BVwG - W292 2259696-1

From GDPRhub
Revision as of 14:05, 25 April 2023 by MB (talk | contribs) (→‎Facts)
BVwG - W292 2259696-1
Courts logo1.png
Court: BVwG (Austria)
Jurisdiction: Austria
Relevant Law: Article 9(2)(f) GDPR
Decided: 27.02.2023
Published: 29.03.2023
Parties:
National Case Number/Name: W292 2259696-1
European Case Law Identifier: ECLI:AT:BVWG:2023:W292.2259696.1.00
Appeal from: DSB (Austria)
2022-0.370.130
Appeal to: Unknown
Original Language(s): German
Original Source: BVwG (Austria) (in German)
Initial Contributor: mg

The Austrian Federal Administrative Court found that the necessity requirement in Article 9(2)(f) GDPR shall not be interpreted narrowly.

English Summary

Facts

A woman (the controller) used intimate photos of her husband (the data subject) and his lover in a divorce proceeding. According to the data subject, the controller also shared this material with a third party, namely the husband of the other woman involved. The pictures were originally uploaded on a cloud service by the data subject himself. Credentials to access the cloud were noted down in a notebook kept next to the computer, which was accessible to all the members of the family.

The data subject filed a complaint with the Austrian DPA (Datenschutzbehörde - DSB).

The DSB dismissed the complaint. On the one hand, disclosure before the civil court was necessary to prove the data subject’s responsibility in the divorce dispute. On the other hand, disclosure to third parties could not be proved.

Holding

The Federal Administrative Court confirmed that a disclosure to third parties could not be proved. As a matter of fact, the former husband of the data subject’s lover got the pictures only indirectly from an anonymous email addressed to his lawyer. In particular, the Court pointed out to the fact that credentials to access the data subject’s account on the cloud were easily available to everybody living in the house.

Concerning the disclosure in the civil proceeding, the pictures were undoubtedly special categories of personal data under Article 9(1) GDPR, whose processing is in principle prohibited. However, in this case processing was covered by the exception under Article 9(2)(f). The Court stressed that, for the exception to apply, processing should be “necessary” to the purpose stated in this provision, which means that a judicial claim or defence would not be possible without the processing. Nevertheless, such a requirement shall not be interpreted too strictly. In the Court’s opinion, when disclosure in judicial proceeding is deemed not relevant by the judge, this does not automatically entail a violation of Article 9 GDPR. The only case in which Article 9(2)(f) does not apply is when a party in the proceeding consciously and arbitrarily discloses sensitive data unrelated to the facts at issue.

Therefore, the Federal Administrative Court upheld the DPA’s decision and considered the processing lawful.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

decision date

02/27/2023

standard

B-VG Art133 Para.4
DSG §1
DSG §24
GDPR Art17
GDPR Art5
DSGVO Art6 Abs1 litf
GDPR Art9 Para
GDPR Art 9 Para. 2 lita
GDPR Art9 Para.2 litf
VwGVG §28 paragraph 2

B-VG Art. 133 today B-VG Art. 133 valid from 01.01.2019 to 24.05.2018 last amended by Federal Law Gazette I No. 138/2017 B-VG Art. 133 valid from 01.01.2019 last amended by Federal Law Gazette I No. 22/2018 B-VG Art. 133 valid from 05/25/2018 to 12/31/2018 last changed by Federal Law Gazette I No. 22/2018 B-VG Art. 133 valid from 08/01/2014 to 05/24/2018 last changed by BGBl I No. 164/2013 Federal Constitutional Law Art by BGBl. I No. 100/2003 B-VG Art. 133 valid from 01.01.1975 to 31.12.2003 last amended by BGBl. No. 444/1974 B-VG Art. 133 valid from 25.12.1946 to 31.12.1974 last amended by Federal Law Gazette No. 211/1946 B-VG Art. 133 valid from December 19, 1945 to December 24, 1946 last amended by StGBl. No. 4/1945 B-VG Art. 133 valid from 01/03/1930 to 06/30/1934

