BVwG - W292 2267784-1
From GDPRhub
| BVwG - W292 2267784-1 | |
|---|---|
 | |
| Court: | BVwG (Austria) |
| Jurisdiction: | Austria |
| Relevant Law: | Article 56(1) GDPR Article 60 GDPR Article 60(7) GDPR Article 60(9) GDPR Article 65 GDPR |
| Decided: | 18.12.2023 |
| Published: | 09.01.2024 |
| Parties: | |
| National Case Number/Name: | W292 2267784-1 |
| European Case Law Identifier: | ECLI:AT:BVWG:2023:W292.2267784.1.00 |
| Appeal from: | DSB (Austria) |
| Appeal to: | |
| Original Language(s): | German |
| Original Source: | RIS (in German) |
| Initial Contributor: | co |
An Austrian court held, on appeal, that the DSB's communication to a data subject informing them of a decision of the Lead Supervisory Authority in the context of an Article 60 GDPR procedure does not constitute a decision. Rather, the communication was a mere information in accordance with Article 60(7) GDPR against which an appeal is not admissible.
English Summary
Facts
In May 2018, a data subject, respresented by noyb - European Centre for Digital Rights, filed a complaint with the Austrian DPA. The latter referred the case to the Irish DPC as lead supervisory authority under Article 56 GDPR and a cooperation procedure under Article 60 GDPR was initiated.
On 11 January 2023, the DSB transmitted to the data subject the final decision by the DPC in accordance with Article 60(7) GDPR and informed her that the EDPB’s binding decision under Article 65(1)(a) GDPR would be published thereafter. Two days later, on 13 January 2023, the DSB transmitted the binding decision of the EDPB of 5 December 2022 to the data subject. The DSB informed the data subject that the parts of the original complaint that were not addressed by the DPC's decision are still pending before the DPC.
On 7 February 2023, the data subject filed an appeal with the BVwG, claiming that the transmission of the DPC’s decision by the DSB should be considered a partially dismissing or rejection decision within the meaning of Article 60(9) GDPR. Since the DPC and the EDPB failed to address some of the points raised in the complaint, the communications of the DSB, together with the decision of the DPC could not be interpreted as a positive decision in accordance with Article 60(7). In the complainant's view, the communication by the DSB therefore constitutes an official decisions within the meaning of section 58 et seqq. of the Austrian General Law on Administrative Procedures (Allgemeines Verwaltungsverfahrensgesetz, AVG).
In its submissions, the DSB argued that Article 60(7) GDPR applied in this case and the DPC would still be handling the case.
Holding
The BVwG first of all assessed whether the pronouncement of the DSB constituted a decision within the meaning of section 58 et seqq. of the Austrian General Law on Administrative Procedures (Allgemeines Verwaltungsverfahrensgesetz, AVG). In this, the court took into account objective criteria and giving importance to the form and content of the decision. Further, it considered that attention should be given to the language used and whether this undoubtedly had a normative character, making reference to Austrian case law.
The BVwG held, with respect to the letters of the DSB of 11 and 13 January 2023, that they lacked the formal and content-related requirements to be considered a decision, instead, they merely constituted communications of the DSB to the data subject. If the court were to consider the DSB’s communications as decisions, this would mean that the BVwG would have to decide on the legality of a decision by the Irish DPC. In this context the BVwG referred to its case-law in asylum law matters, whereby the decisions of national authorities cannot be reviewed by the courts of another state as this would go against the principle of national sovereignty of international law. The BVwG held that this principle is transferable to data protection cases. Hence, the BVwG concluded that it cannot review the legitimacy of a decision by a lead supervisory authority in accordance with Article 60(7).
Further, the BVwG considered that it would violate the constitution and higher administrative case-law by carrying out a task that is not within its competences provided for by law.
The court specified that the DPC's decision constitutes a decision in accordance with Article 60(7) for which the DPC and not the DSB is the competent authority.
For these reasons, the court dismissed the appeal.
Comment
It is worth noting that the data subject in this case believed that the communication of the DSB should be considered a decision in itself because the DPC and the EDPB failed to acknowlegde certain parts of the complaint in their respective decisions. In this way, the data subject would also be able to appeal the decision, which would otherwise not be possible.
This decision is not final as the data subejct will file an appeal with the Austrian Supreme Administrative Court.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
Decision date
December 18, 2023
standard
B-VG Art 130 Paragraph 1 Z1
B-VG Art 133 Paragraph 4
GDPR Art4
GDPR Art51
GDPR Art56
GDPR Art60
GDPR Art65
GDPR Art77
VwGVG §28 Paragraph 1
VwGVG §31 Paragraph 1
B-VG Art. 130 today B-VG Art. 130 valid from February 1, 2019 last changed by Federal Law Gazette I No. 14/2019 B-VG Art. 130 valid from January 1, 2019 to January 31, 2019 last changed by Federal Law Gazette I No. 22/2018 B-VG Art. 130 valid from January 1, 2019 to May 24, 2018 last changed by Federal Law Gazette I No. 138/2017 B-VG Art. 130 valid from May 25, 2018 to December 31, 2018 last changed by Federal Law Gazette I No. 22/2018 B-VG Art by BGBl last amended by BGBl .1997 last amended by BGBl. No. 685/1988 B-VG Art. 130 valid from July 1st, 1976 to December 31st, 1990 last amended by BGBl .1976 last amended by BGBl. No. 215/1962 B-VG Art. 130 valid from December 25th, 1946 to July 17th, 1962 last amended by BGBl .1946 last changed by StGBl. No. 4/1945 B-VG Art. 130 valid from January 3, 1930 to June 30, 1934
B-VG Art. 133 today B-VG Art. 133 valid from January 1st, 2019 to May 24th, 2018 last changed by Federal Law Gazette I No. 138/2017 B-VG Art. 133 valid from January 1st, 2019 last changed by Federal Law Gazette I No. 22/2018 B-VG Art. 133 valid from May 25, 2018 to December 31, 2018 last changed by Federal Law Gazette I No. 22/2018 B-VG Art. 133 valid from August 1, 2014 to May 24, 2018 last changed by Federal Law Gazette I No. 164/2013 B-VG Art by BGBl amended by BGBl. No. 211/1946 B-VG Art. 133 valid from December 19, 1945 to December 24, 1946 last amended by StGBl. No. 4/1945 B-VG Art. 133 valid from January 3, 1930 to June 30, 1934
VwGVG § 28 today VwGVG § 28 valid from January 1st, 2019 last changed by Federal Law Gazette I No. 138/2017 VwGVG § 28 valid from January 1st, 2014 to December 31st, 2018
VwGVG § 31 today VwGVG § 31 valid from September 1st, 2018 last amended by BGBl from January 1, 2014 to December 31, 2016
saying
W292 2267784-1/3E
DECISION
The Federal Administrative Court, through the judge Mag. Herwig ZACZEK as chairman and the expert lay judges, Mag.a Martina CHLESTIL and Mag. René BOGENDORFER as assessors, heard the complaint from XXXX, represented by noyb - European Center for Digital Rights, against the execution of the Data protection authority of January 11th, 2023 and January 13th, 2023 decided: The Federal Administrative Court represented by the judge Mag. Herwig ZACZEK as chairman and the expert lay judges, Mag. Martina CHLESTIL and Mag. René BOGENDORFER as assessors, on the complaint from Roman XXXX decided by noyb - European Center for Digital Rights, against the orders of the data protection authority from January 11th, 2023 and January 13th, 2023:
A)
The complaint is rejected as inadmissible in accordance with Section 28 Paragraph 1 and Section 31 Paragraph 1 VwGVG, in conjunction with Article 130 Paragraph 1 Z 1 B-VG. The complaint is rejected as inadmissible in accordance with paragraph 28, paragraph one and paragraph 31, paragraph one, VwGVG, in conjunction with Article 130, paragraph one, number one, B-VG.
