DSB (Austria) - 2020-0.349.984

From GDPRhub
Revision as of 09:12, 21 October 2020 by Isabel Hahn (talk | contribs)
DSB - DSB-D205.023
Authority: DSB (Austria)
Jurisdiction: Austria
Relevant Law: Article 4(22) GDPR
Article 5(1)(a) GDPR
Article 5(1)(b) GDPR
Article 5(1)(f) GDPR
Article 6(1)(c) GDPR
Article 6(1)(f) GDPR
§ 1 Abs. 1, 2 DSG - Datenschutzgesetz (Data Protection Act)
§ 4 Abs. 1 DSG - Datenschutzgesetz (Data Protection Act)
§ 3 (4) PMG - Postmarktgesetz (Postal Market Law)
§ 5 (3) PMG - Postmarktgesetz (Postal Market Law)
§ 12 (1) PMG - Postmarktgesetz (Postal Market Law)
§ 20(1) PMG - Postmarktgesetz (Postal Market Law)
Type: Complaint
Outcome: Rejected
Started:
Decided: 26.06.2020
Published:
Fine: None
Parties: Österreichische Post AG
National Case Number/Name: DSB-D205.023
European Case Law Identifier: ECLI:AT:DSB:2020:2020.0.349.984
Appeal: Unknown
Original Language(s): German
Original Source: Rechtsinformationssystem des Bundes (in DE)
Initial Contributor: n/a

The Austrian DPA (DSB) decided that the electronic recording and storing of identity card data in the course of collecting a postal item is lawful.

English Summary

Facts

The complainant was not at home when delivery of a registered letter was attempted. He therefore had to collect it at the post office. To identify the complainant as the addressee of the registered mail, an employee asked for his identity card and "scanned" it with a special identity card reader; however, no copy of the document itself was made.

The complainant alleges that the Post AG infringed confidentiality obligations by making a copy of the identity card (recording by means of a scanning device and the storage of the identity card data).

Dispute

Did Österreichische Post AG infringe the complainant's right to confidentiality when an employee electronically recorded and stored the complainant's identity card data in the course of collecting a postal item (registered mail)?

Holding

The processing of identity card data in order to verify the person collecting registered mail is lawful.

As a universal service provider within the meaning of Article 3(4) in conjunction with Article 12(1) of the PMG, the defendant is subject to the provisions of the PMG and must therefore be regarded as the addressee of the legal obligations arising from that law. Private entities, § 26 (4) DSG, may base their actions on an enabling norm in the sense of Article 6 (1) (c) and Article 5 (1) (a) GDPR.

The provisions of the PMG do not create a legal obligation to process personal data under Article 6 (1) (c) GDPR.

Under Article 6 (1) (f) GDPR, data can be processed if this serves the legitimate interests of a party. Here, the Post AG might have been exposed to warranty claims, damages etc. if the complainant had not been identified correctly. These data are also necessary to defend its legal claims, and the fundamental rights and freedoms of the data subject, i.e. secrecy, do not override the interests of the Post AG.

The collection and storage of identification data for the purpose of defending legal claims relating to postal items is within the scope of general life experience and was in this respect also easily foreseeable by the complainant. No special categories of data were processed, and the storage period of six months is also proportionate.

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.


Decision-making authority: Data Protection Authority
Document type: Decision text
Decision type: Decision Complaint
Business number: 2020-0.349.984
Decision date: 26.06.2020
Appeal to the BVwG/VwGH/VfGH: This decision is final.
Norms: DSG §1 Abs1
DSG §1 Abs2
DSG §4 Abs1
PMG §3 Z4
PMG §3 Z12
PMG §5 Abs3
PMG §12 Abs1
PMG §20 Abs1
DSGVO Art4 Z2
DSGVO Art5 Abs1 lita
DSGVO Art5 Abs1 litb
DSGVO Art5 Abs1 litf
DSGVO Art6 Abs1 litc
DSGVO Art6 Abs1 litf
Text

GZ: 2020-0.349.984 of 26 June 2020 (procedure number: DSB-D205.023)

[Editor's note: Names and companies, legal forms and product names, addresses (including URLs, IP and e-mail addresses), file numbers (and similar), etc., as well as their initials and abbreviations may be abbreviated and/or changed for reasons of pseudonymisation. Obvious spelling, grammar and punctuation errors have been corrected.

