BVwG - W298 2293438-1
BVwG - W298 2293438-1 | |
---|---|
Court: | BVwG (Austria) |
Jurisdiction: | Austria |
Relevant Law: | Article 2(1) GDPR Article 4 GDPR Article 5(1)(c) GDPR Article 6(1) GDPR Article 51(1) GDPR Article 71(1) GDPR §1 DSG §24(5) WEG |
Decided: | 24.07.2010 |
Published: | 24.08.2001 |
Parties: | Austrian Data Protection Authority (DSB) |
National Case Number/Name: | W298 2293438-1 |
European Case Law Identifier: | ECLI:AT:BVWG:2024:W298.2293438.1.00 |
Appeal from: | |
Appeal to: | Not appealed |
Original Language(s): | German |
Original Source: | RIS (in German) |
Initial Contributor: | n/a |
The Federal Administrative Court dismissed a complaint filed against the decision of the Austrian DPA, in which the DPA found that the property manager's decision to publicly disclose a letter addressed to the data subject is not admissible.
English Summary
Facts
The co-involved party filed a complaint before the Austrian DPA that the property manager publicly posted a letter from the Camber of Labor solely addressed to the co-involved party, thus violating the right to confidentiality according to §1 of the Austrian Data Protection Act (DSG).
The co-involved party consulted with the Chamber of Labor regarding a circular resolution on renovating the facade of the property, expressing her concerns. The property manager was notified of the result of the consultation and received a letter specifically addressed to the co-involved party. Subsequently, the property manager displayed both the letter and the response publicly in the hallway. The letter included not only the questions of the co-involved party but also her name and address, that she was a member of the Chamber of Labor (Arbeiterkammer), and that she turned to them with her concerns.
The property manager stated that she was legally obliged to do so, referencing §24 of the WEG (Law of Condominiums), and she was allowed to do that according to Article 6(1)(c) GDPR. However, the DPA stated that displaying the entire e-mail was disproportionate to fulfilling the property manager's obligations.
The property manager (complainant) filed a complaint against the Austrian Data Protection Authority's decision at the Austrian Federal Administrative Court. She argued that the DPA was wrong in assuming that the data of the co-involved party was private, as the name and address of the co-involved party can be publicly accessed and identified in other ways (such as based on the name on the doorbell) and that the membership of the Chamber of Labor is mandatory, meaning it was not private information either. She also challenged the impossibility of legal justification as this act of data processing fell under the scope of legitimate interest. Furthermore, the DPA was also accused of not considering important evidence (letters) when ruling.
Holding
The Court ruled that the complainant is accountable as the controller per Article 24(1) GDPR. The data was processed via email and using an electronic word processor, which is covered by the scope of Article 2(1) GDPR. This activity cannot be considered a 'household exception' as it was not related to family activity on behalf of any of the parties and was not processed for private purposes only. The group of people who could potentially access the displayed data was not foreseeable or actively restricted. The letter contained information (e. g. the advisory service of the Chamber of Labor) that is not publicly accessible, and the Court stated that there was personal data worthy of protection concerned either way.
§24(5) WEG is relevant in that the apartment owners are entitled to receive sufficient information about resolutions. However, it does not state that any letters from apartment owners must be disclosed, and it was certainly not necessary to display the entire letter with the personal information of the co-involved party. According to the Court, the DPA correctly indicated that there were less intrusive options for conveying the necessary information.
In terms of a possible justification under Article 6 GDPR, only the overriding legitimate interest of the complainant comes into question (Article 6(1)(f) GDPR) comes into question, as there is no indication of any form of consent from the data subject. However, disclosing an entire letter to the public is not necessary for property management and thus, it does not fulfill the requirements of legitimate interest.
The complaint was dismissed.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
Decision date July 10, 2024 Standard B-VG Art133 Para4 DSG §1 DSG §18 Para1 DSG §24 Para1 DSG §24 Para5 DSGVO Art4 DSGVO Art5 Para1 litc DSGVO Art51 Para1 DSGVO Art77 Para1 WEG 2002 §24 Para5 B-VG Art. 133 today B-VG Art. 133 valid from January 1, 2019 to May 24, 2018 last amended by BGBl. I No. 138/2017 B-VG Art. 133 valid from January 1, 2019 last amended by BGBl. I No. 22/2018 B-VG Art. 133 valid from May 25, 2018 to December 31, 2018 last amended by BGBl. I No. 22/2018 B-VG Art. 133 valid from 01.08.2014 to 24.05.2018 last amended by BGBl. I No. 164/2013 B-VG Art. 133 valid from 01.01.2014 to 31.07.2014 last amended by BGBl. I No. 51/2012 B-VG Art. 133 valid from 01.01.2004 to 31.12.2013 last amended by BGBl. I No. 100/2003 B-VG Art. 133 valid from 01.01.1975 to 31.12.2003 last amended by BGBl. No. 444/1974 B-VG Art. 133 valid from December 25, 1946 to December 31, 1974, last amended by BGBl. No. 211/1946 B-VG Art. 133 valid from December 19, 1945 to December 24, 1946, last amended by StGBl. No. 4/1945 B-VG Art. 133 valid from January 3, 1930 to June 30, 1934 DSG Art. 1 § 1 today DSG Art. 1 § 1 valid from January 1, 2014 last amended by BGBl. I No. 51/2012 DSG Art. 1 § 1 valid from January 1, 2000 to December 31, 2013 DSG Art. 2 § 18 today DSG Art. 2 § 18 valid from May 25, 2018 last amended by BGBl. I No. 120/2017 DSG Art. 2 § 18 valid from January 1, 2014 to May 24, 2018 last amended by BGBl. I No. 83/2013 DSG Art. 2 § 18 valid from April 1, 2005 to December 31, 2013, last amended by BGBl. I No. 13/2005 DSG Art. 2 § 18 valid from January 1, 2000 to March 31, 2005 DSG Art. 2 § 24 today DSG Art. 2 § 24 valid from July 15, 2024, last amended by BGBl. I No. 70/2024 DSG Art. 2 § 24 valid from May 25, 2018 to July 14, 2024, last amended by BGBl. I No. 120/2017 DSG Art. 2 § 24 valid from January 1, 2010 to May 24, 2018, last amended by BGBl. I No. 133/2009 DSG Art. 2 § 24 valid from 01.01.2000 to 31.12.2009 DSG Art. 2 § 24 today DSG Art. 2 § 24 valid from 15.07.2024 last amended by BGBl. I No. 70/2024 DSG Art. 2 § 24 valid from 25.05.2018 to 14.07.2024 last amended by BGBl. I No. 120/2017 DSG Art. 2 § 24 valid from 01.01.2010 to 24.05.2018 last amended by BGBl. I No. 133/2009 DSG Art. 2 § 24 valid from 01.01.2000 to 31.12.2009 WEG 2002 § 24 today WEG 2002 § 24 valid from 01.07.2022 last amended by BGBl. I No. 222/2021 WEG 2002 § 24 valid from 01.08.2018 to 30.06.2022 last amended by BGBl. I No. 58/2018 WEG 2002 § 24 valid from 01.04.2009 to 31.07.2018 last amended by BGBl. I No. 25/2009 WEG 2002 § 24 valid from 01.10.2006 to 31.03.2009 last amended by BGBl. I No. 124/2006 WEG 2002 § 24 valid from 07.08.2002 to 30.09.2006 last amended by BGBl. I No. 114/2002 WEG 2002 § 24 valid from July 1st, 2002 to August 6th, 2002 Ruling W298 2293438-1/6E In the name of the republic The Federal Administrative Court, through Judge Mag. Mathias VEIGL as chairman and the expert lay judges Mag. Gerda Ferch-Fischer and Dr. Wolfgang Goricnik as assessors, has rightly ruled on the complaint by XXXX against the decision of the Data Protection Authority dated XXXX , GZ: D124.0316/2024-0.321.322: The Federal Administrative Court, through Judge Mag. Mathias VEIGL as chairman and the expert lay judges Mag. Gerda Ferch-Fischer and Dr. Wolfgang Goricnik as assessor on the complaint of the Roman 40, against the decision of the data protection authority of the Roman 40, GZ: D124.0316/2024-0.321.322, rightly ruled: A) The complaint is dismissed. B) The appeal is not admissible according to Art. 133, Paragraph 4, B-VG.The appeal is not admissible according to Article 133, Paragraph 4, B-VG. Text Reasons for the decision: I. Procedure: Roman one. Procedure: 1. In its complaint dated January 22, 2024, addressed to the Data Protection Authority (DSB, the authority responsible before the Federal Administrative Court), XXXX (the co-involved party) complained of a violation of the right to confidentiality pursuant to Section 1 Paragraph 1 of the Data Protection Act and argued that XXXX (the complainant) was the property management company of the co-involved party's owners' association of residential property. The complainant had publicly posted a letter from the Chamber of Labor to her. This was a letter that had been written as a result of a consultation with the co-involved party and was intended only for the respondents. 