BVwG - W298 2266986 -1/20E

From GDPRhub
BVwG - W298 2266986 -1/20E
Courts logo1.png
Court: BVwG (Austria)
Jurisdiction: Austria
Relevant Law: Article 5(1)(c) GDPR
Article 6(1)(c) GDPR
Article 9(2)(f) GDPR
Decided: 04.01.2024
Published: 23.01.2024
Parties:
National Case Number/Name: W298 2266986 -1/20E
European Case Law Identifier: ECLI:AT:BVWG:2024:W298.2266986.1.00
Appeal from: DSB (Austria)
D124.0813/22 2022-0.777.774
Appeal to:
Original Language(s): German
Original Source: RIS (in German)
Initial Contributor: co

An Austrian Court partially upheld an appeal by a data subject stating that documents, including personal data of the data subject, provided by a controller in the context of criminal proceedings must be limited to what is necessary in order to comply with Article 5(1)(c) GDPR.

English Summary

Facts

A judicial officer (data subject) of an Austrian prison was injured by a prisoner in 2021, following which he reported the offence and started legal proceedings against the prisoner. During the criminal investigations, the judge granted access to the files to the accused, which included personal data of the data subject, among others information about her injury, annual salary, marital status and contact details. These data had been provided to the judge by the employer of the data subject, the Federal Ministry of Justice, who joined the proceedings as a co-participating private party and was represented in this by a state attorney.

According to the data subject the controller should not have disclosed such information about her and this constituted a violation of her right to privacy, hence she filed a complaint with the Austrian DPA ('DSB').

The state attorney, hereinafter the controller, submitted that the employer had suffered a financial damage as a consequence of the sick leave of the data subject and had to provide documents about her health status to prove the damage in accordance with Austrian Criminal Procedural law. The controller believed this to be compliant with Article 9 GDPR. The data subject instead claimed that the documents should have been redacted.

On 11 November 2022, the DSB dismissed the complaint stating that its competence is limited to verifying whether the documents provided by the controller were appropriate to serve as evidence for the investigation, which it confirmed. The DSB claimed that it cannot rule on the content of the documents adduced by a representative of a public authority during a court procedure.

The data subject appealed the decision before the Austrian Federal Administrative Court (Bundesverwaltungsgericht, BVwG) claiming that the controller provided more unredacted documents to the court than strictly necessary, thereby violating Article 5(1)(c) GDPR.

Holding

The BVwG first of all considered that the DSB erred in assuming that this constituted a case in which the DSB has a limited competence to decide which documents can be accepted as evidence in a criminal procedure. As a matter of fact, the BVwG held that in this case, the state attorney, despite being a public entity, should be considered equivalent to a lawyer as professional party representative. Further, the court held that this is not a situation in which a public authority acts with imperium but merely carries out an administrative activity. Hence, the state attorney should also be seen as a controller because it determines the means of processing personal data for the purpose of representing its client, the Federal Ministry of Justice, which does not issue any instructions on such processing. As a consequence, the controller must also demonstrate compliance with the GDPR in accordance with Article 24(1) GDPR.

Further, the BVwG assessed whether the controller had violated the principle of data minimization under Article 5(1)(c) GDPR. In this respect, the court considered that it cannot be asked to a party in the procedure nor to its representative to decide beforehand which parts of a document should be redacted or deleted, as this is up to the courts to establish in their rules of procedure. However, the court held that the processing by a legal representative in court must always be based on a valid legal basis and the necessity of processing operations is to be assessed for each category of data.

As regards the lawfulness of processing, the BVwG held that the controller lawfully processed personal data of the data subject on the basis of Article 6(1)(c) GDPR, as a representative of the Ministry of Justice mandated by the Austrian Procuration Act. The court further noted that also under Article 9(2)(f) GDPR a controller may process personal data against the will of a data subject if this is necessary in the context of an investigation by a public authority. However, the BVwG underlined that the data processed for a certain purpose must be necessary for achieving such purpose and this has to be assessed in light of the subject matter of the proceedings and the purpose of processing, which is that of proving the existence of a damage suffered by the data subject. As regards the categories “marital status and contact data”, the court found that such data was not necessary to achieve the purpose of processing as the BVwG could not find any causal link with the participation of the controller in the criminal proceedings, hence, the processing of those categories of data was not adequate for the purpose of processing.

In light of all this, the court concluded that the appeal by the data subject was partially well-founded and the controller unlawfully processed some categories of data about the data subject, in violation of Article 5(1)(c) GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

Decision date

01/04/2024

standard

B-VG Art 133 Paragraph 4
GDPR Art4 Z1
GDPR Art5 Paragraph 1 litc
GDPR Art51 Paragraph 1
GDPR Art57 Paragraph 1 litf
GDPR Art6 Paragraph 1 litf
GDPR Art77
GDPR Art9

B-VG Art. 133 today B-VG Art. 133 valid from January 1st, 2019 to May 24th, 2018 last changed by Federal Law Gazette I No. 138/2017 B-VG Art. 133 valid from January 1st, 2019 last changed by Federal Law Gazette I No. 22/2018 B-VG Art. 133 valid from May 25th, 2018 to December 31st, 2018 last changed by Federal Law Gazette I No. 22/2018 B-VG Art I No. 164/2013 B-VG Art by BGBl amended by BGBl. No. 211/1946 B-VG Art. 133 valid from December 19, 1945 to December 24, 1946 last amended by StGBl. No. 4/1945 B-VG Art. 133 valid from January 3, 1930 to June 30, 1934

saying

W298 2266986 -1/20E

In the name of the republic

The Federal Administrative Court has judge Mag. Mathias VEIGL as chairman and the expert lay judges Mag. Laura Sanjath and Dr. Wolfgang Goricnik as assessor on the complaint of XXXX, represented by Mag. Thomas Preisinger, Mariahilferstraße 76 1070 Vienna, against the data protection authority's decision of November 11, 2022, GZ: D124.0813/22 2022-0.777.774, rightly recognized: The Federal Administrative Court has the judge Mag. Mathias VEIGL as chairman and the expert lay judges Mag. Laura Sanjath and Dr. Wolfgang Goricnik as assessor on the complaint by Roman XXXX, represented by Mag. Thomas Preisinger, Mariahilferstraße 76 1070 Vienna, against the data protection authority's decision of November 11, 2022, GZ: D124.0813/22 2022-0.777.774, rightly recognized:

A) The complaint is partially followed and the decision in the decision is amended to read:

"1) The data protection complaint is partially upheld and it is determined that the respondent violated the complainant's right to secrecy by disclosing data in the categories of marital status and contact details (private address and mobile phone number) to the XXXX public prosecutor's office by transmitting it. "1) The data protection complaint is partially upheld and it is determined that the respondent violated the complainant's right to secrecy by disclosing data in the categories of marital status and contact details (private address and mobile phone number) to the Roman XXXX public prosecutor's office by transmitting it.

