DSB (Austria) - 2021-0.187.619

From GDPRhub
DSB - 2021-0.187.619
LogoAT.png
Authority: DSB (Austria)
Jurisdiction: Austria
Relevant Law: Article 6(1)(f) GDPR
Article 17(1)(d) GDPR
Article 17(3)(a) GDPR
Type: Complaint
Outcome: Partly Upheld
Started:
Decided: 07.04.2022
Published: 26.04.2022
Fine: n/a
Parties: n/a
National Case Number/Name: 2021-0.187.619
European Case Law Identifier: AT:DSB:2021:2021.0.187.619
Appeal: Not appealed
Original Language(s): German
Original Source: RIS (in DE)
Initial Contributor: Fabian Dechent

The Austrian DPA held that the operator of a search engine must delete a link to a database which contains the home address of the data subject if the latter fears for his physical integrity after receiving a death threat.

English Summary

Facts

The data subject is a court-certified expert and as such can be found in the publicly accessible database of court experts of the Austrian Federal Minister of Justice. The controller operates an online search engine and has offices in Austria, Ireland and the USA, which are all separate entities.

The data subject posted an analytical article concerning historical events in the Balkan region on his LinkedIn page and subsequently received death threats from unknown persons. When entering the name of the data subject in the controller’s search engine, a link to the database of court experts appeared, where the data subjects residential address was listed. The data subject requested the Austrian entity of the search engine to delete the link via an online form. The Austrian entity forwarded the request to the US entity claiming that it was neither legally authorised nor factually able to process the deletion request. The US entity refused to delete the link arguing that the residential address is part of a public database by the Austrian Judiciary and, therefore, the public interest to access the database outweighs the data subjects interest to be forgotten.

Subsequently, the data subject lodged a complaint with the Austrian data protection authority (Datenschutzbehörde - DSB) against the US and Austrian entity. During the proceedings the Austrian DPA asked the Irish DPA whether the Irish entity was responsible for deletion requests which the Irish DPA denied, pointing to the US entity as being responsible for such requests.

Holding

The DSB held that the US entity of the controller had to delete the link to the database of court experts within two weeks pursuant to Article 17(1)(d) GDPR because the processing was unlawful under Article 6 GDPR and the exception of Article 17(3)(a) GDPR did not apply.

The DSB reasoned that Article 6(1)(f) GDPR and Article 17(3)(a) GDPR did not apply because the interest of the data subject to physical integrity outweighed the legitimate interest of the controller to operate an internet search engine as well as the interest of the public to use the search engine. The DSB rejected the argument of the controller that the processing was lawful because the database was publicly available. It found that the database's purpose was to make it easier for judges to find a suitable expert witness in court proceedings and that this purpose could also be fulfilled without the search engine indexing the database, since judges use the database directly without using the search engine first. The DSB also rejected the argument that the data subject should have directly requested deletion from the database instead of de-referencing from the search engine. It found that this option was not feasible since the data subject would no longer be considered as an expert witness in court proceedings and, therefore, could not pursue his profession.

With regard to the complaint against the Austrian entity, the DSB found that the online form, witch the data subject used to request deletion, made it clear that the request will be conveyed to the US entity. The DSB, therefore, concluded that by using the online form the data subject only requested deletion from the US entity and not from the Austrian entity so it rejected the complaint as unfounded and did not investigate further.

Comment

Regarding the Austrian entity, it seems that the DSB wanted to reject the complaint with as less effort as possible. However, Article 17 GDPR obliges the controller to delete the data without a request of the data subject as the second half of Article 17(1) GDPR clearly states that the controller has an "obligation" to erase the data. Therefore, rejecting the complaint because the data subject did not request erasure from the Austrian entity was legally incorrect. The Austrian entity was actually obliged to delete the data if it would have been considered the controller and would have been able to delete it.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

text

GZ: 2021-0.187.619 from April 7, 2021 (case number: DSB-D124.2575)

[Editor's note: Names and companies, legal forms and product names, addresses (including URLs, IP and e-mail addresses), file numbers (and the like), etc., as well as their initials and abbreviations may be abbreviated and/or changed for reasons of pseudonymization be. Corrected obvious spelling, grammar, and punctuation errors.]

NOTICE

SAY

The data protection authority decides on the data protection complaint of DI Ahmed A*** (complainant), represented by B*** & Partner Rechtsanwälte, ***straße *4, **** U***, of August 21, 2020, improved on September 18, 2020, against 1. N***, Inc., ****, United States of America (first respondent) and 2. N*** Austria GmbH, ***straße *5/**/2 *, **** I***, Austria (second respondent) for violation of the right to erasure as follows:

1. The complaint against the first respondent is upheld and it is found that the first respondent violated the complainant's right to erasure by not complying with the complainant's request for erasure of March 19, 2020 until the conclusion of the proceedings before the data protection authority Has.