1. In its complaint dated January 22, 2024, addressed to the Data Protection Authority (DSB, the authority concerned before the Federal Administrative Court), roman 40 (the co-involved party) complained of a violation of the right to confidentiality in accordance with paragraph one, paragraph one, DSG and argued that roman 40 (the complainant) was the property management company of the owners' association of the co-involved party's residential property. The complainant had publicly posted a letter from the Chamber of Labor to it. This was a letter that had been written as a result of a consultation with the co-involved party and was intended only for the respondents. 2. At the request of the authority concerned, the complainant submitted a statement and stated in summary that, as the property management company of the property in question, she was its legal representative. She had posted the letter in question in the course of implementing a circular resolution on the upcoming facade renovation. She was legally obliged to do so in accordance with Section 24 of the WEG. The letter should have been made known to the other co-owners. Furthermore, it is clear from an overall view that no secret or non-public data is affected here. In any case, the complainant's legitimate interest in the data processing in question would prevail. 2. At the request of the authority concerned, the complainant submitted a statement and stated in summary that, as the property management company of the property in question, she was its legal representative. She had put up the letter in question in the course of implementing a circular resolution on the upcoming facade renovation. She was legally obliged to do so in accordance with Section 24 of the WEG. The letter should have been made known to the other co-owners. Furthermore, it is clear from an overall view that no secret or non-public data is affected here. In any case, the complainant's legitimate interest in the data processing in question would prevail. 3. With the now contested decision of XXXX, the authority concerned upheld the data protection complaint and stated that the complainant had violated the co-participating party's right to confidentiality by attaching the questions of the Chamber of Labor from the conversation with the co-participating party to the decision and publicly displaying them on the co-participating party's property. 3. With the now contested decision of Roman 40, the authority concerned upheld the data protection complaint and stated that the complainant had violated the co-participating party's right to confidentiality by attaching the questions of the Chamber of Labor from the conversation with the co-participating party to the decision and publicly displaying them on the co-participating party's property. From a legal perspective, the authority concerned stated that there was no public data and that in the area of Section 1 Paragraph 1 of the Data Protection Act, it was not important how the data was processed. According to Section 24, Paragraph 5 WEG, the complainant had a ground for processing pursuant to Article 6, Paragraph 1, Letter c, GDPR, but not a sufficient one, as posting the entire email was not proportionate. In any case, it would have been sufficient to only post parts of it to fulfil the legal obligation. From a legal point of view, the authority concerned stated that there was no public data and that in the area of paragraph one, subsection one, DSG, it did not matter how the data was processed. According to Section 24, Paragraph 5, WEG, the complainant had a ground for processing pursuant to Article 6, Paragraph one, Letter c, GDPR, but not a sufficient one, as posting the entire email was not proportionate. In any case, it would have been sufficient to only post parts of it to fulfil the legal obligation. 4. The complainant lodged an appeal against the above-mentioned decision on June 10, 2024, essentially arguing that the authority concerned was wrong about the question of whether secret data within the meaning of Section 1 Paragraph 1 of the Data Protection Act existed when it determined that the data of the co-participating party was secret. If it had correctly determined that the co-participating party was named on the doorbell and also appeared in the land register, it would have had to come to the conclusion that no secret data existed. In particular, not through representation by the Chamber of Labor. Membership is mandatory and it is beyond any life experience that this fact was not known to the other parties. The authority is also wrong when it assumes that there is no legal justification and that the data processing is also in the complainant's overriding legitimate interest. The decision was also tainted with illegality in its content because the authority concerned had violated procedural regulations and had not brought important letters from the complainant to its attention. There had been no subjective violation of the rights of the co-participating party and the decision was therefore tainted with illegality in its content. 4. The complainant lodged an appeal against the above-mentioned decision on June 10, 2024, essentially arguing that the authority concerned had erred on the question of whether secret data within the meaning of paragraph one, subsection one, of the Data Protection Act existed when it determined that the data of the co-participating party was secret. If it had correctly determined that the co-participating party was named on the doorbell and also appeared in the land register, it would have had to come to the conclusion that no secret data existed. In particular, not through representation by the Chamber of Labor. Membership is compulsory and it is beyond any life experience that this fact was not known to the other parties. The authority is also mistaken in assuming that there is no legal justification and that the data processing is also in the complainant's legitimate interest. The decision is also tainted with illegality in its content because the authority concerned has violated procedural regulations and has not brought important letters to the attention of the complainant. There was no subjective violation of the rights of the other party involved and the decision is therefore tainted with illegality in its content. 5. After the authority concerned submitted its submission, the parties were granted a hearing by the Federal Administrative Court, in particular all parts of the files relating to the proceedings that were not yet known were presented to the complainant for a hearing. 6. In a submission dated June 28, 2024, the complainant commented and again stated that the decision of the authority concerned was tainted with illegality of content and that the relevant facts had not been established since it had not been established that the party involved appeared by name on the doorbell and that it had also not announced that the letter should not be passed on. In addition, there was a quasi-consent to the data transfer. II. The Federal Administrative Court considered: Roman II. The Federal Administrative Court considered: 1. Findings: 1.1. The complainant XXXX is the property manager of the property at XXXX in XXXX , in which several parties live. 1.1. The complainant roman 40 is the property manager of the property at roman 40 in roman 40 , in which several parties live. 1.2. The co-involved party is a co-owner of the property. 