The respondent's company name was not pseudonymised here, since according to the reasons for the decision, the universal service provider pursuant to Section 12 (1) PMG was involved in the procedure in this role, and the respondent is listed as such in the cited Act. Moreover, a meaningful pseudonymisation was not possible due to multiple references to the respondent's business activities as a universal service provider in the facts of the case (e.g. registered letter, "yellow slip"). However, the interest in secrecy of the respondent who won the proceedings and whose actions were found to be lawful does not outweigh here the public interest in the publication of the decision required by law under section 23(2) of the DSG].

DECISION

RULING

The data protection authority decides on the data protection complaint of Gustav A*** (complainant) of 17 April 2019 against Österreichische Post AG (respondent) for violation of the right to secrecy as follows:

- The complaint is dismissed as unfounded.

Legal basis: Article 4(2), Article 5(1)(f), Article 6(1)(c) and (f), Article 13, Article 51(1), Article 57(1)(f) and Article 77(1) of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter referred to as the DSGVO), OJ No L 119 of 4 May 2016, p. 1; Articles 1(1) and (2), 18(1) and 24(1) and (5) of the Data Protection Act (Datenschutzgesetz, DSG), Federal Law Gazette I No 165/1999 as amended; Article 3(4) and (12), Article 12, Article 17 and Article 20 of the Postal Market Act (Postmarktgesetz, PMG), Federal Law Gazette I No 123/2009 as amended.

EXPLANATIONS

A. Arguments of the parties and procedure

1 In his submission of 17 April 2019 initiating the proceedings, repeated on 23 June 2019 and 26 July 2019, the complainant alleged a violation of the right to confidentiality as well as a violation of the respondent's information duties.

The alleged breach of the duty to provide information is the subject of separate proceedings concerning the business number DSB-D205.246.

As regards the alleged breach of confidentiality, the complainant submitted the following summarised submissions:

The complainant had collected a letter addressed to him by means of a so-called "yellow slip" on 29 March 2019 at a branch of the respondent. In the course of that collection, an employee of the defendant requested the production of an identity card of the complainant, which was produced by the complainant. Subsequently, however, the employee made a copy against his will and without his permission. The identity card was placed on a scanner and the data was recorded electronically. The complainant further submits that even in the respondent's General Terms and Conditions ("AGB-Brief National") under point 3.5.2, there is only reference to a document in case of doubt as to identity, and not to data collection.

By decision of 22 July 2019 (ref. no.: DSB-D205.023/0001-DSB-2019), the data protection authority invited the respondent to submit comments.

4 By submission of 20 August 2019, the defendant submitted the following observations:

It was correct that the complainant had collected a registered letter with a take-over certificate in a branch of the defendant, since he had not been found at the time of the attempted delivery. He had therefore been informed, by means of a "yellow slip", of the attempted delivery and of the deposit of the item and of the need to produce an official identity document with a photograph when the item was collected. The notice of deposit also contained a reference to the defendant's data protection notices, which provided information in particular on the processing of identity card data.

When the complainant collected the consignment, an employee of the defendant asked the complainant to present a photo ID and subsequently automatically recorded the specific ID data, as is usual when a person is not personally known to the employee. A scanning device was used to record the ID card data, which merely reads out concrete data from the respective ID card, namely the type of ID card, the ID card number, the issuing authority and date of birth as well as the corresponding name - no copy was made. The complainant had acknowledged receipt of the registered mail on the card.