B)
The revision is permissible in accordance with Article 133, Paragraph 4, B-VG.The revision is permitted in accordance with Article 133, Paragraph 4, B-VG.
text
Reasons for the decision:
I.Roman one. Process:
I.1.Roman one.1. The complainant XXXX lodged a complaint with the data protection authority (responsible authority) through her representative on May 25, 2018 in accordance with Art. 77 GDPR against XXXX (hereinafter also “participating party”). The data protection authority has forwarded the complaint to the Irish Data Protection Commission as the lead authority under Article 56 (1) GDPR, which initiated a cooperation procedure under Article 60 GDPR. On May 25, 2018, the complainant roman XXXX submitted a complaint pursuant to Article 77 of the GDPR against roman XXXX (hereinafter also “participating party”) to the data protection authority (responsible authority) through its representative on May 25, 2018. The Data Protection Authority has referred the complaint to the Irish Data Protection Commission as lead authority under Article 56, paragraph one, GDPR, thereby initiating a cooperation procedure under Article 60, GDPR.
I.2.Roman one.2. On January 11, 2023, the authority concerned sent the final decision of the responsible lead supervisory authority (Ireland) to the complainant in accordance with Article 60 (7) GDPR and informed the complainant that the European Data Protection Board had adopted its binding decision Within the meaning of Art. 65 Para. 1 lit. a GDPR in accordance with Art. 65 Para. 5 leg. cit. will publish. On January 11, 2023, the relevant authority sent the complainant the final decision of the responsible lead supervisory authority (Ireland) in accordance with Article 60, Paragraph 7, GDPR and informed the complainant that the European Data Protection Board had adopted its binding decision Within the meaning of Article 65, paragraph one, letter a, GDPR in accordance with Article 65, paragraph 5, leg. cit. will publish.
I.3.Roman one.3. In a communication dated January 13, 2023, the authority concerned transmitted the European Data Protection Board's binding decision of December 5, 2022 to the complainant. She pointed out that the final decision of the lead supervisory authority in accordance with Article 60 (7) GDPR had already been delivered. In addition, the authority concerned stated that, in its view, the decision of the lead supervisory authority was a partial decision, as the lead supervisory authority had been instructed by the European Data Protection Board to continue the procedure selectively. In a communication dated January 13, 2023, the authority concerned transmitted the European Data Protection Board's binding decision of December 5, 2022 to the complainant. She pointed out that the final decision of the lead supervisory authority in accordance with Article 60, paragraph 7, GDPR had already been delivered. In addition, the authority concerned stated that, in its view, the decision of the lead supervisory authority was a partial decision, as the lead supervisory authority had been instructed by the European Data Protection Board to continue the procedure selectively.
I.4.Roman one.4. The complaint in this regard is currently pending with the Data Protection Commission.
I.5.Roman one.5. In her complaint dated February 7, 2023, the complainant stated that she had received an English-language, final decision from the Irish data protection authority (Data Protection Commission), which acts as the lead supervisory authority in accordance with Art ) has been transmitted. The authority concerned assumes that this is a decision in accordance with Article 60 (7) GDPR. In the complainant's opinion, when viewed objectively, this is not a decision according to Art. 60 Para. 7 GDPR, but rather a partially rejecting/rejecting decision within the meaning of Art. 60 Para. 9 GDPR. The complainant looks at the two transactions from January 11th. and dated January 13, 2023 in conjunction with the DPC decision and the EDPB decision as a whole as a decision within the meaning of Sections 58ff AVG, even if the formal requirements [of the AVG] are not met. In her complaint dated February 7, 2023, the complainant stated that she had received an English-language, final decision from the Irish data protection authority (Data Protection Commission), which acts as the lead supervisory authority in accordance with Article 56, paragraph one, GDPR, on January 11, 2023 from the authority concerned ) has been transmitted. The authority concerned assumes that this is a decision in accordance with Article 60, paragraph 7, GDPR. In the complainant's opinion, when viewed objectively, this is not a decision according to Article 60, paragraph 7, GDPR, but rather a partially rejecting/rejecting decision within the meaning of Article 60, paragraph 9, GDPR. The complainant looks at the two transactions from January 11th. and dated January 13, 2023 in conjunction with the DPC decision and the EDPB decision as a whole as a decision within the meaning of paragraphs 58 f, f, AVG, even if the formal requirements [of the AVG] are not met.
I.6.Roman one.6. The authority concerned submitted the complaint in question, including the related administrative files, to the Federal Administrative Court (BVwG) with a file dated March 13, 2023.
In summary, the authority concerned, like the Data Protection Commission, stated that it was a case under Article 60 (7) GDPR. In this case, the BVwG has no jurisdiction as an appeal authority. In summary, the authority concerned, like the Data Protection Commission, stated that it was a case under Article 60, Paragraph 7, GDPR. In this case, the BVwG has no jurisdiction as an appeal authority.
II.Roman II. The Federal Administrative Court considered:
II.1.Roman II.1. Findings:
On May 25, 2018, the complainant filed a complaint pursuant to Art. 77 GDPR against the party involved. The authority concerned forwarded the complaint to the Irish data protection authority (Data Protection Commission) as the lead authority in accordance with Article 56 (1) of the GDPR, which initiated a cooperation procedure in accordance with Article 60 of the GDPR. On May 25, 2018, the complainant lodged a complaint under Article 77, GDPR against the participating party. The authority concerned has forwarded the complaint to the Irish Data Protection Commission as the lead authority under Article 56, paragraph one, GDPR, which initiated a cooperation procedure under Article 60, GDPR.
