BVwG - W292 2248134-1

BVwG - W292 2248134-1

Court:	BVwG (Austria)
Jurisdiction:	Austria
Relevant Law:	Article 15 GDPR Article 57(4) GDPR
Decided:	27.02.2023
Published:
Parties:
National Case Number/Name:	W292 2248134-1
European Case Law Identifier:
Appeal from:	DSB (Austria)
Appeal to:	Pending appeal
Original Language(s):	German
Original Source:	BVwG (Austria) (in German)
Initial Contributor:	mg

The Federal Administrative Court of Austria held that the Austrian DPA did not violate Article 57(4) GDPR by refusing to act on a complaint lodged in the context of 16 similar claims by the same data subject.

English Summary

Facts

A data subject sent an access request to 16 different controllers in multiple countries pursuant to Article 15 GDPR. Deeming the reply of these controllers not sufficient, the data subject lodged several complaints with the Austrian DPA. In the context of one of these complaints, the supervisory authority held that the request was excessive and dismissed it pursuant to Article 57(4) GDPR. The data subject appealed the decision before the Austrian federal administrative court supported by the non-profit noyb.

Holding

The data subject lodged a complaint with the Austrian DPA for an alleged violation of Article 15 GDPR by one of the controllers. The DPA dismissed the claim on the basis of Article 57(4) GDPR. According to such provision, a DPA may charge a reasonable fee or refuse to act when a data subject’s request is either manifestly unfounded or excessive. Article 57(4) GDPR specifically mentions the case of repetitive claims.

The federal administrative court pointed out to the fact that 16 almost identical complaints by the same data subject and in a time span of 7 months was a considerable amount of work for the supervisory authority.

Another relevant point in assessing whether the claim was excessive was the fact that several controllers were based outside Austria and sometimes outside the EU. Due to the cooperation mechanisms envisaged by Articles 56 and following GDPR, the Austrian DPA would be forced to invest a large amount of resources in dealing with the data subject’s request. Concerning the controllers that were not based in the EU, the DPA was instead fully dependent on the availability to cooperate of other (when existent) supervisory authorities.

The fact that in some cases only one day elapsed between the month envisaged by Article 12(3) GDPR as a deadline for the controller’s reply and the complaints was also an element suggesting that the request was excessive.

In light of the above, the federal administrative court endorsed the supervisory authority’s assessment and dismissed the appeal brought by the data subject.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

decision date

02/27/2023

standard

B-VG Art133 Para.4
DSG §18 paragraph 1
DSG §24 paragraph 1
DSG §24 paragraph 5
DSG §24 paragraph 8
GDPR Art51 Para
GDPR Art57 Para.1 litf
GDPR Art57 Para
GDPR Art77 Para
VwGVG §28 paragraph 2

B-VG Art. 133 today B-VG Art. 133 valid from 01.01.2019 to 24.05.2018 last amended by Federal Law Gazette I No. 138/2017 B-VG Art. 133 valid from 01.01.2019 last amended by Federal Law Gazette I No. 22/2018 B-VG Art. 133 valid from 05/25/2018 to 12/31/2018 last changed by Federal Law Gazette I No. 22/2018 B-VG Art. 133 valid from 08/01/2014 to 05/24/2018 last changed by BGBl I No. 164/2013 Federal Constitutional Law Art by BGBl. I No. 100/2003 B-VG Art. 133 valid from 01.01.1975 to 31.12.2003 last amended by BGBl. No. 444/1974 B-VG Art. 133 valid from 25.12.1946 to 31.12.1974 last amended by Federal Law Gazette No. 211/1946 B-VG Art. 133 valid from December 19, 1945 to December 24, 1946 last amended by StGBl. No. 4/1945 B-VG Art. 133 valid from 01/03/1930 to 06/30/1934

DSG Art. 2 § 18 today DSG Art. 2 § 18 valid from May 25th, 2018 last changed by Federal Law Gazette I No. 120/2017 DSG Art. 2 § 18 valid from January 1st, 2014 to May 24th, 2018 last changed by Federal Law Gazette I No. 83/2013 DSG Art. 2 § 18 valid from 01.04.2005 to 31.12.2013 last changed by Federal Law Gazette I No. 13/2005 DSG Art. 2 § 18 valid from 01.01.2000 to 31.03.2005

DSG Art. 2 § 24 today DSG Art. 2 § 24 valid from May 25th, 2018 last changed by Federal Law Gazette I No. 120/2017 DSG Art. 2 § 24 valid from January 1st, 2010 to May 24th, 2018 last changed by Federal Law Gazette I No. 133/2009 DSG Art. 2 § 24 valid from 01.01.2000 to 31.12.2009

VwGVG § 28 today VwGVG § 28 valid from 01/01/2019 last amended by Federal Law Gazette I No. 138/2017 VwGVG § 28 valid from 01/01/2014 to 12/31/2018

saying

W292 2248134-1/5E

IN THE NAME OF THE REPUBLIC!

