DSB (Austria) - 2020-0.349.984

DSB - DSB-D205.023
Authority: DSB (Austria)
Jurisdiction: Austria
Relevant Law: Article 4(2) GDPR
Article 5(1)(f) GDPR
Article 6(1)(c) GDPR
Article 6(1)(f) GDPR
Article 13 GDPR
Article 51(1) GDPR
Article 57(1)(f) GDPR
Article 77(1) GDPR
§ 1(1) DSG (Datenschutzgesetz)
§ 1(2) DSG (Datenschutzgesetz)
§ 18(1) DSG (Datenschutzgesetz)
§ 24(1) DSG (Datenschutzgesetz)
§ 24(5) DSG (Datenschutzgesetz)
§ 3(4) PMG (Postmarktgesetz)
§ 3(12) PMG (Postmarktgesetz)
§ 12 PMG (Postmarktgesetz)
§ 17 PMG (Postmarktgesetz)
§ 20 PMG (Postmarktgesetz)
Type: Complaint
Outcome: Rejected
Started:
Decided: 26.06.2020
Published:
Fine: None
Parties: n/a
National Case Number/Name: DSB-D205.023
European Case Law Identifier: ECLI:AT:DSB:2020:2020.0.349.984
Appeal: n/a
Original Language(s): German
Original Source: Rechtsinformationssystem des Bundes (in DE)
Initial Contributor: Agnieszka Rapcewicz

The Austrian DPA held that a post office making a copy of a recipient's identity card does not infringe the complainant's right to privacy, and that the post office has a legitimate interest in processing the personal data contained in the identity document to safeguard or defend its legal claims.

English Summary

Facts

The complainant went to a post office to collect a letter addressed to him. The post office employee informed him that the letter had not been delivered to him, that it had been left at that post office, and that a notice (the so-called “yellow slip”) had been left for the complainant. This was a non-official, recommended (with a take-over certificate) registered letter. The post office clerk asked the complainant to show a photo identity document in order to collect the letter. The complainant showed his identity card. The post office employee then electronically recorded (using a scanning device) the following identity card data: type of ID card, ID card number, issuing authority, date of birth and the corresponding name. The data was stored for 6 months. After the retention period expired, the data in question were deleted. However, no copy of the ID document itself was made. The complainant alleged that the post office infringed confidentiality obligations by making a copy of his identity card. The complainant pointed out that even the general terms and conditions of the Post Office, in the event of doubts as to the identity of a person, refer to the presentation of a document and not to data collection. That is why he lodged a complaint with the supervisory authority.

Dispute

Was the complainant's right to privacy infringed when a postal worker electronically recorded and saved the complainant's identity card data as he collected his registered letter at the post office?

Holding

The DPA rejected the complaint. It held that a post office making a copy of a recipient's identity card does not infringe the complainant's right to privacy, and that the post office has a legitimate interest in processing the personal data contained in the identity document to safeguard or defend its legal claims.

Comment

The DPA examined whether the provisions of the PMG (Postmarktgesetz) may create a legal obligation for the Post Office to process personal data under Article 6(1)(c). The DPA pointed out that the national law stipulates the need to confirm receipt or delivery of the consignment. However, it does not say anything about the recording or storage of personal (ID) data. The law does not impose any legal obligation to process personal data. Moreover, the DPA noted that even the respondent's General Terms and Conditions cannot constitute a legal obligation due to the lack of substantive legal quality. Therefore, the scanning and storage of the complainant's identity document cannot be based on the PMG provisions in conjunction with Article 6(1)(c).

However, the supervisory authority considered that the post office has a legitimate interest in processing the personal data contained in the identity document. The defendant might have been exposed to warranty claims and/or claims for damages by the sender, and the processing was therefore necessary to safeguard or defend its legal claims, which constitutes a legitimate interest. Furthermore, the DPA considered that it was justified to keep a copy of the document, because it could be used to prove that the data had been handed over to the correct recipient in the event of a dispute. The supervisory authority stressed that the reasonable expectations of the complainant were also to be taken into account, i.e. in particular whether he could reasonably foresee, at the time of the collection of the identification data and in view of the circumstances under which it was carried out, that processing for this purpose might possibly take place. The DPA found that the collection and storage of identification data for the purpose of defending legal claims relating to postal items is within the scope of general life experience and was in this respect also easily foreseeable by the complainant.