On January 11, 2023, the authority concerned sent the final decision of the responsible lead supervisory authority (Ireland) to the complainant in accordance with Article 60 (7) GDPR and informed the complainant that the European Data Protection Board had adopted its binding decision Within the meaning of Art. 65 Para. 1 lit. a GDPR in accordance with Art. 65 Para. 5 leg. cit. will publish. On January 11, 2023, the relevant authority sent the complainant the final decision of the responsible lead supervisory authority (Ireland) in accordance with Article 60, Paragraph 7, GDPR and informed the complainant that the European Data Protection Board had adopted its binding decision Within the meaning of Article 65, paragraph one, letter a, GDPR in accordance with Article 65, paragraph 5, leg. cit. will publish.
In a communication dated January 13, 2023, the authority concerned transmitted the decision of the European Data Protection Board ("binding decision") of December 5, 2022 to the complainant and pointed out that the final decision of the lead supervisory authority in accordance with Article 60 (7) GDPR had already been delivered had been. In addition, the authority concerned stated that, from its point of view, the decision of the lead supervisory authority was a partial decision, since the lead supervisory authority had been instructed by the European Data Protection Board to continue the procedure selectively. The authority concerned stated in a communication dated January 13th. In 2023, the decision of the European Data Protection Board ("binding decision") of December 5, 2022 was sent to the complainant and pointed out that the final decision of the lead supervisory authority in accordance with Article 60, paragraph 7, GDPR had already been delivered. In addition, the authority concerned stated that, in its view, the decision of the lead supervisory authority was a partial decision, as the lead supervisory authority had been instructed by the European Data Protection Board to continue the procedure selectively.
The complainant's (data protection) complaint is currently still pending with the Irish Supervisory Authority (DPC) with regard to the outstanding objections.
II.2.Roman II.2. Assessment of evidence:
The findings are based on the harmless content of the administrative and court act in this regard.
II.3.Roman II.3. Legal assessment:
According to Section 6 BVwGG, the Federal Administrative Court decides by single judges, unless federal or state laws provide for the decision by senates. According to Paragraph 6, BVwGG, the Federal Administrative Court decides by single judges, unless federal or state laws provide for the decision by senates.
Although there is no decision on a case-by-case basis - which will be discussed below - but only a simple letter of notification from the data protection authority, in the opinion of the adjudicating Senate, there is Senate jurisdiction for legal protection reasons in accordance with Section 27 DSG. This is particularly because the question of the qualification of the data protection authority's actions complained about is claimed to be a decision by the complainant and this question therefore forms the subject of the legal assessment to be carried out. Although there is no decision on a case-by-case basis - which will be discussed below - but only a simple letter of notification from the data protection authority, in the opinion of the adjudicating Senate, the Senate has jurisdiction for legal protection reasons in accordance with Paragraph 27, DSG. This is particularly because the question of the qualification of the data protection authority's actions complained about is claimed to be a decision by the complainant and this question therefore forms the subject of the legal assessment to be carried out.
II.3.1. Regarding point A) – rejection of the complaint: Roman II.3.1. Regarding point A) – rejection of the complaint:
II.3.1.1.Roman II.3.1.1. The procedure of the administrative courts, with the exception of the Federal Finance Court, is regulated by the VwGVG, BGBl. I 2013/33 as amended by BGBl. I 2013/122 (§ 1 leg.cit.). According to Section 58 Paragraph 2 VwGVG, conflicting provisions that were already announced at the time this federal law came into force remain in force. The procedure of the administrative courts with the exception of the Federal Finance Court is governed by the VwGVG, BGBl. Roman one 2013/33 in the version BGBl. Roman one 2013/122, regulated (paragraph one, leg.cit.). According to paragraph 58, paragraph 2, VwGVG, conflicting provisions that were already announced at the time this federal law came into force remain in force.
According to § 17 VwGVG, unless otherwise provided in this federal law, the provisions of the AVG with the exception of §§ 1 to 5 as well as Part IV and others apply to the complaint procedure in accordance with Article 130 Paragraph 1 B-VG to apply the laws mentioned (not relevant in the present case) and, moreover, those procedural provisions in federal or state laws that the authority applied or would have applied in the proceedings preceding the proceedings before the administrative court. According to paragraph 17, VwGVG, unless otherwise provided in this federal law, the procedures for complaints in accordance with Article 130, paragraph one, B-VG are subject to the provisions of the AVG with the exception of paragraphs one to 5 as well as Roman Part IV and others to apply the laws specified in more detail (not relevant in the present case) and, moreover, those procedural provisions in federal or state laws that the authority applied or would have had to apply in the proceedings preceding the proceedings before the administrative court.
If the complaint is not to be rejected or the proceedings are to be discontinued, the Federal Administrative Court must, in accordance with Section 28 (1) VwGVG, settle the case by ruling. If the complaint is not to be rejected or the proceedings are to be discontinued, the Federal Administrative Court must, in accordance with paragraph 28, paragraph one, VwGVG, settle the legal matter by ruling.
Unless a ruling has to be made, the decisions and orders of the Federal Administrative Court are made by resolution in accordance with Section 31 Paragraph 1 VwGVG. Unless a decision has to be made, the decisions and orders of the Federal Administrative Court are made by resolution in accordance with paragraph 31, paragraph one, VwGVG.
II.3.1.2.Roman II.3.1.2. Applicable law
Article 4 of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data, on the free movement of such data and repealing Directive 95/46/EC ("GDPR") – Definitions – reads: Article 4 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data, on the free movement of such data and repealing Directive 95/46/EC (“GDPR”) – definitions – reads:
"For the purposes of this Regulation, the term means:
21. “supervisory authority” means an independent public body established by a Member State in accordance with Article 51;21. "supervisory authority" means an independent public body established by a Member State in accordance with Article 51;
22. “supervisory authority concerned” means a supervisory authority that is affected by the processing of personal data because
(a) the controller or processor is established in the territory of the Member State of that supervisory authority,
b) this processing has or may have a significant impact on data subjects residing in the Member State of that supervisory authority or
c) a complaint has been lodged with that supervisory authority;
(23) “cross-border processing” either
(a) processing of personal data carried out in more than one Member State in the context of the activities of establishments of a controller or processor in the Union, where the controller or processor is established in more than one Member State, or
(b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or a processor in the Union but which has or may have a significant impact on data subjects in more than one Member State;
(24) "relevant and reasoned objection" means an objection to a draft decision as to whether there is a breach of this Regulation or whether proposed measures against the controller or processor are in accordance with this Regulation, the scope of the risks arising from that objection clearly shows the implications of the draft decision with regard to the fundamental rights and freedoms of data subjects and, where appropriate, the free movement of personal data within the Union;"
Article 51 GDPR – supervisory authority – reads:Article 51, GDPR – supervisory authority – reads:
“[...]