2) Otherwise, the complaint is dismissed.”

B) The revision is permissible in accordance with Article 133 Para. 4 B-VG. B) The revision is permitted in accordance with Article 133, Paragraph 4, B-VG.

text

Reasons for the decision:

I. Process: Roman one. Process:

1. In her complaint dated June 3, 2022, addressed to the data protection authority (DSB, the authority concerned before the Federal Administrative Court), amended with a letter dated August 8, 2022, XXXX (complainant) asserted a violation of the right to secrecy. She stated that she was a prison guard at XXXX Prison (JA XXXX) and was injured by prisoner XXXX on March 28, 2021 and was subsequently on sick leave. Because of the injury caused by the prisoner, a criminal complaint was filed with the XXXX public prosecutor's office (StA), which the complainant's employer joined as a private party (PB connection). XXXX (participating party) arranged this on behalf of the complainant's employer. In the course of the investigation, the detention and legal protection judge in the XXXX case granted the accused XXXX access to the files. In the course of this inspection of the files, data such as name, private address, days of sick leave, information about injuries, annual pay slips, SV number, accident report and diagnosis, etc. were disclosed to XXXX. Due to the PB connection, this data was in the StA's investigation file. The complainant came across the documents in question during the search of the XXXX detention room on June 6, 2022. This shows that the party involved violated the complainant's right to secrecy by submitting numerous documents in the PB to StA XXXX. 1. In her complaint dated June 3, 2022, addressed to the data protection authority (DSB, the authority concerned before the Federal Administrative Court), amended with a letter dated August 8, 2022, Roman XXXX (complainant) asserted a violation of the right to secrecy. In addition, she stated that she was a prison guard at the Roman XXXX prison (JA Roman XXXX) and that she was injured by the prisoner Roman XXXX on March 28, 2021 and was subsequently on sick leave. Because of the injury caused by the prisoner, a criminal complaint was filed with the public prosecutor's office in Rome XXXX (StA), which the complainant's employer joined as a private party (PB connection). Roman XXXX (participating party) arranged this on behalf of the complainant's employer. In the course of the investigation, the detention and legal protection judge in the Roman XXXX procedure granted the accused Roman XXXX access to the files. In the course of this inspection of the files, data such as name, private address, days of sick leave, information about injuries, annual pay slips, SV number, accident report and diagnosis, etc. were disclosed to Roman XXXX. Due to the PB connection, this data was in the StA's investigation file. The complainant came across the documents in question during the search of the Roman XXXX detention room on June 6, 2022. It follows from this that the party involved violated the complainant's right to secrecy by submitting numerous documents in the PB to the StA Roman XXXX.

2. At the request of the authority concerned on September 12, 2022, the party involved submitted a statement on September 30, 2022 and stated that the complainant was an employee of the Republic of Austria and had been on sick leave for 13 days due to the injury on duty. Because the complainant was entitled to continued payment of wages, the Republic suffered damage that should be asserted in the criminal proceedings initiated in connection with the incident. It is correct that the party involved joined the criminal proceedings as PB on the basis of a mandate from the Republic and disclosed the necessary evidentiary documents regarding the financial disadvantage incurred to the StA. She is not only entitled to do this, but also obliged in accordance with the provisions of the StPO. In any case, the financial demands must be quantified precisely. Since the damage occurred because the complainant was on (justified) sick leave, the party involved also had to submit documents on the type and causality of the sick leave. The data processing is justified by Art. 9 GDPR. 2. At the request of the authority concerned on September 12, 2022, the party involved submitted a statement on September 30, 2022 and stated that the complainant was an employee of the Republic of Austria and had been on sick leave for 13 days due to the injury on duty. Because the complainant was entitled to continued payment of wages, the Republic suffered damage that should be asserted in the criminal proceedings initiated in connection with the incident. It is correct that the party involved joined the criminal proceedings as PB on the basis of a mandate from the Republic and disclosed the necessary evidentiary documents regarding the financial disadvantage incurred to the StA. She is not only entitled to do this, but also obliged in accordance with the provisions of the StPO. In any case, the financial demands must be quantified precisely. Since the damage occurred because the complainant was on (justified) sick leave, the party involved also had to submit documents on the type and causality of the sick leave. The data processing is justified by Article 9, GDPR.

3. In a submission dated October 27, 2022, the complainant replied that under the given conditions, in view of the complainant's confidentiality interests, it was permissible to submit certain parts of the files and documentary evidence redacted and that the fact that the party involved had not done so meant that the complainant was within her rights breached confidentiality

4. In a decision dated November 11, 2022, the data protection authority dismissed the confidentiality complaint and essentially stated, justifying, that the data protection authority's authority to review the results of evidence was limited to the prohibition of excessive use. The party involved is a federal institution that represented the Republic in the criminal proceedings. In the present case, the data protection authority only had to check whether the documents submitted by the party involved to the StA XXXX were possibly suitable for proving the issue in question. The data protection authority affirmed this requirement and refrained from further examination. 4. In a decision dated November 11, 2022, the data protection authority dismissed the confidentiality complaint and essentially stated, justifying, that the data protection authority's authority to review the results of evidence was limited to the prohibition of excessive use. The party involved is a federal institution that represented the Republic in the criminal proceedings. In the present case, the data protection authority only had to check whether the documents submitted by the party involved to the StA Roman XXXX were possibly suitable for proving the issue in question. The data protection authority affirmed this requirement and refrained from further examination.

