DSB (Austria) - 2022-0.083.310

From GDPRhub
DSB - 2022-0.083.310
LogoAT.png
Authority: DSB (Austria)
Jurisdiction: Austria
Relevant Law: Article 2(2)(a) GDPR
Article 5(1)(b) GDPR
Article 6(1)(c) GDPR
Article 58(2)(f) GDPR
Type: Other
Outcome: n/a
Started:
Decided: 14.02.2022
Published:
Fine: n/a
Parties: Federal Minister of Finances
National Case Number/Name: 2022-0.083.310
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): German
Original Source: DSB (Austria) (in DE)
Initial Contributor: n/a

The Austrian DPA found that the Minister of Finances implementing instructions from a a parliamentary anti corruption committee falls within the scope of the GDPR.

English Summary

Facts

On 16 December 2021, the corruption inquiry committee ordered the Minister of Finances as a controller to disclose information regarding potential criminal financial proceedings initiated against an Austrian politician, as data subject.

On 24 January 2022, in an attempt to prevent such disclosure from happening, the data subject requested the Austrian DPA to issue a ban on the processing pursuant to Article 58(2)(f) GDPR. The data subject stated that the issue therein lay not in the transmission of information itself, but rather in the inquiry’s lack of confidentiality, citing past leaks to the media. Moreover, the data subject noted an absence of a legal basis for the processing of his personal data, claiming that this would constitute a violation against Article 5 GDPR and Article 6 GDPR.

The Federal Minister of Finances denied the competence of the DPA, relying on recent decisions stating that the GDPR does not cover core legislative activities as provided for in Article 2(2)(a) GDPR. He argued that in this case he did not act in his role as part of the executive branch, but rather on behalf of the legislative branch, acting as an auxiliary body thereof and being subject to submission to the parliament’s inquiry committee. Furthermore, the Federal Minister of Finances pointed out that the threat to confidentiality interests worthy of protection would arise only, if at all, in the sphere of the inquiry committee in parliament.

Holding

The DPA denied the Federal Minister of Finances’ claim to function solely on behalf of the legislative branch, as he is not obliged to submit to the inquiry commission in every case and thus retains his function as an organ of the executive branch. As a consequence, the DPA asserted to have the general competence of reviewing the actions of the Federal Minister of Finances under the GDPR.

However, the DPA nevertheless rejected the data subject’s request, stating that its role is limited to ex-post control. The DPA held that ex-ante control would lead to the DPA taking the place of the Federal Minister and compromising the functioning of the committee.

Finally, the DPA clarified that even if it were competent to provide ex-ante control, the data subjects’ request pursuant to Article 58(2)(f) GDPR would be rejected, as the data subject failed to demonstrate an immediate risk of data protection violations.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

text

GZ: 2022-0.083.310 from February 14, 2022 (procedure number: DSB-D124.0128/22)

[Editor's note: Names and companies, legal forms and product names, addresses (including URLs, IP and email addresses), file numbers (and the like), etc., as well as their initials and abbreviations may be abbreviated and/or changed for pseudonymization reasons be. Obvious spelling, grammar and punctuation errors have been corrected.]

NOTICE

SAYING

The data protection authority decides on the application in accordance with Section 22 DSG from Udo A*** (applicant), represented by W*** Rechtsanwälte GmbH, B***straße *4, *** S***, to prohibit processing of his personal data through the imminent transmission of information on financial criminal proceedings against him or against companies that were owned by him or in which he held executive functions, to the investigative committee regarding the clarification of corruption allegations against ÖVP government members (ÖVP Corruption Investigative Committee). the Federal Minister of Finance (respondent) as follows: The data protection authority decides on the application according to paragraph 22, DSG from Udo A*** (applicant), represented by W*** Rechtsanwälte GmbH, B***straße *4, * ** S***, to prohibit the processing of his personal data through the imminent transmission of information on financial criminal proceedings against him or against companies that were owned by him or in which he held executive functions, to the investigative committee regarding the clarification of corruption allegations against ÖVP government members (ÖVP Corruption Investigation Committee) against the Federal Minister of Finance (respondent) as follows:

   The application is rejected.

Legal basis: §§ 22 para. 1 and 4 of the Data Protection Act (DSG), Federal Law Gazette I No. 165/1999 as amended, Articles 18, 51, 57 and 58 of the General Data Protection Regulation (GDPR) in conjunction with §§ 56, 57 para. 1 and 58 of the General Administrative Procedure Act 1991 (AVG), BGBl for parliamentary committees of inquiry (VO-UA), BGBl. , 51, 57 and 58 of the General Data Protection Regulation (GDPR) in conjunction with paragraphs 56, 57 paragraph one, and 58 of the General Administrative Procedure Act 1991 (AVG), Federal Law Gazette No. 51 from 1991, as amended, Article 52 a, 53 and 138b of the Federal Constitutional Law (B-VG), Federal Law Gazette No. 1 from 1930, as amended, paragraph 25, the Rules of Procedure for Parliamentary Committees of Inquiry (VO-UA), Federal Law Gazette Roman One. No. 99 from 2014, as amended.