2. Each supervisory authority shall contribute to the uniform application of this Regulation throughout the Union. To this end, the supervisory authorities shall cooperate with each other and with the Commission in accordance with Chapter VII. 2. Each supervisory authority shall contribute to the uniform application of this Regulation throughout the Union. For this purpose, the supervisory authorities cooperate with each other and with the Commission in accordance with Chapter VII.
[...]“
Article 56 GDPR – Responsibility of the lead supervisory authority – reads:Article 56, GDPR – Responsibility of the lead supervisory authority – reads:
"(1) Without prejudice to Article 55, the supervisory authority of the main or sole establishment of the controller or processor shall, in accordance with the procedure referred to in Article 60, be the competent lead supervisory authority for the cross-border processing carried out by that controller or processor."(1) Without prejudice of Article 55, the supervisory authority of the main or sole establishment of the controller or processor in accordance with the procedure referred to in Article 60 is the relevant lead supervisory authority for the cross-border processing carried out by that controller or processor.
2. By way of derogation from paragraph 1, each supervisory authority shall be competent to deal with a complaint lodged with it or any infringement of this Regulation where the subject matter relates only to an establishment in its Member State or significantly affects data subjects only in its Member State.
3. In the cases referred to in paragraph 2 of this Article, the supervisory authority shall immediately inform the lead supervisory authority of the matter. Within three weeks of the notification, the lead supervisory authority shall decide whether or not to deal with the case in accordance with the procedure referred to in Article 60, taking into account whether the controller or the processor is located in the Member State whose supervisory authority informed it , has an establishment or not. (3) In the cases referred to in paragraph 2 of this Article, the supervisory authority shall immediately inform the lead supervisory authority of this matter. Within three weeks of the notification, the lead supervisory authority shall decide whether or not to deal with the case in accordance with the procedure referred to in Article 60, taking into account whether the controller or processor is located in the Member State whose supervisory authority informed it , has a branch or not.
(4) If the lead supervisory authority decides to deal with the case, the procedure in accordance with Article 60 applies. The supervisory authority that informed the lead supervisory authority may submit a draft decision to the lead supervisory authority. The lead supervisory authority shall take this draft into account as far as possible when preparing the draft decision pursuant to Article 60 paragraph 3. (4) If the lead supervisory authority decides to deal with the case, the procedure pursuant to Article 60 shall apply. The supervisory authority that informed the lead supervisory authority may submit a draft decision to the lead supervisory authority. The lead supervisory authority takes this draft into account as far as possible when preparing the draft decision in accordance with Article 60, paragraph 3.
5. If the lead supervisory authority decides not to deal with the case itself, the supervisory authority that informed the lead supervisory authority shall deal with the case in accordance with Articles 61 and 62.
(6) The lead supervisory authority is the sole contact person of the controller or processor for questions relating to cross-border processing carried out by that controller or processor."
Article 60 GDPR - Cooperation between the lead supervisory authority and the other supervisory authorities concerned - reads: Article 60, GDPR - Cooperation between the lead supervisory authority and the other supervisory authorities concerned - reads:
“(1) The lead supervisory authority shall cooperate with the other supervisory authorities concerned in accordance with this Article and endeavor to reach a consensus. The lead supervisory authority and the supervisory authorities concerned shall exchange all relevant information with each other.
(2) The lead supervisory authority may at any time request administrative assistance from other supervisory authorities concerned in accordance with Article 61 and carry out joint measures in accordance with Article 62, in particular to carry out investigations or to monitor the implementation of a measure in relation to a controller or a processor who is in established in another Member State. (2) The lead supervisory authority may at any time request assistance from other supervisory authorities concerned in accordance with Article 61 and carry out joint actions in accordance with Article 62, in particular to carry out investigations or to monitor the implementation of a measure in relation to a controller or a processor established in another Member State.
(3) The lead supervisory authority shall immediately communicate relevant information on the matter to the other supervisory authorities concerned. It shall immediately submit a draft decision to the other supervisory authorities concerned for their comments and shall take due account of their views.
(4) If one of the other supervisory authorities concerned submits a relevant and reasoned objection to this draft decision within four weeks of being consulted in accordance with paragraph 3 of this Article and the lead supervisory authority does not join in the relevant and reasoned objection or is the If one of the other supervisory authorities concerned considers that the objection is not relevant or not justified, the lead supervisory authority shall initiate the consistency procedure referred to in Article 63 for the matter has been consulted, lodges a relevant and reasoned objection to that draft decision and if the lead supervisory authority does not agree with the relevant and reasoned objection or considers that the objection is not relevant or not well-founded, the lead supervisory authority shall initiate the consistency procedure in accordance with Article 63 , for the matter.
(5) If the lead supervisory authority intends to join the relevant and reasoned objection, it shall submit a revised draft decision to the other supervisory authorities concerned for comment. The revised draft decision will be subject to the procedure referred to in paragraph 4 within two weeks.
(6) If none of the other supervisory authorities concerned lodges an objection to the draft decision submitted by the lead supervisory authority within the time limit set out in paragraphs 4 and 5, the lead supervisory authority and the supervisory authorities concerned shall be deemed to have agreed to the draft decision and shall be in agreement bound him.
7. The lead supervisory authority shall adopt the decision and notify it to the main or sole establishment of the controller or, where applicable, the processor, and inform the other supervisory authorities concerned and the Board of the decision concerned, including a summary of the relevant facts and reasons. The supervisory authority to which a complaint has been submitted will inform the complainant of the decision.
(8) If a complaint is rejected or dismissed, the supervisory authority to which the complaint was submitted, notwithstanding paragraph 7, issues the decision, communicates it to the complainant and informs the person responsible.
(9) If the lead supervisory authority and the relevant supervisory authorities agree to reject or dismiss parts of the complaint and to take action with respect to other parts of that complaint, a separate decision shall be made in this matter for each of those parts. The lead supervisory authority shall adopt the decision for the part concerning the action in relation to the controller, communicate it to the principal or only establishment of the controller or the processor in the territory of its Member State and inform the complainant thereof, while the decision for the complainant competent supervisory authority adopts the decision for the part relating to the rejection or dismissal of this complaint and communicates it to this complainant and informs the controller or the processor thereof.
10. After being informed of the decision of the lead supervisory authority in accordance with paragraphs 7 and 9, the controller or processor shall take the necessary measures to bring the processing activities of all its establishments in the Union into compliance with the decision. The controller or processor shall notify the lead supervisory authority of the measures taken to comply with the decision; This in turn informs the other supervisory authorities concerned.