DSG Art. 1 § 1 today DSG Art. 1 § 1 valid from 01.01.2014 last changed by Federal Law Gazette I No. 51/2012 DSG Art. 1 § 1 valid from 01.01.2000 to 31.12.2013

DSG Art. 2 § 24 today DSG Art. 2 § 24 valid from May 25th, 2018 last changed by Federal Law Gazette I No. 120/2017 DSG Art. 2 § 24 valid from January 1st, 2010 to May 24th, 2018 last changed by Federal Law Gazette I No. 133/2009 DSG Art. 2 § 24 valid from 01.01.2000 to 31.12.2009

VwGVG § 28 today VwGVG § 28 valid from 01/01/2019 last amended by Federal Law Gazette I No. 138/2017 VwGVG § 28 valid from 01/01/2014 to 12/31/2018

saying

W292 2259696-1/9E

IN THE NAME OF THE REPUBLIC!

The Federal Administrative Court, through the judge Mag. Herwig ZACZEK as chairman and the expert lay judges Mag. Kristina VENTURINI, lawyer in 1010 Vienna, against the decision of the data protection authority of July 29, 2022, 2022-0.370.130 / D124.3886, rightly recognized after an oral hearing:

a)

The complaint is dismissed as unfounded in accordance with Section 28 (2) VwGVG.

b)

The revision is not permitted according to Art. 133 Para. 4 B-VG.

text

Reasons for decision:

I. Procedure:

1.1. With the contested decision, the data protection authority (responsible authority) rejected the data protection complaint of the complainant (hereinafter also referred to as BF for short) of April 1, 2021. The object of the complaint was therefore the question of whether the respondent and divorced wife (participating party in the administrative court proceedings) violated the complainant's right to secrecy by accessing intimate photos in the cloud used by the complainant and presenting them in the context of the divorce, and also made the photos in question available to a third party, the then husband of the complainant's new partner.

1.2. The subject of the administrative procedure was also the question of whether the respondent violated the complainant's right to deletion under Article 17 GDPR.

1.3. The authority concerned rejected the complainant's data protection complaint on the grounds that the use of the image files to be subsumed under Art. 9 GDPR for evidence purposes in its own divorce proceedings was covered by Art. 9 (2) GDPR or that a transmission of the data in question to third parties cannot be ascertained. In addition, there was no request for deletion under Art. 17 GDPR, which is why the complaint had to be dismissed on this point as well.

1.4. On January 17, 2023, the Federal Administrative Court conducted an oral complaint hearing in the case at hand, during which the factual and legal situation in the case at hand was discussed with the parties to the proceedings.

II. The Federal Administrative Court considered:

1. Findings:

1.1. XXXX , applicant in the proceedings before the competent authority and complainant in the administrative court proceedings, and XXXX , co-involved party, were married from 1999 and lived in a single-family house with their two children until January 2021. The complainant had requested a divorce since autumn 2020.

1.2. The complainant already had an extramarital relationship with XXXX, an Austrian citizen, kindergarten teacher, residing in XXXX while the marriage was still in force. XXXX was married to XXXX at the time of the incident at issue and the complainant's application to the data protection authority to initiate the proceedings; this marriage was dissolved with the judgment of the District Court of Bruck/Leitha on Zl. XXXX of XXXX 09.2022 through the sole fault of XXXX.

1.3. Photos of the complainant and XXXX were stored on the complainant’s Google account – at least until October 2020. These were several hundred photographs that the complainant himself had produced with his mobile phone and that shared the complainant and XXXX, in show intimate situations. XXXX , the complainant's extramarital partner, is a mutual acquaintance of the complainant and his then wife XXXX .

1.4. The access data for the complainant's Google account in question was noted in a book prior to October 3, 2020, which was kept next to the computer - shared by the family - and was accessible to all family members and other people staying in the family's house .

1.5. It cannot be established that the complainant submitted a written or oral request for deletion within the meaning of Art. 17 GDPR to the party involved on or after October 3, 2020.