2. The first respondent is instructed, immediately, but no later than within a period of two weeks in other cases of execution, the URL https://sdgliste.justiz.gv.at/edikte/sv/svliste.nsf/1**** and the URL https://edikte.justiz.gv.at/edikte/sv/svliste.nsf/2**** from the N*** search index in connection with a search for the names “Ahmed Á***” and “ Ahmed A***" [Editor's note: These are two different spellings of the complainant's name].

3. The complaint against the second respondent is dismissed as unfounded.

Legal basis: Article 2 paragraph 1, Article 3 paragraph 2 letter b, Article 6 paragraph 1 letter f, Article 17 paragraph 1 and paragraph 3, Article 51 paragraph 1, Article 57 Paragraph 1 letter f, Article 58 paragraph 2 letter g and Article 77 paragraph 1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter: GDPR), OJ No. L 119 of 4.5 .2016 p. 1; Sections 18 (1) and 24 (1) and (5) of the Data Protection Act (DSG), Federal Law Gazette I No. 165/1999 as amended; Section 3b (1) of the Experts and Interpreters Act (SDG), Federal Law Gazette No. 137/1975 as amended.

REASON

A. Submissions of the parties and course of the proceedings

1. With a complaint dated August 21, 2020, improved with a submission dated September 18, 2020, the complainant submitted in summary that the second respondent had violated his right to erasure because she had not complied with a requested erasure. The complainant had in the past posted an analytical statement of facts [editor's note: the subject, concerning historical events in the Balkan region, has been removed in order to increase the pseudonymisation of the complainant's identity.] on his LinkedIn profile and subsequently by unknown persons a Threat to [Editor's note: language has been removed to increase the pseudonymization of the complainant's identity.]. The complainant therefore fears for his physical integrity. When the complainant's name was entered in N***'s search engine, a link to the Internet address "edikte.justiz.gv.at" appeared, where the complainant's home address was directly visible. The complainant therefore requested the deletion of the link on March 19, 2020, which was rejected by letter dated March 31, 2020. Based on the feared impairment of the complainant's physical integrity (murder threat), a significant endangerment of the person concerned was to be assumed. In terms of balancing interests, the protection of physical integrity should be given priority over other interests (e.g. the person responsible). The request for deletion is attached to the file.

2. In a statement dated October 27, 2020, the second respondent argued in summary that it was neither legally authorized nor factually able to process users' requests for deletion. The complainant's request for deletion was therefore forwarded to the first respondent.

3. In a statement dated November 18, 2020, the first respondent submitted (albeit without being asked by the data protection authority) that the "right to be forgotten" pursuant to Art Right to information is necessary (Art. 17 Para. 3 lit. a GDPR) or if this is necessary to fulfill a legal obligation of the person responsible (Art. 17 Para. 3 lit. b GDPR). The complainant was listed as a generally sworn and court-certified expert in connection with his work as [editor's note: profession removed to reinforce the pseudonymisation of the complainant's identity] in a publicly accessible database, which is part of the main website of the Austrian judiciary. There is a legal basis for this public list. The complainant's assertion that the publication posed a danger to his life and limb was unsubstantiated and therefore the public interest in access to legally legitimate information from an authority was to be given greater weight in the present case than the individual right to be forgotten. Since the complainant was still certified as an expert until the end of 2022, the information was up-to-date and relevant from the public's point of view. In addition, in this case the complainant has the option of having his entry removed directly from the body responsible for this database.

4. On 4 December 2020, the Data Protection Authority issued a request for assistance to the Irish Data Protection Authority (DPC) as to whether the First Respondent or N*** Ireland Limited has jurisdiction over requests to remove search engine results from N***. The Irish supervisory authority has stated that the first respondent has jurisdiction. The information from the Irish Data Protection Authority of 10 December 2020 was also sent to the complainant.

5. In a letter dated March 3, 2021, the complainant submitted in summary that the complaint was also directed against the first respondent and that the applications would be upheld.

B. Subject of Complaint

Based on the complainant's submissions, it follows that the subject of the complaint is the question of whether the respondents violated the complainant's right to erasure by not fully complying with the complainant's request for erasure from March 19, 2020 until the end of the proceedings before the data protection authority have corresponded.

C. Findings of Facts

1. The complainant is a court-certified expert and can be found as such in the publicly accessible database of court experts and court interpreters of the Federal Minister of Justice.

The complainant's entry is specifically as follows (formatting not reproduced 1:1):

[Editor's note: The complainant's entry in the list of court experts, which is reproduced here as a graphic file, cannot be pseudonymised with reasonable effort. It contains the name (including titles and academic degrees), year of birth, occupation, field of expertise as an expert, address, e-mail address and a telephone number of the complainant.]