(11) If - in exceptional cases - an affected supervisory authority has reason to believe that there is an urgent need for action to protect the interests of data subjects, the emergency procedure in accordance with Article 66 shall apply. (11) If - in exceptional cases - an affected supervisory authority has reason If it is assumed that there is an urgent need for action to protect the interests of data subjects, the emergency procedure in accordance with Article 66 applies.
(12) The lead supervisory authority and the other supervisory authorities concerned shall communicate to each other the information required under this Article electronically using a standardized format."
Art. 65 GDPR – Dispute resolution by the committee – reads: Article 65, GDPR – Dispute resolution by the committee – reads:
"(1) In order to ensure the correct and uniform application of this Regulation in individual cases, the Committee shall adopt a binding decision in the following cases:
a) if, in a case under Article 60 paragraph 4, a supervisory authority concerned has lodged a relevant and reasoned objection to a draft decision of the lead authority or the lead authority has rejected such an objection as not relevant or not well-founded. The binding decision concerns all matters that are the subject of the relevant and reasoned objection, in particular the question of whether there has been a violation of this Regulation; draft decision of the lead authority or the lead authority has rejected such an objection as not relevant or unfounded. The binding decision concerns all matters that are the subject of the relevant and reasoned objection, in particular the question of whether there has been a breach of this Regulation;
b) if there are conflicting views as to which of the supervisory authorities concerned is responsible for the head office,
c) if a competent supervisory authority does not seek the opinion of the Committee or does not follow the opinion of the Committee in accordance with Article 64 in the cases referred to in Article 64(1). In this case, any supervisory authority concerned or the Commission may refer the matter to the Committee. In this case, any supervisory authority concerned or the Commission may refer the matter to the Committee.
(2) The decision referred to in paragraph 1 shall be adopted by a majority of two-thirds of the members of the Committee within one month of the matter being referred to it. This deadline may be extended by another month due to the complexity of the matter. The decision referred to in paragraph 1 shall be justified and communicated to and shall be binding on the lead supervisory authority and all supervisory authorities concerned.
(3) If the committee was unable to adopt a decision within the deadlines referred to in paragraph 2, it shall adopt its decision within two weeks after the end of the second month referred to in paragraph 2 by a simple majority of the members of the committee. In the event of a tie between the members of the committee, the chair's vote has the casting vote.
4. The supervisory authorities concerned shall not adopt a decision on the matter submitted to the Committee before the expiry of the deadlines referred to in paragraphs 2 and 3.
(5) The Chair of the Committee shall immediately inform the supervisory authorities concerned of the decision referred to in paragraph 1. He informs the Commission of this. The decision shall be published on the Board's website immediately after the supervisory authority has notified the final decision referred to in paragraph 6.
6. The lead supervisory authority or, where applicable, the supervisory authority to which the complaint was lodged shall take the final decision on the basis of the decision referred to in paragraph 1 of this Article without undue delay and no later than one month after the European Data Protection Board has notified its decision. The lead supervisory authority or, where applicable, the supervisory authority to which the complaint was lodged shall inform the Board at the time when its final decision is communicated to the controller or processor or data subject. The final decision of the supervisory authorities concerned is adopted in accordance with Article 60 paragraphs 7, 8 and 9. The final decision shall refer to the decision referred to in paragraph 1 and stipulate that the decision referred to in paragraph 1 of this Article shall be published on the Committee's website in accordance with paragraph 5. The final decision shall be accompanied by the decision referred to in paragraph 1 of this Article."(6) The lead supervisory authority or, where applicable, the supervisory authority to which the complaint was lodged shall take the final decision on the basis of the decision referred to in paragraph 1 of this Article immediately and no later than one month after the European Data Protection Board has communicated its decision. The lead supervisory authority or, where applicable, the supervisory authority to which the complaint was lodged shall inform the Board at the time when its final decision is communicated to the controller or processor or data subject. The final decision of the supervisory authorities concerned shall be adopted in accordance with Article 60, paragraphs 7, 8 and 9. The final decision shall refer to the decision referred to in paragraph 1 and stipulate that the decision referred to in paragraph 1 of this Article shall be published on the Committee's website in accordance with paragraph 5. The decision referred to in paragraph 1 of this Article shall be annexed to the final decision."
II.3.1.3.Roman II.3.1.3. At the outset, it should be generally noted that the procedure for a complaint from a data subject in connection with (intra-community) cross-border data processing basically consists of three phases. In a first step, the supervisory authorities involved and their respective roles as lead or affected supervisory authorities are determined (Article 56 GDPR). Each supervisory authority basically determines its own role; However, as part of the general obligation to cooperate in accordance with Article 51 Paragraph 2 Sentence 2 of the GDPR, it is obliged to coordinate with the other supervisory authorities and strive for a consensus (cf. Polenz in Simitis, Hornung, Spiecker [ed.], Data Protection Law (2019 ) Art. 65 Rz 16). In a second step, the lead supervisory authority may conduct the consistency procedure in accordance with Art. 60 GDPR and issue a decision on the complaint - in the absence of an objection from another supervisory authority in accordance with Art. 60 (4) GDPR - which is binding for all supervisory authorities (Art. 60 Paragraph 6 GDPR). In the final step, this decision is issued by the supervisory authority to which the complaint was lodged with regard to negative or dismissive points made against it (Article 60 (8) GDPR). He will be informed about the content of other points by the supervisory authority to which the complaint has been submitted (Art. 60 Para. 7 GDPR). At the outset it should be noted in general that the procedure for the complaint of a data subject in connection with an (intra-Community ) cross-border data processing basically consists of three phases. In a first step, the supervisory authorities involved and their respective roles as lead or affected supervisory authorities are determined (Article 56, GDPR). Each supervisory authority basically determines its own role; However, as part of the general obligation to cooperate under Article 51, Paragraph 2, S 2 of the GDPR, it is obliged to coordinate with the other supervisory authorities and to strive for a consensus, see Polenz in Simitis, Hornung, Spiecker [ed.], Data Protection Law (2019) article 65, paragraph 16). In a second step, the lead supervisory authority may conduct the consistency procedure in accordance with Article 60, GDPR and issue a decision on the complaint - in the absence of an objection from another supervisory authority in accordance with Article 60, paragraph 4, GDPR - which is binding for all supervisory authorities (Article 60, Paragraph 6, GDPR). In the final step, this decision is issued by the supervisory authority to which the complaint was lodged with regard to negative or dismissive points against it (Article 60, Paragraph 8, GDPR). He will be informed about the content of other points by the supervisory authority to which the complaint was submitted (Article 60, paragraph 7, GDPR).