What is more, in the DPA's opinion the categories of data processed by the respondent are in no way excessive and the storage period of six months is in no way to be regarded as disproportionate.

In light of the above, the DPA came to the conclusion that the legitimate interests of the respondent outweighed the fundamental rights and freedoms of the complainant and that the processing was lawfully carried out on the basis of "legitimate interests" pursuant to Article 6(1)(f).

The complaint was therefore dismissed.



English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.



Decisive authority
Data protection authority


Decision date
06/26/2020


Business number
2020-0.349.984


Appeal at the BVwG / VwGH / VfGH
This decision is final.




text
GZ: 2020-0.349.984 of June 26, 2020 (case number: DSB-D205.023)

[Note processor: names and companies, legal forms and product names, addresses (incl. URLs, IP and e-mail addresses), file numbers (and the like), etc., as well as their initials and abbreviations can be shortened and / or changed for reasons of pseudonymisation. Obvious spelling, grammar, and punctuation errors have been corrected.
The respondent's company was not pseudonymized here because, according to the reasons for the decision, the universal service operator was involved in this role in accordance with Section 12 (1) PMG, and the respondent is listed as such in the cited law. A meaningful pseudonymization was also not possible due to multiple references to the business activity of the Respondent as a universal service operator in the matter (e.g. registered letter, "yellow note"). However, the interest in secrecy of the respondent who won the proceedings, whose actions were found to be lawful, does not outweigh the public interest in the publication of the decision, as required by law in Section 23 (2) DSG.]

NOTIFICATION
SPEECH
The data protection authority decides on the data protection complaint by Gustav A *** (complainant) of April 17, 2019 against Österreichische Post AG (respondent) due to violation of the right to secrecy as follows:
- The complaint is dismissed as unsubstantiated.
Legal basis: Art. 4 no. 2, Art. 5 para. 1 lit. f, Art. 6 Para. 1 lit. c and lit. f, Art. 13, Art. 51 Para. 1, Art. 57 Para. 1 lit. f and Art. 77 Para. 1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter: GDPR), ABl. No. L 119 of 4.5.2016 p. 1; §§ 1 Paragraph 1 and Paragraph 2, 18 Paragraph 1 and 24 Paragraph 1 and Paragraph 5 of the Data Protection Act (DSG), Federal Law Gazette I No. 165/1999 as amended; § 3 Z 4 and Z 12, § 12, § 17, § 20 of the Postal Market Act (PMG), Federal Law Gazette I No. 123/2009 as amended;