1.3. A circular resolution was passed on the question of renovating the facade of the property in question, and the co-involved party held a consultation with the XXXX Chamber of Labor in the course of this. The complainant was informed of the result of the circular resolution by letter dated XXXX 2024. On XXXX 2023, the XXXX Chamber of Labor addressed a letter to the complainant, specifically to the co-involved party, which was posted in the hallway of the property in question in January 2024, together with its response dated XXXX 2024. The notice at least showed the name and address of the complainant, as well as that the complainant is a member of the XXXX Chamber of Labor, that she had turned to it for support, and what questions the complainant had about the circular resolution.1.3. A circular resolution was passed on the question of renovating the facade of the property in question, and the co-participating party held a consultation with the Roman Chamber of Labor in the course of this. The complainant was informed of the result of the circular resolution by letter dated Roman 40, 2024. The Roman Chamber of Labor sent a letter to the complainant on Roman 40, 2023, addressing the co-participating party by name, which was posted in the hallway of the property in question in January 2024, together with its response dated Roman 40, 2024. The notice at least showed the name and address of the complainant, as well as that the complainant is a member of the Roman Chamber of Labor 40, that she had turned to them for support and what questions the complainant had about the deadline. 1.4. The questions from the XXXX Chamber of Labor and the complainant's response were sent by email.1.4. The questions from the Roman Chamber of Labor and the complainant's response were sent by email. 2. Assessment of evidence: The findings are based on the unobjectionable content of the file. 3. Legal assessment: 3.1. According to Section 6 BVwGG, the Federal Administrative Court decides by single judges unless federal or state laws provide for a decision by senates. According to Section 27 of the Data Protection Act (DSG) as amended, the Federal Administrative Court decides in proceedings on complaints against decisions due to violation of the duty to inform pursuant to Section 24 Paragraph 7 and the data protection authority's duty to decide by senates. The Senate consists of a chairman and one expert lay judge from the circle of employers and one from the circle of employees.3.1. According to Paragraph 6 of the Federal Administrative Court Act, the Federal Administrative Court decides by a single judge, unless federal or state laws provide for decisions by senates. According to Paragraph 27 of the Data Protection Act (DSG) as amended, the Federal Administrative Court decides by senate in proceedings on complaints against decisions due to violation of the duty to inform pursuant to Paragraph 24, Paragraph 7 and the data protection authority's duty to decide. The Senate consists of a chairman and one expert lay judge from the circle of employers and one from the circle of employees. The procedure of the administrative courts with the exception of the Federal Finance Court is regulated by the VwGVG, Federal Law Gazette I 2013/33 as amended by Federal Law Gazette I 2013/122 (§ 1 leg.cit.). According to Section 58, Paragraph 2 of the Administrative Court Act (VwGVG), conflicting provisions that were already published at the time this federal law came into force remain in force. The procedure of the administrative courts, with the exception of the Federal Finance Court, is regulated by the Administrative Court Act (VwGVG), Federal Law Gazette Roman one 2013/33 in the version of Federal Law Gazette Roman one 2013/122 (Paragraph one, leg.cit.). According to Paragraph 58, Paragraph 2 of the Administrative Court Act (VwGVG), conflicting provisions that were already published at the time this federal law came into force remain in force. According to Section 17 of the Administrative Court Act, unless otherwise provided for in this federal law, the provisions of the Administrative Court Act, with the exception of Sections 1 to 5 and Part IV, the provisions of the Federal Fiscal Code – BAO, Federal Law Gazette No. 194/1961, the Agricultural Procedure Act – AgrVG, Federal Law Gazette No. 173/1950, and the Civil Service Procedure Act 1984 – DVG, Federal Law Gazette No. 29/1984, and, in addition, those procedural provisions in federal or state laws that the authority has applied or should have applied in the proceedings before the administrative court preceding the proceedings, shall apply mutatis mutandis to the proceedings on complaints pursuant to Article 130, Paragraph 1 of the Federal Law.According to Section 17 of the Administrative Court Act, unless otherwise provided for in this federal law, the provisions of the Administrative Court Act, with the exception of Sections 1 to 5 and Part IV, the provisions of the Federal Fiscal Code – BAO, Federal Law Gazette No. 194/1961, the Agricultural Procedure Act – AgrVG, Federal Law Gazette No. 173/1950, and the Civil Service Procedure Act 1984 – DVG, Federal Law Gazette No. 29/1984, and, in addition, those procedural provisions in federal or state laws that the authority has applied or should have applied in the proceedings preceding the proceedings before the administrative court, shall apply mutatis mutandis to the proceedings on complaints pursuant to Article 130, Paragraph 1 of the Federal Law. to 5 and Roman IV, the provisions of the Federal Tax Code - BAO, Federal Law Gazette No. 194 of 1961, the Agricultural Procedure Act - AgrVG, Federal Law Gazette No. 173 of 1950, and the Civil Service Procedure Act 1984 - DVG, Federal Law Gazette No. 29 of 1984, and in addition those procedural provisions in federal or state laws that the authority applied or should have applied in the proceedings before the administrative court prior to the proceedings are to be applied. According to Section 28 Paragraph 1 VwGVG, the administrative court must settle the legal matter by decision unless the complaint is to be rejected or the proceedings are to be discontinued. According to Section 31 Paragraph 1 of the Administrative Court Act (VwGVG), decisions and orders are made by resolution unless a ruling is to be made. According to Paragraph 28, Paragraph 1 of the Administrative Court Act (VwGVG), the administrative court must settle the legal matter by ruling unless the appeal is to be rejected or the proceedings are to be discontinued. According to Paragraph 31, Paragraph 1 of the Administrative Court Act (VwGVG), decisions and orders are made by resolution unless a ruling is to be made. According to Section 28, Paragraph 2 of the Administrative Court Act, the administrative court must decide on the merits of complaints pursuant to Article 130, Paragraph 1, Item 1 of the Federal Constitutional Court Act if (1) the relevant facts are established or (2) the determination of the relevant facts by the administrative court itself is in the interest of speed or is associated with significant cost savings.According to Paragraph 28, Paragraph 2 of the Administrative Court Act, the administrative court must decide on the merits of complaints pursuant to Article 130, Paragraph one, Item one of the Federal Constitutional Court Act if (1) the relevant facts are established or (2) the determination of the relevant facts by the administrative court itself is in the interest of speed or is associated with significant cost savings. 