1.6. The party involved logged into the Google account in question on October 3, 2020 with the access data of the complainant and subsequently downloaded photos showing the complainant and his partner and subsequently sent them to their lawyer for evidence in the submitted their own divorce proceedings. The photographs in question were suitable for proving an extramarital sexual relationship between the complainant and XXXX.

1.7. It cannot be ascertained exactly which and how many photos the co-involved party downloaded from the applicant's Google account and sent to their divorce lawyer as evidence in preparation for their own divorce proceedings.

1.8. It cannot be established that the co-involved party sent photos taken from the applicant's Google account showing him with XXXX in intimate situations, except to her divorce attorney for evidence in his own divorce proceedings, also to the then-husband of the disturber of marriage, XXXX ( now XXXX ), or has transmitted it to its legal representative or otherwise disclosed it.

2. Evidence assessment:

2.1. The finding that the complainant did not submit an application for deletion within the meaning of Art. 17 GDPR to the party involved in the matter at hand, results from the clear situation in the files in this regard and the statements made by the legal representative of the complainant, who made a statement in the context of the oral hearing verbatim as follows:

“RV: I spoke to the BF's legal representative yesterday. She was not able to provide me with any information about this beyond the available files (criminal complaint to the police because of § 118 StGB). My client, Mr. XXXX, did not provide me with any further information as to whether an application for deletion had been made to the ex-wife beyond the police report."

2.2. The findings on 1.6 to 1.8 result from the statements made by the complainant during the oral hearing before the Federal Administrative Court in conjunction with the available file documents. The complainant was only able to speculate as to whether and how the photos in question from his Google account, which show him and the marriage disrupter XXXX together in intimate situations, came within the sphere of disposal of XXXX ( XXXX ) or his legal representative are [cf. P. 4 of the negotiation document - VHS]. Otherwise, in the course of the evidentiary proceedings before the Federal Administrative Court, no circumstances arose according to which the party involved transmitted or otherwise disclosed intimate photographs that they had previously downloaded from the complainant's Google account to XXXX ( XXXX ) or his legal representative. The party involved was questioned about this allegation during the oral hearing under the obligation to tell the truth, although it admitted the fact that it had selectively downloaded some photographs from the complainant's Google account and sent it to its divorce lawyer in preparation for its (own) divorce action. However, when asked whether they also sent the same or other photographs showing the complainant and the marital disordered woman in intimate situations to XXXX ( XXXX ) or his legal representative in the divorce proceedings there, XXXX , the party involved remains the same to have only informed XXXX on the occasion of several personal meetings of the existence of such photographs, but at no time to have transmitted or otherwise disclosed the photographs in question to him or his legal representative. Even if the statements of the party involved on this key issue seemed vague, evasive and sometimes contradictory, they correspond to the statements made by XXXX ( XXXX ), who was questioned as a witness. According to the truthful recollection, the witness denies that he ever looked at the photographs in question himself or that he received them from the party involved. When asked how the witness or his divorce lawyer obtained solid evidence that XXXX was solely at fault for the breakdown of the marriage, the witness stated that his divorce lawyer had been sent the relevant photographs from an unknown (and not personalized) e-mail sender - and as a result, in the divorce proceedings for line XXXX, XXXX alone was at fault for the breakdown of the marriage [cf. p. 18, 19 of the VHS).

Since from the point of view of the adjudicating Senate, on the basis of the available files and the contradictory statements of the complainant and the co-involved party, it could not be proven with sufficient probability that the co-involved party - as alleged by the complainant - photographs showing the complainant with the marital disruptor show, except for the preparation of the (own) divorce suit to their lawyer also to the XXXX ( XXXX ) or his lawyer, the judging Senate agrees with the relevant negative finding of the authority concerned. This was against the background that the complainant kept the password for his Google account openly accessible in the common household, while the marriage was upright he took several hundred photos showing him with his extramarital partner in intimate situations and failed to recognize that the same photos were also available for retrieval were stored in the Google account used by him. In addition, the adjudicating Senate could not make any determinations as part of the evidence procedure as to how many and which photos should have been sent from the complainant's Google account to XXXX ( XXXX ) or his legal representative and a questioning of the lawyers involved in the light of the legal confidentiality was not to be regarded as expedient.

