or have the recording only actively activated by the telephone operator after notification of such a request.

Section 93 (3) TKG is applicable. This provision regulates the ban on listening in, tapping, recording, intercepting or monitoring messages directed at anyone. Paragraph 93, paragraph 3, TKG is applicable. This provision regulates the ban on listening in, tapping, recording, intercepting or monitoring messages directed at anyone.

With this submission, the MB submitted proof of the individual conversation and other documents.

1.4. With completion on August 6th, 2020, the authority concerned sent the BF the aforementioned statement on the reply and, with reference to the obligation to justify pursuant to Art. 5 Para. 2 DSGVO, requested the BF to answer the following questions: 1.4. With completion on August 6th, 2020, the authority concerned sent the BF the aforementioned statement on the reply and, with reference to the obligation to justify pursuant to Article 5, paragraph 2, GDPR, requested the BF to answer the following questions:

1. Is the statement by the MB correct that the phone number used in the present case was XXXX and that it is assigned to a specific branch and is not specifically intended for transactions such as telephone transfer orders or orders for securities transactions "telebanking"?1. Is the MB's assertion correct that the phone number used in the present case was Roman XXXX and that it is assigned to a specific branch and is not specifically intended for transactions such as telephone transfer orders or orders for securities transactions "telebanking"?

2. Is the analogous statement by the MB correct that all telephone calls from customers to BF employees, regardless of the respective business relevance, in particular the possibility of your obligation to provide evidence according to § 66 ZaDiG, are recorded and there is no possibility for the customer as the person concerned, to prevent this data processing?2. Is the analogous assertion by the MB correct that all telephone calls from customers to employees of BF are recorded, regardless of the respective business relevance, in particular the possibility of your obligation to provide evidence in accordance with Paragraph 66, ZaDiG, and for the customer as the person concerned there is no possibility of this Prevent data processing?

3. In his statement, the MB also explains which precautions (including selection options during the call, setting up special telephone numbers for telebanking) he believes could be made in accordance with the principle of data minimization or a milder means in order to ensure that every customer telephone call is recorded to be able to do without; A response to this submission is requested.”

1.5. The BF commented on this on September 9th, 2020 as follows:

The BF is divided into XXXX and XXXX. Customers could reach their customer advisors in the XXXX directly by telephone with the respective extension or contact the respective XXXX via a general number, where calls would be accepted by the customer advisors depending on availability. If the customer advisor does not answer the call (overflow), the customer will be forwarded to the central XXXX. Calls to XXXX would be forwarded directly to XXXX. This ensures that the bank can be reached at all times, even if the responsible customer advisor is temporarily unavailable. The BF is divided into Roman XXXX and Roman XXXX. Customers could reach their customer advisors in Roman XXXX directly by telephone with the respective extension or contact the respective Roman XXXX via a general number, where calls would be accepted by the customer advisors depending on availability. If the customer advisor does not answer the call (overflow), the customer will be forwarded to the central Roman XXXX. Calls to Roman XXXX would be forwarded directly to Roman XXXX. This ensures that the bank can be reached at all times, even if the responsible customer advisor is temporarily unavailable.

BF offers customers comprehensive telephone advice and services. A necessary part of this is the XXXX, which, for example, looks after the service line for private customers (XXXX), the service line for private banking (XXXX), the XXXX securities hotline (XXXX) and the overflow from the XXXX. There is a single XXXX behind the various phone numbers, which is why a selection with regard to telephone recordings for individual conversations is not possible. BF offers customers comprehensive telephone advice and services. A necessary part of this is the Roman XXXX, which, for example, looks after the service line for private customers (Roman XXXX), the private banking service line (Roman XXXX), the Roman XXXX securities hotline (Roman XXXX) and the overflow from the Roman XXXX. There is therefore a single Roman XXXX behind the various phone numbers, which is why a selection with regard to telephone recordings for individual conversations is not possible.

The conversation is recorded for all telephone calls that are accepted by XXXX. This does not include the direct call to the customer advisor's (mobile) phone and is therefore not recorded. The conversation is recorded for all telephone calls that are accepted by Roman XXXX. This does not include the direct call to the customer advisor's (mobile) phone and is therefore not recorded.

As a licensed credit institution, BF is subject to the provisions of the ZaDiG and the WAG.

According to Section 33 Paragraph 2 WAG, the BF must keep records of telephone conversations relating to the provision of investment services relating to the acceptance, transmission and execution of customer orders. This provision was issued as a result of the 2009 financial crisis in accordance with the provisions of Directive 2004/39/EC (MiFID II) in Article 16 Paragraph 7. The obligation to record applies to all conversations between the credit institution and customers, provided that the content of the conversation relates to the potential provision of an investment service or a securities transaction and is conducted in this direction. It therefore refers to every customer conversation that has a connection to the processing of customer orders in the securities sector. The recording obligation cannot therefore be rigidly limited or limited to certain types of conversations, the content of which is already schematically determined in advance. A record should always be made when the customer is informed about the opportunities and risks of a transaction or about the characteristics of a recommended financial instrument. According to paragraph 33, paragraph 2, WAG, the BF must keep records of telephone conversations relating to the provision of investment services relating to the acceptance, transmission and execution of customer orders. This provision was issued as a result of the 2009 financial crisis in accordance with the provisions of Directive 2004/39/EC (MiFID Roman II) in Article 16, Paragraph 7. The obligation to record applies to all conversations between the credit institution and customers, provided that the content of the conversation relates to the potential provision of an investment service or a securities transaction and is conducted in this direction. It therefore refers to every customer conversation that has a connection to the processing of customer orders in the securities sector. The recording obligation cannot therefore be rigidly limited or limited to certain types of conversations, the content of which is already schematically determined in advance. A record should always be made when the customer is informed about the opportunities and risks of a transaction or about the characteristics of a recommended financial instrument.

Since it is impossible to estimate in advance whether a conversation needs to be recorded, the European Securities and Markets Authority (ESMA) has stipulated that the entire telephone conversation, from start to finish, must be recorded. ESMA also explains that conversations are subject to the recording obligation even if the respective distribution channel is not intended to provide investment services.

Since the BF cannot estimate in advance whether a specific telephone conversation will be held in relation to the provision of investment services or whether the opportunities, risks and characteristics of a banking transaction or financing instrument will be discussed, it must keep recordings of the conversation. If individual communication channels, such as XXXX, were excluded from the call recording requirement, there would be a risk of violating the obligations imposed on BF. Since the BF cannot estimate in advance whether a specific telephone conversation will be held in relation to the provision of investment services or whether the opportunities, risks and characteristics of a banking transaction or financing instrument will be discussed, it must keep recordings of the conversation. If individual communication channels, such as the Roman XXXX, were excluded from the call recording requirement, there would be a risk of violating the obligations imposed on the BF.

The BF also referred again to the obligations pursuant to Section 66 Paragraph 1 ZaDiG. The conversation recording is therefore lawful within the meaning of Article 6 Paragraph 1 Letter c GDPR. The BF also referred again to the obligations according to Paragraph 66, Paragraph One, ZaDiG. The conversation recording is therefore lawful within the meaning of Article 6, paragraph one, letter c, GDPR.

The BF is also subject to a high quality mandate, which requires high quality assurance of the order. This quality assurance also serves the consumer position. Recordings would only be retrieved and reproduced in justified cases and after going through a multi-stage approval process based on the dual control principle.

Customers would be informed about the call recording. If they do not agree, they can avoid the conversation being recorded by contacting their customer service representative or the employees in the bank branches directly. The quality assurance inherent in the conversation recording is in the legitimate interest of BF in accordance with Art. 6 Para. 1 lit f GDPR. Customers would be informed about the call recording. If they do not agree, they can avoid the conversation being recorded by contacting their customer service representative or the employees in the bank branches directly. The quality assurance inherent in the conversation recording is in the legitimate interest of BF in accordance with Article 6, paragraph one, letter f, GDPR.

For all telephone calls to be recorded, inform the BF at the beginning of the conversation that the conversation is being recorded with the following announcement text before an employee accepts the call:

“Welcome to XXXX. The following conversation will be recorded to document the content for quality assurance." "Welcome to Roman XXXX. The following conversation will be recorded to document the content for quality assurance.”

If the customer has any questions about the conversation recording, they will receive the following standardized information from the employees:

“We are entitled to automatically record the conversation to provide evidence of the content of the conversation in the event of a complaint and for internal quality assurance. We are obliged by data protection law to inform you in advance about the recording of the telephone call. For further information on the processing of your data, we may refer you to the XXXX website.” “We are entitled to automatically record the conversation to provide evidence of the conversation content in the event of a complaint and for internal quality assurance. We are obliged by data protection law to inform you in advance about the recording of the telephone call. For further information on the processing of your data, we can refer you to the Roman XXXX website.”

If the customer does not agree to the conversation being recorded, the employees will refer them to their customer advisor or bank branch with the following standardized information:

“If you do not agree to the recording of the telephone call, we may ask you to contact your customer advisor/your bank branch/your XXXX personally.”“If you do not agree to the recording of the telephone call, we may ask you to to contact your customer advisor/bank branch/roman XXXX personally.”

The BF also informs customers about the conversation recording in the information on data processing and the general terms and conditions. It would not be possible to give the XXXX the option of interrupting the conversation recording at individual request and starting it again at advanced points in the conversation. This would give the BF opportunities for manipulation, endanger documentation security and ultimately impair consumer protection. The mentioned “push-button solution” is not to be considered legal for a banking institution both in terms of revision and in accordance with the statement of the European Securities and Markets Authority. The BF also informs customers about the call recording in the information on data processing and the general terms and conditions. It would not be possible to give Roman XXXX the option of interrupting the conversation recording at individual request and starting it again at advanced points in the conversation. This would give the BF opportunities for manipulation, endanger documentation security and ultimately impair consumer protection. The mentioned “push-button solution” is not to be considered legal for a banking institution, both in terms of the audit and in accordance with the opinion of the European Securities and Markets Authority.

The BF then answered the questions presented above by the authority concerned:

To 1:

The number mentioned is that of XXXX. Conversations relating to the provision of an investment service or a securities transaction could also be made via this number. The number mentioned is that of the Roman XXXX. This number could also be used to make calls that relate to the provision of an investment service or a securities transaction.

Regarding 2:

The customer conversations presented in points 3 and 4 of the written statement dated September 9, 2020 would be recorded.

To 3:

The solution proposals for the telephone system presented by the MB negated the supervisory and regulatory requirements as well as the requirements of the customers for modern, agile and customer-oriented as well as tamper-proof order processing. According to the requirements of the Austrian Banking Supervision and the ESMA, a “push-button solution” is not legal.

1.6. Most recently, the MB commented on this again on September 15, 2020 and stated that it was incomprehensible why it should not be technically possible to separate communication in relation to transactions carried out in trading for own account and the provision of services relating to the acceptance, transmission and execution of customer orders (telephone trading in securities) and all other telephone calls.