3.2. On the procedural requirements: The relevant facts are established. The complaint was filed within the time limit pursuant to Section 7, Paragraph 4 of the Administrative Court Act (VwGVG) and the other procedural requirements are also met.The complaint was filed within the time limit pursuant to Paragraph 7, Paragraph 4 of the Administrative Court Act (VwGVG) and the other procedural requirements are also met. 3.3. Regarding part A of the ruling): 3.3.1. The legal bases relevant to the current proceedings are as follows: Article 4, Paragraphs 1, 2 and 7 of the GDPR read:Article 4, Paragraph 1, 2 and 7 of the GDPR read: "Article 4 Definitions "1. "Personal data" means all information relating to an identified or identifiable natural person (hereinafter referred to as "data subject"); a natural person is considered identifiable if he or she can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more special characteristics that express the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; 2. “processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or any other form of provision, comparison or linking, restriction, erasure or destruction; 7. “controller” means the natural or legal person, public authority, agency or other body which alone or jointly with others decides on the purposes and means of processing personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;" Article 5(1)(c) GDPR reads: Article 5, paragraph one, letter c, GDPR reads: "Article 5 Principles for the processing of personal data (1) Personal data must be adequate, relevant and limited to what is necessary for the purposes of the processing ('data minimisation'); Article 51(1) GDPR reads: Article 51, paragraph one, GDPR reads: "Article 51 Supervisory authority (1) Each Member State shall provide for one or more independent authorities to be responsible for monitoring the application of this Regulation in order to protect the fundamental rights and freedoms of natural persons with regard to processing and to facilitate the free movement of personal data within the Union (hereinafter referred to as the 'supervisory authority'). Article 77, paragraph 1 of the GDPR reads:Article 77, paragraph one of the GDPR reads: "Article 77 Right to lodge a complaint with a supervisory authority (1) Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data concerning him or her infringes this Regulation. Section 1 of the DSG reads:Paragraph one of the DSG reads: (1) Everyone has the right to have personal data concerning him or her kept confidential, in particular with regard to respect for his or her private and family life, provided that there is a legitimate interest in doing so. The existence of such an interest is excluded if data is not accessible to a claim of confidentiality due to its general availability or because it cannot be traced back to the data subject. (2) To the extent that the use of personal data is not in the vital interest of the data subject or with his consent, restrictions on the right to confidentiality shall only be permissible to protect the overriding legitimate interests of another person, and in the case of interventions by a state authority only on the basis of laws that are necessary for the reasons set out in Article 8 paragraph 2 of the European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR), Federal Law Gazette No. 210/1958. Such laws may only provide for the use of data which, by their nature, are particularly worthy of protection to protect important public interests and must at the same time establish appropriate guarantees for the protection of the data subject's interests in confidentiality. Even in the case of permissible restrictions, the interference with the fundamental right may only be carried out in the mildest way that achieves the goal.(2) If the use of personal data is not in the vital interest of the person concerned or with his consent, restrictions on the right to confidentiality are only permissible to protect the overriding legitimate interests of another person, and in the case of interventions by a state authority only on the basis of laws that are necessary for the reasons stated in Article 8, paragraph 2, of the European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR), Federal Law Gazette No. 210 of 1958. Such laws may only provide for the use of data that are particularly worthy of protection by their nature to protect important public interests and must at the same time establish appropriate guarantees for the protection of the interests of the persons concerned in confidentiality. Even in the case of permissible restrictions, the interference with the fundamental right may only be carried out in the mildest way that achieves the goal. (3) Everyone has, insofar as personal data concerning him or her are intended for automated processing or for processing in manual files, i.e. files kept without automated support, in accordance with statutory provisions 1. the right to information about who processes which data about him or her, where the data comes from and what it is used for, in particular to whom it is transmitted; 2. the right to correct incorrect data and the right to delete data that has been processed unlawfully. (4) Restrictions on the rights under paragraph 3 are only permitted under the conditions set out in paragraph 2.(4) Restrictions on the rights under paragraph 3 are only permitted under the conditions set out in paragraph 2. Section 18 paragraph 1 DSG reads: Paragraph 18, paragraph one, DSG reads: (1) The data protection authority is established as the national supervisory authority in accordance with Article 51 GDPR.(1) The data protection authority is established as the national supervisory authority in accordance with Article 51 GDPR. Paragraph 24, paragraphs 1 and 5 of the Data Protection Act read: Paragraph 24, paragraph one and 5 of the Data Protection Act read: (1) Any data subject has the right to lodge a complaint with the data protection authority if they believe that the processing of personal data concerning them violates the GDPR or paragraph 1 or Article 2, Chapter 1.(1) Any data subject has the right to lodge a complaint with the data protection authority if they believe that the processing of personal data concerning them violates the GDPR or paragraph one or Article 2, Chapter 1. (5) If a complaint proves to be justified, it must be acted upon. If a violation can be attributed to a controller in the private sector, this controller must be instructed to comply with the complainant's requests for information, correction, deletion, restriction or data transfer to the extent necessary to eliminate the violation of law identified. If the complaint proves to be unjustified, it must be rejected. Federal Law on Condominium Ownership (Condominium Ownership Act 2002 – WEG 2002) StF: BGBl. I No. 70/2002 as amended by BGBl. I No. 114/2002Federal Law on Condominium Ownership (Condominium Ownership Act 2002 – WEG 2002) StF: Federal Law Gazette Part One, No. 70 of 2002, as amended by Federal Law Gazette Part One, No. 114 of 2002, Resolutions of the owners’ association § 24.(5) Resolutions of the owners’ association must be brought to the attention of each condominium owner both by posting them in a place in the building that is clearly visible to all condominium owners (in the case of several buildings or several stairwells, in a corresponding number of such places) and by sending them in writing. A letter sent to the owner of an apartment or other independent space must be sent to the address of his or her apartment property or to another domestic delivery address provided by him or her. A letter sent to the owner of a parking space for motor vehicles must be sent to a domestic delivery address provided by him or her. The sent resolution must be accompanied by a note stating that the start of the period for contesting the resolution is determined by the time it is posted in the building; the day of the posting and the resulting end of the period must also be announced. Each apartment owner can request that resolutions be sent to him or her by electronic transmission rather than by post. Paragraph 24, point (, 5,) Resolutions of the owners' association must be brought to the attention of each apartment owner both by posting them in a place in the building that is clearly visible to all apartment owners (in the case of several buildings or several stairwells, at a corresponding number of such places) and by sending them in writing. A notice must be sent to