If the supervisory authorities involved do not agree on their respective jurisdiction or on the content of the decision, a dispute resolution procedure can be initiated as an interim step in accordance with Article 65 of the GDPR. In this case, the European Data Protection Board makes a binding decision on the disputed issue for the respective supervisory authorities (see also Jahnel, Commentary on the General Data Protection Regulation, Art. 65 GDPR). If the supervisory authorities involved do not agree on their respective competence or on the content of the decision agree, a dispute resolution procedure can be initiated as an interim step in accordance with Article 65, GDPR. In this case, the European Data Protection Board makes a binding decision on the disputed issue for the respective supervisory authorities (see also Jahnel, Commentary on the General Data Protection Regulation Article 65, GDPR).
II.3.1.4.Roman II.3.1.4. In the present case, the complainant, through her representation, lodged a complaint pursuant to Art. 77 GDPR against the party involved on May 25, 2018. The relevant authority subsequently forwarded the complaint to the Irish Supervisory Authority (DPC) as the responsible lead supervisory authority in accordance with Article 56 (1) GDPR, which initiated a cooperation procedure in accordance with Article 60 GDPR. In the present case, the complainant, through her representation, filed a complaint pursuant to Article 77 of the GDPR against the party involved on May 25, 2018. The relevant authority subsequently forwarded the complaint to the Irish Supervisory Authority (DPC) as the relevant lead supervisory authority in accordance with Article 56, paragraph one, GDPR, thereby initiating a cooperation procedure under Article 60, GDPR.
On December 31, 2022, the Irish supervisory authority (DPC) issued a final decision on the complainant's data protection complaint lodged with the relevant authority on May 25, 2018, which was served on the complainant by the relevant authority on January 11, 2023. This decision (the decision of the Irish supervisory authority) was preceded by a procedure under Article 60 GDPR, in which several supervisory authorities from other Member States each raised a significant and reasoned objection to the draft decision (which was considered to be inadequate) by the relevant supervisory authorities. On December 31, 2022, the Irish supervisory authority (DPC) issued a final decision on the complainant's data protection complaint lodged with the relevant authority on May 25, 2018, which was served on the complainant by the relevant authority on January 11, 2023. This decision (the decision of the Irish supervisory authority) was preceded by a procedure under Article 60, GDPR, in which several supervisory authorities from other Member States each raised a significant and reasoned objection to the draft decision (considered to be substantively deficient) by the relevant supervisory authorities.
However, since the Irish supervisory authority (DPC) did not join in the objections of the other supervisory authorities, a consistency procedure within the meaning of Article 60 (4) GDPR in conjunction with Article 63ff GDPR was initiated, which ultimately resulted in a dispute resolution procedure in accordance with Article 65 (4) GDPR. 1 GDPR resulted. The result of this dispute resolution procedure is the decision of the European Data Protection Board dated December 5, 2022. However, since the Irish supervisory authority (DPC) did not join the objections of the other supervisory authorities, a consistency procedure within the meaning of Article 60, paragraph 4, GDPR in conjunction with Article 63 f, f, GDPR was initiated, which ultimately resulted in a dispute resolution procedure in accordance with Article 65, paragraph one, GDPR resulted. The result of this dispute resolution procedure is the decision of the European Data Protection Board dated December 5, 2022.
In her complaint dated February 7, 2023, the complainant stated that, on January 11, 2023, the authority concerned had sent her an English-language, final decision from the Irish supervisory authority (DPC), which acts as the lead supervisory authority in accordance with Article 56 (1) GDPR been. The authority concerned assumes that this is a decision in accordance with Article 60 (7) GDPR. In the complainant's opinion, when viewed objectively, this is not a decision according to Art. 60 Para. 7 GDPR, but rather a partially rejecting/rejecting decision within the meaning of Art. 60 Para. 9 GDPR. The complainant considers the two decisions of January 11, 2023 and January 13, 2023 by the data protection authority, in conjunction with the decision of the Irish supervisory authority and the decision of the European Data Protection Board of December 5, 2022, to be a decision within the meaning of Sections 58ff AVG; This is true even though the formal requirements of the (Austrian) administrative procedural regulations are not met. In her complaint dated February 7, 2023, the complainant stated that on January 11, 2023, the authority concerned had sent her an English-language, final decision from the Irish supervisory authority (DPC), which acts as the lead supervisory authority in accordance with Article 56, paragraph one, GDPR been. The authority concerned assumes that this is a decision in accordance with Article 60, paragraph 7, GDPR. In the complainant's opinion, when viewed objectively, this is not a decision according to Article 60, paragraph 7, GDPR, but rather a partially rejecting/rejecting decision within the meaning of Article 60, paragraph 9, GDPR. The complainant considers the two decisions of January 11, 2023 and January 13, 2023 by the data protection authority, in conjunction with the decision of the Irish supervisory authority and the decision of the European Data Protection Board of December 5, 2022, to be a decision within the meaning of paragraphs 58 f, f, AVG; This is true even though the formal requirements of the (Austrian) administrative procedural regulations are not met.
II.3.1.5.Roman II.3.1.5. It should be noted at this point that, from the point of view of the Senate, it was not to be assumed that there was a decision with regard to the complaint made by the data protection authority:
According to the established case law of the Administrative Court, when assessing whether an official enunciation constitutes a notice, the objective characteristics are first of all important. The lack of an express designation of an official resolution as a notice alone does not exclude the existence of a legally binding decision with the character of a notice. However, an official decision that is not designated as a notice must be subject to a strict standard with regard to its content as a notice. The acceptance of the nature of such a decision requires that, according to its content, the normative character and the intention of the authority to make a binding agreement on the matter are clear and recognizable to everyone. If the linguistic design does not clearly express a normative content, there is no decision. The reproduction of a legal opinion, facts, reference to the proceedings, legal instructions, etc. cannot be viewed as a binding settlement, i.e. not as a ruling within the meaning of Section 58 Paragraph 1 AVG (see, for example, VwGH of December 15, 2022 Ra 2020/08/0116 and VwGH of January 14, 2013, 2012/08/0299, mwN ). According to the established case law of the Administrative Court, when assessing whether an official enunciation constitutes a notice, the objective characteristics are first of all important. The lack of an express designation of an official resolution as a notice alone does not exclude the existence of a legally binding decision with the character of a notice. However, an official decision that is not designated as a notice must be subject to a strict standard with regard to its content as a notice. The acceptance of the nature of such a decision requires that, according to its content, the normative character and the intention of the authority to make a binding agreement on the matter are clear and recognizable to everyone. If the linguistic design does not clearly express a normative content, there is no decision. The reproduction of a legal opinion, facts, reference to the proceedings, legal instructions, etc. cannot be viewed as a binding settlement, i.e. not as a ruling within the meaning of paragraph 58, paragraph one, AVG (see, for example, VwGH of December 15, 2022 Ra 2020/08/0116 and VwGH of January 14, 2013, 2012/08/0299, mwN) .