The Federal Administrative Court, through the judge Mag. Herwig ZACZEK as chairman and the expert lay judges Mag. René BOGENDORFER and Mag.a Martina CHLESTIL as assessors, on the complaint from XXXX in XXXX Vienna, represented by NOYB - European Center for Digital Rights, Goldschlagstraße 172 /4/3/2 in 1140 Vienna, against the decision of the data protection authority of August 31, 2021, Zl. D124.4538 (2021-0.574.522), rightly recognized in a closed session:

a)

The complaint is dismissed as unfounded in accordance with Section 28 (2) of the Administrative Court Procedure Act, Federal Law Gazette I No. 33/2013 as amended (VwGVG).

b)

The revision is permissible according to Art. 133 Para. 4 B-VG.

text

Reasons for decision:

I. Procedure:

1. In his submission (data protection complaint) to the Austrian data protection authority (responsible authority) of August 2nd, 2021, the complainant alleged a violation of the right to information under Art. 15 GDPR and summarized that the respondent (the party involved in the published proceedings ) was not fully responded to his request for information.

2. With a contested decision dated August 31, 2021, the relevant authority refused to deal with the complaint within the meaning of Art. 57 (4) GDPR. In justification, the authority concerned explained that - since the complainant submitted a total of 16 similar complaints against different persons responsible for data protection law, mostly based abroad, between February and August 2021 - the complainant's use of the authority was to be qualified as excessive and the treatment of the complaint was to be rejected.

3. In a letter dated November 8, 2021, the authority concerned submitted the complaint to the Federal Administrative Court, followed by a statement and the administrative file.

II. The Federal Administrative Court considered:

1. Findings:

1.1. Between February 2021 and August 2021, the complainant brought a total of 16 complaints to the relevant authority.

1.2. In the majority of his submissions, the complainant submitted that he had submitted a request for information to the person responsible for data protection and that the person responsible had not answered his request for information after the period of one month had expired. An exemplary representation of the pending proceedings at the relevant authority gives the following picture:

- 13130.631: Complaint against the controller " XXXX " based in the Netherlands; On January 6, 2021, the complainant submitted a request for information in German to the person responsible and lodged a complaint with the relevant authority on February 7, one day after the one-month period had expired.

- 13130.634: Complaint against the controller " XXXX " based in the Netherlands; On January 6, 2021, the complainant submitted a request for information in German to the person responsible and lodged a complaint with the relevant authority on February 7, one day after the one-month period had expired.

- 13130.632: Complaint against the controller " XXXX " located in the United States; On January 6, 2021, the complainant submitted a deletion request in German to the person responsible and lodged a complaint with the relevant authority on February 7, one day after the one-month period had expired.

- 13130.645: Complaint against the data controller "XXXX" based in Italy; On January 13, 2021, the complainant submitted a deletion request in Italian to the person responsible and on February 25, 2021, about one and a half weeks after the one-month period had expired, lodged a complaint with the relevant authority.

- 13130.647: Complaint against the person responsible " XXXX " based in Germany; On January 21, 2021, the complainant sent a request for information to the person responsible by registered letter and lodged a complaint with the relevant authority on February 26, 2021, a few days after the one-month period had expired.

- 13130.687: Complaint against controller "XXXX" believed to be located in Ireland; the complainant submitted an erasure request in English to the controller on February 20, 2021 and on April 26. 2021 Complaint to the relevant authority.

- 13130.743: Complaint against Controller "XXXX" located in Australia; On April 16, 2021, the complainant submitted a request for information in English to the person responsible and on May 26, 2021, about one and a half weeks after the one-month period had expired, lodged a complaint with the relevant authority.

1.3. The data protection complaint in the present case was based on the (alleged) facts that the person responsible did not complete a request for information from the complainant dated July 2nd, 2021 within one month, whereas the complainant submitted the application to initiate the procedure to the data protection authority on August 2nd, 2021.