REASON

A. Submit

1. On January 24, 2022, the applicant submitted an application for the issuance of a mandate notice in accordance with Section 22 (4) DSG in conjunction with Section 57 (1) AVG and Article 58 (2) lit. f GDPR. On January 24, 2022, an application was made for the issuance of a mandate decision in accordance with paragraph 22, paragraph 4, DSG in conjunction with paragraph 57, paragraph one, AVG and Article 58, paragraph 2, letter f, GDPR.

In support of this, the applicant essentially argued that the minority of the parliamentary investigative committee called the “ÖVP Corruption Investigative Committee” had demanded that the respondent investigate whether against him or companies that were owned by him or in which he held an executive function, Financial criminal proceedings have been initiated since 2015 and how many of them will be conducted.

Transmitting the affected data to the U-Committee would not in itself be a problem. However, the notorious permeability of U-committees to the media public, which has been well known since the Ibiza U-Committee at the latest, is intolerable. It forces him to take precautionary action against any kind of data concerning him being passed on to the U-Committee.

On the other hand, it is obviously inadmissible exploratory evidence. The intended data processing does not serve to examine a “specific completed process in the area of federal enforcement,” but rather to find snippets of information that are interesting for the media.

He would be brought before a political tribunal on the basis of a blanket suspicion that had no substance whatsoever - with the only apparent aim of bringing him in to exchange political change on his back.

The data processing in question - both the evaluation and the transmission - falls within the scope of the GDPR and the DSG. The data processing is therefore only permitted if, on the one hand, it corresponds to the general basic principles of the processing of personal data (Art. 5 GDPR) and, on the other hand, it fulfills a specific authorization requirement (Art. 6 GDPR). The data processing in question - both the evaluation and the transmission - falls within the scope of application of the GDPR and the DSG. The data processing is therefore only permitted if, on the one hand, it corresponds to the general basic principles of the processing of personal data (Article 5, GDPR) and, on the other hand, it fulfills a specific authorization requirement (Article 6, GDPR).

The present request in accordance with Section 25 Para. 2 VO-UA aims at nothing other than obtaining investigative evidence and contradicts the requirement for certainty established by the legislature. His name is from the comprehensive list of The present request in accordance with Paragraph 25, Paragraph 2, VO-UA aims at nothing other than obtaining investigative evidence and contradicts the specificity requirement set by the legislature. His name was picked out completely arbitrarily from the comprehensive list of “(potential) donors to the ÖVP” and brought into a deeply reputation-damaging, defamatory connection to (purely suspected) financial criminal proceedings and corruption.

Since there is no provision under federal constitutional law or ordinary law to comply with inadmissible evidentiary requirements, data processing (evaluation and transmission) is not necessary to fulfill a legal obligation. There is therefore no authorization within the meaning of Article 6 GDPR. Since there is no provision under federal constitutional law or ordinary law to comply with inadmissible evidentiary requirements, data processing (evaluation and transmission) is not necessary to fulfill a legal obligation. There is therefore no authorization within the meaning of Article 6, GDPR.

The request in question also lacks the restriction required in Article 53 Para. 3 B-VG, according to which only files and documents “to the extent of the subject matter of the investigation” may be submitted. However, with regard to the data required, there is not even an abstract relevance to the subject of the investigation. There is a violation of the principle of lawfulness of processing pursuant to Article 5 (1) (a) GDPR. In addition, there is a violation of the principle of data minimization pursuant to Article 5 Paragraph 1 Letter c GDPR. The request in question also lacks the restriction required in Article 53, Paragraph 3, B-VG, according to which only files and documents “to the extent of the subject matter of the investigation” may be submitted. However, with regard to the data required, there is not even an abstract relevance to the subject of the investigation. There is a violation of the principle of lawfulness of processing pursuant to Article 5, paragraph one, letter a, GDPR. In addition, there is a violation of the principle of data minimization according to Article 5, paragraph one, letter c, GDPR.

The applicant considers a template to be incompatible with the requirements of the GDPR because it violates the principles of data minimization, legality and purpose limitation due to the lack of abstract relevance to the subject of the investigation. Likewise, a balancing of interests in accordance with Section 1 Para. 2 DSG must be in favor of the applicant. The applicant considers a submission to be incompatible with the requirements of the GDPR because it violates the principles of data minimization, legality and the lack of abstract relevance to the subject of the investigation Purpose limitation violates. Likewise, a balancing of interests in accordance with paragraph one, paragraph 2, DSG must be in favor of the applicant.

The transmission of personal data to the U-Committee is particularly problematic because the confidentiality obligations imposed on the members of the U-Committee and other persons authorized to access the data would simply be viewed by them as irrelevant. The VO-UA and the InfOG stipulate a ban on passing on and publishing in several places. In particular, the leaking of documents from the investigative committee regarding the alleged venality of the turquoise-blue federal government (“Ibiza U-Committee”) to the media showed that the U-Committee was as full of holes as Swiss cheese and that it was practically impossible To hold those responsible for the data leaks accountable.