5. In the decision complaint dated December 7, 2022, the complainant once again complained that the party involved in the PB connection was only allowed to send those documents (unredacted) to the StA XXXX that were absolutely suitable for the purposes. In any case, the submission of the documents in question was excessive in form and the party involved would have had to make use of its rights under the ZPO. In any case, the complainant had to fear retaliation as a result of the disclosure to XXXX. 5. In the decision appeal dated December 7, 2022, the complainant once again complained that the party involved in the PB connection was only allowed to send those documents (unredacted) to the StA Roman XXXX that were absolutely suitable for the purposes. In any case, the submission of the documents in question was excessive in form and the party involved would have had to make use of its rights under the ZPO. In any case, the complainant had to fear retaliation as a result of the disclosure to Roman XXXX.

6. In a letter dated February 13, 2023, the authority concerned submitted the complaint and the administrative act to the Federal Administrative Court for a decision and issued a statement to the effect that reference was made in full to the contested decision and that the complaint was requested to be dismissed.

II. The Federal Administrative Court considered: Roman II. The Federal Administrative Court considered:

1. Findings:

The procedure listed under point I. is used as the basis for the findings. The one under point one. The above-mentioned procedure will be used as the basis for the findings.

1.2. The participating party is a federal institution whose task, among other things, is to represent legal entities before all courts and administrative authorities.

1.3. The complainant is a public servant in the service of the Federal Ministry of Justice (BMJ) and works as a prison guard at JA XXXX. 1.3. The complainant is a public servant in the service of the Federal Ministry of Justice (BMJ) and works as a prison guard at JA Roman XXXX.

1.3.1. The complainant was injured by prisoner XXXX during the transfer, so that she was unable to work for 13 days. 1.3.1. The complainant was injured by prisoner Roman XXXX during the transfer, so that she was unable to work for 13 days.

1.4. The Federal Ministry of Justice had to pay the complainant's wages due to her incapacity to work as a result of the above-mentioned work-related accident, even though the complainant was not entitled to any benefits.

1.5. An investigation was initiated at StA XXXX on suspicion of serious bodily harm etc. with file number XXXX. 1.5. An investigation was initiated at the StA Roman XXXX on suspicion of serious bodily harm etc. with the file number Roman XXXX.

1.6. In a letter dated April 23, 2021, the respondent was commissioned by the BMJ with a mandate to take legal action, in particular regarding compensation for the financial disadvantage to the detriment of the BMJ.

1.7. In a letter dated April 26, 2021, the party involved joined the proceedings against the accused XXXX as a private party in the exercise of the mandate for the BMJ and attached the following documents to the private party connection. 1.7. In a letter dated April 26, 2021, the party involved joined the proceedings against the accused Roman XXXX as a private party in the exercise of the mandate for the BMJ and attached the following documents to the private party connection.

1.8. As a result, at a point in time that cannot be determined, the representative of XXXX was granted access to the relevant investigation file of StA XXXX. All parts of the file were released unredacted to XXXX by order of the responsible detention and legal protection judge. 1.8. As a result, at a point in time that cannot be determined, the representative of Roman XXXX was granted access to the relevant investigation file of the StA Roman XXXX. All parts of the file were released unredacted to the Roman XXXX by order of the responsible detention and legal protection judge.

1.9. Finally, on June 6, 2022, in the course of examining the detention room at XXXX, the complainant learned that the private party connection of the BMJ had been requested by the party involved under II 1.7. The documents mentioned above containing personal data were disclosed to XXXX. 1.9. Finally, on June 6, 2022, in the course of examining the detention room of Roman XXXX, the complainant learned that the private party connection of the BMJ had been used by the party involved under Roman II 1.7. The documents mentioned above containing personal data were disclosed to Roman XXXX.

2. Assessment of evidence:

The findings arise from the administrative act and from a request for a statement from the party involved as well as from the relevant documents.

3. Legal assessment:

3.1. According to Art. 130 Para. 1 Z 1 B-VG, the administrative courts rule on complaints against the decision of an administrative authority on the grounds of illegality. 3.1. According to Article 130, paragraph one, number one, B-VG, the administrative courts rule on complaints against the decision of an administrative authority on the grounds of illegality.

According to Section 6 of the Federal Administrative Court Act (BVwGG), the Federal Administrative Court decides by single judges, unless federal or state laws provide for the decision by senates. In accordance with Section 27 of the Data Protection Act (DSG) as amended (which essentially corresponds to Section 39 of the Data Protection Act 2000, which was in force until May 24, 2018), the Federal Administrative Court decides in proceedings on complaints against notices due to violations of the obligation to provide information in accordance with Section 24 Paragraph 7 and the decision-making obligation of the Federal Administrative Court Data protection authority by Senate. The Senate consists of a chairman and an expert lay judge from the employer and employee circles. According to paragraph 6, Federal Administrative Court Act (BVwGG), the Federal Administrative Court decides by single judges, unless federal or state laws provide for the decision by senates. According to paragraph 27, Data Protection Act (DSG) as amended (which essentially corresponds to paragraph 39, DSG 2000, which was in force until May 24, 2018), the Federal Administrative Court decides in proceedings on complaints against notices due to violation of the obligation to provide information in accordance with paragraph 24, paragraph 7 and the Duty of the data protection authority to make decisions by the Senate. The Senate consists of a chairman and an expert lay judge from the employer and employee circles.

The procedure of the administrative courts, with the exception of the Federal Finance Court, is regulated by the Administrative Court Procedure Act (VwGVG) (§ 1 leg.cit.). According to Section 58 Paragraph 2 VwGVG, conflicting provisions that were already announced at the time this federal law came into force remain in force. The procedure of the administrative courts, with the exception of the Federal Finance Court, is regulated by the Administrative Court Procedure Act (VwGVG) (paragraph one, leg.cit.) . According to paragraph 58, paragraph 2, VwGVG, conflicting provisions that were already announced at the time this federal law came into force remain in force.

According to § 17 VwGVG, unless otherwise provided in this federal law, the provisions of the AVG with the exception of §§ 1 to 5 as well as Part IV and others apply to the complaint procedure in accordance with Article 130 Paragraph 1 B-VG to apply the laws mentioned (not relevant in the present case) and, moreover, those procedural provisions in federal or state laws that the authority applied or would have applied in the proceedings preceding the proceedings before the administrative court. According to paragraph 17, VwGVG, unless otherwise provided in this federal law, the procedures for complaints in accordance with Article 130, paragraph one, B-VG are subject to the provisions of the AVG with the exception of paragraphs one to 5 as well as Roman Part IV and others to apply the laws specified in more detail (not relevant in the present case) and, moreover, those procedural provisions in federal or state laws that the authority applied or would have had to apply in the proceedings preceding the proceedings before the administrative court.