The challenged processing of the identity card data was necessary in order to fulfil a legal obligation to which the respondent was subject as the person responsible (Article 6(1)(c) DSGVO): under Section 3(12) PMG, the acceptance of registered mailings to the correct recipient had to be acknowledged. Unless the recipient is personally known to the respondent, the handover to the correct person is only possible within the framework of an identification/authentication procedure to be carried out, i.e. by presenting an official photo ID. In accordance with Section 20 PMG, the respondent had issued general terms and conditions (in particular "AGB Brief"), which had also been approved by the regulatory authority. This also resulted in the need for a confirmation of takeover and a determination of identity (points 3.3 and 3.5.2 of the national letter contract terms and point 4.1 of the product and price list ("PVV") for return receipt letters, including registered letters). It was apparent from these documents (GTC and PVV) that the handing over of a registered letter was only permissible after prior identification or authentication. The respondent had collected the identification data for the purpose of identification or authentication and thus kept them for 6 months for the possible handling of potential investigations (item 3.10 of the GTC Letter national) as well as possible warranty cases (item 4 of the GTC Letter national), i.e. for the assertion, exercise or defence of legal claims and also for the implementation of the contractual relationship with the sender, and deleted them afterwards. A processing and storage authorisation is also based on the fact that the respondent is exposed to possible warranty claims and/or claims for damages if a consignment is not handed over properly, in particular to the correct recipient. It must therefore be possible to defend oneself at least within the statutory warranty period.
In the context of any proceedings before the data protection authority, the defendant must also be able to exonerate itself, for example by showing that it has complied with its duty of care and has verifiably verified the identity of the transferee. The respondent referred to the time-limit laid down in Paragraph 24(4) of the DSG and a more detailed decision of the data protection authority concerning the admissibility of a copy of the identity document for the purpose of checking identity.

Furthermore, the processing of the identity card data in order to safeguard the legitimate interests of the respondent and the respective sender in the sense of Article 24(4) of the DSG. Art. 6 para. 1 lit. f DSGVO in order to ensure correct allocation to the actually addressed recipient and to be able to provide the sender with proof of this. This was the only way to prevent any possible abuse. The interests of the respondent and its contractual partner outweighed the interests or fundamental rights and freedoms of the complainant. There would be no noticeable impairment of the complainant, as only the necessary data would be stored, which would be protected in accordance with Section 5 of the PMG and by comprehensive technical and organisational measures.

The defendant also stated that it had complied with its duties to provide information and referred to the "data protection notices" which were available on its website.

By decision of 19 September 2019 (ref. DSB-D205.023/0003-DSB/2019), the data protection authority granted the complainant the right to be heard and to submit comments.

The complainant made no further submissions.

B. Object of the complaint

The subject of the complaint is the question whether the respondent has infringed the complainant's right to confidentiality by an employee of the respondent electronically recording and storing identity card data of the complainant in the course of collecting a postal item (registered mail).

The alleged violation of the information duties is dealt with separately in the procedure concerning the business number DSB-D205.246 and was therefore not the subject of the present proceedings.

C. Findings of the facts

1 On 29 March 2019, the complainant collected a letter at the (post) office ****, **** XY, *** street *. The respondent had informed the complainant at a point in time which could not be further specified about an unsuccessful delivery attempt and the subsequent deposit in the said post office by means of a notification about a deposited item ("yellow slip"). This was a non-official registered letter with a take-over certificate.

(2) The complainant, after having been requested to do so by an employee of the respondent, presented his official photo identification in the course of the collection of the consignment. Subsequently, the identity card data (type of ID card, ID card number, issuing authority, date of birth and the corresponding name) were recorded electronically using a scanning device and stored for 6 months. After the retention period expired, the data in question were deleted. However, no copy of the ID document itself was made.

Evaluation of evidence: The findings result from the concurring submissions of the parties, in particular the submission of the complainant of 17 April 2019 and the submission of the respondent of 20 August 2019.

3 The following General Terms and Conditions of the respondent were valid as of 29 March 2019:

Assessment of evidence: The findings result from the respondent's submission of 20 August 2019 and were not disputed by the complainant.

D. From a legal point of view, the following follows:

The complainant alleges that the respondent infringed confidentiality obligations by making a copy of the identity card (recording by means of a scanning device and the storage of the identity card data).

In conclusion, there is no justification for these statements:

D.1 Re Art. 6 (1) lit. c DSGVO:

Under Section 1(1) of the DSG, everyone has the right to the confidentiality of personal data relating to him or her, in particular with regard to respect for his or her private and family life, provided there is an interest worthy of protection.

Under Section 1, paragraph 2 of the DSG, restrictions on the right to secrecy, insofar as the use of personal data is not in the vital interest of the person concerned or with his or her consent, are only permissible in order to safeguard the overriding legitimate interests of another.