3. Legal assessment:

According to § 6 BVwGG, the Federal Administrative Court decides through a single judge, unless federal or state laws provide for the decision to be made by senates.

Based on § 27 DSG, the Senate is responsible in this case. In this case, the Senate is responsible.

The procedure of the administrative courts, with the exception of the Federal Finance Court, is regulated by the VwGVG, Federal Law Gazette I No. 33/2013 (§ 1 leg.cit.). Pursuant to Section 58 (2) VwGVG, conflicting provisions that were already promulgated at the time this federal law came into force remain in force.

According to § 17 VwGVG, unless otherwise specified in this federal law, the provisions of the AVG with the exception of §§ 1 to 5 and Part IV, the provisions, apply to the procedure for complaints pursuant to Art. 130 Para. 1 B-VG the Federal Fiscal Code - BAO, Federal Law Gazette No. 194/1961, the Agricultural Procedures Act - AgrVG, Federal Law Gazette No. 173/1950, and the Service Law Procedures Act 1984 - DVG, Federal Law Gazette No. 29/1984, and otherwise those procedural provisions in federal or state laws that the authority applied or should have applied in the proceedings preceding the proceedings before the administrative court.

to A)

3.1. Applicable law:

The relevant provisions of the Federal Act for the Protection of Natural Persons in the Processing of Personal Data (Data Protection Act - DSG) as amended by Federal Law Gazette I No. 24/2018 are as follows:

"Article 1

(constitutional provision)

fundamental right to data protection

§ 1. (1) Everyone has the right to confidentiality of their personal data, in particular with regard to respect for their private and family life, insofar as there is a legitimate interest in doing so. The existence of such an interest is excluded if data are not accessible to a non-disclosure claim due to their general availability or due to their lack of traceability to the data subject.

(2) Insofar as personal data is not used in the vital interests of the person concerned or with his or her consent, restrictions on the right to secrecy are only permissible to protect overriding legitimate interests of another, and in the case of interventions by a state authority only on the basis of laws, which are necessary for the reasons stated in Art. 8 Para. 2 of the European Convention for the Protection of Human Rights and Fundamental Freedoms (EMRK), Federal Law Gazette No. 210/1958. Such laws may only provide for the use of data, which by their nature are particularly worthy of protection, to protect important public interests and must at the same time provide for appropriate guarantees for the protection of the confidentiality interests of the data subjects. Even in the case of permissible restrictions, the encroachment on the fundamental right may only be carried out in the mildest way that leads to the goal.

(3) - (4) [...]

Complaint to the data protection authority

Section 24 (1) Every data subject has the right to lodge a complaint with the data protection authority if they believe that the processing of their personal data violates the GDPR or Section 1 or Article 2, Part 1.

(2) The complaint must contain:

1. the designation of the right deemed to have been infringed,

2. as far as this is reasonable, the designation of the legal entity or body to which the alleged infringement is attributed (respondent party),

3. the facts from which the infringement is derived,

4. the grounds on which the allegation of illegality is based,

5. the desire to determine the alleged infringement and

6. the information required to assess whether the complaint was filed in a timely manner.

(3) A complaint may be accompanied by the application on which it is based and any response by the respondent. The data protection authority shall provide further assistance in the event of a complaint at the request of the data subject.

(4) […]

(5) If a complaint proves to be justified, it must be followed. If an infringement is attributable to a person responsible for the private sphere, the person responsible must be instructed to comply with the complainant's requests for information, correction, deletion, restriction or data transfer to the extent necessary to eliminate the identified infringement. If the complaint proves to be unjustified, it must be dismissed.

(6) - (10) [...]"