A list of questions and answers from ESMA cannot derogate from the GDPR or Art. 16 TFEU or Art. 8 GRC simply because of the tiered structure of the European legal system. The legal nature of this catalog of questions and answers is that of a “new practical tool” in accordance with Article 29 Paragraph 2 of Regulation 1095/2010/EU. ESMA expressed its legal opinion on October 10, 2016 and July 10, 2017, before the GDPR came into force. The GDPR is a lesser legal act compared to MiFID II, which is just a directive. The implementation provision of § 33 WAG should remain unapplied as contrary to Union law if it was assumed to contain content that violated the GDPR or primary law. Also according to the interpretation of the ESMA, § 33 WAG is only applicable if the telephone call has a factual connection to one of the investment services and activities listed in Annex 1 Section A MiFID II. A list of questions and answers from ESMA cannot derogate from the GDPR or Article 16 TFEU or Article 8 GRC simply because of the tiered structure of the European legal system. The legal nature of this list of questions and answers is that of a "new practical tool" according to Article 29, paragraph 2, VO 1095/2010/EU. ESMA expressed its legal opinion on October 10, 2016 and July 10, 2017, before the GDPR came into force. The GDPR is a lesser legal act compared to MiFID II, which is just a directive. The implementation provision of paragraph 33, WAG, as contrary to Union law, should remain unapplied if it was assumed to contain content that violated the GDPR or primary law. Also according to the interpretation of the ESMA, paragraph 33, WAG is only applicable if the telephone call has a factual connection to one of the investment services and activities listed in Annex 1 Section A MiFID Roman II.

Furthermore, the BF's procedure with regard to the alleged non-recording of telephone calls with the customer advisor was inconsistent, especially since the customer advisor in particular would be expected to actively advise the customer on questions relating to the securities market.

According to the opinion of the European Data Protection Commissioner on MiFID II (OJ C 147 of May 25, 2012), the conversations and communications to be recorded should be clearly defined and limited to those that are necessary for the purpose of the recording. According to the opinion of the European Data Protection Commissioner on MiFID Roman II (OJ C 147 of May 25, 2012), the conversations and communications to be recorded should be clearly defined and limited to those that are necessary for the purpose of the recording.

Furthermore, the exclusive purpose of Section 33 WAG is to enable the supervisory authority to carry out its control activities. There would be no legal basis for the legal entity to be able to view and evaluate the records themselves. Furthermore, the exclusive purpose of paragraph 33, WAG, is to enable the supervisory authority to carry out its control activities. There would be no legal basis for the legal entity to be able to view and evaluate the records themselves.

1.7. With the contested decision, the relevant authority followed the complaint and found that the BF had violated the MB’s right to secrecy by answering the MB’s telephone call on April 23, 2019 at 1:41 p.m. using the number XXXX with a Employees of the branch (branch) of the BF with the designation "XXXX" recorded in XXXX and process (save) the data of the conversation content.1.7. With the challenged decision, the relevant authority followed the complaint and found that the BF had violated the MB's right to secrecy by recording the MB's telephone call on April 23, 2019 at 1:41 p.m. using the Roman XXXX number an employee of the branch (branch) of BF with the designation “Roman XXXX” recorded in Roman XXXX and processes (saves) the data of the conversation content.

The authority concerned made the following findings (the names of the parties have already been adjusted):

“BF, which is organized as a stock corporation, registered in the commercial register for FN XXXX by the Vienna Commercial Court, has banking licenses in accordance with, among other things, Section 1 Para. 1 Z 1 BWG (deposit business), Section 1 Para. 1 Z 2 BWG (Giro business ), Section 1 Para. 1 Z 5 BWG (custody business) and Section 1 Para. 1 Z 7 BWG (foreign exchange and currency transactions, money market instruments business, futures and options transactions, securities transactions). “The BF, which is a stock corporation, is registered in the commercial register FN Roman XXXX is organized by the Commercial Court of Vienna, has banking licenses in accordance with, among other things, paragraph one, paragraph one, number one, BWG (deposit business), paragraph one, paragraph one, number 2, BWG (giro business), paragraph one, paragraph one , Number 5, BWG (custody business) and paragraph one, paragraph one, number 7, BWG (foreign exchange and currency business, money market instrument business, futures and options business, securities business).

The MB is or was a customer of the BF on April 23, 2019. On that day, at 1:41 p.m., he dialed the phone number XXXX that he knew, which is assigned to the BF branch with the designation “XXXX” in XXXX. Before the call connection was established, he was greeted by an automatic recording with the wording “Welcome to XXXX. The following conversation will be recorded to document the content and for quality assurance.” draws attention to the fact that all calls to branches and to central BF service numbers, including the general service number for private customers XXXX and the XXXX securities hotline XXXX, are recorded in full. Calls to the personal (mobile) numbers of individual customer advisors are excluded from this rule. The MB is or was a customer of the BF on April 23, 2019. On that day, at 1:41 p.m., he dialed the phone number he knew in Roman XXXX, which is assigned to the branch of the BF with the designation “Roman XXXX” in Roman XXXX. Before the call was established, an automatic recording with the wording “Welcome to Roman XXXX . The following conversation will be recorded to document the content and for quality assurance.” We draw attention to the fact that all calls to branches and to central BF service numbers, including the general service number for private customers Roman XXXX and the Roman XXXX securities hotline Roman XXXX, are in full content to be recorded. Calls to the personal (mobile) numbers of individual customer advisors are excluded from this rule.

The conversation that the MB then had with an employee of “ XXXX ” lasted 1:52 minutes and dealt with the question of how the MB could best order a money transfer that exceeded the limit for orders via online banking. The conversation was recorded and the content data is processed (saved) by the MB. The subsequent conversation lasting 1:52 minutes, which the MB had with an employee of the “roman XXXX”, dealt with the question of how the MB could best get an over-the-top Limit for money transfer orders via online banking. The conversation has been recorded and the content data is processed (saved) by the MB.

As part of the legal assessment, the authority concerned first presented the legal basis of Section 1 Paragraph 1 and 2 DSG, Article 5 Letters a and c GDPR as well as Article 6 Paragraph 1 Letters c and f GDPR, as well as Article 1 Paragraph 3 Z 1 ZaDiG 2018, Section 66 Paragraph 1 ZaDiG 2018, Section 33 WAG 2018 as well as Article 16 Paragraphs 6 and 7 MIFID II and further explained. A violation of the right to secrecy must be examined, as an unauthorized recording of the contents of a telephone conversation would constitute this offense. Since the MB inquired about options for carrying out a payment transaction after the factual findings, but did not order or authenticate a payment transaction, the BF in no way relied on Section 66 (1) ZaDiG 2018 in conjunction with the recording of telephone conversations. Art. Litera c and f GDPR, further paragraph one, paragraph 3, number one, ZaDiG 2018, paragraph 66, paragraph one, ZaDiG 2018, paragraph 33, WAG 2018 as well as Article 16, paragraph 6 and 7 MIFID Roman II and further stated. A violation of the right to secrecy must be examined, as an unauthorized recording of the contents of a telephone conversation would constitute this offense. Since the MB inquired about options for carrying out a payment transaction after the factual findings, but did not order or authenticate a payment transaction, the BF in no way relied on paragraph 66, paragraph one, ZaDiG 2018 in conjunction with Article 16 with regard to the recording of telephone conversations , paragraph one, litera c, GDPR can support.

From § 33 WAG 2018, a direct obligation of the BF can be derived to record the content of telephone conversations when certain circumstances are met. Such a recording is an interference with the national fundamental data protection law in accordance with Section 1 of the DSG as well as with the Union's fundamental right in accordance with Article 8 GRC, so that this provision, taking into account the underlying Union law (Article 16 Para. 6 and 7 MIFID II), complies with fundamental rights A direct obligation of the BF to record the content of telephone conversations can be derived from paragraph 33, WAG 2018. Such a recording is an interference with the national fundamental data protection law according to paragraph one, DSG as well as with the Union fundamental right according to Article 8, GRC, so that this provision takes into account the underlying Union law (Article 16, paragraphs 6 and 7 MIFID Roman II) must be interpreted in accordance with fundamental rights.

The MiFID II directive (May 14, 2014) is a legislative act that predates the GDPR. The core fact of Section 33 Paragraph 2 WAG 2018 shows that these are telephone conversations at least with regard to the provision of services relating to the acceptance, transmission and execution of customer orders. This refers to telephone orders in the context of securities business, a customer's purchase and sale orders, as well as telephone conversations intended to arrange for the provision of services relating to the acceptance, transmission and execution of customer orders, even if these conversations and communications are not for the purposes of the transaction the conclusion of such transactions or the provision of such services. This means that initiation and consultation discussions are also subject to the obligation to record, regardless of which side the initiative came from. The wording of the cited provisions of the WAG 2018 is identical to Article 16 paragraph 7 first and second subparagraph MIFID II. The decisive sentence from the recitals of the Union legislature on MIFID II can be found at the end of recital 57. There it says after reference to procedural provisions : “For these reasons, this Directive should contain the principles of a general regulation with regard to the recording of telephone conversations and electronic messages in response to customer orders.” It can therefore not be assumed that the legislators of the European Union have authorized investment service providers with this provision wanted to grant or oblige them to record all telephone conversations that were made between them and their customers, including those without “reference to customer orders”. It certainly cannot be assumed that a bank like the BF company, which offers a range of services that goes beyond investment services, should be obliged to record all calls. Such an interpretation would assume that this provision has unintended, excessive content and therefore violates fundamental rights. The MiFID Roman II directive (May 14, 2014) is a legislative act that predates the GDPR. The core fact of paragraph 33, paragraph 2, WAG 2018 shows that these are telephone conversations at least in relation to the provision of services relating to the acceptance, transmission and execution of customer orders. This refers to telephone orders in the context of securities business, a customer's purchase and sale orders, as well as telephone conversations intended to arrange for the provision of services relating to the acceptance, transmission and execution of customer orders, even if these conversations and communications are not for the purposes of the transaction the conclusion of such transactions or the provision of such services. This means that initiation and consultation discussions are also subject to the obligation to record, regardless of which side the initiative came from. The wording of the quoted provisions of the WAG 2018 is identical to Article 16, paragraph 7, first and second subparagraph MIFID Roman II. The decisive sentence from the recitals of the Union legislators on MIFID Roman II can be found at the end of recital 57. There it says after reference on transaction provisions: "For these reasons, the principles of a general regulation regarding the recording of telephone calls and electronic communications in relation to customer orders should be contained in the present directive." It is therefore not to be assumed that the legislators of the European Union with this provision securities service providers wanted to authorize or oblige them to record all telephone conversations between them and their customers, including those not "related to customer orders". It is certainly not to be assumed that a bank like BF's company, which offers a range of services that goes beyond investment services, should be obliged to record all calls. Such an interpretation would imply that this provision has unintended, excessive content and therefore violates fundamental rights.