According to Section 28 Paragraph 1 VwGVG, the administrative court must settle the case through a ruling unless the complaint is rejected or the proceedings are discontinued. According to Section 31 Paragraph 1 VwGVG, the decisions and orders are made by resolution unless a finding is to be made. According to Paragraph 28, paragraph one, VwGVG, the administrative court has to settle the case by means of a finding, unless the complaint is rejected or the proceedings are discontinued is. According to paragraph 31, paragraph one, VwGVG, decisions and orders are made by resolution unless a finding has to be made.

According to Section 28 Paragraph 2 VwGVG, the administrative court itself has to decide on complaints in accordance with Article 130 Paragraph 1 Z 1 B-VG if the relevant facts are established or the determination of the relevant facts by the administrative court itself is in the interest of the speed or is associated with significant cost savings. According to paragraph 28, paragraph 2, VwGVG, the administrative court itself has to decide on complaints in accordance with Article 130, paragraph one, number one, B-VG if the relevant facts are established or the determination of the relevant facts by the administrative court itself is in the in the interests of speed or is associated with significant cost savings.

3.2. Regarding the process requirements:

The complaint was filed within the deadline in accordance with Section 7 Paragraph 4 VwGVG and the other procedural requirements were also met. The complaint was filed within the deadline in accordance with Section 7, Paragraph 4, VwGVG and the other procedural requirements were also met.

3.3. Regarding sentence A):

3.3.1. Legal situation:

The authority concerned based its decision - insofar as it is relevant to the proceedings - on the following legal bases:

Art. 4 Z 1 and Z 2, Art. 5 Para. 1 lit. c, Art. 6 Para. 1 lit. f, Art. 12 Para. 3, Art. 20 Para. 1, Art. 51 Para. 1, Article 57 Paragraph 1 Letter f and Article 77 Paragraph 1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter: GDPR), OJ No. L 119 of May 4, 2016, p. 1; §§ 18 paragraph 1 as well as 24 paragraph 1 and paragraph 5 of the Data Protection Act (DSG), Federal Law Gazette I No. 165/1999 as amended. These provisions must also be used in the present complaint procedure before the Federal Administrative Court. Article 4, paragraph one and paragraph 2,, Article 5, paragraph one, Litera c,, Article 6, paragraph one, Litera f,, Article 12, paragraph 3,, Article 20, paragraph one, Article 51, paragraph one, Article 57, paragraph one, letter f, and Article 77, paragraph one, of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter: GDPR), OJ. No. L 119 of May 4, 2016 p. 1; Paragraph 18, paragraph one, as well as 24 paragraph one and paragraph 5, of the Data Protection Act (DSG), Federal Law Gazette Part one, No. 165 from 1999, as amended. These provisions must also be used in the present complaint procedure before the Federal Administrative Court.

Art. 4 Z 1 GDPR reads:Article 4, paragraph one, GDPR reads:

Article 4

Definitions

For the purposes of this Regulation, the term means:

1. “personal data” means any information relating to an identified or identifiable natural person (hereinafter “data subject”); A natural person is considered to be identifiable if he or she can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more special characteristics that express the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person;

Article 5 paragraph 1 lit. c GDPR reads: Article 5 paragraph one, letter c, GDPR reads:

Article 5

Principles for processing personal data

(1) Personal data must

c) be adequate and relevant to the purpose and limited to what is necessary for the purposes of the processing (“data minimization”);

Article 6 paragraph 1 letter f GDPR reads: Article 6 paragraph one letter f GDPR reads:

Article 6

Lawfulness of processing

(1) Lawfulness of processing

f) the processing is necessary to safeguard the legitimate interests of the controller or a third party, unless the interests or fundamental rights and freedoms of the data subject which require the protection of personal data outweigh them, in particular if the data subject is a child acts.

Article 9 - Processing of special categories of personal data

(1) The processing of personal data revealing racial and ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, health data or data relating to sexual life or the sexual orientation of a natural person is prohibited.

(2) Paragraph 1 does not apply in the following cases: […]

f) the processing is necessary for the establishment, exercise or defense of legal claims or for the actions of the courts in the context of their judicial activities, […]

Article 51

supervisory authority

1. Each Member State shall provide that one or more independent authorities are responsible for monitoring the application of this Regulation in order to protect the fundamental rights and freedoms of natural persons during processing and to facilitate the free movement of personal data within the Union (hereinafter: “Supervisory Authority”).

Article 57, Paragraph 1, Letter f of the GDPR reads:Article 57, Paragraph One, Letter f, of the GDPR reads:

Article 57

Tasks

(1) Without prejudice to other tasks set out in this Regulation, each supervisory authority in its territory must

(f) deal with complaints from a data subject or complaints from a body, organization or association in accordance with Article 80, investigate the subject matter of the complaint to an appropriate extent and inform the complainant within a reasonable time of the progress and outcome of the investigation, in particular, if further investigation or coordination with another supervisory authority is necessary;

Article 77 paragraph 1 GDPR reads:Article 77 paragraph one GDPR reads:

Article 77

Right to complain to a supervisory authority

(1) Without prejudice to any other administrative or judicial remedy, every data subject has the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her place of residence, place of work or the place of the alleged infringement, if the data subject is of the opinion that the processing of the data subject personal data concerning them violates this Regulation.

2) The supervisory authority to which the complaint was lodged shall inform the complainant of the status and results of the complaint, including the possibility of a judicial remedy in accordance with Article 78.

3.3.2 Applied to the present case, this means the following:

The complainant believes that the respondent, as a result of disclosing the unredacted documents relating to the connection of private parties to the StA XXXX, violated her right to secrecy by the co-involved party disclosing data to the StA XXXX that were subject to the provisions of Article 5 Para 1 lit. c) GDPR was not necessary for legal prosecution. The complainant believes that the respondent, as a result of disclosing the unredacted documents relating to the connection of private parties to the StA Roman XXXX, violated her right to secrecy by the co-involved party disclosing data to the StA Roman XXXX, which were subject to the provisions of Article 5 , paragraph one, litera c,) GDPR was not necessary for legal prosecution.

The complaint is justified to the extent that the party involved disclosed the data of the categories to the StA XXXX as stated in the ruling. The complaint is justified to the extent that the party involved disclosed the data of the categories as stated in the ruling to the StA Roman XXXX.