REASON
A. Arguments of the parties and course of the procedure
1. With the preliminary filing of April 17, 2019, repeated on June 23, 2019 and July 26, 2019, the complainant alleged a violation of the right to secrecy and a violation of the information obligations by the respondent.
The alleged breach of the duty to provide information is reported in a separate procedure for reference number DSB-D205.246.
2. With regard to the alleged breach of the right to secrecy, the complainant summarized the following:
The complainant had corrected a letter addressed to him by means of a so-called "yellow note" on March 29, 2019 in a branch of the respondent. In the course of this, an employee of the respondent requested that the complainant be presented with an ID, which was also presented by the complainant. As a result, however, the employee made a copy against his will and without his permission. The ID card was placed on a scanner and the data was recorded electronically. The complainant further explains that even in the general terms and conditions of the respondent ("AGB-Brief National") under point 3.5.2 there is only talk of a submission in case of doubt of identity, and not of data collection.
3. With the settlement of July 22, 2019 (GZ: DSB-D205.023 / 0001-DSB-2019), the data protection authority requested the respondent to comment.
4. With the submission dated August 20, 2019, the Respondent commented as follows:
It is correct that the complainant repaired a returned (= with acceptance note) registered mail in a branch of the respondent because he was not found at the time of the attempted delivery. He was therefore informed by means of a “yellow slip of paper” about the attempted delivery and the deposit of the shipment and about the need to present an official photo ID when removing the shipment. The notification of deposit also contains a reference to the data protection information of the respondent, which in particular also provides information on the processing of ID data.
When the complainant rectified the consignment, an employee of the respondent asked the complainant to present a photo ID and, as a result, automatically recorded the specific ID data, as is usual when a person is not personally known to the employee. A scanner is used to record the ID data, which only reads out specific data from the respective ID, namely ID type, ID number, issuing authority and date of birth as well as the corresponding name - a copy is not made. The complainant also acknowledged acceptance of the registered mail on the.
The criticized processing of the ID data is necessary to fulfill a legal obligation to which the respondent as the person responsible is subject (Art. 6 Para. 1 lit. c GDPR): According to § 3 Z 12 PMG, the acceptance of registered mail to the correct recipient must be acknowledged. The handover to the right person - if this is not known personally to the respondent - is only possible as part of an identification / authentication process to be carried out, i.e. by presenting an official photo ID. The Respondent had issued general terms and conditions (in particular "AGB Brief") in accordance with § 20 PMG, which were also approved by the regulatory authority. This also results in the need for a confirmation of acceptance and identification (points 3.3 and 3.5.2 of the General Terms and Conditions for letters nationally and point 4.1 of the product and price list ("PVV") for return receipt letters, which also include registered mail). These documents (GTC and PVV) show that the handover of a registered item is only permitted after prior identification or authentication. The respondent had collected the identification data for the purpose of identification or authentication and, consequently, for any processing of potential inquiries (point 3.10 of the national letter terms and conditions) and any warranty cases (point 4 of the national letter terms and conditions), i.e. for the assertion, exercise or defense of Legal claims and also to implement the contractual relationship with the sender are kept for 6 months and then deleted. The fact that the Respondent is exposed to possible warranty and / or claims for damages if a shipment is not properly handed over, in particular to the correct recipient, gives rise to a processing and storage authorization. It must therefore be possible to defend oneself at least within the statutory warranty period. 
Also in the context of any proceedings before the data protection authority, the respondent must be able to prove freely, for example that she has fulfilled her duty of care and verifiably checked the identity of the transferee. The respondent relied on the deadline set out in Section 24 (4) DSG and a more detailed decision by the data protection authority regarding the admissibility of a copy of an identity card for identity verification.
Furthermore, the processing of the ID data to safeguard the legitimate interests of the respondent and the respective sender in the sense of Art. 6 para. 1 lit. f GDPR is required to ensure correct allocation to the actually addressed recipient and to be able to provide the sender with proof. This is the only way to prevent any abuse. The interests of the respondent and those of her contractual partner would outweigh the interests or fundamental rights and freedoms of the complainant. There was no noticeable impairment of the complainant, since only the necessary data would be stored, which is also protected according to § 5 PMG and by extensive technical and organizational measures.
The Respondent also stated that she had complied with her information obligations and referred to the “data protection information”, which can be found on her website.
5. With the settlement dated September 19, 2019 (GZ: DSB-D205.023 / 0003-DSB / 2019), the data protection authority granted the complainant a hearing and the opportunity to comment.
6. No further submissions were made on the part of the complainant.
B. Subject matter of the complaint
The subject of the complaint is the question of whether the respondent has violated the complainant's right to secrecy in that an employee of the respondent electronically recorded and saved the complainant's identification data when collecting a mail item (registered mail).
The alleged violation of the information obligations is dealt with separately in the proceedings relating to reference number DSB-D205.246 and was therefore not the subject of the complaint in the present proceedings.
C. Factual Findings
1. On March 29, 2019, the complainant removed a letter from the (post) branch ****, **** XY, *** - Strasse *. The respondent had informed the complainant about an unsuccessful delivery attempt and the subsequent deposit in the post office mentioned by means of a notification of a deposited item (“yellow slip”) at a point in time that could not be determined in detail. This was a non-official, recommended (with transfer note) registered mail.
2. After being asked to do so by an employee of the respondent, the complainant presented his official photo ID in the course of repairing the shipment. Subsequently, the ID data: ID type, ID number, issuing authority, date of birth and the corresponding name were electronically recorded using a scanner and saved for 6 months. After the retention period expired, the relevant data was deleted. A copy of the identity document itself, however, was not made.
Assessment of evidence: The findings result from consistent submissions of the parties, in particular the complainant's submission of April 17, 2019 and the respondent's submission of August 20, 2019.
3. The following General Terms and Conditions of the Respondent were in effect on March 29, 2019:


Evidence assessment: The findings result from the respondent's submission of August 20, 2019 and remained undisputed by the complainant.
D. In legal terms it follows:
The complainant believes the respondent has violated confidentiality obligations by making a copy of the ID (recording with a scanner and saving the ID data).
As a result, the statements are not justified:
D.1. On Art. 6 Para. 1 lit. c GDPR:
According to Section 1 (1) DSG, everyone, especially with regard to respect for their private and family life, has the right to confidentiality of their personal data, provided that there is a legitimate interest in it.
Pursuant to Section 1 (2) DSG, restrictions on the right to confidentiality are only permitted in order to safeguard the overriding legitimate interests of another, insofar as the use of personal data is not in the vital interest of the person concerned or with his consent.
The data processing in question was not carried out in the complainant's vital interest, nor was consent given, which is why the legality had to be checked on the basis of the safeguarding of overriding legitimate interests: According to the case law of the data protection authority, there is no violation of confidentiality obligations, in particular if the implementation provisions are violated According to Section 4 (1) GDPR, the rules of the GDPR and the principles anchored therein have not been violated (see the decision of October 31, 2018, GZ DSB-D123.076 / 0003-DSB / 2018).
According to Art. 5 Para. 1 lit. b GDPR, personal data must be collected for specified, clear and legitimate purposes and may not be further processed in a way that is incompatible with these purposes ("earmarking"). The processing of personal data is justified, among other things, if it is necessary to fulfill a legal obligation to which the person responsible is subject (Art. 6 Para. 1 lit. c GDPR) or to safeguard the legitimate interests of the person responsible or a third party unless the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data, prevail (Art. 6 Para. 1 lit. f GDPR).
In this context, Art. 6 Para. 1 lit. c GDPR in conjunction with the PMG and Art. 6 Para. 1 lit. f GDPR are relevant:
The Respondent also correctly relied on the legal obligations of the PMG:
Section 3 no. 4 and no. 12 PMG including the heading reads as follows (emphasis by the data protection authority):
Definitions
§ 3.
For the purposes of this federal law:
[...]
4. “Universal service operator” one or more named universal service operators in accordance with Section 12 Paragraph 1 or one or more named postal service providers in accordance with Section 12 Paragraph 2;
[...]
12. "Registered item" means a piece of mail that is insured by the postal service provider against loss, theft or damage and for which the sender, if necessary at his or her request, provides a confirmation of receipt of the item and / or its delivery to the recipient or the recipient is granted;

Section 12 PMG including the heading reads as follows (emphasis by the data protection authority):
Universal service operator
§ 12.
(1) With the entry into force of this federal act, Austrian Post will be named as the universal service operator.
[...]