From the heading before Art. 16 MIFID II (organizational requirements) it can also be concluded that securities service providers not only have an obligation to take certain intervention actions, i.e. to make records, but that they also have an obligation in the light of the later issued GDPR to design their internal organization in such a way that the encroachments on the fundamental rights of the data subjects required by Article 16 MIFID II pursuant to Article 5 (1) (c) and Article 6 (3) GDPR are limited to what is necessary for the purposes of the processing remain. The purpose is, on the one hand, to enable the competent authority to fulfill its duty of supervision and, on the other hand, to preserve evidence in the interests of customers. From the heading before Article 16, MIFID Roman II (organizational requirements), it can also be concluded that securities service providers not only have an obligation to take certain interventional actions, i.e. to make records, but that they also have an obligation in the light of the GDPR, which was issued later to design their internal organization in such a way that the encroachments on the fundamental rights of the data subjects required by Article 16, MIFID Roman II, in accordance with Article 5, paragraph one, litera c and Article 6, paragraph 3, GDPR to the extent necessary for the purposes of the processing remain limited. The purpose is, on the one hand, to enable the competent authority to fulfill its duty of supervision and, on the other hand, to preserve evidence in the interests of customers.

The BF should therefore have set up its organization in such a way that telephone calls that are subject to a recording obligation, in particular those pursuant to Section 33 WAG 2018, are kept separate from other customer calls. It is reasonable for those customers of a bank who want to process purchase and sale orders for securities by telephone or receive appropriate advice to use a specially set up telephone number for such calls, the contents of which are recorded without any gaps. BF's argument that every telephone conversation with a customer could develop into a conversation that must be recorded is not convincing, since in this case all conversations conducted by BF employees - from the porter to the CEO - would have to be recorded, which, however, does not happen and in the would be even more excessive. The BF should therefore have set up its organization in such a way that telephone calls that are subject to a recording obligation, in particular those under paragraph 33, WAG 2018, are kept separate from other customer calls. It is reasonable for those customers of a bank who want to process purchase and sale orders for securities by telephone or receive appropriate advice to use a specially set up telephone number for such calls, the contents of which are recorded without any gaps. BF's argument that every telephone conversation with a customer could develop into a conversation that must be recorded is not convincing, since in this case all conversations conducted by BF employees - from the porter to the CEO - would have to be recorded, which, however, does not happen and in the would be excessive to an even greater degree.

The same applies to telephone conversations that could be covered by the BF's authorization to preserve evidence in accordance with Section 66 (1) ZaDiG 2018. The same applies to telephone conversations that could be covered by the BF's authorization to preserve evidence in accordance with paragraph 66, paragraph one, ZaDiG 2018.

With regard to the BF's submissions regarding other legitimate interests in accordance with Article 6 Paragraph 1 Letter f of the GDPR, in particular that in quality assurance, the BF did not provide any further explanation as to why this interest, which was not explained in more detail, was protected by the fundamental rights in accordance with Article 8 GAC and § 1 para. 1 DSG protected interest of the MB in the secrecy of its data should outweigh. With regard to the BF's argument regarding other legitimate interests pursuant to Article 6, paragraph one, letter f, GDPR, in particular that of quality assurance, the BF did not provide any further explanation as to why this unspecified interest is protected by the fundamental rights pursuant to Article 8, GAC and Paragraph one, paragraph one, DSG protected interest of the MB in the secrecy of its data should outweigh.

In accordance with Article 5 Paragraph 2 of the GDPR, the BF has therefore failed to ensure compliance with the principles for the processing of personal data in accordance with Article 5 Paragraph 1 lit. a (legality, processing in good faith, transparency) as part of its accountability obligation. and c (data minimization). The BF therefore interfered with the MB's fundamental right to secrecy of his personal data (not recording his conversation with a bank employee that was not related to securities transactions or issuing payment orders). The BF thus failed to fulfill its accountability obligations in accordance with Article 5, Paragraph 2, GDPR to demonstrate compliance with the principles for the processing of personal data set out in Article 5, paragraph one, letter a (lawfulness, fair processing, transparency) and c (data minimization). The BF therefore interfered with the MB's fundamental right to secrecy of his personal data (not recording his conversation with a bank employee that was not related to securities transactions or issuing payment orders).

1.8. The complaint is directed against this decision due to “lack of interest in making a determination” and incorrect legal assessment with the requests to annul the decision after an oral hearing has been held, or alternatively, to refer the case back to the authority concerned for a new decision.

1.9. The authority concerned submitted the administrative act together with the complaint with reference to this to the BVwG on January 27th, 2022.

The complaint is not justified:

2. The BVwG initially takes as a basis the findings of the authority concerned, which are not disputed by the BF, and supplements them as follows:

2.1. The BF is divided into XXXX and XXXX. 2.1. The BF is divided into Roman XXXX and Roman XXXX.

Customers can contact their customer advisors in the XXXX directly by telephone using the respective extension number or contact the respective XXXX via a general number, where calls are accepted by the customer advisors, subject to availability. If the customer advisor does not answer the call (overflow), the customer is forwarded to the central XXXX. Calls to the XXXX are forwarded directly to the XXXX. Customers can reach their customer advisors in the Roman XXXX directly by telephone using the respective extension number or contact the respective Roman XXXX via a general number, where calls will be accepted by the customer advisors, subject to availability. If the customer advisor does not answer the call (overflow), the customer is forwarded to the central Roman XXXX. Calls to Roman XXXX are forwarded directly to Roman XXXX.

The XXXX offers comprehensive telephone advice and services. For example, it manages the service line for private customers (XXXX), the private banking service line (XXXX), the XXXX securities hotline (XXXX) and the overflow from the XXXX. Calls are recorded for all calls accepted by the XXXX. The Roman XXXX offers comprehensive telephone advice and services. For example, it looks after the service line for private customers (Roman XXXX), the service line for private banking (Roman XXXX), the Roman XXXX securities hotline (Roman XXXX) and the overflow from the Roman XXXX. The conversation is recorded for all telephone calls that are accepted by Roman XXXX.

2.2. If customers have questions about call recording, they will receive the following standardized information from employees:

“We are entitled to automatically record the conversation to provide evidence of the content of the conversation in the event of a complaint and for internal quality assurance. We are obliged by data protection law to inform you in advance about the recording of the telephone call. For further information on the processing of your data, we may refer you to the website XXXX." "We are entitled to automatically record the conversation to provide evidence of the conversation content in the event of a complaint and for internal quality assurance. We are obliged by data protection law to inform you in advance about the recording of the telephone call. For further information on the processing of your data, we can refer you to the Roman XXXX website.”

If the customer declares that he does not agree with the recording of the call, the employees will refer him to his customer advisor or his bank branch with the standardized information: “If you do not agree with the recording of the telephone call, we can ask you to contact your Customer advisor/your bank branch/your XXXX personally."If the customer declares that he does not agree with the recording of the call, the employees will refer him to his customer advisor or his bank branch with the standardized information: "You should agree to the recording of the telephone call If you do not agree, we may ask you to contact your customer advisor/bank branch/roman XXXX personally.”

3. The additional findings follow the information provided by the BF in its statement of September 9, 2020 and were not questioned in terms of content by the MB.

4. From this it follows legally:

4.1. The relevant legal provisions are excerpted as follows:

4.1.1. According to Section 1 Paragraph 1 DSG, everyone has the right to confidentiality of personal data concerning them, particularly with regard to respect for their private and family life, provided there is a legitimate interest in doing so. The existence of such an interest is excluded if data is not accessible to a confidentiality claim due to its general availability or because it cannot be traced back to the data subject.4.1.1. According to paragraph one, paragraph one, of the DSG, everyone has the right to confidentiality of personal data concerning them, particularly with regard to respect for their private and family life, to the extent that there is a legitimate interest in doing so. The existence of such an interest is excluded if data is not accessible to a confidentiality claim due to its general availability or because it cannot be traced back to the data subject.

According to Article 5 of the GDPR, personal data must be collected. According to Article 5 of the GDPR, personal data must be

a)       processed lawfully, in accordance with the principle of fairness and in a manner that is understandable to the data subject (“lawfulness, fair processing, transparency”);

b)       collected for specified, explicit and legitimate purposes and may not be further processed in a manner incompatible with those purposes; Further processing for archival purposes in the public interest, for scientific or historical research purposes or for statistical purposes is not deemed to be incompatible with the original purposes in accordance with Article 89(1) ("purpose limitation");

c)       adequate and relevant to the purpose and limited to what is necessary for the purposes of the processing (“data minimization”);

d)       be factually accurate and, where necessary, up to date; all reasonable measures must be taken to ensure that personal data that are inaccurate in relation to the purposes for which they are processed are deleted or corrected without delay (“accuracy”);

e)       stored in a form that allows the identification of data subjects only for as long as is necessary for the purposes for which they are processed; Personal data may be stored for a longer period of time to the extent that the personal data is used exclusively for archival purposes in the public interest or for scientific and historical research purposes, subject to the implementation of appropriate technical and organizational measures required by this Regulation to protect the rights and freedoms of the data subject processed for statistical purposes in accordance with Article 89(1) ("storage limitation");

f)       processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage through appropriate technical and organizational measures (“integrity and confidentiality”);

(1)      The person responsible is responsible for compliance with paragraph 1 and must be able to demonstrate compliance (“accountability”).”

Art. 6 GDPR: Article 6, GDPR:

According to Article 6 Paragraph 1 of the GDPR, processing is only lawful if at least one of the following conditions is met: According to Article 6, Paragraph 1 of the GDPR, processing is only lawful if at least one of the following conditions is fulfilled:

a)       the data subject has given his or her consent to the processing of personal data concerning him or her for one or more specific purposes;

b)       processing is necessary for the performance of a contract to which the data subject is party or in order to take steps prior to entering into a contract at the request of the data subject;

c)       processing is necessary for compliance with a legal obligation to which the controller is subject;

d)       processing is necessary to protect the vital interests of the data subject or another natural person;

e)       processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

f)       processing is necessary to safeguard the legitimate interests of the controller or a third party, unless the interests or fundamental rights and freedoms of the data subject which require the protection of personal data outweigh them, in particular if the data subject is a child acts.

4.1.2. According to Section 1 Paragraph 1 of the Payment Services Act 2018 (ZaDiG 2018), the ZaDiG specifies the conditions under which persons may provide payment services commercially in Austria (payment service providers). It regulates the rights and obligations of payment service providers and payment service users in connection with payment services.4.1.2. According to paragraph one, paragraph one, Payment Services Act 2018 (ZaDiG 2018), the ZaDiG specifies the conditions under which persons may provide payment services commercially in Austria (payment service providers). It regulates the rights and obligations of payment service providers and payment service users in connection with payment services.