The authority concerned rejected the complaint on the grounds that it was a case of prohibition of excess.

Regarding the existence of a decision prohibiting excessive use:

The opinion of the authority concerned that this is a case of prohibition of excess is wrong:

In decisions on the prohibition of excess, a limited standard of review is justified by the fact that in constitutional procedures according to the relevant procedural rules (AVG, ZPO, StPO), a data protection assessment of which evidence the authority or court was permitted to use ultimately leads to the competence determinations provided for by the constitution be undermined by the data protection authority (or then the Federal Administrative Court) deciding what kind of procedure could be used in terms of content. (see decision of the data protection authority of November 9, 2017, GZ DSB-D122.706/0005-DSB/2017 maN.) In decisions on the prohibition of excess, a limited standard of review is justified by the fact that in constitutional procedures according to the relevant procedural rules (AVG, ZPO, StPO) a data protection assessment of which evidence the authority or the court was permitted to use leads to the fact that the constitutionally provided competence determinations are ultimately undermined by the data protection authority (or then the Federal Administrative Court) deciding what content could be used for a procedure. see decision of the data protection authority of November 9, 2017, GZ DSB-D122.706/0005-DSB/2017 man.)

Although the participating party is set up as an authority, as a legal representative of the federal corporations (see Section 1 ProkG), its activities are to be treated in the same way as lawyers as professional party representatives. For this reason, the considerations of the prohibition of excess cannot be transferred to the present case constellation: The respondent represented the federal government on behalf of the BMJ (see Sections 3 Paragraph 1 and 4 Paragraph 1 ProkG). This means that there is no typical procedural law situation in which an authority (federal or state) itself had to carry out legal proceedings and typically acts with empire. There is no administrative action in the narrower sense to which the standard of Art. 18 B-VG is to be applied, but the submission of documents to the court (or StA) for the enforcement of civil court claims is to be subsumed under simple administrative activity. The party involved is an authority However, as the legal representative of federal corporations (see paragraph one, ProkG), it is to be treated in the same way as lawyers as professional party representatives. For this reason, the considerations of the prohibition of excess cannot be transferred to the present case constellation: The respondent represented the federal government on behalf of the BMJ (see paragraphs 3, paragraph one and 4, paragraph one, ProkG). This means that there is no typical procedural law situation in which an authority (federal or state) itself had to carry out legal proceedings and typically acts with empire. There is no administrative action in the narrower sense to which the standard of Article 18, B-VG is to be applied, but rather the submission of documents to the court (or State Attorney) for the enforcement of civil court claims is to be subsumed under simple administrative activity.

The question of whether the processing of the data violated data protection obligations, as complained about, is therefore not limited to the prohibition of excessive use.

Regarding the question of whether the party involved is responsible:

The person responsible is the person or institution who is responsible for ensuring that the data protection regulations of the GDPR are complied with. The person responsible is therefore considered the addressee of the obligations under the GDPR and the term is used to assign responsibilities (s Hötzendorfer/Kastelitz/Tschohl in Knyrim DatKomm Art Art 24 Rz 1, as of May 2022). The person responsible is the addressee of the data subject's claims and is considered the contact point for measures taken by the supervisory authority (see Art 24; Recital 74) (as above, paragraph 77). The person responsible is the person or institution that has to ensure that: that the data protection regulations of the GDPR are complied with. The person responsible is therefore considered the addressee of the obligations under the GDPR and the term is used to assign responsibilities (see Hötzendorfer/Kastelitz/Tschohl in Knyrim DatKomm Art Article 24, Rz 1, as of May 2022). The person responsible is the addressee of the data subject's claims and is considered the contact point for measures taken by the supervisory authority (see Article 24, recital 74) (as above, paragraph 77).

Responsibility is given to whoever has the power to make decisions. The decisive factor in assigning responsibility is therefore who decides on the essential aspects of the means and purposes of the processing. In order to attribute the status of controller, it is not necessary that the controller itself processes data, is in possession of the processed data or has physical control. If he decides that data is to be processed, all persons and bodies that carry out data processing steps under his supervision or instructions (auxiliary bodies) are to be assigned to him (paragraph 83).

The orientation of the definition of controller as the person or body that decides on the purpose(s) and means of the processing is a functional view, according to which responsibility is assigned based on the actual influence on the decision. There may be an explicit legal basis for this, in which case the assignment of the person responsible and the purpose, including data categories and data recipients, can usually be clearly identified. However, if a legal norm only provides for implicit legal obligations, the person or body that meets this legal obligation and processes personal data for this purpose is to be regarded as the person responsible (paragraph 87).

Lawyers and public prosecutors are regularly responsible themselves when they process data for the purpose of representing their clients. Although you act under power of attorney and are therefore entitled to make legally binding declarations on behalf of your clients, the decision as to which third party data is to be processed in order to fulfill the mandate is made by the lawyer, unless there is proof to the contrary taken without instructions from the client. (see data protection authority in the decision of March 9, 2015, GZ. DSB-D122.299/0003-DSB/2015 Federal Administrative Court on the responsible role and independence of professional detectives, decision of June 25, 2019, Zl. W258 2188466-1 and court experts, Findings from September 27, 2018, Zl. W214 2196366-2 and from January 23, 2020, Zl. W214 2196366-3) Lawyers and public prosecutors are regularly responsible for processing data for the purpose of representing their clients. Although you act under power of attorney and are therefore entitled to make legally binding declarations on behalf of your clients, the decision as to which third party data is to be processed in order to fulfill the mandate is made by the lawyer, unless there is proof to the contrary taken without instructions from the client. see data protection authority in the decision of March 9, 2015, GZ. DSB-D122.299/0003-DSB/2015 Federal Administrative Court on the responsible role and independence of professional detectives, finding of June 25, 2019, Zl. W258 2188466-1 and court experts, findings of September 27, 2018, Zl. W214 2196366-2 and from January 23, 2020, Zl. W214 2196366-3)

In the present case, too, the party involved processed data without being told by the client (BMJ) which data should be processed in what way and for what purpose.

This means that the participating party is also accountable as the responsible party within the meaning of Article 24 (1) GDPR. This means that the participating party is also accountable as the responsible party within the meaning of Article 24, paragraph one, GDPR.