There is imminent danger with regard to the data processing in question. It can be assumed that the Federal Minister, if he has not already started, will begin evaluating/collecting the required data in the next few days and will soon submit the evaluated data to the U-Committee. This means that the documents from the registry of the National Council would be transmitted to all members of the U-Committee and numerous other people as soon as they were there, without prior information and consultation of the person concerned and without further examination of the content of the documents and the legality of the processing had arrived. There is a significant and immediate threat to his confidentiality interests worthy of protection.

2. In a submission dated January 31, 2022, the respondent submitted that Parliament's request for data collection resulted in the U-Committee using the Federal Minister of Finance for the purpose of indirect evidence-taking by the U-Committee. The respondent is formally assigned to the executive power of the state. However, to the extent that he carries out surveys on behalf of a U-committee, he will function functionally for the legislature. Actions by an administrative authority to implement a request from a U-Committee to carry out surveys in accordance with Section 25 Para. 3 VO -UA are to be attributed to the legislative power. submits that Parliament's request for data collection results in the U-Committee being used by the Federal Minister of Finance for the purpose of indirect evidence-taking by the U-Committee. The respondent is formally assigned to the executive power of the state. However, to the extent that he carries out surveys on behalf of a U-committee, he will function functionally for the legislature. Actions by an administrative authority to implement a request from a U-Committee to carry out surveys in accordance with paragraph 25, paragraph 3, VO -UA are to be attributed to the legislative power.

The decision on the purposes of data processing is determined by the investigation order in accordance with Section 25 Paragraphs 2 and 3 VO-UA and the subject of the investigation. The fact that the means of data processing are not specified and that the respondent has some leeway with regard to the use of technical and organizational resources does not change the fact that the purposes of data processing are specified by the U-Committee. From this it follows that the U-Committee and not the Federal Minister of Finance should be qualified as the responsible party. The decision on the purposes of data processing is dictated by the investigation order in accordance with paragraph 25, paragraphs 2 and 3 VO-UA and the subject of the investigation. The fact that the means of data processing are not specified and that the respondent has some leeway with regard to the use of technical and organizational resources does not change the fact that the purposes of data processing are specified by the U-Committee. From this it follows that the U-Committee and not the Federal Minister of Finance should be qualified as the responsible party.

According to the wording of Section 18 DSG, the DSB is established as a national supervisory authority in accordance with Article 51 GDPR. From a constitutional perspective, however, it could not be argued that the DSB would be called upon to control the legislative body. According to the wording of paragraph 18, DSG, the DSB is established as a national supervisory authority according to Article 51, GDPR. From a constitutional perspective, however, it could not be argued that the DSB is called upon to control the legislative body.

Any data protection control must be limited to checking whether the relevant data protection provisions were complied with when handling personal data obtained in the context of the subject of the investigation and the evidence decision. The present application to the DSB is essentially not directed against the fact that the requirements of the GDPR were not complied with when processing personal data, but rather against the U-Committee's data collection mandate to the respondent. In this respect, the DSB has no jurisdiction. As an administrative authority, the DSB is prohibited from examining acts that are part of the legislation without an express constitutional basis. This applies even if one assumes that the respondent is not acting as an auxiliary legislative body within the framework of the collection mandate, but rather as an administrative body, since in this case too, any prohibition notice from the DSB would materially suspend the U-Committee's collection mandate.

The applicant's arguments are not suitable to justify an immediate threat to confidentiality interests worthy of protection in accordance with Section 22 Paragraph 4 DSG in conjunction with Section 57 Paragraph 1 AVG. The respondent, as the body required to submit to the investigative committee, is obliged to fully meet all evidentiary requirements within the scope of its responsibility. In the specific case, the investigative committee clearly defined which files and documents were to be presented to parliament by the Federal Minister of Finance in accordance with the supplementary evidence decision pursuant to Section 25 Para. 2 VO-UA. The threat merely alleged by the applicant to his legitimate confidentiality interests arises, if at all, only in the sphere of the investigative committee in Parliament. The applicant's arguments are not suitable to justify an immediate threat to confidentiality interests worthy of protection in accordance with paragraph 22, paragraph 4, DSG in conjunction with paragraph 57, paragraph one, AVG. The respondent, as the body required to submit to the investigative committee, is obliged to fully meet all evidentiary requirements within the scope of its responsibility. In the specific case, the investigative committee clearly defined which files and documents were to be presented to parliament by the Federal Minister of Finance in accordance with the supplementary evidentiary decision in accordance with paragraph 25, paragraph 2, VO-UA. The threat merely alleged by the applicant to his legitimate confidentiality interests arises, if at all, only in the sphere of the investigative committee in Parliament.

The Administrative Court recently dealt in detail with the question of whether the GDPR also applies to core legislative activities and answered this question in the negative because this activity falls under Article 16 Paragraph 2 TFEU and is therefore in accordance with Article 2 Paragraph 2 lit a GDPR is excluded from the material scope of application of the GDPR (VwGH December 14, 2021, Ro 2021/04/0006). Even if these statements are contained in a request for a preliminary ruling to the ECJ and a decision by the ECJ is still pending, they are quite convincing and justifiable, so that the DSB has no authority to examine due to the lack of applicability of the GDPR. The Administrative Court recently dealt in detail with the question of whether The GDPR is also applicable to core legislative activities and answered this question in the negative because this activity falls under Article 16, Paragraph 2, TFEU and is therefore excluded from the material scope of application of the GDPR in accordance with Article 2, Paragraph 2, Letter a, GDPR (VwGH 14.12 .2021, Ro 2021/04/0006). Even if these statements are contained in a request for a preliminary ruling to the ECJ and a decision by the ECJ is still pending, they are quite convincing and justifiable, so that the DSB has no power of review due to the lack of applicability of the GDPR.