When the complainant's name is entered via the N*** search engine, the link to the complainant's entry above appears on the first page of the N*** search results.

Specifically, the following N*** search result is displayed (formatting not reproduced 1:1):

[Editor's note: The result of a search using the N*** search engine, which is reproduced here as a graphic file, cannot be pseudonymised with reasonable effort. The first two links found are visible, the first leading to a social network, the second directly to the above entry of the complainant in the list of court experts.]

The N*** search engine is operated by the first respondent.

Evidence assessment: The findings are based on the corresponding statements of the complainant of August 21, 2020 and the statement of the first respondent of November 18, 2020. In addition, the data protection authority conducted official research in the form of an N*** search query (entering the name of the complainant in the N*** search engine) and in the form of a database query of the list for court experts and court interpreters (requested on April 7, 2021). The finding that the N*** search engine is operated by the first respondent results from the first respondent's statement of November 18, 2020.

2. The complainant published a post on the Z*** platform. In it he dealt with [Editor's note: the topic concerning historical events in the Balkan region has been removed in order to increase the pseudonymisation of the applicant's identity]. The applicant then received a threat from unknown persons.

Assessment of evidence: This finding results from the submissions of the complainant in his statement of August 21, 2020. The respondents have not expressly disputed this submission. There are no other indications to cast doubt on this argument.

3. On March 19, 2020, the complainant submitted the following application to the first respondent using an electronic sample application form from the first respondent (formatting not reproduced 1:1):

[Editor's note: The complainant's request for deletion, which is reproduced here as a graphic file, cannot be pseudonymised with reasonable effort. It contains the details of two URLs that should no longer be displayed, the name and email address of the complainant, the statement that he/she requested deletion on his/her own behalf, and the reason for unknown persons because of a website that has since been deleted -Postings to have been threatened by phone.]

The first respondent responded to the above-mentioned request by the complainant in a letter dated March 31, 2020 as follows (excerpt, formatting not reproduced 1:1):

[Editor's note: The reply letter reproduced here as a graphic file cannot be pseudonymised with justifiable effort. Under a reference number, it contains the message that the search results in question will not be blocked, among other things because the relevant content is made available to the public by an authority, the recommendation to contact those responsible for the relevant websites directly, and the note that a complaint to the "data protection authority of your country" is possible.]

Assessment of evidence: These findings result from the complainant's statement of September 18, 2020 and the enclosures submitted therein. The screenshots shown here can be found in Enclosure ./A. The finding that the complainant used N***'s request form to remove personal data stems from the consideration that N*** provides an electronic form for requests for removal of search engine results and the content of the complainant's request basically corresponds to the content of the electronic form. The N*** web form is available at: https://www.n***.com/*** (accessed 7 April 2021).

4. The above sample request form for the removal of personal data from N*** includes the following (excerpt, formatting not reproduced 1:1):

[Editor's note: The text reproduced here as a graphic file from the Respondent's website, which cannot be pseudonymised with reasonable effort, contains the information that the Respondent is "responsible for the processing of personal data used in the determination of search results in of the N*** search is performed".]

Evaluation of evidence: These findings result from official research by the data protection authority of the website https://www.n***.com/*** (accessed on April 7, 2021).

D. In legal terms it follows that:

2. Regarding point 1 (first respondent)

a) On the distribution of roles under data protection law

The first respondent processes the complainant's personal data within the meaning of Art. 4 Z 2 GDPR by recording it and then providing search results in the form of URLs that contain the data entered by the complainant. By automatically, continuously and systematically scouring the Internet for the information published there, the complainant collects personal data within the meaning of Art. 4 Z 1 GDPR, which it then reads out, stores in an organized manner on its servers and makes it available based on a search query. Since the first respondent thus decides on the purposes and means of the processing of the personal data, it is responsible within the meaning of Art. 4 Z 7 DSGVO (cf. the judgment of the ECJ of May 13, 2014 - C-131 /12).

A request for assistance from the Data Protection Authority and subsequent information from the Data Protection Authority of Ireland dated 10 December 2020 confirmed that the First Respondent (and not the Second Respondent or N*** Ireland Limited) is the data controller.

Finally, the first respondent has never disputed its responsibility for the data processing relevant here in the ongoing proceedings.

b) Right to erasure:

i) Legal bases

According to Article 17 (1) (d) GDPR, a data subject has the right, among other things, to demand that the person responsible delete personal data relating to them immediately if the personal data is being processed unlawfully.

According to Art. 17 Para. 3 lit. a GDPR, there is in Para. 1 leg. However, this does not apply if the data processing is necessary to exercise the right to freedom of expression and information.