The quality of the decisions taken by the relevant authority on January 11, 2023 and January 13, 2023 was already negated due to the lack of the form and content requirements of a decision (see also Administrative Court of February 17, 2023, Ro 2023/08/0001). The letters were neither described as notices nor are they divided into rulings, reasons and information on legal remedies. Rather, the complaints made by the data protection authority are simply letters of communication in which the authority concerned, as stipulated in the last sentence of Article 60 (7) of the GDPR, is the supervisory authority to which the (data protection) complaint was submitted is, the complainant has been informed of the decision of the responsible lead supervisory authority (here: the Irish DPC). The quality of the notices issued by the relevant authority on January 11, 2023 and January 13, 2023 was negated due to the lack of formal and content requirements for a notice (see also Administrative Court of February 17, 2023, Ro 2023/08/0001). The letters were neither described as notices nor are they divided into rulings, reasons and information on legal remedies. Rather, the complaints made by the data protection authority are simply letters of communication in which the authority concerned, as stipulated in Article 60, Paragraph 7, last sentence of the GDPR, is the supervisory authority to which the (data protection) complaint was submitted is, the complainant has been informed of the decision of the responsible lead supervisory authority (here: the Irish DPC).
If, on the other hand, one assumes with the complainant that the actions of the data protection authority complained about (in conjunction with the decision of the Irish supervisory authority transmitted therein) are a decision from the data protection authority, this would mean that the Federal Administrative Court within the framework of its decision According to Article 130 Para. 1 Z 1 B-VG and Section 27 DSG, jurisdiction would have to assess the legality or illegality of the decision of the Irish supervisory authority. If, on the other hand, one assumes with the complainant that the actions of the data protection authority complained about (in conjunction with the decision of the Irish supervisory authority transmitted therein) are a decision from the data protection authority, this would mean that the Federal Administrative Court within the framework of its decision Jurisdiction under Article 130, paragraph one, number one, B-VG and paragraph 27, DSG would have to assess the legality or illegality of the decision of the Irish supervisory authority.
From the point of view of the ruling Senate, it seems conceivably possible that a national authority, such as the data protection authority and, downstream of it, the Federal Administrative Court, is called upon to exercise authority over the sovereign activities of an Irish supervisory authority in the context of a decision appeal procedure in accordance with Article 130 Para. 1 Z 1 B-VG - here the DPC - to make a review decision. From the point of view of the ruling Senate, it seems conceivably possible that a national authority, such as the data protection authority and, downstream of it, the Federal Administrative Court, within the framework of a decision appeal procedure according to Article 130, paragraph one, number one, B-VG is called upon to make a review decision on the sovereign activities of an Irish supervisory authority - here the DPC.
In this regard, reference should be made to the case law of the Administrative Court on asylum law; in the given context, this can be applied analogously to official activity in the area of data protection law, according to which the authorities' own sovereign investigations abroad contradict general principles of international law. According to this, states are fundamentally obliged not to carry out any official acts in foreign territories without the permission of the territorial state. This principle is usually strictly applied and does not even allow sovereign activity that has no direct impact in the territorial state, such as police inquiries or official summonses (cf. VwGH March 27, 2023, Ra 2023/18/0082, mwN, VwGH dated October 6th. 2023, Ra 2023/18/0338). A review of resolutions of a responsible lead supervisory authority (Article 56 Paragraph 1 GDPR) within the meaning of Article 60 Paragraph 7 first sentence GDPR via the detour of the qualification of a simple letter of notification for information regarding a decision of a (foreign) supervisory authority in accordance with Art. 60 Para. 7 last sentence GDPR as a decision from the data protection authority is, from the point of view of the adjudicating Senate, out of the question for the reasons mentioned above. In this regard, reference should be made to the case law of the Administrative Court on asylum law; in the given context, this can be applied analogously to official activity in the area of data protection law, according to which the authorities' own sovereign investigations abroad contradict general principles of international law. According to this, states are fundamentally obliged not to carry out any official acts in foreign territories without the permission of the territorial state. This principle is usually handled strictly and does not even allow sovereign activity that has no direct impact in the territorial state, such as police inquiries or official summonses see VwGH March 27, 2023, Ra 2023/18/0082, mwN, VwGH dated October 6, 2023, Ra 2023/18/0338). A review of decisions of a responsible lead supervisory authority (Article 56, paragraph one, GDPR) within the meaning of Article 60, paragraph 7, first sentence of the GDPR via the detour of the qualification of a simple notification letter for information regarding a decision of a (foreign) supervisory authority in accordance with Article 60 , Paragraph 7, last sentence of the GDPR as a decision from the data protection authority, is not considered by the Senate for the reasons mentioned above.
Furthermore, in the present context, reference should be made to Art 83 Para. 2 B-VG, which norms the right to proceedings before a statutory judge at the constitutional level (Mayer/Kucsko-Stadlmayer/Stöger Rz 1514). The Constitutional Court interprets this right - contrary to the wording and the systematic classification in the section "ordinary jurisdiction" - extensively and understands the "statutory judge" to mean any state authority (VfSlg 1443, 2048); This results in a constitutionally guaranteed right to protect and preserve the legally established authority's jurisdiction (VfSlg 2536, 12.111); see Muzak, B-VG6 Art 83 Rz 2). Furthermore, in the present context, reference should be made to Article 83, Paragraph 2, B-VG, which norms the right to proceedings before a statutory judge at the constitutional level (Mayer/Kucsko-Stadlmayer/Stöger Rz 1514). The Constitutional Court interprets this right - contrary to the wording and the systematic classification in the section "ordinary jurisdiction" - extensively and understands the "statutory judge" to mean any state authority (VfSlg 1443, 2048); This results in a constitutionally guaranteed right to protect and preserve the legally established authority's jurisdiction (VfSlg 2536, 12.111); see Muzak, B-VG6 Article 83, paragraph 2).
According to the Rsp of the Constitutional Court, Art 83 Paragraph 2 B-VG is in any case violated if an administrative authority or a court claims a competence that is not covered by the law (e.g. VfSlg 15.372/1998, 15.738/2000, 16.066/2001, 16,298/2001, 16,717/2002). This can be the case in various constellations, for example if there is no material basis for claiming administrative or judicial authority (VfSlg 11.073/1986, 15.240/1998, 17.387/2004); see Zußner in Kahl/Khakzadeh/Schmid, Commentary on Federal Constitutional Law B-VG and Fundamental Rights Art. 83 B-VG. According to the Rsp of the Constitutional Court, Article 83, Paragraph 2, B-VG is in any case violated if an administrative authority or a court claims a competence that is not covered by the law (e.g. VfSlg 15.372/1998, 15.738/2000, 16.066/2001, 16.298/2001, 16.717/2002). This can be the case in various constellations, for example if there is no material basis for claiming administrative or judicial authority (VfSlg 11.073/1986, 15.240/1998, 17.387/2004); compare Zußner in Kahl/Khakzadeh/Schmid, commentary on federal constitutional law B-VG and fundamental rights Article 83, B-VG.