2. Evidence assessment:

The findings result from the harmless administrative files and hg. Procedural files, whereby the complainant did not contest the factual findings of the authority concerned.

3. Legal assessment:

According to § 6 BVwGG, the Federal Administrative Court decides through a single judge, unless federal or state laws provide for the decision to be made by senates.

Since the object of the complaint is a decision by the Austrian data protection authority, the Senate has jurisdiction in the present case in accordance with § 27 DSG.

The procedure of the administrative courts, with the exception of the Federal Finance Court, is regulated by the VwGVG, Federal Law Gazette I No. 33/2013 (§ 1 leg.cit.). Pursuant to Section 58 (2) VwGVG, conflicting provisions that were already promulgated at the time this federal law came into force remain in force.

According to § 17 VwGVG, unless otherwise specified in this federal law, the provisions of the AVG with the exception of §§ 1 to 5 and Part IV, the provisions, apply to the procedure for complaints pursuant to Art. 130 Para. 1 B-VG the Federal Fiscal Code - BAO, Federal Law Gazette No. 194/1961, the Agricultural Procedures Act - AgrVG, Federal Law Gazette No. 173/1950, and the Service Law Procedures Act 1984 - DVG, Federal Law Gazette No. 29/1984, and otherwise those procedural provisions in federal or state laws that the authority applied or should have applied in the proceedings preceding the proceedings before the administrative court.

to A)

3.1. Applicable law:

The authority concerned based its decision on the following legal provisions:

Article 51 paragraph 1, Article 57 paragraph 1 letter f and Article 77 paragraph 1 of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of data and to repeal Directive 95/46/EC (General Data Protection Regulation - GDPR) OJ L 119 of May 4th, 2016, Sections 18 (1) and 24 of the Data Protection Act - DSG, Federal Law Gazette I No. 165/1999 as amended. These provisions were also to be used in the present complaints procedure before the Federal Administrative Court.

Art. 51, 57 and 77 GDPR read in extracts:

"Art. 51

supervisory authority

1. Each Member State shall provide for one or more independent authorities to be responsible for supervising the application of this Regulation in order to protect the fundamental rights and freedoms of individuals with regard to processing and to facilitate the free movement of personal data within the Union."

"Art. 57 GDPR

Tasks

(1) Without prejudice to other tasks set out in this Regulation, each supervisory authority in its territory

[...]

f) dealing with complaints from a data subject or complaints from a body, organization or association in accordance with Article 80, investigating the subject matter of the complaint to an appropriate extent and informing the complainant of the progress and the result of the investigation within a reasonable period of time, in particular, if further investigation or coordination with another supervisory authority is necessary;

[...]

(4) In the case of manifestly unfounded or - in particular in the case of frequent repetition - excessive requests, the supervisory authority may charge a reasonable fee based on the administrative costs or refuse to act on the request. 2In this case, the supervisory authority bears the burden of proof that the application is manifestly unfounded or excessive.

"Art. 77 GDPR

Right to lodge a complaint with a supervisory authority

(1) Without prejudice to any other administrative or judicial remedy, each data subject has the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, their place of work or the place of the alleged infringement, if the data subject believes that the processing of the personal data concerning them violates this regulation."

§§ 18 paragraph 1 and 24 paragraphs 1, 5 and 8 DSG read:

"Art. 2 § 18

2nd section

Data Protection Authority

Furnishings

§ 18. (1) The data protection authority is set up as a national supervisory authority in accordance with Art. 51 GDPR.

3rd section

Remedies, Liability and Penalties

Complaint to the data protection authority

Section 24. (1) Every data subject has the right to lodge a complaint with the data protection authority if they believe that the processing of their personal data violates the GDPR or Section 1 or Article 2, Part 1.

[...]
(5) If a complaint proves to be justified, it must be followed. If an infringement is attributable to a person responsible for the private sphere, the person responsible must be instructed to comply with the complainant's requests for information, correction, deletion, restriction or data transfer to the extent necessary to eliminate the identified infringement. If the complaint proves to be unjustified, it must be dismissed.

[...]

(8) Any data subject may appeal to the Federal Administrative Court if the data protection authority does not deal with the complaint or has not informed the data subject of the status or the outcome of the complaint within three months.

3.2. The following is stated in the scientific literature on Article 57 (4) GDPR:

"An exception can be made to the exemption from the fee for those affected in the case of manifestly unfounded or excessive requests, but the fee may only be charged on the basis of administrative costs. The fee must not exceed the administrative burden of processing, as it is not an abuse fee, but a processing fee.