§ 66. (1) If a payment service user denies having authorized an executed payment transaction or claims that the payment transaction was not properly executed, its payment service provider must prove that Section 66, (1) If a payment service user denies having authorized an executed payment transaction or claims that the payment transaction was not carried out properly, its payment service provider must prove that

1. the payment transaction was authenticated,

2. was properly recorded and accounted for and

3. was not affected by a technical error or other disruption to the service provided by the payment service provider.

(2) If the payment transaction is initiated via a payment initiation service provider, the payment initiation service provider must prove that the payment transaction was authenticated within its area of responsibility, was properly recorded and was not affected by a technical error or other disruption in connection with the payment service for which it is responsible.

(3) Proof of the use of a payment instrument alone is not necessarily sufficient to prove that the payer has authorized the payment transaction, that there has been an intentional or grossly negligent breach of the duty of care in accordance with Section 63, or that the payer has acted with fraudulent intent. The payment service provider, including, if applicable, the payment initiation service provider, must provide supporting evidence to prove fraud or gross negligence on the part of the payment service user."(3) Evidence of the use of a payment instrument is in itself sufficient to prove the authorization of the payment transaction by the payer, an intentional one or grossly negligent breach of the duty of care in accordance with paragraph 63, or an act by the payer with fraudulent intent. The payment service provider, including where applicable the payment initiation service provider, must provide supporting evidence to prove fraud or gross negligence on the part of the payment service user."

Directive 2014/65/EU of the European Parliament and of the Council of May 15, 2014 on markets in financial instruments and amending Directives 2002/92/EC and 2011/61/EU (Financial Markets Directive, MiFID II) Directive 2014/65/EU of European Parliament and of the Council of May 15, 2014 on markets in financial instruments and amending Directives 2002/92/EC and 2011/61/EU (Financial Markets Directive, MiFID Roman II)

Article 16

“Organizational requirements
6. An investment firm shall ensure that records are kept of all its services, activities and transactions sufficient to enable the competent authority to carry out its supervisory obligations and as provided for in this Directive, in Regulation (EU) No 600/ 2014, Directive 2014/57/EU and Regulation (EU) No 596/2014 and, in particular, to ensure that the investment firm complies with all obligations, including those towards clients or potential clients and with regard to on the integrity of the market.

(7) The records include the recording of telephone conversations or electronic communications at least in relation to transactions carried out when trading on own account and the provision of services relating to the acceptance, transmission and execution of customer orders.

These telephone conversations and electronic communications also include those intended to initiate transactions in the context of trading for one's own account or the provision of services relating to the acceptance, transmission and execution of customer orders, even if these conversations and communications do not finalize such transactions or the provision of such services.

For this purpose, an investment firm shall take all reasonable measures to record relevant telephone conversations and electronic communications created on or sent or received from equipment provided by the firm to an employee or freelancer or the use thereof by an employee or freelancer employee has been approved or permitted by the company.

An investment firm advises new and existing clients that telephone conversations or communications between the investment firm and its clients that result or may result in transactions are being recorded.

It is sufficient to notify new and existing customers of this once before the investment services are provided.

An investment firm that has not informed its clients in advance that their telephone conversations or communications will be recorded may not provide telephone investment services to them or carry out telephone investment activities if such investment services and investment activities relate to the acceptance, transmission and execution of client orders.

Customers may place their orders through other channels, but such communications must be made via a durable medium, such as. B. E-mail, fax or records of customer orders made during a meeting. In particular, the content of the relevant personal conversations may be recorded by making written minutes or notes. These orders are considered equivalent to orders received by telephone.

An investment firm shall take all reasonable measures to prevent an employee or freelancer from creating, sending or receiving telephone conversations or electronic communications using personal devices that the firm cannot record or copy.

Records stored in accordance with this paragraph will be made available to relevant customers upon request and will be retained for five years. If required by the competent authority, they will be kept for up to seven years.

Article 78

data protection

The processing of personal data collected in the exercise or exercise of surveillance powers, including investigative powers, under this Directive shall be carried out in accordance with national law transposing Directive 95/46/EC and, where applicable, with Regulation (EC) No 45/2001.

Recital 57

Commission Directive 2006/73/EC (1) allows Member States to require, as part of the organizational requirements for investment firms, the recording of telephone conversations or electronic communications relating to client orders. The recording of telephone conversations or electronic communications relating to client orders is compatible with the Charter of Fundamental Rights of the Union (hereinafter “Charter”) and is justified in order to strengthen investor protection, improve market surveillance and ensure legal certainty in the interests of investment firms and their increase customers. The Committee of European Securities Regulators also pointed out the importance of such records in its technical opinion to the Commission of July 29, 2010. These records should ensure that the terms of all orders placed by clients and their conformity with the transactions carried out by investment firms can be demonstrated and that any conduct that may be relevant to market abuse is detected, including when Companies trade for their own account.

This requires records of all conversations in which a company's representatives are involved when they are trading or intend to trade for their own account. If customers communicate their orders through channels other than telephone, such communications should be made via a durable medium, such as a mailbox. B. E-mail, fax or records of customer orders made during a meeting. For example, the content of the relevant personal conversations could be recorded by making written minutes or notes. These orders should be considered equivalent to orders received by telephone. When minutes of personal conversations with customers are drawn up, Member States should ensure that appropriate safeguards are in place to ensure that the customer is not harmed if the minutes inaccurately reflect communications between the parties. Such safeguards should not result in the customer incurring any liability.

In order to provide legal certainty as to the scope of the obligation, it should apply to all equipment provided by the company or the use of which has been approved by the company; At the same time, investment firms must be required to take reasonable precautions to ensure that privately owned devices are not used in connection with transactions. These records should be available to competent authorities when carrying out their supervisory tasks and taking enforcement measures of this Directive, Regulation (EU) No 600/2014, Regulation (EU) No 596/2014 and Directive 2014/57/ EU of the European Parliament and of the Council (1) to enable competent authorities to use these records to identify conduct that is not in line with the legal framework governing the activities of investment firms. The records should also be available as evidence to investment firms and their clients to enable them to monitor their relationship with regard to orders placed by clients and transactions concluded by firms. For these reasons, this Directive should contain the principles of a general regime regarding the recording of telephone conversations or electronic communications relating to customer orders.

Commission Delegated Regulation (EU) …/… of 25 April 2016 supplementing Directive 2014/65/EU of the European Parliament and of the Council with regard to the organizational requirements for investment firms and the conditions for the exercise of their activities and with regard to the Definition of certain terms for the purposes of said policy

Article 76Article 76,

Recording of telephone conversations or electronic communications

(Article 16(7) of Directive 2014/65/EU)

1.       Investment firms shall establish, implement and maintain, in writing, effective telephone and electronic communications record-keeping policies, taking due account of the size and organization of each firm and the nature, scope and complexity of its business. The principles include the following content:

a)       Information on telephone conversations and electronic communications, which includes relevant internal telephone conversations and electronic communications to which the recording requirements of Article 16(7) of Directive 2014/65/EU apply; and

(b) details of the procedures to be followed and measures to be taken to ensure that the investment firm complies with the third and eighth subparagraphs of Article 16(7) of Directive 2014/65/EU in the event of exceptional circumstances and the firm's inability to do so to record the conversation or communication on Company-issued, approved, or approved equipment. Evidence of these circumstances will be kept for the competent authorities to access.

2.       Investment firms shall ensure that the management body can ensure effective supervision and control of the policies and procedures relating to the investment firm's records of telephone calls and electronic communications.

3. Investment firms shall ensure that recordkeeping compliance provisions are technology neutral. Investment firms shall make periodic assessments of the effectiveness of their policies and procedures and adopt any necessary and appropriate alternative or additional measures and procedures. This adoption of alternative or additional measures always occurs when the investment firm approves or permits use of a new means of communication.

4. Investment firms shall maintain and regularly update records of all persons who have company or privately owned equipment approved for use by the investment firm.

5. Investment firms are responsible for the training and development of their employees in procedures covered by the provisions of Article 16(7) of Directive 2014/65/EU.

6. In order to verify compliance with the record-keeping and retention requirements set out in Article 16(7) of Directive 2014/65/EU, investment firms shall regularly inspect the business and order records subject to these requirements, including relevant conversations. This review is risk-based and proportionate.

7.       Investment firms shall, upon request, clearly demonstrate to the relevant competent authorities the policies, procedures and the management body's oversight of record-keeping requirements.

8.       Before investment firms provide investment services and activities related to the acceptance, routing and execution of orders for new and existing clients, inform the client of the following:

a)       that the conversations and communications are recorded; and

b)       that a copy of the records of such discussions and communications with the customer will be available upon request for a period of five years and, if requested by the competent authority, for a period of seven years.

The information referred to in the first subparagraph shall be presented in the same language(s) used when providing investment services to clients.

9.       Investment firms shall record on a durable medium all relevant information relating to relevant face-to-face meetings with clients. The information recorded must include at least the following:

a)       Date and time of meetings;

b)       Place of meetings;

c)       personal details of those present;

d)       Initiator of the meetings; and

e) important information about the customer order, such as: Price, scope, order type and time of forwarding or execution.

10. Recordings will be stored on a durable medium so that they can be replayed or copied and must be maintained in a format that cannot alter or delete the original recording.

The recordings are stored on a disk so that they are easily accessible and available to customers upon request.

Investment firms ensure the quality, accuracy and completeness of records of all telephone conversations and all electronic communications.

11. The retention period for a recording begins at the time it was created.

According to Section 33 Paragraph 1 of the Securities Supervision Act 2018 (WAG), a legal entity must keep records of all its services, activities and transactions, on the basis of which the FMA can fulfill its supervisory obligation and which are set out in this federal law, in the BörseG 2018, in Regulation (EU) No 600/2014 and Regulation (EU) No 596/2014 and, in particular, to ensure that the legal entity has complied with all obligations, including those towards its customers or potential customers and with regard to the integrity of the market .According to paragraph 33, paragraph one, of the Securities Supervision Act 2018 (WAG), a legal entity must keep records of all its services, activities and transactions on the basis of which the FMA can fulfill its supervisory obligation and which are set out in this federal law, in the Stock Exchange Act 2018, in the regulation ( EU) No. 600/2014 and Regulation (EU) No. 596/2014 and, in particular, ascertain whether the legal entity is able to fulfill all obligations, including those towards its customers or potential customers and with regard to the integrity of the market has complied with.

(2) The records referred to in paragraph 1 must contain the recording of telephone conversations and electronic communications at least with regard to transactions carried out when trading for own account and the provision of services relating to the acceptance, transmission and execution of customer orders .(2) The records referred to in paragraph one shall include the recording of telephone conversations and electronic communications at least in relation to transactions carried out when trading on own account and the provision of services relating to the acceptance, transmission and execution of customer orders contain.