In the given context, the material and local jurisdiction of a supervisory authority within the meaning of Article 51 GDPR is regulated by Union law, more specifically by Articles 56, 60, 63 and 65 GDPR. In the present case, the Irish supervisory authority, as the responsible lead supervisory authority (Article 56 (1) GDPR), after carrying out a dispute resolution procedure within the meaning of Article 65 GDPR, issued a decision in accordance with Article 60 (7), first sentence, GDPR. This decision was made in accordance with a binding decision in accordance with Article 65 Para. 1 lit Participate in the issuance of a resolution in accordance with Article 65 Paragraph 1 Letter a of the GDPR. Due to the relevant jurisdiction rules in Articles 56, 60 and 65 of the GDPR, the competent authority in question, which in the case was not the responsible supervisory authority, is responsible for issuing a binding decision, i.e. a notice that will conclude the procedure in a meritorious manner. In the given context, the material and territorial jurisdiction of a supervisory authority within the meaning of Article 51, GDPR, is regulated by Union law, more specifically by Articles 56, 60, 63 and 65 GDPR. In the present case, the Irish supervisory authority, as the responsible lead supervisory authority (Article 56, paragraph one, GDPR), after carrying out a dispute resolution procedure within the meaning of Article 65, GDPR, adopted a decision in accordance with Article 60, paragraph 7, first sentence of the GDPR. This decision was made in accordance with a binding decision in accordance with Article 65, paragraph one, letter a, GDPR of the European Data Protection Board (EDPB), whereby the individual supervisory authorities have their seat and vote in the EDPB (Article 68, paragraph 3, GDPR) and thereby take part in the procedure participate in the issuance of a decision in accordance with Article 65, paragraph one, letter a, GDPR. Due to the relevant jurisdiction rules in Articles 56, 60 and 65 of the GDPR, the competent authority in question, which was not the responsible lead supervisory authority in the case, is responsible for issuing a binding decision, i.e. a decision that concludes the procedure in a meritorious manner.
II.3.1.6.Roman II.3.1.6. Result: If the complainant takes the legal view in her complaint dated February 7th, 2023 that the two resolutions of the relevant authority dated January 11th, 2023 and January 13th, 2023 in conjunction with the decision of the Irish supervisory authority (DPC) and the decision of the European Data Protection Board are considered as a whole From the point of view of the ruling Senate, it was not possible to qualify the decision within the meaning of §§ 58ff AVG in the light of the above statements. In this case, there is no suitable subject matter for the complaint within the meaning of Article 130 Paragraph 1 Z 1 B-VG and Section 7 VwGVG, which is why the complaint had to be rejected. Result: If the complainant represents the legal opinion in her complaint dated February 7, 2023, the two From this point of view, the decisions taken by the relevant authority on January 11, 2023 and January 13, 2023 in conjunction with the decision of the Irish Supervisory Authority (DPC) and the decision of the European Data Protection Board should be qualified as a decision within the meaning of paragraphs 58 f, f, AVG of the discerning Senate cannot be followed in the light of the above statements. In this case, there is no suitable subject matter for the complaint within the meaning of Article 130, Paragraph One, Number One, B-VG and Paragraph 7, VwGVG, which is why the complaint had to be rejected.
For the sake of completeness, the following should be noted with regard to the complainant's submission in her complaint dated February 7, 2023 that it is urgently suggested to combine the current complaint with the complaint regarding GZ W258 2232927-1, which is also pending at the BVwG:
The proceedings pending in court division W258 essentially concern questions of jurisdiction. Specifically, in the underlying decision dated May 26, 2020, the authority concerned essentially stated that no decision had yet been made by the lead supervisory authority, but only a preliminary legal opinion was being expressed. The Irish supervisory authority, as the lead supervisory authority in accordance with Article 56 (3) GDPR, decided to deal with the complaint dated May 25, 2018. If an investigation were to be carried out and a subsequent meritorious decision was made, the data protection authority would unjustifiably claim its jurisdiction and, since the requirements for a meritorious referral were not met, the application should have been rejected according to the ruling. The case is pending in court division W258 essentially about questions of jurisdiction. Specifically, in the underlying decision dated May 26, 2020, the authority concerned essentially stated that no decision had yet been made by the lead supervisory authority, but only a preliminary legal opinion was being expressed. The Irish supervisory authority, as the lead supervisory authority in accordance with Article 56, Paragraph 3, GDPR, decided to deal with the complaint dated May 25, 2018. If an investigation were to be carried out and a subsequent meritorious decision was made, the data protection authority would unjustifiably claim its jurisdiction and, since the requirements for a meritorious referral were not met, the application should be rejected according to the ruling.
In the case W258 2232927-1, an oral hearing took place before the BVwG on March 15, 2023. From the point of view of the adjudicating Senate, combining the proceedings is out of the question for both legal and factual reasons.
II.3.2.Roman II.3.2. Regarding the cancellation of an oral hearing:
Since the complaint had to be rejected in the present case, an oral hearing could not be held in accordance with Section 24, Paragraph 2, Paragraph 1, First Case VwGVG. Since the complaint had to be rejected in the present case, in accordance with Paragraph 24, Paragraph 2, Number One, first case VwGVG there is no need to hold an oral hearing.
II.3.3.Roman II.3.3. Regarding point B) – inadmissibility of the appeal:
According to Section 25a Paragraph 1 VwGG, the administrative court must state in its ruling or decision whether the appeal is permissible in accordance with Article 133 Paragraph 4 B-VG. The decision must be briefly justified. According to paragraph 25 a, paragraph one, VwGG, the administrative court must state in its ruling or decision whether the appeal is permissible in accordance with Article 133, paragraph 4, B-VG. The statement needs to be briefly justified.
The appeal is permissible in accordance with Article 133 Para. 4 B-VG because case law determining Section 27 DSG - which regulates the Senate's jurisdiction in the cases mentioned there - is missing in those cases in which - as in the present case - the existence of a In the decision of the data protection authority as part of the complaint to the Federal Administrative Court, this question therefore forms the core of the legal question to be assessed by the Federal Administrative Court. The appeal is permissible in accordance with Article 133, paragraph 4, B-VG, because case law determining paragraph 27, DSG - which regulates the Senate's jurisdiction in the cases mentioned there - is missing for those cases in which - as in the present case - this applies a decision from the data protection authority is alleged as part of the complaint to the Federal Administrative Court, this question therefore forms the core of the legal question to be assessed by the Federal Administrative Court.