In these cases, the supervisory authority can also refuse to act on the basis of the request. In this case, the supervisory authority bears the burden of proving the manifestly unfounded or excessive nature of the request. However, a refusal does not mean that the supervisory authority can simply ignore a request. She can only refuse to take action on the content. At least in the case of obviously unfounded inquiries, an improvement order will first have to be issued in accordance with Section 13 (3) AVG. After the deadline set by the DSB for the improvement has expired without result, the request can be rejected by resolution. Inquiries in the sense of applications in which the applicant has no individual entitlement to a service from the supervisory authority (e.g. general consulting services) can be rejected without further ado, since paragraph 4 does not apply in such cases" (Zavadil in Knyrim, DatKomm Art. 57 GDPR, paragraph 27, as of March 1st, 2021, rdb.at).

In the following, literature on excessiveness is cited, which refers to Art. 57 Para. 4 GDPR, but also partly to the almost word-identical provision of Art. 12 Para. 5 GDPR aimed at the person responsible:

The supervisory authority can only reject applications if they are manifestly unfounded or disproportionate, with the number of applications playing an important role (Nguyen in Gola, DS-GVO, 2nd edition, Art 57 margin no. 22).

The frequent repetition of the application is only considered excessive within the meaning of the norm [Art. 12 para. 5 sentence 2] if this is done without a legitimate reason. Therefore, this case group comes into consideration if the applicant submits further (almost) identical applications despite lawful information being provided or refusal by the person responsible. By using the word "in particular", the legislator also shows that he would also like other forms of excessive applications to be recorded. For example, abusive applications are conceivable, solely with the aim of harassing the person responsible ((Heckmann/Paschke in Ehmann/Selmayr, General Data Protection Regulation, 2nd edition, Art. 12 margin no. 43).

Examples are:

 Drugs who provide nonsensical or repeatedly inquiries, so that the activity of the supervisory authority is seriously impaired or even paralyzed (Selmayr in Ehmann/Selmayr, General Data Protection Regulation, 2nd edition, Art. 57 Rz 24)

An application is not excessive simply because it causes a lot of processing work. Rather, what is required is abusive behavior on the part of the applicant. [Art. 12] Paragraph 5 Sentence 2 Alt. 2 cites the frequent repetition of the application as an example of this. The vexatious assertion of a data subject's right with the aim of harming the person responsible also falls under [Art. 12] para. 4 sentence 2 alternative 2 (Bäcker in Kühling/Buchner, DS-GVO • BDSG, 2nd edition, Art. 12 Rz 37).

The excessive character is fulfilled if the processing of the inquiries clearly exceeds the average effort and time required for comparable cases and the increased effort is also due to an excessive abundance of insubstantial or excessive explanations; it is not sufficient for a BF to make repeated appearances in comparable cases or for him to repeatedly lodge complaints against a specific data processing operation at regular intervals; the high time required for processing or the comparatively banality of the legal assessment alone does not permit classification as excessive (Polenz in Simitis|Hornung|Spiecker [ed.], data protection law, GDPR with BDSG, Art. 57 margin no. 58).

Applied to the present case, this means the following:

3.3. On the excessiveness of the complaint:

3.3.1. The authority concerned considered the factual requirement of excessiveness of Art. 57 Para. 4 GDPR to be met.

As noted, between February and August 2021, the complainant brought sixteen complaints proceedings before the competent authority, with those responsible for data protection mostly being companies or organizations based in other Member States, but also in some cases in the USA and Europe have Australia; Subsequently, the complainant lodged a complaint with the relevant authority after the expiry of the period specified in Art. 12 (3) 1st sentence GDPR for the person responsible to reply - this is generally one month - whereby in many cases the one-month period at the time only one day has elapsed since the complaint was lodged with the relevant authority.

3.3.2. With regard to the right of refusal within the meaning of Art. 57 (4) GDPR, the assessment of the existence of an “excessive use” of the official activity is, in the opinion of the Senate, an important factor in the assessment, in particular the total volume of complaints made by an individual complainant in a specifically defined area period of time. Otherwise, as the competent authority rightly points out, it will hardly be possible in administrative practice to determine excessiveness in the application. In any case, the number of applications made plays an important role in assessing whether the application by a particular complainant is disproportionate (cf. Nguyen in Gola [ed.], General Data Protection Regulation Commentary, Art. 57, para. 22) .