Regarding the alleged violation of data mining obligations:

The complainant believes that his right to secrecy has been violated because the principles of data processing have not been adhered to because, in accordance with the principle of data minimization, data that is not necessary for legal prosecution has been disclosed. In particular, the disclosure of date of birth, private address, cell phone number, marital status, personnel number and rank, date of entry into the judiciary has no connection to the reason for processing the civil law assertion of claims for damages.

It should be noted that an overall consideration of the principle of data minimization, including its requirement to limit data processing to the necessary extent, shows that it includes the requirements of data avoidance and data economy. The application is divided into numerous aspects, some of which overlap with the principle of purpose limitation and the principle of storage limitation: The principle of data minimization generally limits the depth of intervention and thus the type of data, the personal reference of the data, the amount of data, the level of detail of the data, the storage period of the data, the number of uses and the group of those authorized to access. Minimizing the amount of data means both minimizing the number of those affected and minimizing the amount of data per person affected.” (Hötzendorfer/Tschohl/Kastelitz in Knyrim, DatKomm Art. 5 GDPR, Rz 39It should be noted that an overall consideration of the principle of data minimization includes Its requirement to limit data processing to the necessary level shows that it includes the requirements of data avoidance and data economy. The application is spread across numerous aspects, some of which overlap with the principle of purpose limitation and the principle of storage limitation: The principle Data minimization generally limits the depth of intervention and thus the type of data, the personal reference of the data, the amount of data, the level of detail of the data, the storage period of the data, the number of uses and the circle of those authorized to access. Minimizing the amount of data means both Minimizing the number of those affected as well as minimizing the amount of data per affected person.” (Hötzendorfer/Tschohl/Kastelitz in Knyrim, DatKomm Article 5, GDPR, Rz 39

Since the necessity of certain information may be unclear in the case of disputed claims, no exaggerated claims should be made (Weichert in Kühling/Buchner, DS-GVO/BDSG3 Rz 86 on Art. 9). Regarding necessity, Schiff further explains that not every statement of facts that contains sensitive data of a data subject violates Article 9 simply because this statement is assessed by the court as insignificant. Only in the event of an arbitrary, conscious disclosure of sensitive data that no longer has any connection with the subject matter in dispute does the exception clause no longer apply (Schiff in Ehmann/Selmayr, DS-GVO2, K 49 on Art. 9; also Kastelitz /Hötzendorfer/Tschohl in Knyrim, DatKomm Art 9 GDPR, Rz 45, with reference to OGH, July 14, 2019, 6 Ob 45/19i). Since the necessity of certain information can be unclear in the case of disputed claims, no exaggerated claims should be made ( Weichert in Kühling/Buchner, DS-GVO/BDSG3 Rz 86 on Article 9). Regarding necessity, Schiff further explains that not every statement of facts that contains sensitive data of a data subject violates Article 9 simply because this statement is assessed by the court as irrelevant. Only in the event of an arbitrary, conscious disclosure of sensitive data that no longer has any connection with the subject matter in dispute does the exception clause no longer apply (Schiff in Ehmann/Selmayr, DS-GVO2, K 49 on Article 9;, also Kastelitz /Hötzendorfer/Tschohl in Knyrim, DatKomm Article 9, GDPR, Rz 45, with reference to OGH, July 14, 2019, 6 Ob 45/19i).

According to the case law of the Court of Justice, any processing of personal data must comply with the data processing principles set out in Article 5(1) of the GDPR and must meet the conditions for the lawfulness of the processing set out in Article 6 leg cit (cf . inter alia judgments of the ECJ of October 6, 2020, La Quadrature du Net and others, C‑511/18, C‑512/18 and C‑520/18, EU:C:2020:791, paragraph 208, of 22. June 2021, Latvijas Republikas Saeima [penalty points], C‑439/19, EU:C:2021:504, para. 96, and of October 20, 2022, Digi, C‑77/21, EU:C:2022:805 , paragraphs 49 and 56).According to the case law of the Court, any processing of personal data must therefore comply with the principles for the processing of data set out in Article 5, paragraph one, of the GDPR and the conditions set out in Article 6, leg cit For the lawfulness of the processing, compare, among other things, Judgments of the ECJ of October 6, 2020, La Quadrature du Net and Others, C-511/18, C-512/18 and C-520/18, EU:C:2020:791, paragraph 208, of June 22, 2021 , Latvijas Republikas Saeima [Penalty Points], C‑439/19, EU:C:2021:504, para. 96, and of October 20, 2022, Digi, C‑77/21, EU:C:2022:805, para . 49 and 56).

In its recent judgment of the ECJ of March 2, 2023 in Case C-268/21, Norra Stockholm Bygg AB, the ECJ ruled that Articles 5 and 6 of the GDPR are to be interpreted to the effect that courts are responsible for assessing the question of whether the production of a document containing personal data is required to take into account the interests of the data subjects and to do so according to the circumstances of the individual case, the nature of the procedure concerned and with due regard to the requirements arising from the principle of proportionality, as well in particular, to weigh up those requirements that arise from the principle of data minimization according to Article 5 Paragraph 1 Letter c GDPR. In other words, excessive investigations should not lead to endless data processing. In its recent judgment of the ECJ of March 2, 2023 in Case C-268/21, Norra Stockholm Bygg AB, the ECJ stated that Articles 5 and 6 of the GDPR are to be interpreted to the effect that courts are responsible for assessing the question of whether the production of a document containing personal data is required to take into account the interests of the data subjects and to do so according to the circumstances of the individual case, the nature of the procedure concerned and with due regard to the requirements arising from the principle of proportionality, as well in particular, to weigh up the requirements that arise from the principle of data minimization according to Article 5, paragraph one, letter c GDPR. In other words, excessive investigations should not lead to endless data processing.