(3) Telephone calls and electronic communications in accordance with paragraph 2 also include those with which transactions are to be carried out in the context of trading for one's own account or the provision of services relating to the acceptance, transmission and execution of customer orders, even if these Conversations and communications do not lead to the conclusion of such transactions or the provision of such services. (3) Telephone conversations and electronic communications in accordance with paragraph 2 also include those with which transactions are intended to be carried out in the context of trading for one's own account or the provision of services relate to the acceptance, transmission and execution of customer orders, even if these discussions and communications do not lead to the conclusion of such transactions or the provision of such services.

(4) A legal entity shall, for the purposes set out in paragraphs 2 and 3, take all reasonable measures to record relevant telephone conversations and electronic communications created with or sent or received from devices that the legal entity provides to an employee or freelancer has made available or the use of which by an employee or freelancer has been approved or permitted by the legal entity. (4) A legal entity must, for the purposes set out in paragraphs 2 and 3, take all reasonable measures to record relevant telephone conversations and electronic communications, created using, or sent or received from, devices that the Entity has made available to an employee or freelancer or whose use by an employee or freelancer has been approved or permitted by the Entity.

(5) A legal entity must inform new and old customers that telephone conversations or electronic communications between the legal entity and its customers that lead or may lead to business are being recorded. It is sufficient to inform new and old customers of this once before the investment services are provided, but at least once a year.

(6) A legal entity that has not informed its customers in advance about the recording of their telephone conversations or communications is not permitted to provide them with telephone investment services or to carry out telephone investment activities if these investment services and investment activities relate to the acceptance, transmission and Execution of customer orders.

(7) Customers may place their orders through other channels, but such communications must be made via a durable medium, such as email, fax or records of customer orders created during a meeting. In particular, the content of the relevant personal conversations may be recorded by making written minutes or notes. These orders are considered equivalent to orders received by telephone.

(8) An entity shall take all reasonable measures to prevent an employee or freelancer from creating, sending or receiving telephone conversations or electronic communications using personal devices that the entity cannot record or copy.

(9) A legal entity must make the records stored in accordance with paragraphs 2 to 8 available to the relevant customer free of charge upon request and store them for five years. The FMA can order longer retention periods by regulation after a thorough examination of their necessity and proportionality if this is necessary for evidentiary purposes due to the special circumstances of certain types of legal entities. The retention periods may not exceed seven years. (9) A legal entity must make the records stored in accordance with paragraphs 2 to 8 available to the relevant customers free of charge upon request and store them for five years. The FMA can order longer retention periods by regulation after a thorough examination of their necessity and proportionality if this is necessary for evidentiary purposes due to the special circumstances of certain types of legal entities. The retention periods may not exceed seven years.

(10) The FMA is responsible for monitoring compliance with paras. 1 to 9 with regard to transactions conducted by domestic branches of investment firms and credit institutions domiciled in a Member State or a third country. This does not affect the possibility for the competent supervisory authority of the home Member State of the legal entity to have direct access to these records. (10) The FMA is responsible for monitoring compliance with paragraphs one to 9 in relation to domestic branches of investment firms and credit institutions domiciled in a Member State or transactions carried out in a third country. This does not affect the possibility for the competent supervisory authority of the legal entity’s home Member State to have direct access to these records.

4.1.3. Regarding Section 33 WAG 2018: 4.1.3. Regarding paragraph 33, WAG 2018:

A significant innovation compared to the previous MiFID I provisions is the recording obligations of telephone conversations and electronic communication in relation to proprietary trading transactions as well as the provision of services to customers in the context of accepting, transmitting and executing customer orders (in the following, only the second case can be relevant here). ). In its mandate to ESMA, the Commission justifies the importance of such records in particular by saying that they represent evidence of compliance with the MiFID II obligations, but also lead to the detection and proof of acts of market abuse. Recital 57 of MiFID II cites the justification for recording telephone conversations and electronic communications as strengthening investor protection, improving market surveillance and increasing legal certainty in the interests of investment firms and customers. It is also pointed out that these records should enable supervisory authorities to identify behavior that is not in accordance with the legal framework with regard to the activities of investment firms (Ortner-Wolf in Brandl/Saria, WAG 20182 § 33 Rz 2, as of March 1, 2018, rdb.at).A significant innovation compared to the MiFID Roman one previous provisions is the recording obligations of telephone conversations and electronic communication in relation to proprietary trading transactions as well as the provision of services to customers within the framework of the acceptance, transmission and execution of customer orders (in the following, only the second case can be relevant here). In its mandate to ESMA, the Commission justifies the importance of such records in particular by the fact that they represent evidence of compliance with the MiFID Roman II obligations, but also lead to the detection and proof of acts of market abuse. Recital 57 of MiFID Roman II cites strengthening investor protection, improving market surveillance and increasing legal certainty in the interests of investment firms and customers as justification for recording telephone conversations and electronic communications. It is also pointed out that these records should enable supervisory authorities to identify conduct that is not consistent with the legal framework relating to the activities of investment firms (Ortner-Wolf in Brandl/Saria, WAG 20182 Paragraph 33, Rz 2, as of March 1, 2018, rdb.at).

In this context, recording obligations are no longer exclusively in the interest of control or administrative criminal prosecution by the FMA or other supervisory or administrative criminal authorities, the public law courts and the criminal courts, as was the case after the WAG AF, but rather have a lot of goals more on investor protection interests (as above, paragraph 3).

The obligation (according to Section 33 Paragraph 1) is made more concrete to the effect that the recording obligation primarily serves the purpose of enabling the FMA to fulfill its supervisory obligation and to take supervisory measures in the event of violations... The authority should be responsible for checking compliance with the provisions of the Stock Exchange Act , MiFI R and MAR standardized obligations can be made possible (as above, paragraph 7). The obligation (according to paragraph 33, paragraph one) is specified to the effect that the primary purpose of the recording obligation is to enable the FMA to fulfill its supervisory obligation and to take supervisory measures in the event of violations... The authority should be responsible for verifying compliance with the provisions in BörseG, the MiFI R and the MAR standardized obligations can be made possible (as above, paragraph 7).

Section 33 Paragraph 2 regulates special recording obligations with regard to telephone conversations and electronic communication. This covers both the legal entity's own trading transactions and the provision of services relating to the acceptance, transmission and execution of customer orders (as above, paragraph 10). Paragraph 33, paragraph 2, regulates special recording obligations with regard to telephone conversations and electronic communication. This covers both the legal entity's own trading transactions and the provision of services relating to the acceptance, transmission and execution of customer orders (as above, paragraph 10).

According to paragraph 3, the recording obligation also explicitly covers those telephone conversations and electronic communications with which transactions and services are to be initiated in accordance with paragraph 2, even if these ultimately do not lead to the conclusion of such transactions or services. This makes it clear that the obligation to record is broadly understood. Rather, in addition to conversations about proprietary trading activities, all conversations with customers - regardless of whether a transaction is concluded - must be recorded, provided that the content of the conversation relates to the potential provision of an investment service or a securities transaction or is conducted in this direction (such as above, paragraph 12). According to paragraph 3, the recording obligation also explicitly covers those telephone conversations and electronic communications with which transactions and services are to be initiated in accordance with paragraph 2, even if these ultimately do not lead to the conclusion of such transactions or services. This makes it clear that the obligation to record is broadly understood. Rather, in addition to conversations about proprietary trading activities, all conversations with customers - regardless of whether a transaction is concluded - must be recorded, provided that the content of the conversation relates to the potential provision of an investment service or a securities transaction or is conducted in this direction (such as above, paragraph 12).

ESMA already points out in the final report that, although the recording obligations do not explicitly relate to the investment advisory service, any related communication is still subject to the recording obligation if this could result in the acceptance, transmission and execution of customer orders or proprietary trading transactions (as above , Rz 13).

The very broad scope of application of the recording obligations is also confirmed by ESMA in the questions and answers. In ESMA's opinion, it is also irrelevant whether the services mentioned are only permitted for a legal entity via certain distribution channels, so that the scope of application is actually very broad. Since a delineation of conversations worthy of recording will not be possible from the outset, all telephone calls or electronic communication that could potentially lead to the conclusion of proprietary trading transactions, customer transactions or the provision of services that could lead to the acceptance, transmission or execution of customer orders , must be recorded by the legal entities. By setting up call centers specializing in WAG-relevant customer conversations or by specifying specific extension numbers for such conversations, the legal entity could at least make an (organizational) distinction from conversation content that cannot be recorded in accordance with WAG 2018 (other banking services) (paragraph 14).

Neither MiFID II nor the WAG 2018 specify when the recording obligation begins and when it ends. ESMA's answers in its questions and answers show that the European legislator wants the recording obligation to be understood very comprehensively. ESMA assumes that the entire telephone call or electronic communication must be recorded from start to finish and justifies this on the basis that it is impossible to estimate in advance whether the conversation will lead to the conclusion of a customer order. However, this is excessive if, for example, a conversation contains both WAG-relevant and non-WAG-relevant conversation content. The recording obligation can only relate to the actually relevant content (i.e. communication in connection with trading for one's own account and the provision of services relating to the acceptance, transmission and execution of customer orders). To ensure that the WAG-relevant conversation content is recorded, various technical solution options are conceivable, such as full recording of the conversations, automatic rooting by dialing an extension to a consultant or having the consultant record the recording (at the push of a button) (paragraphs 21 and 22 ). Neither the MiFID Roman II nor the WAG 2018 specify when the recording obligation begins and when it ends. ESMA's answers in its questions and answers show that the European legislator wants the recording obligation to be understood very comprehensively. ESMA assumes that the entire telephone call or electronic communication must be recorded from start to finish and justifies this on the basis that it is impossible to estimate in advance whether the conversation will lead to the conclusion of a customer order. However, this is excessive if, for example, a conversation contains both WAG-relevant and non-WAG-relevant conversation content. The recording obligation can only relate to the actually relevant content (i.e. communication in connection with trading for one's own account and the provision of services relating to the acceptance, transmission and execution of customer orders). To ensure that the WAG-relevant conversation content is recorded, various technical solution options are conceivable, such as full recording of the conversations, automatic rooting by dialing an extension to a consultant or having the consultant record the recording (at the push of a button) (paragraphs 21 and 22 ).