As a result, the legitimate interests of the respondent to the first complaint (as the operator of the search engine) and third parties (the general public using the search engine) must be assessed within the meaning of Article 6(1)(f) GDPR and these must be compared with the interests and to weigh possible consequences for the complainant resulting from the processing in question.

ii) balancing of interests

The interests of the first respondent lie in operating an internet search engine and making it (or its search results) available to the general public (cf. the decision of January 15, 2019, GZ: DSB-D123.527/0004-DSB/ 2018, according to which the right to freedom of expression and freedom of information enshrined in Art. 11 EU-GRC or the right to freedom of expression enshrined in Art. 10 ECHR - in addition to the expression of opinions - also expressly includes the receipt and transmission of messages or protects ideas).

On the other hand, the complainant relies on the fact that he is exposed to an increased risk of his physical integrity and comparable facts due to the fact that it is easier to find his home address via a search with the respondent's search engine. This in particular against the background that the complainant has received a death threat in the recent past.

In its guidelines 5/2019 on the criteria of the right to be forgotten in cases relating to search engine entries, the European Data Protection Board stated in margin no. 13 that the "special situation" of a person must be taken into account when weighing up interests. As an example, the committee cites “disadvantage in private life”.

Even more explicit was the former Art 29 Working Party, which in its "Guidelines on the implementation of the Court of Justice of the European Union Judgment on ,Google Spain and Inc v. Agencia Española de Protección de Datos (AEPD) and Mario Costeja González' C-131/121" on page 13 as an important criterion in the context of the balancing of interests on the "risk for data subjects" associated with the search engine result.

In the case at hand, the data processing means that the complainant is exposed to an increased risk in terms of his physical integrity.

The Respondent's argument that the database of court experts and court interpreters is publicly accessible cannot be upheld:

Basically, it should be noted that Art. 8 EU-GRC and the GDPR - unlike § 1 Para. 1 DSG - do not exclude the protection of personal data due to their (permitted) general availability.

Pursuant to Section 3b (1) SDG, the purpose of the database to be set up by the Federal Minister of Justice is to enable a generally available query option for the appointment of court experts and court interpreters.

However, this purpose can also be easily achieved if the request for deletion of the complainant relevant here is fulfilled:

It can be assumed that judges do not use the search engine operated by the first respondent for careful research by court experts and court interpreters, but directly access the database of the Federal Minister of Justice. In addition, such a search is carried out precisely in order to find an expert whose name is still unknown - for example a civil engineer like the complainant - within a certain district.

Likewise, the Respondent's argument that the Complainant could arrange for his removal from the database cannot be upheld, since in this case he would no longer be considered as an expert by judges in the database research mentioned above, which in turn would significantly limit his Freedom of occupation according to Art. 15 EU-GRC or entrepreneurial freedom according to Art. 16 EU-GRC.

However, this argument also fails because the ECJ affirmed that the Respondent's obligation to delete data was independent of that of the operator of the original website. In other words: Just because no deletion was or was not requested on the original website, this does not mean that deletion in the result list of the search engine operated by the respondent is inadmissible (judgment of the ECJ of September 24, 2019, C-136/17 , margin nos. 62 to 64).

Due to his expert work, the complainant is not publicly known or even a person of public life.

It is true that unknown third parties could in principle research the complainant's home address without N***; However, this requires the additional knowledge that the complainant is entered in the above-mentioned database of the Federal Minister of Justice, which is why researching his residential address is considerably more difficult or even impossible without this additional knowledge.

Against the background of all these considerations, the interests of the complainant prevail, which is why the facts of Art. 17 (3) lit. a GDPR are not met.

This result also corresponds to the general assessment of the ECJ, according to which the right of the person concerned, protected by Art. 8 EU-GRC, generally outweighs the interest of internet users to access information from search engine results (cf. again the judgment of the ECJ of 24 September 2019, Rz 66 mwN).

There are no indications to deviate from this general assessment of the ECJ in the present case.

iii) Outcome

The first respondent wrongly failed to comply with the complainant's application of March 19, 2020.

2. Regarding point 2 (performance mandate)

The first respondent was therefore to be ordered to delete (or delist) the data pursuant to Art. 58 (2) (g) GDPR in conjunction with Section 24 (5) DSG.

A period of two weeks seems appropriate to delete two URLS as search engine results in connection with the name "Ahmed A***" or "Ahmed Á***".

3. Regarding point 3 (second respondent)

As is clear from the facts, the complainant directed the request for erasure pursuant to Art. 17 GDPR (only) against the first respondent, but not also against the second respondent.

In the electronic model form from N***, it was also clear to the complainant that the application was (only) sent to the first respondent.

The second respondent therefore did not have to deal with the complainant's request for deletion of March 19, 2020 and was not obliged to react within the meaning of Art. 12 (4) GDPR.

The complaint against the second respondent therefore proves to be unfounded for this reason alone, and further investigative steps with regard to the responsibility of the second respondent could therefore be omitted.

It was therefore to be decided accordingly.