The party involved has now submitted unredacted but complete documents to StA XXXX, but has not added any additional information themselves. It is undisputed that the data presented to StA XXXX is correct in the sense of complete, unredacted documents. The legal representation and assertion of claims in criminal proceedings are also generally suitable for the co-involved party to prove the relevant legal relationships for a private party connection in criminal proceedings. Now the co-involved party has submitted unredacted but complete documents to the StA Roman XXXX, but has not added any additional information themselves. It is undisputed that the data presented to the StA Roman XXXX is correct in the sense of complete, unredacted documents. The legal representation and assertion of claims in criminal proceedings are also generally suitable for the co-involved party to prove the relevant legal relationships for a private party to be involved in criminal proceedings

With regard to the evidence assessment rules of Section 296 ZPO, according to which the court must assess in accordance with Section 272 ZPO (principle of free assessment of evidence) whether and to what extent crossing-outs, erasures and other erasures, insertions or other external defects in a (public or private) In order to reduce the evidentiary value of a document or to abolish it completely, from the point of view of the adjudicating Senate, a party or its representative cannot in principle be obliged to make cuts in advance and thereby possibly limit the chances of enforcement and the best possible representation of their interests and their claims as long as the processing of is based on a justification, although the corresponding necessity of data processing or transmission must be assessed separately for each data category. With regard to the rules for assessing evidence in Section 296, ZPO, according to which the court must assess, in accordance with Section 272, ZPO (principle of free assessment of evidence), whether and to what extent crossing-outs, erasures and other erasures, insertions or other external defects of a (public or private) document reduces its probative value or completely annuls it, from the point of view of the adjudicating Senate, a party or its representative cannot in principle be obliged to make cuts in advance and thereby possibly limit the chances of enforcement and the best possible representation of their interests and their claims, as long as the Processing is based on a justification, although the corresponding necessity of data processing or transmission must be assessed separately for each data category.

Regarding the authorization of data processing by the participating party:

It was found that the co-involved party disclosed the data of the marital status data types and contact details to the StA XXXX in its letter of April 24, 2022. It was determined that the co-involved party disclosed the data of the marital status data types and contact details in its letter of April 24, 2022 Contact details have been disclosed to the StA Roman XXXX.

The participating party is set up as an authority. With regard to EEWGr. 47, the justification for data processing for data that is not subject to Art. 9 GDPR by a controller who is an authority is not permissible with overriding legitimate interests within the meaning of Art. 6 Para. 1 lit f) GDPR. However, the party involved acts as a mandate of the BMJ on its behalf. There is therefore, as can also be seen from Section 4 Paragraph 6 ProkG, an obligation to take action on behalf of the client. This obligation also justifies the participating party to process data within the meaning of Article 6 Paragraph 1 Letter c) GDPR. The participating party is set up as an authority. With regard to EEWGr. 47, the justification for data processing for data that is not subject to Article 9 of the GDPR is permissible by a controller who is an authority who does not have overriding legitimate interests within the meaning of Article 6, paragraph one, letter f) of the GDPR. However, the party involved acts as a mandate of the BMJ on its behalf. There is therefore, as can also be seen from paragraph 4, paragraph 6, ProkG, an obligation to take action on behalf of the client. This obligation also justifies the participating party to process data within the meaning of Article 6, paragraph one, letter c,) GDPR.

Art. 9 Para. 2 lit f GDPR is a legal basis on the basis of which specially protected data (such as health data of a data subject) may be used even against the will of the latter in the course of an official investigation (judicial or administrative procedure). The provision can also be used as a basis for an interference with the right to confidentiality. (cf. § 4 Para. 1 DSG) Article 9, Paragraph 2, Letter f, GDPR is a legal basis on the basis of which specially protected data (such as health data of a data subject) can be used even against the will of the latter in the course of an official investigation (judicial procedure). or administrative procedure). The provision can also be used as a basis for an interference with the right to confidentiality. compare paragraph 4, paragraph one, DSG)

This regulation is intended to avoid that a legal claim cannot be asserted in court, in an administrative procedure or out of court (and is therefore ultimately unenforceable) or that the defense position is weakened because this does not occur without the processing (in particular the disclosure in the procedure) of sensitive data another person is not possible. At the same time, it is normed that courts may also process (in particular collect, record, store and - if necessary - disclose to other parties involved in the process) sensitive data (such as health data to calculate compensation for pain and suffering or to determine other claims) as part of their judicial activities. are necessary for procedural processing and decision-making (“functionality”). […] The criterion of necessity must be taken into account (if necessary within the framework of a balancing of interests), even if the necessity of specific data may be unclear in the case of disputed claims. (Kastelitz/Hötzendorfer/Tschohl in Knyrim, DatKomm Art 9 GDPR (as of May 7, 2020, rdb.at), Rz 45). This regulation is intended to avoid that a legal claim cannot be asserted in courts, in an administrative procedure or out of court (and therefore ultimately unenforceable) or the defense position is weakened because this is not possible without the processing (in particular the disclosure in the process) of another person's sensitive data. At the same time, it is normed that courts may also process (in particular collect, record, store and - if necessary - disclose to other parties involved in the process) sensitive data (such as health data to calculate compensation for pain and suffering or to determine other claims) as part of their judicial activities. are necessary for procedural processing and decision-making (“functionality”). […] The criterion of necessity must be taken into account (if necessary within the framework of a balancing of interests), even if the necessity of specific data may be unclear in the case of disputed claims. (Kastelitz/Hötzendorfer/Tschohl in Knyrim, DatKomm Article 9, GDPR (as of May 7, 2020, rdb.at), Rz 45).

However, it also emerges from the literature and the ECJ case law cited above that the data must fundamentally be suitable for the purpose (“necessary for the purpose”). In the case in question, whether the data is at all suitable for pursuing the purpose must also be assessed based on the subject matter of the proceedings. The party involved has taken part in the criminal proceedings as a private participant, for which only the existence of damage has to be proven. However, regarding the data types contact details and marital status, there is no reference to the purpose of data processing. The purpose of legitimizing data processing is that data processing should be possible with a view to the legitimate enforcement of rights. (see Paal/Pauly GDPR on Art. 9 Rn 37) Necessity for the purpose only exists if the task cannot otherwise be fulfilled, in particular not without data processing (see Paal/Pauly GDPR on Art. 6 Rn 9 and Sydow in GDPR on Art. 9 Rn 34 with reference to Damman/Simits, EC-DSRL, Art. 8 Rn 20) From the literature and the case law of the ECJ cited above it also emerges that the data is fundamentally suitable for the purpose (“necessary for the purpose”) must be. In the case in question, whether the data is at all suitable for pursuing the purpose must also be assessed based on the subject matter of the proceedings. The party involved has taken part in the criminal proceedings as a private participant, for which only the existence of damage has to be proven. However, regarding the data types contact details and marital status, there is no reference to the purpose of data processing. The purpose of legitimizing data processing is that data processing should be possible with a view to the legitimate enforcement of rights. compare Paal/Pauly GDPR on Article 9, Rn 37) Necessity for the purpose only exists if the task cannot otherwise be fulfilled, in particular not without data processing, compare Paal/Pauly GDPR on Article 6, Rn 9 and Sydow in GDPR on Article 9 , Rn 34 with reference to Damman/Simits, EC-DSRL, Article 8, Rn 20)