In principle, the confidentiality interests worthy of protection with regard to data are not violated if, among other things, there is an express legal authorization or obligation to process or use the data, there are overriding legitimate interests of the client or a third party or the person concerned has consented (see §§ 7 and 8 DSG or Art. 6 and 7 DSGVO). The Commission considers the recording of telephone conversations or electronic communications to be compatible with the Charter of Fundamental Rights of the Union and justified in order to strengthen investor protection, improve market surveillance and increase legal certainty in the interests of investment firms and their clients. At the same time, however, the Union legislature emphasizes that data processing must be carried out in compliance with the data protection directive (cf. Art. 78 MiFID II Directive), which will be replaced by the GDPR in the future. Recitals 39 and 129 of delegated regulation (EU) 2017/565 additionally state that the rights to private and family life as well as the protection of personal data must be taken into account when collecting and processing customer data. The far-reaching recording obligations of MIFID II and the preservation of data protection are therefore in tension (as above, paragraph 51). In principle, the confidentiality interests worthy of protection with regard to data are not violated if, among other things, there is an express legal authorization or obligation to process or use the data, there are overriding legitimate interests of the client or a third party or the person concerned has consented (see paragraphs 7 and 8). DSG or Articles 6 and 7 GDPR). The Commission considers the recording of telephone conversations or electronic communications to be compatible with the Charter of Fundamental Rights of the Union and justified in order to strengthen investor protection, improve market surveillance and increase legal certainty in the interests of investment firms and their clients. At the same time, the Union legislature emphasizes that data processing must be carried out in compliance with the data protection directive (see Article 78, MiFID Roman II Directive), which will be replaced by the GDPR in the future. Recitals 39 and 129 of delegated regulation (EU) 2017/565 additionally state that the rights to private and family life as well as the protection of personal data must be taken into account when collecting and processing customer data. The far-reaching recording obligations of MIFID Roman II and the protection of data protection are therefore in tension (as above, paragraph 51).

In practice, it can hardly be avoided that conversation content that does not fall under the statutory recording obligation, for example of a private nature, is often recorded. In practice, various difficulties arise with regard to such a far-reaching recording obligation. There also remain legitimate doubts as to whether the EU legislature, in determining the far-reaching MiFID II recording obligations, has adequately addressed the points already criticized by the ECJ in connection with data retention and has possibly exceeded the limits of a proportionate interference with fundamental rights (paragraph 52). . In practice, it can hardly be avoided that conversation content that does not fall under the statutory recording obligation, for example of a private nature, is often recorded. In practice, various difficulties arise with regard to such a far-reaching recording obligation. There also remain legitimate doubts as to whether the EU legislature, in determining the far-reaching MiFID Roman II recording obligations, has adequately addressed the points already criticized by the ECJ in connection with data retention and has possibly exceeded the limits of a proportionate interference with fundamental rights (paragraph 52 ).

In its jurisprudence, the Constitutional Court has specified the content requirements regarding the determination of customer data in the course of the FMA's supervisory measures. Ultimately, it depends on whether or to what extent the intervention is necessary, appropriate and proportionate in accordance with the supervisory objective. When assessing this question, the interest of those affected in secrecy and the interest in state intervention must be compared and weighed up (paragraph 54).

4.1.4. In its Questions and Answers On MiFID II and MiFIR investor protection and intermediaries topics - Recording of telephone conversations and electronic communications (last update: October 3, 2017), ESMA states - as far as case-related -: 4.1.4. In its Questions and Answers On MiFID Roman II and MiFIR investor protection and intermediaries topics - Recording of telephone conversations and electronic communications (last update: October 3, 2017), ESMA states - as far as case-related -:

Question 5: What types of electronic communications are within the scope of the new requirements?

Answer 5:

(Art. 16 Para. 7) MiFID II requires the recording of telephone conversations or electronic communications. Any electronic communications involving transactions when dealing on own account or in the provision of client order services that relate to the reception, transmission and execution of client orders will fall within the rules. (Article 16, paragraph 7,) MiFID Roman II requires the recording of telephone conversations or electronic communications. Any electronic communications involving transactions when dealing on own account or in the provision of client order services that relate to the reception, transmission and execution of client orders will fall within the rules.

…

Question 8: Do relevant telephone conversations and electronic communications need to be recorded by the company from start to end?

Answer 8:

In ESMA's view, the scope of the requirements requires firms to record the entirety of telephone conversations and electronic communications. This is because it is impossible to appreciate upfront whether the conversation will lead to the conclusion of a transaction.

Therefore ESMA expects firms to record all relevant telephone conversations or electronic communications from start to end.

Question 11: What telephone conversations and electronic communications should be recorded in accordance with Art. 16 7 MiFID II? Question 11: What telephone conversations and electronic communications should be recorded in accordance with Article 16, 7 MiFID II?

Answer11:

In ESMA's view, the following stages of conversations and electronic communications that relate to he provision of client order services or dealing on own account will be caught by the rules:

        Conversations or communications with the client, or a person acting on behalf of such a client, which relates to an agreement by the firm to carry out one of the activities, whether as principal or agent.

        Conversations or communications with any other person, which relate to transactions concluded with dealing on own account and the provision of client order services that relate to the reception, transmission and execution of client orders. This should include telephone conversations or electronic communications such as: transmitting an order to a broker or placing an order with an entity for execution, conversations or communications relating to the handling of an order.

Also included are any other conversations or communications which are carried out by the firm with the view to reach an agreement to carry out one of the covered activities, whether as principal or agent, even if those conversations or communications do not lead to the conclusion of look for an agreement. This should include conversations and communications regarding prices, solicitations, bits, offers, indications of interest and requests for quotes. Firms should have in place policies and procedures to ensure that no relevant telephone conversations or electronic communications are done through communication systems which are not recorded.

…

4.2. It follows:

4.2.1. It should be noted first that the BF - albeit before the MB's release of banking secrecy - based its "general presentation of the situation complained of" solely on its obligations as a payment service provider in accordance with Section 66 (1) ZaDiG 2018 and on what was essentially represented later The position that, in principle, all conversations should be recorded due to the obligation under Section 33 WAG was not referred to in any way. 4.2.1. It should be noted first that the BF - albeit before the MB's release of banking secrecy - based its "general presentation of the situation complained of" solely on its obligations as a payment service provider in accordance with paragraph 66, paragraph one, ZaDiG 2018 and on the later essentially The position taken that, in principle, all conversations should be recorded in no way due to the obligation under paragraph 33 to record WAG.

Furthermore, it can be seen from the presentation of the standardized announcement texts or information as part of the statement dated September 9, 2020 that there is no reference to obligations under the Securities Supervision Act or a reference to securities trading, but only to documentation for quality assurance or as evidence the content of conversations in complaints cases.

In its justification, the authority concerned excluded the applicability of Section 66 Paragraph 1 ZaDiG 2018 to justify a recording obligation because the MB had not commissioned or authenticated a payment transaction in a case-related manner. In its justification, the authority concerned excluded the applicability of paragraph 66, paragraph one, ZaDiG 2018 to justify a recording obligation because the MB had not commissioned or authenticated a payment transaction on a case-by-case basis.

The relevant authority also considered the reference to legal interests in the sense of quality assurance in accordance with Article 6 Paragraph 1 Letter f of the GDPR to have not been explained in more detail by the BF. The relevant authority also considered the reference to legal interests in the sense of quality assurance in accordance with Article 6, paragraph one, letter f, GDPR to have not been explained in more detail by the BF.

The authority concerned then devoted the essential part of its reasoning to a discussion of the applicability of Section 33, Paragraph 2, WAG 2018 to the established facts and denied its applicability. The authority concerned then devoted a discussion to the applicability of Section 33, Paragraph 2, WAG 2018 the facts established the essential part of their reasoning and denied its applicability.

In its complaint, the BF counters that the interest in establishing a breach of confidentiality obligation should be denied or that there is no authority to make a determination. As part of the objection of incorrect legal assessment, the BF essentially relies on Section 33 Paragraphs 2 and 3 WAG 2018 as the basis for a case-related recording authorization. In its complaint, the BF counters that the interest in establishing a breach of confidentiality obligation should be denied or . there is no authority to make a determination. As part of the objection of incorrect legal assessment, the BF essentially relies on paragraph 33, paragraphs 2 and 3 WAG 2018 as the basis for a case-related recording authorization.

Insofar as the BF has repeatedly and quite polemically denied the professional competence of the authority concerned with regard to a dispute with banking supervisory provisions, it should only be pointed out that the data protection authority, as the authority responsible in this case, undoubtedly had to decide and is therefore also responsible for it , if necessary, to include provisions that compete with data protection provisions (in this case securities supervision law) in their discussions.

Regarding the complaint in detail:

4.2.2. Insofar as the BF repeatedly states that “an unimplementable decision” was issued, it should first be pointed out that, based on all relevant legal provisions, it had to be examined as a matter of the decision whether the recorded recording of a telephone call violated the data protection right to secrecy has. In the event of such a determination, it is up to BF to design its internal processes in such a way that banking and securities regulatory provisions are applied in such a way that data protection violations are prevented. It is not relevant whether the telephone recordings were made against or in favor of the (other) interests of the MB, especially since the subject of the proceedings before the data protection authority is data protection. The fact that any securities regulatory obligations are also in the customer's interest does not in any way exclude the possibility that these conflict with data protection interests.

The complaint does not provide any indication that the decision cannot be implemented within the meaning of Section 68 AVG, especially since it is within the BF's discretion to record telephone conversations or not. The question of whether the obligation to record the specific facts of the case contradicts securities supervisory regulations is the subject of the following discussion. The complaint does not provide any evidence that the decision within the meaning of paragraph 68 of the AVG cannot be implemented, especially since it is within the BF's discretion whether or not to record telephone conversations. The question of whether the obligation to record the specific facts of the case contradicts securities supervisory regulations is the subject of the following discussion.

We also disagree with the statements in the complaint that the authority had inadmissibly adopted an ex-post assessment standard “with regard to the conversations reproduced in paragraph 25” and that it contradicts the laws of logical thought if it is postulated that the preliminary assessment of the recording obligation of a conversation should be based on a retrospective view of this conversation.

All that needs to be pointed out at this point is that Section 33 Paragraphs 2 and 3 WAG defines topics of conversation that are subject to the obligation to record. These are circumstances whose existence can in principle be clarified ex ante in relation to a conversation to be held. If such a conversation were to develop contrary to the original assessment in such a way that the topics mentioned in Section 33 Paragraphs 2 and 3 were touched upon, such an ex ante assessment would only have to be abandoned during the course of the conversation. However, the BF does not explain that, with regard to the specifically determined content of the telephone call, it would not have been possible to determine or clarify ex ante whether it was subject to Section 33 Paragraphs 2 and 3 WAG. This is all that is referred to at this point point out that paragraph 33, paragraphs 2 and 3 WAG defines topics of conversation that are subject to the recording obligation. These are circumstances whose existence can in principle be clarified ex ante in relation to a conversation to be held. If such a conversation were to develop contrary to the original assessment in such a way that the topics mentioned in paragraph 33, paragraphs 2 and 3 were touched upon, such an ex ante assessment would only have to be abandoned during the course of the conversation. However, the BF does not explain that with regard to the specifically determined content of the telephone call, it would not have been possible to determine or clarify ex ante whether it was subject to paragraph 33, paragraphs 2 and 3 WAG.