The obligation to submit data has a sufficient legal basis within the meaning of Section 1 Para. 2 DSG and the balancing of interests provided there is in any case in favor of the permissibility of data use due to the importance of parliamentary control for a democratic society. The further treatment of the data in the U-Committee, regardless of whether the respondent is responsible for collecting the data as part of a mandate from the U-Committee or not, falls exclusively within the area of responsibility of Parliament and can therefore not be the basis for a request to the Federal Minister for finances. The obligation to submit a document has a sufficient legal basis in the sense of paragraph one, paragraph 2, DSG and the balancing of interests provided there is in any case in favor of the permissibility of the use of data due to the importance of parliamentary control for a democratic society. The further treatment of the data in the U-Committee, regardless of whether the respondent is responsible for collecting the data as part of a mandate from the U-Committee or not, falls exclusively within the area of responsibility of Parliament and can therefore not be the basis for a request to the Federal Minister a cease-and-desist notice directed at finances.

It should also be noted that a body required to submit a submission has no authority to subsequently change a concrete and clearly defined additional evidentiary requirement, as in the present case. The same applies to the assessment of the data protection principles of purpose limitation according to Art. 5 Para. 1 lit. b GDPR and data minimization according to Art. 5 Para. 1 lit committees would say yes. The (theoretical) possibility of a data protection violation by members of the investigative committee or other persons authorized to access the data in the event of non-compliance with statutory confidentiality and secrecy obligations cannot under any circumstances justify non-compliance with a supplementary requirement for evidence by a body subject to the obligation to submit documents, whose actions in accordance with Article 18 B-VG are only based on this by law. There would also be legal protection options in connection with the investigative committee, which are available to those affected at any time. It should also be noted that a body required to submit a submission has no authority to subsequently change a concrete and clearly defined additional evidentiary requirement, as in the present case. The same applies to the assessment of the data protection principles of purpose limitation according to Article 5, paragraph one, Litera b, GDPR and data minimization according to Article 5, paragraph one, Litera c, GDPR when fulfilling a supplementary proof requirement if the applicability of the GDPR in the area of the U committees would approve. The (theoretical) possibility of a data protection violation by members of the investigative committee or other persons authorized to access the data in the event of non-compliance with statutory confidentiality and secrecy obligations cannot under any circumstances justify non-compliance with a supplementary requirement for evidence by an organ subject to the obligation to provide evidence, whose actions in accordance with Article 18, B-VG can only be based on this by law. There would also be legal protection options in connection with the investigative committee, which are available to those affected at any time.

B. Findings of Fact

1. On October 13, 2021, the request for the establishment of an investigative committee in accordance with Section 33 Para. 1 second sentence GOG-NR regarding the clarification of corruption allegations against ÖVP government members (ÖVP Corruption Investigative Committee) was submitted to the National Council (4/US 27. GP) and the relevant investigative committee was set up on December 9, 2021 as part of the 133rd meeting of the National Council.1. On October 13, 2021, the request for the establishment of an investigative committee in accordance with paragraph 33, paragraph one, second sentence GOG-NR regarding the clarification of corruption allegations against ÖVP government members (ÖVP Corruption Investigative Committee) was submitted to the National Council (4/US 27. GP) and The investigative committee in question was set up on December 9, 2021 as part of the 133rd meeting of the National Council.

2. On December 16, 2021, some of the members of the investigative committee made the following request to the respondent in accordance with Section 25 Para. 2 VO-UA (formatting not reproduced in 1:1, markings by the applicant): 2. On 16 In December 2021, some of the members of the investigative committee made the following request to the respondent in accordance with paragraph 25, paragraph 2, VO-UA (formatting not reproduced in 1:1, markings by the applicant):

[Editor's note: the graphic file (request to the respondent by some of the members of the investigative committee) was removed because it cannot be displayed pseudonymously in the RIS. The document contains a request to the Federal Minister of Finance “to determine against which of the following persons or companies, which were owned by these persons or in which they held executive functions, financial criminal proceedings have been initiated since 2015 and how many of them have been carried out.” . The following list contains the name of the applicant.]

Assessment of evidence: The findings arise from the applicant's submissions in the written complaint dated January 24, 2022, the respondent's statement dated January 31, 2022 and from ex officio investigations by the data protection authority (ÖVP - Corruption Investigation Committee).

D. In legal terms it follows:

C.1. On the responsibility of the data protection authority

The respondent essentially argues that he is formally assigned to the executive power of the state. However, insofar as he carries out surveys on behalf of a U-committee, he is functionally acting for the legislature and the data protection authority is therefore not responsible. In this context, the respondent refers to the jurisprudence of the Constitutional Court, according to which, according to the established jurisprudence of the Constitutional Court, organs that act on behalf of another state function are attributed to the state function on whose behalf they act (VfSlg. 10.290/1984, 11.961/1989 , 13.670/1994 concerning measures taken by administrative authorities pursuant to a judicial order).