3.3.3. In relation to the case, it should therefore be noted that the filing of sixteen complaints during a period of only around seven months in similar cases with a foreign connection can be regarded as a considerable number of pending proceedings before the relevant authority.

In the present case constellation, this must be seen in particular against the background that in proceedings in which the persons responsible for data protection have their main office outside Austria, the authority concerned has complex tasks in the course of the cooperation mechanism according to Art. 56 et seq. GDPR: In cases within the meaning of the " According to the one-stop-shop principle, the national supervisory authority remains the complainant’s only point of contact, it initiates the cooperation procedure within the meaning of Art. 56 et seq. The national supervisory authority also has control rights (in particular in the form of a relevant and justified objection pursuant to Art. 60 (4) GDPR) before a decision is made by the lead supervisory authority. In the case of complaints against persons responsible based outside the EEA area, insofar as they are subject to the scope of the GDPR, it should also be pointed out that the authority concerned conducts the procedure itself - in the absence of partner authorities and a cooperation mechanism. In such cases, such as in the case of states such as the USA or Australia, the relevant authority – in the absence of international agreements – is dependent on the (voluntary) administrative assistance of the foreign authorities when it comes to the legally effective delivery of official documents. Contrary to the legal view expressed by the complainant, in light of the legal and factual requirements presented in connection with data protection complaint procedures against those responsible based outside of Austria, it was found that these require a far above-average use of time and human resources on the part of the authority concerned.

3.3.4. In the present case, this had to be contrasted with the fact that the data protection complaint – similar to the other proceedings brought before the relevant authority by the complainant – was based on an application for information pursuant to Art. 15 GDPR that was not dealt with within the one-month deadline for replying. In this regard, it should be noted that the non-compliance with the deadline for the person responsible to respond - in this case, the request for information to the person responsible dates from July 2nd, 2021 and the related complaint to the relevant authority from August 2nd, 2021 - affected the complainant as a person affected by data protection law to a relatively small extent affect his subjective rights. Accordingly, Section 24 (6) DSG enables the data protection authority to informally discontinue the official procedure in cases in which the person responsible – even after the deadline of Art. 12 (3) GDPR has expired – responds to a request for information or deletion.

3.3.5. As a result, in the opinion of the adjudicating Senate, in the light of the above statements, taking into account the comparatively minor exceeding of the deadline for responding to requests for information and deletion and the complexity of cross-border issues, on which the proceedings brought by the complainant before the relevant authority are based the processing of such cases, not to oppose the assessment of the authority concerned that in concrete terms it is an excessive exercise of rights within the meaning of Art. 57 Para. 4 DSGVO, which entitled the authority to refuse treatment.

Overall, the reasoning of the authority concerned, which is why the content of the data protection complaint could not be dealt with, was to be followed. This is against the background of the intention of the Union legislature, which intended with Art. 57 (4) GDPR to prevent a few complainants from seriously impairing or even paralyzing the activities of the supervisory authority through unfounded or excessive requests.

3.4. For the cancellation of an oral hearing:

Pursuant to Section 24 (1) VwGVG, the administrative court must hold a public oral hearing upon application or, if it deems it necessary, ex officio.

According to § 24 para. 4 VwGVG - unless otherwise provided by federal or state law - the administrative court can, regardless of a party's application, refrain from a hearing if the files indicate that the oral discussion does not give reason to expect any further clarification of the legal matter, and Neither Art. 6 Para. 1 ECHR nor Art. 47 CFR preclude the omission of the hearing.

In the present case, the omission of an oral hearing could be based on the fact that the facts had been clarified from the file situation. The use of further evidence was not necessary to clarify the facts. There was also no party request for an oral hearing.

Regarding B) Admissibility of the revision:

Pursuant to § 25a Para. 1 VwGG, the administrative court has to pronounce in its ruling or decision whether the revision is admissible according to Art. 133 Para. 4 B-VG. The statement must be briefly justified.

The revision is permissible according to Art. 133 Para. 4 B-VG because the decision depends on the solution of a legal question that is of fundamental importance, since it is based on a case law of the Administrative Court on Section 24 Para. 8 DSG in conjunction with Art. 57 Para. 4 GDPR is missing.

There is no case law of the Administrative Court on the question of which quantitative and qualitative criteria are to be used to justify a refusal by the data protection authority to deal with complaints due to excessive requests within the meaning of the provision of Art. 57 (4) GDPR.