The data processing in question was neither carried out in the vital interest of the complainant nor did consent exist, which is why its lawfulness had to be examined on the basis of the protection of overriding legitimate interests: According to the case law of the data protection authority, a breach of confidentiality obligations does not exist in particular if the rules of the DSGVO and the principles enshrined therein, which are to be regarded as implementing provisions under Section 4 (1) DSG, have not been breached (cf. the notice of 31 October 2018, GZ DSB-D123.076/0003-DSB/2018).

Under Article 5 (1) (b) of the DSGVO, personal data must be collected for specified, explicit and legitimate purposes and may not be further processed in a way incompatible with those purposes ("purpose limitation"). The processing of personal data is justified, inter alia, if it is necessary to fulfil a legal obligation to which the controller is subject (Art. 6 para. 1 lit. c DSGVO) or to safeguard the legitimate interests of the controller or of a third party, provided that the interests or fundamental rights and freedoms of the data subject which require the protection of personal data do not prevail (Art. 6 para. 1 lit. f DSGVO).

Art. 6 para. 1 lit. c DSGVO in conjunction with the PMG and Art. 6 para. 1 lit. f DSGVO are relevant in this context:

However, the respondent also correctly referred to the legal obligations under the PMG:

Section 3 no. 4 and no. 12 PMG reads as follows (emphasis added by the data protection authority):

Definitions

§ 3.

For the purposes of this Act

[...]

4. "Universal service operator" means one or more designated universal service operators under section 12(1) or one or more designated postal service providers under section 12(2);

[...]

12. "Registered item" shall mean a postal item which is insured by the postal service provider against loss, theft or damage on a flat-rate basis and in respect of which the sender is provided, where appropriate at his or her request, with a confirmation of receipt of the item and/or its delivery to the addressee;

Section 12 PMG reads as follows (emphasis added by the data protection authority):

Universal service provider

§ 12.

(1) Upon entry into force of this Federal Act, Austrian Post will be designated as the universal service operator.

[...]

Section 20 of the PMG and its title read as follows (emphasis added by the data protection authority):

General Terms and Conditions of the Universal Service Operator

§ 20.

(1) The universal service operator shall, in accordance with the provisions of this Act and the regulations for services in the universal service area adopted on the basis of this Act, issue general terms and conditions of business.

[...]

In any event, a legal obligation under Article 6(1)(c) of the DSGVO is to be understood as an obligation under objective law (Frenzel in Paal/Pauly, Datenschutz-Grundverordnung Art. 6, margin no. 16) which may result in particular from a legal basis in a Member State or in Union law and which, moreover, relates directly to data processing (Kastelitz/Hötzendorfer/Tschohl in Knyrim, DatKomm Art. 6 DSGVO, margin no. 39).

As a universal service provider within the meaning of Article 3(4) in conjunction with Article 12(1) of the PMG, the defendant is subject to the provisions of the PMG and must therefore be regarded as the addressee of the legal obligations arising from that law.

According to the consistent case-law of the Constitutional Court on the quality of an obligatory standard in the sense of Section 1 (2) of the Data Protection Act 2000 (DSG 2000), this standard must "specify with sufficient precision, i.e. predictable for everyone, under which conditions the determination or use of data for the performance of specific administrative tasks is permissible. The respective legislator must therefore, in the sense of § 1 (2) DSG 2000, provide for a substantive regulation in the sense that the cases of permissible encroachments on the fundamental right to data protection are specified and limited" (VfSlg. 18.146/2007).

In doing so, the data protection authority does not overlook the fact that this case law refers to an overriding norm which is intended to legitimise official action, which is not the case here.

Nevertheless, this case law can also apply mutatis mutandis if those responsible in the private sector (Section 26 (4) DSG) base their actions on an enabling norm in the sense of Article 6 (1) (c) DSGVO. This also follows from Art. 5 (1) lit. a DSGVO, according to which personal data are processed in a lawful manner, in good faith and in a manner comprehensible to the data subject.

It must therefore be examined whether the provisions of the PMG may create a legal obligation to process personal data under Art. 6 (1) lit. c DSGVO.

Section 3 no. 12 PMG stipulates the need to confirm receipt or delivery of the consignment. However, Section 3 No. 12 PMG does not make any statement about the mere determination, i.e. the recording or storage of personal (ID) data beyond this. This applies equally to Section 20 (1) PMG, which merely sets out the constitution of general terms and conditions, but does not impose any legal obligation to process personal data.