The data protection authority does not share the respondent's legal opinion that, as a submitting body, he is part of the legislative power:

According to Art. 53 Para. 1 B-VG, the National Council can set up investigative committees by resolution. Committees of inquiry are to be assigned to the legislative power both organizationally and functionally. According to Article 53, paragraph one, B-VG, the National Council can set up committees of inquiry by resolution. Committees of inquiry are part of the legislative power both organizationally and functionally.

Art. 53 Para. 3 B-VG obliges all of the above-mentioned bodies to support the activities of a committee of inquiry by submitting files and documents as well as through surveys. Paragraph 3 leg. cit. Establishes the U-Committee's right to information to the extent of the subject matter of the investigation (cf. Article 53, Paragraph 3, B-VG obliges all named bodies to support the activities of a committee of inquiry by submitting files and documents as well as through surveys. Paragraph 3, leg. cit . establishes the U-Committee's right to self-information within the scope of the subject matter of the investigation, see Konrath/Posnik in Kahl/Khakzadeh/Schmid, Commentary on Federal Constitutional Law B-VG and Fundamental Rights Art. 53 B-VG).Federal Constitutional Law B-VG and Fundamental Rights Article 53, B- VG).

According to Section 25 Para. 2 VO-UA, a quarter of the members of the (already appointed) investigative committee can demand additional evidentiary requirements (beyond the basic decision on evidence). According to paragraph 25, paragraph 2, VO-UA, a quarter of the members of the (already appointed) investigative committee can demand additional evidence requirements (beyond the basic decision on evidence).

The constitutional requirements in accordance with Article 53 Paragraphs 3 and 4 B-VG are decisive. They are intended to ensure that the activities of an investigative committee neither endanger sources in accordance with Article 52a Paragraph 2 B-VG nor influence a decision-making or decision-making process in a federal executive body, nor in any other way is impaired (see pocket book of investigative committees, legal texts and explanations, 7th edition, page 73). The constitutional requirements in accordance with Article 53, paragraph 3, and 4 B-VG are decisive. They are intended to ensure that the activities of an investigative committee neither endanger sources in accordance with Article 52a, Paragraph 2, B-VG, nor influence a decision-making or decision-making process in one federal executive body, nor in another In this way, see paperback investigative committees, legal texts and explanations, 7th edition, page 73).

The system of separation of powers and only individual elements that combine powers on which the Federal Constitution is based presupposes an independent area of responsibility for enforcement in general and for the federal government and its members in particular. The determination of the subject matter of the investigation in Art. 53 Para. 2 B-VG basically precludes a committee of inquiry from being concerned with the ongoing activities of the federal government or its members and in particular with open decision-making processes (cf. Explanation to Federal Law Gazette I No. 101/ 2014, 439 dB XXV. GP) The system of separation of powers and only individual elements that combine powers on which the Federal Constitution is based requires an independent area of responsibility for enforcement in general and for the federal government and its members in particular. The determination of the subject matter of the investigation in Article 53, Paragraph 2, B-VG basically precludes a committee of inquiry from being concerned with the ongoing activities of the federal government or its members and in particular with open decision-making processes, see Erl on Federal Law Gazette Part One, No. 101 from 2014 ,, 439 dB Roman XXV. GP)

Art. 53 Paragraph 4 B-VG specifies Paragraph 3 insofar as it clarifies that the National Council's information rights are not unlimited in the interest of the functioning of the Federal Government and its members (cf. Paperback Investigative Committees, Legal Texts and Explanations, 7th edition, page 14 ff).Article 53, paragraph 4, B-VG specifies paragraph 3 insofar as it makes it clear that the information rights of the National Council are not unlimited in the interest of the functioning of the federal government and its members, see paperback investigative committees, legal texts and explanations, 7th edition , page 14 ff).

Overall, it follows from these provisions that the National Council's right to information can therefore be restricted and the exception serves, among other things, to ensure the functionality and the independent and uninfluenced decision of the Federal Government or a member of the Federal Government in individual cases (see and the exception serves, among other things, Ensuring the functionality and the independent and uninfluenced decision of the federal government or a member of the federal government in individual cases see Zögernitz, NR-GOG, § 24 VO-UA). , NR-GOG, paragraph 24, VO-UA).

Contrary to what the respondent argues, he is not obliged to submit to the investigative committee in every case, especially not in the cases of Article 53 paragraph 3 last sentence and paragraph 4 B-VG, which in any case speaks against the respondent's acceptance that it would be functionally attributable to the state function of legislation “as a (mere) collection body” because in this case it would have no independent scope for assessment with regard to the file submission. The regulation of Art. 138b Para. 1 Z 4 B-VG and the case law of the Constitutional Court (see in particular VfSlg. 19.973/2015) also speak against the respondent's acceptance. obligated to submit it to the committee of inquiry, especially not in the cases of Article 53, paragraph 3, last sentence and paragraph 4, B-VG, which in any case speaks against the respondent's assumption that it functions “as a (mere) collection body” of the state would be attributable to legislation because in this case he would have no independent scope for assessment with regard to the file submission. The regulation of Article 138 b, paragraph one, number 4, B-VG and the case law issued by the Constitutional Court (see in particular VfSlg. 19.973/2015) also speak against the respondent's acceptance.