The relevant provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data, on the free movement of data and on the repeal of Directive 95/46/EC (General Data Protection Regulation) OJ L 119 of 04.05.2016, hereinafter: GDPR, read:

"Article 5

Principles for the processing of personal data

(1) Personal data must

a) processed lawfully, fairly and in a manner that is transparent to the data subject ("lawfulness, fair processing, transparency");

b) collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes; further processing for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes shall not be deemed incompatible with the original purposes pursuant to Article 89(1) ("purpose limitation");

c) adequate and relevant to the purpose and limited to what is necessary for the purposes of the processing ("data minimization");

d) accurate and, where necessary, up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without undue delay ("accuracy");

e) stored in a form which permits identification of data subjects only for as long as is necessary for the purposes for which they are processed; personal data may be stored for a longer period to the extent that the personal data are used exclusively for archiving purposes in the public interest or for scientific and historical research purposes, subject to the implementation of appropriate technical and organizational measures required by this regulation to protect the rights and freedoms of the data subject, or processed for statistical purposes in accordance with Article 89(1) ("storage limitation");

f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organizational measures ("integrity and confidentiality");

(2) The person responsible is responsible for compliance with paragraph 1 and must be able to prove compliance with it (“accountability”).

Article 6

lawfulness of processing

(1) The processing is only lawful if at least one of the following conditions is met:

[...]

f) processing is necessary to safeguard the legitimate interests of the person responsible or a third party, unless the interests or fundamental rights and freedoms of the data subject that require the protection of personal data prevail, in particular if the data subject is a child acts.

Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their duties.

[...]"

Article 9

Processing of special categories of personal data

(1) The processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or sex life or the sexual orientation of a natural person is prohibited.

(2) Paragraph 1 does not apply in the following cases:

a) the data subject has expressly consented to the processing of said personal data for one or more specified purposes, unless Union law or the law of the Member States does not allow the prohibition referred to in paragraph 1 to be lifted with the consent of the data subject,

[...]

f) the processing is necessary for the assertion, exercise or defense of legal claims or for court actions in the context of their judicial activities,

[...]

Article 17

Right to Erasure (“Right to be Forgotten”)

(1) The data subject has the right to demand that the person responsible delete personal data concerning them immediately, and the person responsible is obliged to delete personal data immediately if one of the following reasons applies:

a) The personal data are no longer necessary for the purposes for which they were collected or otherwise processed.

b) The data subject withdraws their consent on which the processing was based pursuant to Article 6(1)(a) or Article 9(2)(a) and there is no other legal basis for the processing.

c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2).

d) The personal data have been processed unlawfully.

e) The deletion of the personal data is necessary to fulfill a legal obligation under Union law or the law of the Member States to which the person responsible is subject.

f) The personal data have been collected in relation to information society services offered pursuant to Article 8(1).

(2) […]

(3) Paragraphs 1 and 2 do not apply if processing is necessary

...

e) to assert, exercise or defend legal claims.”

3.2. To process personal data to assert, exercise or defend legal claims:

3.2.1. The processing of special categories of personal data within the meaning of Art. 9 Para. 1 GDPR for evidence purposes in civil court proceedings, the digital photographs in question, which show the complainant with his extramarital partner in intimate situations, were undoubtedly to be subsumed under this provision in principle - if suitable and necessary - be covered by the exceptional circumstances of Art. 9 (2) lit.

3.2.2. For the special categories of data mentioned in paragraph 1, the legal basis for permission under Art. 9 (2) lit. f GDPR represents a special case of the general legal basis for legitimate interest within the meaning of Art. 6 (1) lit. f GDPR. The term legal claims is to be understood broadly and includes claims under both public and private law. What matters is that there is a legal conflict. However, the type of legal action taken is irrelevant. "Necessary" means that without the data, the assertion of the claim or a defense against it would not be possible or significantly more difficult (cf. Supreme Court of August 24, 2022, 7Ob121/22b, para. 22ff).