the owner of an apartment or other independent space at the address of his or her apartment property or to another domestic delivery address provided by him or her. A notice must be sent to the owner of a parking space for motor vehicles at a domestic delivery address provided by him or her. The sent resolution must be accompanied by a note stating that the start of the period for contesting the resolution is determined by the time it is posted in the building; at the same time, the day of the posting and the resulting end of the period must be announced. Any apartment owner can request that resolutions be sent to him or her not by post, but by electronic transmission. Section 25, Paragraph 2 of the WEG reads: Paragraph 25, Paragraph 2 of the WEG reads: The convening of the owners' meeting and the items to be decided upon must be brought to the attention of every apartment owner in writing at least two weeks before the meeting date in the manner described in Section 24, Paragraph 5.The convening of the owners' meeting and the items to be decided upon must be brought to the attention of every apartment owner in writing at least two weeks before the meeting date in the manner described in Section 24, Paragraph 5. 3.3.2. Applied to the present case, this means the following: 3.3.2.1. The complainant essentially complains to the Federal Administrative Court that the authority concerned violated her right not to establish a data protection violation by upholding the data protection complaint of the party involved. The authority concerned is wrong in its interpretation of the WEG and the GDPR. In particular, the authority should have determined that no personal data that is secret had been processed, that the data in question was not covered by the scope of the Data Protection Act, in the event that the processing was based on a legal basis or that there was a legitimate interest that outweighed that of the person concerned. The complaint is unfounded. 3.3.2.2. According to Section 1 Paragraph 2 of the Data Protection Act, restrictions on the right to confidentiality are only permissible if the use of personal data is in the vital interest of the person concerned or with their consent, if there are overriding legitimate interests of a third party or if there is a qualified legal basis.3.3.2.2. According to Paragraph 1, Paragraph 2 of the Data Protection Act, restrictions on the right to confidentiality are only permissible if the use of personal data is in the vital interest of the person concerned or with their consent, if there are overriding legitimate interests of a third party or if there is a qualified legal basis. Regarding the implicit question of whether the complainant - regardless of the homeowners' association she represents - is the controller, it should be stated: The controller is the person or institution that has to ensure that the data protection provisions of the GDPR are complied with. The controller is therefore the addressee of the obligations arising from the GDPR and the term is used to assign responsibilities (see Hötzendorfer/Kastelitz/Tschohl in Knyrim DatKomm Art Art 24 Rz 1, as of May 2022). The controller is the addressee of claims of the data subject and is the contact point for measures taken by the supervisory authority (see Art 24; Recital 74) (as above, Rz 77).Regarding the implicit question of whether the complainant - regardless of the homeowners' association she represents - is the controller, it should be stated: The controller is the person or institution that has to ensure that the data protection provisions of the GDPR are complied with. The controller is therefore the addressee of the obligations arising from the GDPR and the term is used to assign responsibilities (see Hötzendorfer/Kastelitz/Tschohl in Knyrim DatKomm Art Article 24, para. 1, as of May 2022). The controller is the addressee of claims of the data subject and is the contact point for measures taken by the supervisory authority (see Article 24;, Recital 74) (as above, para. 77). Responsibility is assigned to the person who has the decision-making power. The decisive factor for the allocation of responsibility is therefore who decides on the essential aspects of the means and purposes of processing. In order to be assigned the status of responsible person, it is not necessary for the responsible person to process data himself, to be in possession of the data processed or to have physical control over it. If he decides that data is to be processed, all persons and bodies that carry out data processing steps under his supervision or instruction (auxiliary bodies) are to be functionally assigned to him (para. 83). The definition of responsible person as the person or body that decides on the purpose(s) and means of processing is a functional view, according to which responsibility is allocated based on the actual influence on the decision. There may be an explicit legal basis for this, in which case the allocation of the responsible person and the purpose, including data categories and data recipients, is usually clearly identifiable. However, if a legal norm only provides for implicit legal obligations, the person or body that has this legal obligation and processes personal data for this purpose is to be regarded as the controller. Lawyers, for example, are usually themselves the controllers when they process data for the purpose of representing their clients. They act under a power of attorney and are therefore authorized to make legally binding statements on behalf of their clients. However, the decision as to which third-party data is to be processed in order to fulfill the mandate is made by the lawyer without instructions from the client, unless there is proof to the contrary. (cf. Data Protection Authority in the decision of March 9, 2015, GZ. DSB-D122.299/0003-DSB/2015 Federal Administrative Court on the responsible role and independence of professional practice for professional detectives, decision of June 25, 2019, No. W258 2188466-1 and court experts, decisions of September 27, 2018, No. W214 2196366-2 and of January 23, 2020, No. W214 2196366-3) Lawyers, for example, are usually responsible themselves when they process data for the purpose of representing their clients. In doing so, they act under power of attorney and are therefore authorized to make legally binding declarations on behalf of their clients. The decision as to which third party data is to be processed in order to fulfil the mandate is made by the lawyer without instructions from the client, unless there is proof to the contrary. See the Data Protection Authority's decision of 9 March 2015, GZ. DSB-D122.299/0003-DSB/2015 Federal Administrative Court on the role of the responsible party and independence of the professional practice of professional detectives, decision of June 25, 2019, No. W258 2188466-1 and court experts, decisions of September 27, 2018, No. W214 2196366-2 and of January 23, 2020, No. W214 2196366-3) In the present case, too, the complainant processed data without being told by the client (homeowners' association) which data was to be processed for which purposes. This means that the complainant is also accountable as the responsible party within the meaning of Art. 24 (1) GDPR. In particular with regard to compliance with data minimization in accordance with Art. 5 (1) lit. c GDPR. This means that the complainant is also accountable as the controller within the meaning of Article 24, paragraph one, GDPR. In particular with regard to compliance with data minimization in accordance with Article 5, paragraph one, letter c, GDPR. Regarding the question of whether the letter from the Chamber of Labor on behalf of the party involved is covered by the scope of Art. 2 GDPR, it must first be noted that it was processed using an electronic word processing program and via email and is therefore subject to the material scope of the GDPR in accordance with Art. 2 paragraph 1 GDPR in conjunction with Art. 4 2 GDPR. Furthermore, it should be noted that the authority concerned obviously correctly