Therefore, even if the respondent is required to submit to an investigative committee, his organizational and functional classification as an administrative body will not be taken away.

In summary, it is therefore possible to submit complaints in connection with a file submission by an administrative body required to provide information to an investigative committee at the data protection authority, which has comprehensive control authority over - including the highest - administrative bodies (Section 35 Paragraphs 1 and 2 DSG). In summary, it is therefore possible to submit complaints in connection with a file submission by an administrative body that is required to provide information to an investigative committee at the data protection authority, which has comprehensive control authority over - including the highest - organs of the administration (Section 35, paragraph one, and 2 DSG).

However, as the Constitutional Court has already stated, the role of the data protection authority is limited to ex-post control in the event of an obligation to submit a report to a committee of inquiry (see, for example, the decision of September 25, 2021, UA 6/2021 with further references; see also the - approving - decision of September 8, 2021, GZ: 2021-0.474.768).

An ex-ante control, as sought by the applicant, would inevitably lead to the data protection authority as an - albeit independent - administrative authority replacing the body required to submit documents and thus an interpretation of a request in accordance with Section 25 VO, as sought by the applicant, would inevitably lead to the data protection authority, as an - albeit independent - administrative authority, replacing the body required to submit documents and thus having to interpret a request in accordance with paragraph 25, VO-UA. On the one hand, this would result in an examination of the content of the request and thus the admissibility of the request from the perspective of the GDPR and the DSG. On the other hand, it would then be in the hands of the data protection authority to (partially) prevent the submission of files to an investigative committee and thus restrict its investigative activities, without the investigative committee or its members being able to fight this decision due to a lack of party status.

In Article 138b B-VG (finally), the constitutional legislature has provided for the possibility of binding dispute resolution by the Constitutional Court in connection with committees of inquiry. In Article 138 b, B-VG (finally), the constitutional legislature has provided for the possibility of binding dispute resolution by the Constitutional Court in connection with committees of inquiry.

The fact that Art. 138b B-VG does not provide for the possibility for a data subject to prevent a file from being submitted due to the risk of violating personal rights (see again the previously cited finding of September 25, 2021) may represent a gap in the legal protection system, but it can does not lead to the establishment of jurisdiction of the data protection authority. That Article 138 b, B-VG does not provide for the possibility of a data subject to prevent a file from being submitted for reasons of the risk of violation of personal law (see again the previously cited finding of September 25th 2021) may represent a gap in the legal protection system, but cannot lead to the data protection authority being responsible.

Finally, it should be noted here that the request for a preliminary ruling to the ECJ cited by the respondent pursuant to Article 267 TFEU (Decision of the Administrative Court of December 14, 2021, EU 2021/0009-1 (Ro 2021/04/0006); do. logged to C -33/22), the applicability of the GDPR to the processing of personal data by a person appointed by a parliament of a Member State in the exercise of its right of control over enforcement. Finally, it is noted here that the request for a preliminary ruling to the ECJ cited by the respondent is pursuant to Article 267, TFEU ( Decision of the Administrative Court of December 14, 2021, EU 2021/0009-1 (Ro 2021/04/0006); do. recorded on C-33/22), the applicability of the GDPR to the processing of personal data by a parliament The subject of the investigation is a committee of inquiry set up by the Member State in the exercise of its right to control enforcement. In the present case, on the other hand, the subject of the procedure is data processing which, although it is related to the activities of a committee of inquiry, is or is intended to be carried out by a body submitting data to the committee of inquiry. Therefore, nothing can be gained from the above-mentioned request for a preliminary ruling for the present case.

The application therefore proves to be inadmissible for the reasons mentioned above.

C.2. Regarding the mandate decision in general

But even if one wanted to assume that the data protection authority was responsible, the application would not be successful.

Mandate notices typically serve to immediately and ex officio enforce measures of an administrative police nature that cannot be postponed in a one-party procedure. In this respect, they are of a preliminary nature and therefore do not fit into a procedure with several parties involved, in which a (final) decision can be issued that would finally settle the disputed matter between the parties involved after appropriate investigations have been carried out.

In this respect, this is an atypical mandate decision of its own kind, although it can be deduced from the clear wording of the law in the sense of the applicant's submission that the legislature wanted to grant the person concerned a subjective right to legal protection from the data protection authority. The present application must therefore be decided on the merits (cf. the decision of October 29, 2015, GZ: DSBE). In this respect, this is an atypical mandate decision of its own kind, but the clear wording of the law is in the sense of the argument of the applicant, it can be deduced that the legislature wanted to grant the person concerned a subjective right to legal protection from the data protection authority. The present application must therefore be decided on a merits basis - see the decision of October 29, 2015, GZ: DSB-D215.861 /0010-DSB/2015).