3.2.3. In the present case, it is undisputed that the party involved – as stated above under margin no. 1.6 – accessed a Google account used by the complainant and downloaded and subsequently displayed image data showing the complainant and his (illegal) partner in intimate situations her divorce attorney to bring an action for divorce based on the applicant's unlawful conduct. The pertinent legal justification of the relevant authority, according to which this process is covered by the exception of Art. 9 Para. 2 lit. For example, in the case of the necessity of processing sensitive data required in Art. 9 Para. If the submission of special categories of personal data by a party is assessed by the court as irrelevant, this does not under all circumstances also constitute a violation of Article 9. However, if sensitive data is disclosed arbitrarily and knowingly without any connection to the specific dispute, the party cannot, however, rely on the exceptional case of Article 9 (2) (f) GDPR (cf. Jahnel, Commentary on the General Data Protection Regulation, Article 9 GDPR, as of December 1st, 2020, paragraph 88, rdb.at).

3.2.4. In relation to the case, there were no indications that the party involved would have acted arbitrarily or excessively when processing the image data in question for the purpose of providing evidence in their own divorce proceedings. Rather, the submission of evidence of the complainant's extramarital relationship in the divorce proceedings was to be considered as possible and necessary in order to enable the legal position of the party involved to be enforced.

3.2.5. The authority concerned was also in relation to the finding, according to which it could not be proven that the party involved also gave the intimate photographs in question to third parties, namely the spouse of the disturber of the marriage at the time or his legal representative in the divorce proceedings there, transmitted or otherwise disclosed, not to oppose. As above under margin no. 1.8 determined, it could not be proven in the course of the administrative court evidence proceedings - despite personal questioning of the parties to the dispute and the potential recipient of the intimate photographs in question as witnesses - that the party involved also transmitted the image data at issue to third parties or otherwise disclosed it, It it was therefore to be assumed that this circumstance did not exist (VwGH June 16, 1992, 92/08/0062; June 29, 2000, 2000/07/0024).

3.3. Regarding the alleged violation of the right to erasure in accordance with Art. 17 GDPR:

As above under margin no. 1.5, the complainant did not apply to the party involved for deletion within the meaning of Art. 17 GDPR, but only reported to the police after the incident became known because of the suspicion of inspecting Section 118 of the Criminal Code. The authority concerned therefore had to agree in full on this point as well. It should be noted in this regard that the complainant, as the person affected by data protection law, is at liberty to submit an application for the deletion of the image data in question to the party involved, as the person responsible for data protection law; Subsequently, the complainant would be free - in the event of the alleged violation of the right to erasure - to contact the data protection authority again by means of a complaint in accordance with Section 24 DSG in conjunction with Article 17 GDPR. The requirement of Section 24 (3) DSG to submit applications that were addressed to the person responsible for data protection in advance of a data protection complaint procedure or the content requirements of Section 24 (2) DSG should be pointed out at this point.

3.4. It had to be decided accordingly.

Re B) Inadmissibility of the revision:

Pursuant to § 25a Para. 1 VwGG, the administrative court has to pronounce in its ruling or decision whether the revision is admissible according to Art. 133 Para. 4 B-VG. The statement must be briefly justified.

According to Art. 133 Para. 4 B-VG, the revision is not permissible because the decision does not depend on the solution of a legal question that is of fundamental importance. If the legal situation is clear and unambiguous according to the standards in question, then there is no legal question of fundamental importance within the meaning of Art. 133 Para. 4 B-VG, even if the VwGH has not yet issued any case law on an applicable standard (VwGH September 11, 2020, Ra 2018/04/0157). There are also no other indications of a fundamental importance of the legal question to be solved.

As far as can be seen, there is no case law of the VwGH on the standards to be applied in the present case - more specifically on Article 9 (2) (f) GDPR - but the wording of the exception in Article 9 (2) (f) GDPR is clear and clear with regard to the fact that Art. 9 Para. 1 leg. cit. collected special data categories - if suitable and necessary - may be processed for the assertion, exercise or defense of legal claims.

It had to be decided accordingly.