Moreover, it should be noted that even the respondent's General Terms and Conditions cannot constitute a legal obligation due to the lack of substantive legal quality.

As a result, the provisions of the PMG in conjunction with Article 6(1)(c) of the DSGVO put forward by the respondent do not constitute a legal basis for the scanning and storage of the complainant's identity document.

D.2 To safeguard legitimate interests (Art. 6 para. 1 lit. f DSGVO):

It must then be examined whether the processing of the complainant's personal data was necessary to safeguard the legitimate interests of the respondent or a third party within the meaning of Article 6 paragraph 1 letter f DSGVO.

According to the ECJ's rulings, the processing is permissible on the legal basis of "legitimate interest" under three cumulative conditions: (i) the pursuit of a legitimate interest by the controller or by the third party or parties to whom the data are disclosed, (ii) the necessity of the processing of personal data for the purposes of the legitimate interest and (iii) the fundamental rights and freedoms of the data subject do not prevail over the legitimate interest pursued (see, with regard to Directive 95/46/EC, ECJ judgment of 11 December 2019, C-708/18 [TK], para. 40 with further references).

(i) Legitimate interests of the data controller or a third party

It must first be examined whether the respondent or a third party had a legitimate interest in processing the identity card data of the complainant in question:

To this end, the respondent argued, inter alia, that it might have been exposed to warranty claims and/or claims for damages by the sender and that the processing was therefore necessary to safeguard or defend its legal claims.

In this respect, it must be noted that the respondent's interest in being able to defend itself sufficiently in the event of a legal dispute, at least within the statutory warranty period, and to provide proof of the lawful transfer to the correct person, was certainly to be regarded as justified (cf. Kastelitz/Hötzendorfer/Tschohl in Knyrim, DatKomm Art 6 DSGVO Rz. 54).

Against this background, the existence of a legitimate interest of the respondent in the processing of the identity card data in question was to be affirmed.

(ii) Necessity of the data processing

Furthermore, it should also be recognised that the processing of the complainant's identity card data could be used to prove that the data had been handed over to the correct recipient in the event of a dispute.

(iii) No overriding of the fundamental rights and freedoms of the data subject

Finally, the respondent's established interest in data processing had to be compared with the complainant's claim to secrecy and a possible predominance had to be examined.

In doing so, the reasonable expectations of the complainant were to be taken into account, i.e. in particular whether he could reasonably foresee, at the time of the collection of the identification data and in view of the circumstances under which it was carried out, that processing for this purpose might possibly take place (see Recital 47 of the DSGVO). In any event, the collection and storage of identification data for the purpose of defending legal claims relating to postal items is within the scope of general life experience and was in this respect also easily foreseeable by the complainant.

In order to weigh up the specific interests involved, it should also be noted that no special categories of personal data pursuant to Article 9(1) DSGVO, no data relevant to criminal law pursuant to Article 10 DSGVO and no other personal data were processed which would involve a particularly intensive encroachment on the fundamental right to secrecy.

The categories of data processed by the respondent are in no way excessive and the storage period of six months is in no way to be regarded as disproportionate. Also in view of the case law of the European Court of Justice, no excessive data processing can be seen here. Moreover, the processing was limited to the absolutely necessary, both in terms of the volume of data processed and the storage period (cf. e.g. ECJ 11.12.2014, C-212/13, Ryneš), as the respondent stored the ID card data for only six months and thus only for a clearly defined, non-excessive period of time.

D.3 Result:

Against this background, the data protection authority comes to the conclusion that the legitimate interests of the respondent outweigh the fundamental rights and freedoms of the complainant and that the processing was lawfully carried out on the basis of "legitimate interests" pursuant to Article 6 (1) lit. f of the DSGVO.

The complaint was therefore to be dismissed as inadmissible.

Keywords: Confidentiality, lawfulness of processing, postal service, universal service provider, registered letter, person collecting, scanning of photo identification, authorisation standard, general terms and conditions, balancing of interests
European Case Law Identifier (ECLI): ECLI:AT:DSB:2020:2020.0.349.984
Last updated on: 29.09.2020
Document number: DSBT_20200626_2020_0_349_984_00