According to § 22 para. 4 DSG in conjunction with § 57 para , AVG, the data protection authority is entitled to prohibit the continuation of data processing with a mandate notice without prior investigation if the operation of data processing poses a significant immediate threat to the confidentiality interests of the data subject worthy of protection (imminent danger) and thus carries an increased risk potential in the event of imminent danger (cf. and thus takes into account an increased risk potential in the event of imminent danger see Thiele/Wagner, practical commentary on the Data Protection Act (DSG), § 22 DSG, paragraph 8)., Practical commentary on the Data Protection Act (DSG), paragraph 22, DSG, paragraph 8 ).

Since the issuance of a mandate decision does not have to be preceded by an investigation by the data protection authority, it is the applicant's responsibility to certify the legal requirements for the issuance of the decision together with the application (to make it credible, to provide prima facie evidence; cf. Since the issuance of a mandate decision is not preceded by an investigation by the data protection authority must, it is the applicant's responsibility to certify the legal requirements for the decision to be issued together with the application (to make it credible, to provide prima facie evidence; see Schmidl in Gantschacher†/Jelinek/Schmidl/Spanberger, commentary on the DSG, § 22 note 9) . A subsequent subsequent revision of the certificate or an evidentiary procedure would be incompatible with the character of the decision according to § 22 DSG as an urgent administrative police measure (data protection emergency order) (cf. the decision of September 24, 2015, GZ: DSB-D215.813/ 0012-DSB/2015)., Commentary on the DSG, paragraph 22, note 9). A subsequent revision of the certificate or an evidentiary procedure would be incompatible with the character of the decision according to paragraph 22, DSG as an urgent measure of an administrative police nature (data protection police emergency order) compare the decision of September 24, 2015, GZ: DSB-D215.813/0012- DSB/2015).

The issuance of a mandate notice requires, on the one hand, that the data processing is materially illegal and that reasonable suspicion is sufficient for this to exist. There must therefore be actual evidence to justify the assumption of the probability that provisions of data protection law have been violated and this can be explained in a rationally comprehensible manner (cf. VwGH March 21, 2012, 2012/16/0005). On the other hand, it is necessary that this can be explained in a rationally comprehensible manner (see VwGH March 21, 2012, 2012/16/0005). On the other hand, it is necessary that the operation of this very data processing poses a significant direct threat to the confidentiality interests of those affected (i.e. imminent danger) that are worthy of protection (see Thiele/Wagner, practical commentary on the Data Protection Act (DSG), § 22 (i.e. imminent danger). DSG, Rz 15). For a mandate to be issued, both criteria must be met. , practical commentary on the Data Protection Act (DSG), paragraph 22, DSG, paragraph 15). For a mandate to be issued, both criteria must be met.

Imminent danger exists if failure to take official action would likely result in those affected having to accept (further) privacy violations or even damage, which can be prevented by issuing a provisional ban on data processing. Section 22 (4) of the Data Protection Act (DSG) establishes a danger of imminent delay if failure to take the official measure would probably lead to those affected having to accept (further) privacy violations or even damage, which can be prevented by issuing the provisional ban on data processing . Paragraph 22, Paragraph 4, DSG represents a lex specialis to Section 57 AVG. This means that the examination that would otherwise have to be carried out to determine whether the measure cannot be postponed is no longer necessary in relation to the necessary duration of the investigation in the data protection area (cf. Paragraph 57, AVG). This means that the examination that would otherwise have to be carried out to determine whether the measure cannot be postponed in relation to the necessary duration of the investigation in the data protection area is no longer necessary (see Thiele/Wagner, practical commentary on the Data Protection Act (DSG), § 22 DSG, para. 18). , practical commentary on the Data Protection Act (DSG), paragraph 22, DSG, paragraph 18).

General concern about future events is not sufficient to fulfill the offense of “imminent danger” (see DSK March 30, 2012, K121.765/0008-DSK/2012). The existence of imminent danger must be justified by facts relating to the individual case. compare DSK March 30, 2012, K121.765/0008-DSK/2012). The existence of imminent danger must be justified by facts relating to the individual case. Pure speculation, hypothetical considerations or case-independent assumptions based solely on everyday experience are not sufficient (see Thiele/Wagner, practical commentary on the Data Protection Act (DSG), § 22 DSG, para. 20). , Practical commentary on the Data Protection Act (DSG), Paragraph 22, DSG, Rz 20).

C.3. Regarding the existence of a significant immediate threat to the applicant's confidentiality interests worthy of protection through the operation of the data processing in question (danger imminent):

First of all, it should be noted that, according to the statements made above, the data protection authority has decided on the application dated January 24, 2022 for the issuance of a mandate decision in accordance with Section 22 (4) DSG in conjunction with Section 57 (1) AVG in conjunction with Article 58 (2) lit. f GDPR First of all, it should be noted that, according to the statements made above, the data protection authority has decided on the application of January 24, 2022 for the issuance of a mandate decision in accordance with paragraph 22, paragraph 4, DSG in conjunction with paragraph 57, paragraph one, AVG in conjunction with Article 58, paragraph 2, Litera f, GDPR must be meritoriously objected to.