4.2.3. Case-wise, the statements are completely general and there is a threat of sanctions from the Austrian Financial Markets Authority (fines of up to €5 million). It is not clear why they should threaten to not record the phone call specifically mentioned in the findings of fact.

4.2.4. Regarding the authority of the authority concerned to make a determination:

Here the BF believes, among other things, that the determination of the violation of the MB's right to secrecy through the recording of the conversation is a necessary step in his legal prosecution, even though the legislature established this recording of the conversation precisely to protect his legal position. The fact that a person takes legal action against a law established for their protection or measures based on it is fundamentally alien to the legal system.

Here the BF apparently means that if individual legal norms protect the person concerned with regard to a legal position, the person concerned cannot rely on the violation of other legal norms.

However, the MB denies that the specific conversation with the BF would have been subject to a recording obligation. Under no circumstances can the abstract fact that call recording obligations under Union law or national law created thereunder are also in the customer's interest exclude the right to be granted with regard to data protection rights asserted.

Why, with the MiFID II regulations on the one hand and the GDPR, two protective laws should exist side by side, which fundamentally could not offer any scope for the officially accepted balancing of legal interests, remains open. Why with the MiFID Roman II regulations on the one hand and the GDPR two protective laws should exist side by side should, which fundamentally could not offer any scope for the officially accepted balancing of legal interests, remains open.

According to Section 24 Paragraph 1 DSG, every data subject has the right to lodge a complaint with the data protection authority if they are of the opinion that the processing of personal data concerning them (among other things) violates Section 1 DSG, which also protects the right to secrecy. violates. According to paragraph 24, paragraph one, of the DSG, every data subject has the right to lodge a complaint with the data protection authority if he or she is of the opinion that the processing of personal data concerning him or her (among other things) violates paragraph one of the DSG, which also includes the right to confidentiality protects, violates.

According to § 24 Para. 2 Z 5 DSG, the complaint must contain the request and establish the alleged violation of the law. If a complaint proves to be justified, it must be followed in accordance with Section 24 (5) first sentence DSG. According to paragraph 24, paragraph 2, number 5, DSG, the complaint must contain the request and establish the alleged violation of the law. If a complaint proves to be justified, it must be followed in accordance with paragraph 24, paragraph 5, first sentence of the DSG.

The law therefore explicitly provides for a legal remedy in the event of a data protection violation as part of the complaint, which must be followed in accordance with Section 24 (5) DSG if it proves to be justified. As a legal remedy in the event of a data protection violation, the law explicitly provides for a request for a declaratory judgment as part of the complaint, which must be followed in accordance with Section 24, Paragraph 5, DSG if it proves to be justified.

The Administrative Court therefore has no doubts that the data protection authority has the jurisdiction to determine, on the basis of a complaint that turns out to be justified, that a complainant has violated his right to confidentiality of personal data concerning him.

When determining the legal quality and content of an application, according to case law, it is not the designation by the intervener or “random verbal forms” (VwGH June 15, 2004, 2003/18/0321) that matters, but rather the content of the application Submission to (VwGH September 18, 2002, 2000/07/0086; November 6, 2006, 2006/09/0094; September 19, 2013, 2011/01/0146; VfSlg 17.082/2003; see also VwGH 11. 11. 2004, 2004/16/0043), i.e. to the recognizable and deducible goal (request [VwGH February 26, 2003, 2002/17/0279]) of the intervener (VwGH March 22, 2000, 99/04 /0203).When determining the legal quality and content of an application, according to case law, it is not the designation by the intervener or “random verbal forms” that matters (VwGH June 15, 2004, 2003/18/0321), but rather on the content of the submission (VwGH September 18, 2002, 2000/07/0086; November 6, 2006, 2006/09/0094; September 19, 2013, 2011/01/0146; VfSlg 17.082/2003; compare also VwGH 11/11/2004, 2004/16/0043), i.e. to the recognizable and deducible goal (request [VwGH 2/26/2003, 2002/17/0279]) of the intervener (VwGH 3/22/2000 , 99/04/0203).

In the case of administrative acts that require an application, it is inadmissible to give an interpretation to the party's request, contrary to the party's declared wishes, which cannot be deduced directly from the wording of the request, even if the request, as it was made, is hopeless or even inadmissible from the outset like (VwSlg 10.179 A/1980; VwGH 20. 10. 2004, 2004/04/0105; 20. 10. 2011, 2009/11/0269; see also VwGH 12. 9. 1996, 96/20/0530; 6. 11. 2006, 2006/09/0094; 3. 10. 2013, 2012/06/0185).In the case of administrative acts requiring an application, it is inadmissible to give an interpretation to their request that is not clear from the wording of the request, contrary to the party's declared will can be immediately deduced, even if the request, as it was made, may be hopeless or even inadmissible from the outset (VwSlg 10.179 A/1980; VwGH 20. 10. 2004, 2004/04/0105; 20. 10. 2011, 2009/11/0269; see also VwGH September 12, 1996, 96/20/0530; November 6, 2006, 2006/09/0094; October 3, 2013, 2012/06/0185).

In his data protection complaint, the MB relies on a violation of Art. 6 Para. 1 GDPR by the BF and justifies this, among other things, by the fact that by saving the tape recording of the telephone conversation with him, the BF is processing his personal data without his consent and thus violates Art. 6 Paragraph 1 GDPR. In his data protection complaint, the MB relies on a violation of Article 6, paragraph one, GDPR by the BF and justifies this, among other things, by the fact that by saving the tape recording of the telephone conversation with him, the BF is processing his personal data without his consent and thus Article 6 , paragraph one, GDPR violate.

The violation of Art. 6 Para. 1 GDPR leads to a possible violation of the right to secrecy according to Section 1 Para. 1 DSG. In the present case, the authority concerned therefore rightly assumed that the MB was seeking a determination of the violation of the right to secrecy. The violation of Article 6, paragraph one, GDPR results in a possible violation of the right to secrecy according to paragraph one , paragraph one, DSG. In the present case, the authority concerned therefore rightly assumed that the MB was seeking a determination of the violation of the right to secrecy.

Contrary to the BF's assertion, the determination of the authority concerned does not necessarily have to clarify a legal relationship for the future (in the civil procedural sense) in order to thereby eliminate any legal risk to the applicant. With regard to the authority concerned and the applicant's interest in making determinations, the Administrative Court (Ro 2022/04/0001, October 19, 2022) has raised the question of whether the data protection authority has the right to do so in accordance with Article 58 (2) of the GDPR remedial powers have the authority to make a legally binding declaration of their own motion regarding the illegality of the processing operation under investigation, it was decided, in connection with the distinction between the ex officio procedure pursuant to Article 58 Para. 2 GDPR and the individual complaint pursuant to Section 24 DSG, that § 24 DSG gives the person whose personal rights have been violated the opportunity to have the violation of rights that has occurred against them determined. Contrary to the BF's assertion, the determination of the authority concerned does not have to clarify a legal relationship for the future (in the civil procedural sense) in order to do so to eliminate any legal risk to the applicant. With regard to the authority of the authority concerned and the interest of an applicant in making the determination, the Administrative Court (Ro 2022/04/0001, October 19, 2022) has raised the question of whether the data protection authority has the right to do so in accordance with Article 58, Paragraph 2, GDPR remedial powers have the authority to make a legally binding declaration of their own motion regarding the illegality of the processing operation under investigation, decided in connection with the distinction between the ex officio procedure pursuant to Article 58, Paragraph 2, GDPR and the individual complaint pursuant to Paragraph 24, DSG. that Paragraph 24, DSG gives the person whose personal rights have been violated the opportunity to have the violation of their rights determined against them.

4.2.5. On the application of Section 33 Paragraphs 2 and 3 WAG:4.2.5. On the application of paragraph 33, paragraphs 2 and 3 WAG:

The BF's further argument on 6 (incorrect legal assessment) must be countered by the fact that it does not make any specific reference to the established (not in doubt) facts or the specific content of the telephone call. All of the BF's arguments, which generally refer to the existence of the obligations under Section 33 Paragraphs 2 and 3, can therefore remain uncommented insofar as their fundamental applicability is not in question and the only thing that needs to be assessed here is whether the person concerned is specifically affected The content of the telephone conversation with the MB as determined by the authority was subject to the recording obligation or not. In this respect, solving the case does not require addressing the considerations set out under 6.1 regarding derogation with regard to the GDPR and MiFID II refers to the facts established (not in doubt) and the specific content of the telephone call. All arguments of the BF, which generally refer to the existence of the obligations according to paragraph 33, paragraphs 2 and 3, can therefore remain uncommented insofar as their basic applicability is not in question and it is only to be assessed here whether the specifically affected by the The content of the telephone conversation with the MB as determined by the authority was subject to the recording obligation or not. In this respect, solving the case does not require addressing the considerations set out under 6.1 regarding derogation with regard to the GDPR and MiFID Roman II.

However, if the BF states that any legal interpretation contrary to Union law (here contra the MiFID II Directive) must be carefully derived and justified, this must also refer to the data protection law established in Union law. However, if the BF states that any legal interpretation contrary to Union law (here contra the MiFID Roman II Directive) must be carefully derived and justified, this must also refer to the data protection law established in Union law.

If the BF subsequently considers the arguments of the authority concerned in relation to Recital 57, last sentence on MIFID II, to be too short-sighted and refers to other passages of Recital 57 presented under 6.1 of the complaint, the passages and references presented there also relate to customer orders, whereby, according to the established facts, it was not a specific securities-related customer order that was the topic of discussion, but the inquiry about a limit for orders via online banking, thus abstractly the question of transfer modalities without reference to securities law authority with regard to ErwG 57 last sentence to MIFID Roman II as too short and refers to further passages of ErwG 57 presented under 6.1 of the complaint, the passages and references presented there also relate to customer orders, whereby according to the established facts just The topic of discussion was not a specific securities-related customer order, but rather the question of a limit for orders via online banking, thus abstractly the question of transfer modalities without reference to securities law.

The further explanations of the BF to 6.2 on the content of the obligations from § 33 Para. 2 and 3 WAG 2018 are correct, although not relevant for the assessment of the case. The further statements of the BF to 6.2 on the content of the obligations from Paragraph 33, Para 2 and 3 WAG 2018 are correct, although not relevant to the assessment of the case.

If - again not with reference to the specific content of the telephone call - the BF subsequently wants to clarify ESMA's view of the interpretation of MiFID II, according to which all telephone calls (from start to end) must be recorded, the following should be stated: ESMA is currently taking in their Answer 8 this refers to “all relevant telephone conversations”. However, according to ESMA, “relevant telephone conversations” are only the contract-related calls mentioned in Answer 11 (see below). If - again not with reference to the specific content of the telephone call - the BF subsequently wants to clarify ESMA's view of the interpretation of MiFID Roman II, according to which all telephone calls (from start to end) must be recorded, the following should be stated: ESMA takes especially in your Answer 8 regarding “all relevant telephone conversations”. However, according to ESMA, “relevant telephone conversations” are only the contract-related calls mentioned in Answer 11 (see below).