assumes that the group of people who could potentially have accessed the data in question was not foreseeable from the outset and that the potential recipients are not to be regarded as "family members", at least in the broader sense (cf. OGH of June 23, 2021, 6 Ob 56/21k and Kühling/Raab in Kühling/Buchner, DS-GVO BDSG Art 2 DSGVO Rz 25 maN). On the question of whether the letter from the Chamber of Labor on behalf of the co-participating party is covered by the scope of Article 2, GDPR, it should first be noted that it was processed using an electronic word processing program and via email and is therefore subject to the material scope of the GDPR in accordance with Article 2, paragraph one, GDPR in conjunction with Article 4, 2. GDPR. Furthermore, it should be noted that the authority concerned obviously correctly assumes that the group of people who could potentially have accessed the data in question was not foreseeable from the outset and that the potential recipients are not to be regarded as "family members" at least in the broader sense (see OGH of 23.6.2021, 6 Ob 56/21k and Kühling/Raab in Kühling/Buchner, DS-GVO BDSG Article 2, DSGVO Rz 25 maN). The complainant's reference to the potential disclosure recipients (see also Zukic, the scope of the household exception of the GDPR using the example of social online networks and image recordings in Jahnel, Datenschutzrecht, Jahrbuch 2019) is also relevant for answering the question of whether family purposes exist. This is to be assessed on the basis of common opinion, in the English version of the GDPR there is talk of "household activity". While data processing for private purposes such as leisure activities or vacation planning meets the definition of "household activity", i.e. family activity, another purpose, for example of a purely monetary or economic (business) nature, is not covered (see Ernst in Paal/Pauly General Data Protection Regulation on Art. 2). The ECJ has already ruled that for the "household exception" to apply, data processing must be carried out exclusively for private purposes and that even a private mixed economic activity leads to the full application of data protection provisions (ECJ of 10 July 2018, Jehovah's Witnesses C-25/17). The complainant's reference to the potential disclosure recipients (see also Zukic, the scope of the GDPR's household exception using the example of social online networks and image recordings in Jahnel, Data Protection Law, Yearbook 2019) is also relevant to answering the question of whether family purposes exist. This is to be assessed based on the common understanding; the English version of the GDPR refers to "household activity". While data processing for private purposes such as leisure activities or vacation planning meets the definition of "household activity", i.e. family activity, another purpose, for example of a purely monetary or economic (business) nature, is not covered (see Ernst in Paal/Pauly General Data Protection Regulation on Article 2). The ECJ has already stated that in order to accept the "household exception", data processing must be carried out exclusively for private purposes and that even a private mixed economic activity leads to the full application of data protection regulations (ECJ of July 10, 2018, Jehovah's Witnesses C-25/17). The content of the letter and its publication to an indefinable group of people is therefore within the scope of application of Section 1 Paragraph 1 DSG, because neither the complainant has a family activity (insofar as this is even possible for a capital company; see ECJ 9 November 2010, C-92/09, Schecke; C-93/09, Eifert)) nor the other party involved. The content of the letter and its publication to an indefinable group of people is therefore within the scope of application of Section 1 Paragraph 1 DSG, because neither the complainant has a family activity (insofar as this is even possible for a capital company; see ECJ 9 November 2010, C-92/09, Schecke; C-93/09, Eifert)) nor the other party involved. 3.3.2.3. There is also no generally available data (absolutely) to which there is no claim to confidentiality. A legitimate interest in confidentiality presupposes that there is personal data at all that can be traced back to a person whose identity is determined (or at least identifiable), and that this data can also be kept secret, which will in principle be impossible if it is generally accessible. (Pollirer/Weiss/Knyrim/Haidinger, DSG4 § 1 (as of April 1, 2019, rdb.at)) Section 1 Paragraph 1 DSG restricts the right to confidentiality only to the extent that a legitimate interest is excluded if data is not accessible to a confidentiality claim due to its general availability or due to its lack of traceability to the person concerned (VwGH February 28, 2018, Ra 2015/04/0087). A legitimate interest in confidentiality presupposes that there is personal data at all that can be traced back to a person whose identity is determined (or at least identifiable), and that this data can also be kept secret, which will then be fundamentally impossible if it is generally accessible. (Pollirer/Weiss/Knyrim/Haidinger, DSG4 Paragraph one, (as of 1.4.2019, rdb.at)) Paragraph one, subsection one, DSG restricts the claim to confidentiality only to the extent that a legitimate interest is excluded if data is not accessible to a claim to confidentiality due to its general availability or due to its lack of traceability to the person concerned (VwGH 28. 2. 2018, Ra 2015/04/0087). It follows from the findings that the content of the letter also includes the advisory service provided by the Chamber of Labor, the result of this and the questions of the other party to the complainant regarding the facade repair - in other words parts that cannot be ascertained from public registers or information on doorbells. It is also relevant here that the notice in the stairwell was made visible not only to the decision-making parties, but also to an unrestricted public (as already stated above), i.e. an indefinable group of people (guests, parcel deliverers, emergency services, etc.). For a breach of the duty of confidentiality, it is not a question of a specific outcome, i.e. whether third parties actually became aware of the date, but merely of the fact that a corresponding possibility existed at the time of the specifically complained-of data processing (see judgment of 24 November 2011, C-468/10 and C-469/10, EU:C:2011:777, and repeated in the judgment of 11 December 2019 C-708/17 ECLI:EU:C:2019:1064). It follows from the findings that the content of the letter also includes the advisory service provided by the Chamber of Labour, the result of this and the questions of the co-participating party to the complainant regarding the facade repair - in other words parts that cannot be ascertained from public registers or information on doorbells. It is also relevant here that the notice in the stairwell made the information visible not only to the decision-making parties, but also to an unrestricted public (as already stated above), i.e. an indefinable group of people (guests, parcel deliverers, emergency services, etc.). For a breach of the duty of confidentiality, it is not a question of a specific result, i.e. whether third parties actually became aware of the date, but merely of the fact that a corresponding possibility existed at the time of the specifically complained data processing (see judgment of 24 November 2011, C-468/10 and C-469/10, EU:C:2011:777, and repeated in the judgment of 11 December 2019 C-708/17 ECLI:EU:C:2019:1064). The authority concerned cannot therefore be contradicted if it assumes that the potential recipients of the disclosure could not have known all the information due to its general availability. Rather, it can be assumed that personal data worthy of protection was processed in the context of the proceedings. 