For the court and the StA, with regard to Section 67 Paragraph 2 of the Code of Criminal Procedure, it is relevant that damage has been caused; other circumstances are not important because the declaration of wanting to take part in the criminal proceedings is to seek compensation for the damage caused the victim becomes a private party. (Korn/Zöchbauer in Fuchs/Ratz, WK StPO § 67 (as of October 30, 2021, rdb.at). It is sufficient for this if the existence of a claim arising from the punishment that can be asserted in civil law is conclusively asserted (13 Os 27/84, EvBl 1985/95, 471; 13 Os 36/15s; Hügeler/Oshidari, criminal proceedings Rz 10.72), if the accused requests compensation for specific damage suffered as a result of the crime. For the court and the StA is With regard to paragraph 67, paragraph 2, of the Code of Criminal Procedure, it is relevant that damage has been caused; other circumstances are irrelevant because by declaring that they want to take part in the criminal proceedings in order to receive compensation for the damage caused, the victim is (Korn/Zöchbauer in Fuchs/Ratz, WK StPO Paragraph 67, (as of October 30, 2021, rdb.at). It is sufficient for this if the existence of a claim arising from the punishment that can be asserted in civil law is conclusively asserted will (13 Os 27/84, EvBl 1985/95, 471; 13 Os 36/15s; Hügeler/​Oshidari, criminal proceedings Rz 10.72), if the accused is seeking compensation for specific damage suffered as a result of the crime.

With regard to the types of data mentioned, there is no causal connection with joining as a private party in criminal proceedings.

However, the ruling Senate considers it necessary to point out that neither the jurisprudence nor the literature shows that a person responsible has to take into account any future legal violations that he cannot foresee. In this regard, the only question inherent in the fundamental rights doctrine of proportionality (see also recital 39) is whether data is appropriate for the purpose. It would be completely excessive to demand that the party involved had to assume a priori that data transmitted to the judicial authorities for a specific purpose would not be treated in accordance with data protection regulations.

According to the verdict, the complaint was therefore partially upheld.

3.3.3. According to Section 24 Paragraph 1 VwGVG, the administrative court must conduct a public oral hearing upon request or, if it considers this necessary, of its own motion.3.3.3. According to paragraph 24, paragraph one, VwGVG, the administrative court must conduct a public oral hearing upon request or, if it deems it necessary, on its own initiative.

According to Section 24 Paragraph 4 VwGVG - unless otherwise provided by federal or state law - the administrative court can, regardless of a party's request, refrain from a hearing if the files show that the oral discussion does not lead to the expectation of further clarification of the case, and Neither Article 6 Para. 1 ECHR nor Article 47 CFR conflict with the cancellation of the hearing. According to paragraph 24, paragraph 4, VwGVG - unless otherwise provided by federal or state law - the administrative court can, regardless of a party's request, refrain from a hearing if the files show that the oral discussion does not lead to the expectation of further clarification of the case, and neither Article 6, paragraph one, ECHR nor Article 47, CFR precludes the cancellation of the hearing.

Although the complainant has actually submitted a request for a public hearing to be held, in the present case the omission of an oral hearing can be based on the fact that the facts were clarified from the file, in particular taking into account the investigation results from the ed. Court filing. The Federal Administrative Court only had to rule on a legal question (cf. ECHR June 20, 2013, Appl. No. 24510/06, Abdulgadirov/AZE, paragraph 34ff). Even according to the jurisprudence of the Constitutional Court, an oral hearing can be omitted if the facts are undisputed and the legal question is not particularly complex (VfSlg. 17.597/2005; VfSlg. 17.855/2006; most recently VfGH June 18, 2012, B 155/12). Although the complainant has actually submitted a request for a public hearing to be held, in the present case the omission of an oral hearing can be based on the fact that the facts were clarified from the file, in particular taking into account the investigation results from the ed. Court filing. The Federal Administrative Court only had to decide on a legal question see ECHR June 20, 2013, Appl. No. 24510/06, Abdulgadirov/AZE, Rz 34ff). Even according to the jurisprudence of the Constitutional Court, an oral hearing can be omitted if the facts are undisputed and the legal question is not particularly complex (VfSlg. 17.597/2005; VfSlg. 17.855/2006; most recently VfGH June 18, 2012, B 155/12).

It was therefore necessary to refrain from holding an oral hearing in accordance with Section 24 Paragraph 1 and Paragraph 4 VwGVG. It was therefore necessary to refrain from holding an oral hearing in accordance with Paragraph 24, Paragraph One and Paragraph 4 of the VwGVG.

3.4. Regarding B) Admissibility of the revision:

According to Section 25a Paragraph 1 VwGG, the administrative court must state in its ruling or decision whether the appeal is permissible in accordance with Article 133 Paragraph 4 B-VG. The decision must be briefly justified. According to paragraph 25 a, paragraph one, VwGG, the administrative court must state in its decision or decision whether the appeal is permissible in accordance with Article 133, paragraph 4, B-VG. The statement needs to be briefly justified.

The appeal is permissible because there is a lack of case law from the Administrative Court on the question of whether a (complete) document submission to prove damage in criminal proceedings as a private party can contradict the principle of processing in good faith or whether this violates the data mining principle in accordance with Article 5 Para 1 lit. c GDPR can be violated and therefore constitutes a breach of confidentiality in accordance with Section 1 Paragraph 1 DSG. The answer to this question also has effects beyond the individual case because it is prejudicial to every document presented in criminal proceedings as a private party. The appeal is admissible because there is a lack of case law from the Administrative Court on the question of whether a (complete) document submission to prove damage in criminal proceedings as a private party can contradict the principle of processing in good faith or whether this violates the data mining principle in accordance with Article 5, paragraph one, Litera c, GDPR can be violated and therefore constitutes a breach of confidentiality according to paragraph one, paragraph one, DSG. The answer to this question also has effects beyond the individual case because it is prejudicial to every document presented in criminal proceedings as a private party.