The essential legal basis on which the BF relies in the proceedings remains the obligation of the legal entity implemented in Section 33 Paragraphs 2 and 3 WAG to keep records of the services mentioned there, which relate to the acceptance, transmission and execution of customer orders as well as those related thereto Initiation discussions. The main legal basis on which BF relies in the process remains the obligation of the legal entity to keep records of the services mentioned there, as implemented in Section 33, Paragraphs 2 and 3 WAG, which relate to the acceptance, transmission and execution of customer orders and the related services Initiation discussions.

The BF itself recognizes, among other things. in its statement of September 9, 2020, that the “services” mentioned in Article 33 Paragraphs 2 and 3 WAG are “investment services” (point 4, 2nd paragraph there). The BF itself recognizes, among other things. in its statement of September 9, 2020, that the “services” mentioned in Article 33, paragraphs 2 and 3 WAG are “investment services” (point 4, 2nd paragraph there).

Although the wording of Section 33 Paragraphs 1, 2 and 3 WAG itself does not contain the term “securities”, the legal basis of the WAG, as one of several legal bases for credit institutions such as the BF, is by definition related to securities (Section 1 Z 1 “ Investment firm”; § 1 Z 3 “Investment services” [those for third parties, Seggermann in Brandl/Saria, WAG 2018², § 1 Rz 13, as of March 1, 2018, rdb.at], “Investment activities”). The more detailed regulations regarding notification of the recording of telephone conversations (Section 33 Paragraph 5 WAG) as well as a ban on recording in the event of information not being provided in advance (Paragraph 6) already contain an explicit reference to “securities” services, whereby these provisions are inextricably linked to the Obligation to record in accordance with paragraphs 2 and 3. Although the wording of paragraph 33, paragraph one, 2 and 3 of the WAG itself does not contain the term “securities”, the legal basis of the WAG, as one of several legal bases for credit institutions such as the BF, is by definition related to securities (paragraph one, Number one, “Investment firm”; Paragraph one, Number 3, “Investment services” [those for third parties, Seggermann in Brandl/Saria, WAG 2018², Paragraph one, Rz 13, as of March 1, 2018, rdb.at], “Investment activities”) . An explicit reference to “securities” services emerges from the more detailed regulations regarding notification of the recording of telephone conversations (Section 33, Paragraph 5, WAG) and a ban on recording in the event that information has not been provided in advance (Section 6). relate inseparably to the recording obligation pursuant to paragraphs 2 and 3.

The same also applies to the obligation of investment firms to provide certain notifications regarding the acceptance and execution of orders for new and existing customers in accordance with Article 16 Paragraph 8 of Directive 2014/65/EU before carrying out investment services and activities. The same also applies to the obligation of investment firms to provide certain notifications regarding the acceptance and execution of orders to new and existing clients before carrying out investment services and activities in accordance with Article 16 paragraph 8 of Directive 2014/65/EU.

The administrative court therefore assumes that, both based on the directive and national implementation, the recording obligations of telephone conversations (Section 33 Paragraphs 2 and 3 WAG) relate to investment services of the type specified in more detail, whereby BF's own transactions (those "for its own account") are subject-related be disregarded. The administrative court therefore assumes that, based on both the directive and the national implementation, the recording obligations for telephone conversations (Section 33, Paragraphs 2 and 3 WAG) relate to investment services of the type specified in more detail, whereby BF's own transactions (those "for its own account") remain out of consideration in relation to the facts.

The content of the conversation was how the MB could best order a money transfer that exceeded the limit for online banking orders. He wanted to inquire how he could transfer larger amounts than was possible through online banking.

This matter has no apparent reference to an investment service. No such connection was claimed by either party. Direct application of the provisions of Section 33 Paragraphs 2 and 3 WAG is therefore ruled out as a basis for an obligation to record the underlying telephone call. The BF did not claim a European legal basis that could be assessed independently of this. This matter has no apparent reference to an investment service. No such connection was claimed by either party. Therefore, direct application of the provisions of Section 33, Paragraphs 2 and 3 WAG cannot be used as a basis for an obligation to record the underlying telephone call. The BF did not claim a European legal basis that could be assessed independently of this.

4.2.6. If the BF refers to the recording obligation according to ESMA “from start to end”, this can also only refer to securities order-related services (see 4.2.5. above and 4.2.9. below).

4.2.7. The BF must admit that it can actually pose a challenge for a credit institution with securities business to decide at the start of a telephone conversation whether content that requires recording is to be discussed or not. However, the existence of this problem does not per se justify extending the recording obligation to all telephone conversations, as the BF apparently assumed. However, it is by no means structurally possible or only possible retrospectively to distinguish between conversations that require recording on the one hand and conversations that do not require recording on the other. It is certainly possible to clarify the content of a conversation at the beginning to such an extent that one path or the other can be taken initially. If a conversation that is initially not considered to require recording in this way subsequently takes a course that leads to an obligation to record, it is at least possible to resort to a recording option in this case, taking into account today's technical possibilities.

See also draft of a second law amending financial market regulations based on European legal acts - Second Financial Market Amendment Act - 2nd FiMaNoG p. 244f, https://dserver.bundestag.de/btd/18/109/1810936.pdf:

“If the customer expressly does not request any advice and places the order for a specific financial instrument on his own responsibility (advice-free business), the summary of the transaction must be confirmed to the customer at the latest when the order is placed and it must be pointed out that the order is being placed without advice . This part of the conversation must be recorded.”

However, how such circumstances can be technically implemented in detail is not the subject of this procedure.

4.2.8. The BF also wrongly believes that a separation of customer conversations that require recording and those that do not require recording is legally inadmissible. The BF remains evidence of the relevant issues under 6.4. guilty of the claim made in the complaint and thus negates the essence of data protection, in particular the principle of data minimization.

If the BF were to implement the recording obligation to the extent that it assumes this to be a legal requirement in the context of its legal statements, it would not be understandable why conversations between customers and their customer advisors are generally excluded from recording, even though these conversations in particular are primarily serve to implement customer orders or to transmit information about later planned transactions.

The further considerations made there on investment services do not need to be commented on because no investment services are involved in this specific case.

4.2.9. When the BF states in 6.5 that national supervisory authorities, including the FMA, are expected to ensure that credit institutions and investment firms adhere to the requirements of the ESMA (which the MB describes as “non-legally binding soft law”), it does not show that these requirements require a complete recording of all telephone calls made between credit institutions and customers, but - as shown - only the “relevant telephone conversations”, which only includes the constellations mentioned in Section 33 Paragraphs 2 and 3. The BF also fails to explain why supervisory authorities do not have to apply legally binding regulations. 4.2.9. When the BF states in 6.5 that national supervisory authorities, including the FMA, are expected to ensure that credit institutions and investment firms adhere to the requirements of the ESMA (which the MB describes as “non-legally binding soft law”), it does not show that these requirements require a complete recording of all telephone calls made between credit institutions and customers, but - as shown - only the “relevant telephone conversations”, which only includes the constellations mentioned in paragraph 33, paragraphs 2 and 3. The BF also fails to explain why supervisory authorities do not have to apply legally binding regulations.

4.2.10. If the BF last states under 6.7 that all telephone conversations that are abstractly suitable for initiating a securities transaction or are related to a service that can lead to the acceptance, transmission or execution of a customer order must be recorded; The obligation to record applies to almost all telephone calls, so it differs from the above under 4.2.5. presented European and national regulatory regime, according to which it is said that such services relate to the acceptance, transmission and execution of customer orders that relate to investment services.

As shown, the MB inquired about the findings of the BF as to how he could transfer a certain amount of money (and thus above the online banking limit). As stated, this does not mean any service with any possible connection to securities law.

The BF's assumption that only conversations with porters about opening times or with the chairman of the board, who does not have customer conversations with customers, do not need to be recorded is therefore too narrow and not compatible with Section 33 WAG. The BF's assumption that only conversations with porters about opening times or with the CEO, who does not have customer conversations with customers, do not need to be recorded is therefore too narrow and not compatible with paragraph 33, WAG.

4.2.11. It may be that the implementation of a (partially) manual solution can lead to errors, incompleteness and conflicts of interest. However, this cannot lead to the data protection requirements being ignored and all customer conversations being recorded almost completely in an exaggerated interpretation of the recording obligations of Section 33 Paragraphs 2 and 3 WAG. This would be a serious interference with the right to informational self-determination by recording telephone conversations without consent. If the BF refers to the fact that all customer conversations are recorded by telephone, it is not clear to what extent it has “implemented the principle of proportionality under data protection law in the best possible way” through this approach. 4.2.11. It may be that the implementation of a (partially) manual solution can lead to errors, incompleteness and conflicts of interest. However, this cannot lead to data protection requirements being ignored and all customer conversations being recorded almost completely in an exaggerated interpretation of the recording obligations of Section 33, Paragraphs 2 and 3 WAG. This would be a serious interference with the right to informational self-determination by recording telephone conversations without consent. When the BF refers to the fact that all customer conversations are recorded by telephone, it is not clear to what extent it has “implemented the data protection principle of proportionality in the best possible way” through this approach.

4.2.12. The BF therefore failed to demonstrate in the complaint that there was an obligation to record the undisputed content of the telephone call, so that the relevant authority was right to determine a breach of confidentiality in this regard. In this respect, reference is made to the relevant legal assessment of the authority concerned.

Finally, it should be noted that the legal bases according to the Payment Services Act and a balancing in favor of BF according to Art 6 Paragraph 1 lit f GDPR, which were denied by the authority concerned in the administrative procedure, were no longer included in the complaint due to quality assurance and there is no evidence that this applies of this argument (in proceedings before the administrative authority). Finally, it should be noted that the legal bases according to the Payment Services Act, which were denied by the authority concerned in the administrative procedure or a balancing in favor of the BF according to Article 6, paragraph one, letter f, GDPR, were no longer included in the complaint due to quality assurance and there are no clues whatsoever for the validity of this argument (in the proceedings before the administrative authority).

5. The BF requested that an oral hearing be held, but left the established facts undisputed. Since ultimately only legal circumstances had to be discussed on the basis of established facts, there was no need for an oral hearing.

6. The ruling that the appeal is inadmissible is based on the fact that individual case-related considerations ultimately had to be made based on legal provisions, in particular Section 33 Paragraphs 2 and 3 WAG.6. The ruling that the appeal was inadmissible is based on the fact that individual case-related considerations ultimately had to be made based on legal provisions, in particular Section 33, Paragraphs 2 and 3 WAG.