3.3.2.4. In terms of the scope of the data processing, there is ultimately no qualified legal basis for the data processing. The complainant has clearly posted not only the circular resolution, but also the entire email of questions from the legal representative of the other party involved, along with their answers, for the parties and other persons who are in the building of the property in question, and believes that she has no discretion with regard to Section 24 WEG and that she has to process the data in this way. 3.3.2.4. In terms of the scope of the data processing, there is ultimately no qualified legal basis for the data processing. The complainant has clearly posted not only the circular resolution, but also the entire email of questions from the legal representative of the other party involved, including their answers, for the parties and other persons who are in the building of the property in question, and believes that she has no discretion with regard to paragraph 24 of the WEG and that she must process the data in this way. Paragraph 24, Section 5 of the WEG is relevant for the modalities of posting the resolution. In addition to the content of the resolution passed, the letter must also contain a note that the date of the posting in the building is decisive for the start of the period for contesting the decision (Kothbauer, immolex 2012, 192). According to paragraph 5, sentence 4, this date and the resulting end of the period must also be announced (Würth/Zingher/Kovanyi, Miet- und Wohnrecht II23 Paragraph 24 WEG (as of 1.6.2015, rdb.at)). Paragraph 24, paragraph 5, WEG is relevant for the modalities of posting the resolution. The letter must - in addition to the content of the resolution passed - also contain the information that the date of the posting in the building is decisive for the start of the period for contesting the decision (Kothbauer, immolex 2012, 192). According to paragraph 5, sentence 4, this date and the resulting end of the period must also be announced (Würth/Zingher/Kovanyi, Miet- und Wohnrecht II23 Paragraph 24, WEG (as of: 1.6.2015, rdb.at)). The notice must provide the apartment owners with sufficient information (5 Ob 2382/96x MietSlg 49.528/43) about the subject of the resolution, without a word-for-word draft of the intended resolution having to be transmitted (5 Ob 219/98m MietSlg 51.532; 5 Ob 64/00y wobl 2001/10 [Call] = MietSlg 52/26); however, the notification of an intended resolution on major repairs must contain the cost-related magnitude of the expenditure (5 Ob 106/01a wobl 2001/203 [Call] = MietSlg 53.517; 5 Ob 204/12d immolex 2013/89 [Cerha] = MietSlg 65.480). (Würth/Zingher/Kovanyi, Tenancy and Housing Law II23 § 25 WEG (as of 1 June 2015, rdb.at)). The apartment owners must have sufficient information (5 Ob 2382/96x MietSlg 49.528/43) about the subject of the resolution through the notice, without a word-for-word draft of the intended resolution having to be transmitted (5 Ob 219/98m MietSlg 51.532; 5 Ob 64/00y wobl 2001/10 [Call] = MietSlg 52/26); However, the agreement on an intended decision on a major repair must contain the cost-related magnitude of the effort (5 Ob 106/01a wobl 2001/203 [Call] = MietSlg 53.517; 5 Ob 204/12d immolex 2013/89 [Cerha] = MietSlg 65.480). (Würth/Zingher/Kovanyi, Miet- und Wohnrecht II23 Paragraph 25, WEG (as of 1.6.2015, rdb.at)). The case law of the Constitutional Court on the legal basis also requires that the data processing must be foreseeable in terms of the intensity and depth of the intervention (cf. Constitutional Court of 27.06.2014 G47/2012 maN). However, it is not clear from the wording of the provision that any letters from apartment owners and their legal representatives would be required to be attached to the notice pursuant to Section 24 Paragraph 5 WEG. In particular, it is not clear that the legislator had in mind that all information must already be available through the notice. Accordingly, it was not absolutely necessary to hang up the entire letter with the letterhead of the party involved, etc. The case law of the Constitutional Court on the legal basis also requires that data processing must be foreseeable in terms of its intensity and depth of intervention (cf. Constitutional Court of June 27, 2014 G47/2012 maN). However, it is not clear from the wording of the provision that any letters from apartment owners and their legal representatives would be required to be attached to the notice pursuant to Section 24 Paragraph 5 WEG. In particular, it is not clear that the legislator had in mind that all information must already be available through the notice. Accordingly, it was not absolutely necessary to display the entire letter with the letterhead of the party involved, etc. The authority concerned correctly assumes that less intrusive options were available and, with regard to the purpose of enforcing the law, are sufficient to meet the legal requirement of the attack in the house. 3.3.2.5. Following on from this, the question of whether the complainant has a (sufficient) justification within the meaning of Art. 6 GDPR must also be answered in the negative.3.3.2.5. Following on from this, the question of whether the complainant has a (sufficient) justification within the meaning of Article 6 GDPR must also be answered in the negative. Accordingly, the legality of any data processing requires that the processing - cumulatively to the other principles regulated in Art. 5 para. 1 - must satisfy at least one of the legal grounds conclusively defined in Art. 6 para. 1 GDPR (see judgment of 24 November 2011, C‑468/10 and C‑469/10, EU:C:2011:777, and repeatedly in the judgment of 11 December 2019 C-708/17 ECLI:EU:C:2019:1064, and most recently VwGH of 06.03.2024 Ro 2021/04/0030-4 to 0031-5, para. 50 with reference to ECJ of 22.06.2023, C-579/21 J.M. para. 62). Accordingly, the legality of any data processing requires that the processing - cumulatively to the other principles regulated in Article 5, paragraph one - must satisfy at least one of the legal grounds conclusively defined in Article 6, paragraph one, GDPR (see judgment of November 24, 2011, C‑468/10 and C‑469/10, EU:C:2011:777, and repeatedly in the judgment of December 11, 2019 C-708/17 ECLI:EU:C:2019:1064, and most recently VwGH of March 6, 2024 Ro 2021/04/0030-4 to 0031-5, para. 50 with reference to ECJ of June 22, 2023, C-579/21 J.M. para. 62). In this specific case, there is no evidence that the party involved has (implied) consented to the data processing or that the vital interests of the party involved are affected. Therefore, only processing based on Article 6, Paragraph 1, Letter f, GDPR (overriding legitimate interests of the complainant) is possible.In this specific case, there is no evidence that the party involved has (implied) consented to the data processing or that the vital interests of the party involved are affected. Therefore, only processing based on Article 6, Paragraph 1, Letter f, GDPR (overriding legitimate interests of the complainant) is possible. The processing of personal data is permitted, among other things, in accordance with Article 6, Paragraph 1, Letter f, GDPR if it is necessary to protect the legitimate interests of the controller or a third party. If the complainant now claims that the data processing in question is in his legitimate interest, this is not correct. The processing of personal data is permissible under Article 6, paragraph one, letter f, GDPR, among other things, if it is necessary to protect the legitimate interests of the controller or a third party. If the complainant now claims that the data processing in question is in his legitimate interest, this is not correct. A case-by-case balancing of interests must be carried out, in which the legitimate interests of the controller or a third party for the processing must be compared with the interests or fundamental rights and freedoms of the data subject which require the protection of personal data. In doing so, the interests of the controller and of third parties, on the one hand, and the interests, rights and expectations of the data subject, on the other hand, must be taken into account (Recital 47 GDPR). In the course of this balancing of interests, the following conditions must be met cumulatively: (i) existence of a legitimate interest, (ii) necessity of processing the personal data in question in order to pursue this interest, (iii) no outweighing of the fundamental rights and freedoms of the data subject (cf. Jahnel, Commentary on the General Data Protection Regulation Art. 6 GDPR Rz 71 [as of 1.12.2020, rdb.at]). A case-by-case balancing of interests must be carried out in which the legitimate interests of the controller or a third party for the processing must be compared with the interests or fundamental rights and freedoms of the data subject which require the protection of personal data. In doing so, the interests of the controller and of third parties, on the one hand, and the interests, rights and expectations of the data subject, on the other hand, must be taken into account (Recital 47 GDPR). In the course of this balancing of interests, the following conditions must be met cumulatively: (i) existence of a legitimate interest, (ii) necessity of processing the personal data in question in order to pursue this interest, (iii) no outweighing of the fundamental rights and freedoms of the data subject (cf. Jahnel, Commentary on the General Data Protection Regulation Article 6, GDPR Rz 71 [as of December 1, 2020, rdb.at]). The legitimate interest of the complainant as property management lies in carrying out the property management in the interests of its client. In its complaint against the decision, the complainant states in summary that the party involved, as the owner's representative, has a duty to disclose the letter to the other owners because the data processing was necessary in connection with the decision to repair the facade. The complainant's legitimate interest in processing data is based on the one hand on exercising her recognized profession and on the other hand on fulfilling her mandate (specifically: making a decision on facade repairs) for the client (homeowners' association). In view of this, data processing to this extent of disclosing the entire letter to an unspecified public cannot be justified, especially to the co-participating party, because data processing to this extent was not necessary. In particular, it would have been sufficient to answer the questions raised anonymously to fulfill the purpose. The data processing that is the subject of the proceedings is also not necessary for the exercise of the property management business. The posting of the questions from the co-participating party's representative to the complainant was therefore not based on an overriding legitimate interest compared to the co-participating party's non-use of this data. 3.3.2.6. According to the case-law of the Court of Justice, any processing of personal data must comply with the principles for the processing of data set out in Article 5(1) of the GDPR and meet the conditions for lawfulness of the processing set out in Article 6 leg cit (see, inter alia, judgments of the ECJ of 6 October 2020, La Quadrature du Net and Others, C‑511/18, C‑512/18 and C‑520/18, EU:C:2020:791, paragraph 208; of 22 June 2021, Latvijas Republikas Saeima (Penalty points), C‑439/19, EU:C:2021:504, paragraph 96; and of 20 October 2022, Digi, C‑77/21, EU:C:2022:805, Paragraphs 49 and 56).3.3.2.6. According to the case-law of the Court, any processing of personal data must comply with the principles for data processing set out in Article 5(1) of the GDPR and satisfy the conditions for lawfulness of processing set out in Article 6, leg cit. see, inter alia, Judgments of the ECJ of 6 October 2020, La Quadrature du Net and Others, C‑511/18, C‑512/18 and C‑520/18, EU:C:2020:791, para. 208, of 22 June 2021, Latvijas Republikas Saeima (Penalty points), C‑439/19, EU:C:2021:504, para. 96, and of 20 October 2022, Digi, C‑77/21, EU:C:2022:805, paras. 49 and 56). Since the data processing was not based on a justification, the decision had to be taken in accordance with the judgment. 3.4. According to Section 24 Paragraph 1 of the Administrative Court Act (VwGVG), the administrative court must hold a public oral hearing upon request or, if it deems this necessary, of its own motion.3.4. According to Paragraph 24, Paragraph 1 of the Administrative Court Act (VwGVG), the administrative court must hold a public oral hearing upon request or, if it deems this necessary, of its own motion. According to Section 24 Paragraph 4 of the Administrative Court Act (VwGVG), the administrative court can refrain from holding a hearing, regardless of a party's request, unless federal or state law provides otherwise, if the files show that the oral discussion is unlikely to provide further clarification of the legal matter and neither Article 6 Paragraph 1 of the ECHR nor Article 47 of the Charter of Fundamental Rights preclude the omission of the hearing. According to paragraph 24, paragraph 4, VwGVG, the administrative court can – unless otherwise provided by federal or state law – refrain from holding a hearing regardless of a party's application if the files show that the oral discussion is unlikely to provide any further clarification of the legal matter and if neither Article 6, paragraph 1, ECHR nor Article 47, GRC stand in the way of dispensing with the hearing. In the present case, the omission of an oral hearing can be based on the fact that the facts were clarified from the files. The Federal Administrative Court had to rule exclusively on a legal question (cf. ECHR 20.06.2013, Appl. No. 24510/06, Abdulgadirov/AZE, para. 34ff). According to the case law of the Constitutional Court, an oral hearing may be omitted if the facts are undisputed and the legal question is not particularly complex (VfSlg. 17.597/2005; VfSlg. 17.855/2006; most recently VfGH 18.06.2012, B 155/12). In the present case, the omission of an oral hearing can be based on the fact that the facts were clear from the files. The Federal Administrative Court had to rule exclusively on a legal question (cf. ECHR 20.06.2013, Appl. No. 24510/06, Abdulgadirov/AZE, para. 34ff). According to the case law of the Constitutional Court, an oral hearing can be omitted if the facts are undisputed and the legal question is not particularly complex (VfSlg. 17.597/2005; VfSlg. 17.855/2006; most recently VfGH 18.06.2012, B 155/12). According to Section 24, Paragraph 1 and Paragraph 4 of the Administrative Court Constitution Act, an oral hearing was therefore not required.According to Section 24, Paragraph 1 and Paragraph 4 of the Administrative Court Constitution Act, an oral hearing was therefore not required. 3.5. On B) Inadmissibility of the appeal: According to Section 25a, Paragraph 1 of the Administrative Court Constitution Act, the administrative court must state in its ruling or decision whether the appeal is admissible in accordance with Article 133, Paragraph 4 of the Federal Constitution Act. The ruling must be briefly justified. According to paragraph 25a, paragraph one, VwGG, the administrative court must state in its ruling or decision whether the appeal is admissible according to Article 133, paragraph 4, B-VG. The ruling must be briefly justified. The appeal is not admissible according to Article 133, paragraph 4, B-VG because the decision does not depend on the solution of a legal question that is of fundamental importance. The decision in question does not deviate from the previous case law of the Administrative Court, nor is there a lack of case law; furthermore, the present case law of the Administrative Court cannot be judged as inconsistent. There are also no other indications of a fundamental importance of the legal question to be resolved.The appeal is not admissible according to Article 133, paragraph 4, B-VG because the decision does not depend on the solution of a legal question that is of fundamental importance. The decision in question does not deviate from the previous case law of the Administrative Court, nor is there a lack of case law; Furthermore, the present case law of the Administrative Court cannot be considered inconsistent. There are also no other indications of a fundamental importance of the legal issue to be resolved.