Section 20 PMG including the heading reads as follows (emphasis by the data protection authority):
General terms and conditions of the universal service provider
§ 20.
(1) The universal service operator shall issue general terms and conditions in accordance with the provisions of this Act and the ordinances issued on the basis of this Act for services in the universal service area.
[...]
Under a legal obligation according to Art 6 para. 1 lit. c GDPR is in any case an obligation based on objective law (Frenzel in Paal / Pauly, General Data Protection Regulation Art. 6 Rz. 16), which can arise in particular from a legal basis in member states or Union law and which also relates directly to data processing (Kastelitz / Hötzendorfer / Tschohl in Knyrim, DatKomm Art 6 GDPR margin no.39).
As a universal service operator within the meaning of Section 3 no. 4 in conjunction with Section 12 (1) PMG, the Respondent is subject to the provisions of the PMG and is therefore to be seen as the addressee of the legal obligations resulting from this law.
According to the constant jurisprudence of the Constitutional Court on the quality of an encroachment norm within the meaning of Section 1 (2) DSG (2000), it must “be sufficiently precise, i.e. predictable for everyone, to specify the conditions under which the determination or use of the data for the performance of specific administrative tasks is permitted. The respective legislator must therefore, within the meaning of Section 1 (2) DSG 2000, provide for a material-specific regulation in the sense that the cases of permissible interference with the fundamental right to data protection are specified and limited” (VfSlg. 18.146 / 2007).
The data protection authority does not overlook the fact that this jurisprudence refers to an interference norm that is intended to legitimize official action, which is not the case here.
Nevertheless, this jurisprudence can also apply accordingly if those responsible in the private sector (Section 26 Paragraph 4 DSG) rely on an authorization norm within the meaning of Article 6 Paragraph 1 lit. c GDPR. This also results from Art. 5 Para. 1 lit. a GDPR, according to which personal data are processed in a lawful manner, in good faith and in a manner that is understandable for the person concerned.
It must therefore be checked whether the provisions of the PMG create a legal obligation to process personal data according to Art. 6 Para. 1 lit. c GDPR.
§ 3 Z 12 PMG standardizes the need for confirmation of receipt or delivery of the shipment. On the other hand, § 3 Z 12 PMG does not make any statement about the mere determination, i.e. the additional collection or storage of personal (ID) data. This also applies to Section 20 (1) PMG, which only standardizes the constitution of general terms and conditions, but not a legal obligation to process personal data.
It should also be noted that the Respondent's General Terms and Conditions cannot constitute a legal obligation due to a lack of material legal quality.
As a result, the provisions of the PMG put forward by the Respondent in conjunction with Art. 6 Para. 1 lit. c GDPR do not constitute a legal basis for scanning and saving the complainant's ID.
D.2. To safeguard legitimate interests (Art. 6 Para. 1 lit.f GDPR):
As a result, it must be checked whether the processing of the complainant's personal data was necessary to safeguard the legitimate interests of the respondent or a third party within the meaning of Article 6 (1) lit. f GDPR.
According to the case law of the ECJ, processing on the legal basis of “legitimate interest” is permissible under three cumulative conditions: i) Perception of a legitimate interest by the person responsible or the third party or parties to whom the data is transmitted, ii) Requirement of processing personal data for the realization of the legitimate interest and iii) no predominance of the fundamental rights and freedoms of the person affected by data protection over the perceived legitimate interest (see with regard to Directive 95/46/EC the judgment of the ECJ of December 11, 2019, C-708/18 [TK] margin no. 40 with further references).
i) Legitimate interests of those responsible or a third party
It must first be checked whether the respondent or a third party had a legitimate interest in processing the complainant's ID data:
In addition, the Respondent submitted, among other things, that it could possibly be exposed to warranty and / or claims for damages by the sender and that the processing was therefore necessary to safeguard or defend its legal claims.
It should be noted that the Respondent's interest in being able to adequately defend itself in the event of a legal dispute, at least within the statutory warranty period, and to be able to provide evidence of the lawful transfer to the correct person, was to be regarded as justified (see Kastelitz / Hötzendorfer / Tschohl in Knyrim, DatKomm Art 6 GDPR margin no. 54).
Against this background, the existence of a legitimate interest of the respondent in the processing of the identity card data in question was to be affirmed.
ii) Necessity of data processing
In addition, it should also be recognized that the processing of the complainant's identification data could serve to prove the transfer to the correct recipient in the event of a legal dispute.
iii) No predominance of the fundamental rights and freedoms of the data subject
Finally, the respondent's established interest in data processing had to be compared with the complainant's claim to secrecy and a possible predominance to be checked.
In doing so, the reasonable expectations of the complainant must also be taken into account, i.e. in particular whether he could reasonably foresee at the time the identification data was collected and in view of the circumstances under which it was carried out that processing for this purpose might possibly take place (cf. Recital 47 of the GDPR). The collection and storage of ID data for the purpose of defending legal claims regarding mail is in any case within general life experience and was therefore easily foreseeable for the complainant.
In order to weigh up specific interests, it should also be noted that there are no special categories of personal data pursuant to Art. 9 Para. 1 GDPR, no criminally relevant data pursuant to Art. 10 GDPR and no other personal data that were processed with a particularly intensive interference with the fundamental right related to secrecy.
The data categories processed by the Respondent are by no means excessive and the storage period of six months is in no way to be regarded as disproportionate. Also with regard to the case law of the ECJ, no excessive data processing can be seen here: the processing was moreover to the absolute minimum, both with regard to the scope of the processed data and with regard to the storage duration (see for example ECJ December 11, 2014, C-212/13 , Ryneš), as the Respondent saved the ID data for only six months and therefore only for a non-excessive period that was clearly defined in advance.
D.3 Result:
Against this background, the data protection authority comes to the conclusion that the legitimate interests of the respondent outweigh the fundamental rights and freedoms of the complainant and that the processing took place lawfully on the basis of "legitimate interests" according to Art. 6 para. 1 lit. f GDPR.
The complaint had to be dismissed according to the ruling.


European Case Law Identifier
ECLI:AT:DSB:2020:2020.0.349.984