As stated, as part of the additional evidence requirement pursuant to Section 25 Para. 2 VO-UA dated December 16, 2021, the respondent was asked to establish whether or not the applicant or companies owned by him or her He has held executive functions since financial criminal proceedings were initiated in 2015 and how many of them were conducted. As stated, as part of the additional evidence requirement pursuant to Paragraph 25, Paragraph 2, VO-UA of December 16, 2021, the respondent was asked to establish whether the applicant or companies owned by him or in in which he held executive functions, financial criminal proceedings were initiated since 2015 and the number of cases in which they were conducted.

Regarding the data processing in question, the applicant submits that the evaluation and transmission of the data concerned to the committee of inquiry is in principle not a problem, but rather that it is a matter of forwarding information or documents to the media public by members of the committee of inquiry.

Regarding the possible existence of imminent danger, the applicant claims in his introductory submission that, as a result of the investigative work of the ÖVP Corruption Investigative Committee, it can be assumed that the data will be transmitted to this investigative committee in a timely manner. Essentially, the applicant justifies the existence of a significant threat to his confidentiality interests by saying that information or documents concerning him would be passed on by third parties (members of the investigative committee) and ultimately published.

However, the admissibility of a mandate notice presupposes that a dangerous situation is to be feared by the respondent and responsible person within the meaning of Article 4, Paragraph 7 of the GDPR.

However, it is not clear and has not been stated to what extent this dangerous situation would be directly caused by the data processing complained about by the respondent (especially since this is fundamentally covered by Art. 53 Para. 3 B-VG), the application dated 24. January 2022 against the (upcoming) evaluation and transmission of documents related to the applicant to the ÖVP corruption investigation committee. The disclosure of this personal data (e.g. to the media) would be possible (especially since this is generally covered by Article 53, Paragraph 3, B-VG), but the application of January 24, 2022 is directed against the (upcoming) evaluation and transmission of documents with reference to the applicant to the ÖVP corruption investigation committee. The applicant never claimed that this personal data was disclosed (e.g. to the media) directly by the respondent. Rather, the applicant expressly stated that the respondent's data processing did not fundamentally pose a problem.

Therefore, the (alleged) direct threat to his confidentiality interests worthy of protection does not lie in the data processing in question.

Furthermore, the applicant's arguments only indicate a general concern about future events, which, however, cannot be attributed to the respondent's sphere. The fear that members of the investigative committee would - contrary to existing confidentiality obligations - disclose to third parties the information they have become aware of in the course of their work for the investigative committee is, from the data protection authority's point of view, merely hypothetical considerations or merely assumptions based on everyday experience (from the applicant "The notorious permeability of U-committees" is cited), which are not suitable for detecting the existence of a concrete dangerous situation within the meaning of Section 22 of the DSG "), which are not suitable for detecting the existence of a concrete dangerous situation within the meaning of Paragraph 22, DSG with regard to the to be able to certify the respondent (cf. to be able to certify again see Thiele/Wagner, practical commentary on the Data Protection Act (DSG), § 22 DSG, paragraph 20)., practical commentary on the Data Protection Act (DSG), paragraph 22, DSG, paragraph 20).

In summary, it should be noted that the alleged threat to the applicant's interests is seen in the activities of members of the investigative committee, but not in the data processing - which is the subject of the proceedings here - by the respondent. In any case, it is outside the respondent's sphere of influence to influence data processing after transmission (apart from the classification according to the Information Act).

The application was therefore dismissed according to the verdict.

In the present case, the applicant has submitted an application for the issuance of a mandate notice in accordance with Section 22 Paragraph 4 DSG in conjunction with Section 57 Paragraph 1 AVG in conjunction with Article 58 Paragraph 2 Letter f GDPR. In the present case, the applicant has submitted an application for a mandate decision in accordance with paragraph 22, paragraph 4, DSG in conjunction with paragraph 57, paragraph one, AVG in conjunction with Article 58, paragraph 2, letter f, GDPR.

For this reason, these legal bases for a mandate notice are also listed in the award (§ 22 para. 4 DSG and § 57 AVG). For this reason, these legal bases for a mandate notice are also listed in the award (paragraph 22, paragraph 4, DSG and paragraph 57, AVG). Nevertheless, the rejection does not take place in the form of a mandate notice, since the characteristic of imminent danger required by Section 57 Para. 1 AVG is missing for the rejection of the application. A mandate decision - and thus a legal protection procedure expanded and extended by the possibility of presentation - logically and systematically only makes sense in the case of a positive administrative police intervention in existing rights (arguably: “immediate measures”), but not in the present case of the rejection of such an application Intervention due to the lack of the legal requirements (cf. again the above-mentioned decision of September 24, 2015), since the characteristic of imminent danger required by paragraph 57, paragraph one of the AVG is missing for the rejection of the application. A mandate decision - and thus a legal protection procedure expanded and extended by the possibility of presentation - logically and systematically only makes sense in the case of a positive administrative police intervention in existing rights (arguably: “immediate measures”), but not in the present case of the rejection of such an application intervention due to the lack of the legal requirements, compare again the above-mentioned decision of September 24, 2015).