DSB (Austria) - 2020-0.436.002

From GDPRhub
DSB (Austria) - 2020-0.436.002
LogoAT.png
Authority: DSB (Austria)
Jurisdiction: Austria
Relevant Law: Article 4(1) GDPR
Article 4(4) GDPR
Article 12(1) GDPR
Article 15(1) GDPR
Article 15(1)(h) GDPR
Article 22(1) GDPR
Article 22(4) GDPR
Article 2(1) Directive (EU) 2016/943
§ 1(3) Z 1 Austrian Data Protection Act (Datenschutzgesetz - DSG)
§ 4(6) Austrian Data Protection Act (Datenschutzgesetz - DSG)
Type: Complaint
Outcome: Upheld
Started:
Decided: 08.09.2020
Published: 09.06.2021
Fine: None
Parties: Dr. Markus A*** (Complainant)
N***AdressverlagsgmbH (Respondent)
National Case Number/Name: 2020-0.436.002
European Case Law Identifier: ECLI:AT:DSB:2020:2020.0.436.002
Appeal: n/a
Original Language(s): German
Original Source: Rechtsinformationssystem des Bundes (RIS) (in DE)
Initial Contributor: n/a

The Austrian DPA held that the right to access under Article 15(1)(h) GDPR applies to all kinds of profiling rather than only to automated decision making under Article 22(1) and (4) GDPR. The DPA further rejected the controller's argument that protection of a trade secret should form an exception to the complainants' right to access. tbd

English Summary

Facts

The respondent had calculated marketing scores called „Dominanten Geo Milieus“ regarding the complainant. These scores consisted of alleged likelihoods (expressed in a percentage number) that the complainant would belong to certain demographic groups, such as "conservatives", "traditionalists", "hedonists" or "digital individualists".

In May 2019, the complainant sent an access request under Article 15 GDPR to the respondent, requesting i.a. information under Article 15(1)(h) GDPR on how the marketing scores have been calculated. In June 2019, the respondent replied, stating that the requested information will not be provided because it qualifies as a trade secret within the meaning of § 4(6) Austrian Data Protection Act (Datenschutzgesetz - DSG). (Note: §4(6) DSG is considered as national law adopted under Article 23(1)(i) GDPR.)

Consequently, the complainant filed a complaint with the Austrian DPA (Datenschutzbehörde - DSB).

Dispute

  • Is the respondent under the obligation to provide information under Article 15(1)(h) GDPR ("meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject") to the respondent regarding the marketing scores „Dominanten Geo Milieus“?
  • If so, could the respondent invoke a trade secret within the meaning of § 4(6) DSG and rightfully refuse to provide said information?

Holding

The DSB initially held, that the marketing scores at hand constitute personal data under Article 4(1) GDPR as they have been assigned to individual natural persons. Furthermore, the DSB held that the processing activities leading to the creation of these marketing scores constitute profiling within the meaning of Article 4(4) GDPR. Taking into account recital 71 GDPR and WP 251 rev.01, the DSB emphasized that the GDPR differentiates between profiling under Article 4(4) GDPR and automated decision making under Article 22 GDPR: for a processing activity to qualify as profiling it is not necessary that this processing activity is carried out solely automated.

The DSB then assessed, whether the complainant had a right to information under Article 15(1)(h) GDPR regarding the marketing scores and whether the respondent had infringed that right, which required an interpretation of said provision. According to the DSB, the right under Article 15(1)(h) GDPR is not limited to cases of automated decision making under Article 22(1) and (4) GDPR, but also encompasses other cases, such as the profiling at hand: the use of the words "at least in those cases" Article 15(1)(h) points toward a broad scope of application. Consequently, the DSB saw no necessity to further assess whether the creation of the marketing also qualifies as automated decision making under Article 22 GDPR.

Lastly, the DSB waived the respondent's argument, that the respondent was exempt from providing information under Article 15(1)(h) GDPR, because the logic involved calculating the marketing scores qualifies a trade secret within the meaning of § 4(6) DSG. The DSB explained that the respondent is not required to disclose the algorithm, source code or compiler code that was used when creating the marketing scores (such information would most likely qualify as a trade secret under Directive 2016/943/EU according to the DSB). Rather the respondent is required to provide the following information in connection with the score calculation:

  • parameters / input variables and how they came about (e.g. using statistical information);
  • effect of the parameters/input variables on the score;
  • explanation of why the data subject was assigned to a particular evaluation result;
  • list of possible profile categories or
  • similar equivalent information that enable the data subject to exercise his or her rights of rectification and erasure and to review the lawfulness of processing.

As a general remark, the DSB held § 4(6) DSG as an exemption of a controller's obligations under Article 15 GDPR must be interpreted narrowly in light of Article 8 ECHR, Article 8 CFR and § 1(3) DSG (right to data protection under Austrian constitutional law).

Comment

Please note that the parties' names as provided in the RIS are not necessarily redacted versions of their actual names but rather pseudonyms.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.



Decisive authority
Data protection authority


Decision date
08.09.2020


Business number
2020-0.436.002


Appeal at the BVwG / VwGH / VfGH
This decision is final.




text
GZ: 2020-0.436.002 of September 8, 2020 (case number: DSB-D124.909)

[Note processor: Names and companies, legal forms and product names, addresses (incl. URLs, IP and e-mail addresses), file numbers (and the like), etc., as well as their initials and abbreviations can be abbreviated and / or changed for reasons of pseudonymisation be. Obvious spelling, grammar, and punctuation errors have been corrected.]

NOTIFICATION
Proverb
The data protection authority decides on the data protection complaint of the Dr. Markus A *** (complainant) dated June 7, 2019 against N *** AdressverlagsgmbH (respondent), represented by lawyer Mag. Uwe K ***, for violation of the right to information as follows:
1. The complaint is partially allowed and it is established that the respondent has violated the complainant's right to information by providing incomplete information on June 4, 2019 and September 9, 2019 (in the ongoing proceedings before the data protection authority) .
2. The respondent is instructed to provide the complainant with information on the creation of the calculated geographic milieus in accordance with Art. 12 Paragraph 1 in conjunction with Art. 15 Paragraph 1 lit.
3. The complaint is otherwise dismissed.
Legal basis: Art. 4 No. 1, Art. 4 No. 4, Art. 12 Paragraph 1 and Paragraph 6, Art. 15 Paragraph 1, and Art. 77 Paragraph 1 of Regulation (EU) 2016/679 (data protection Basic Regulation GDPR), OJ No. L 119 of 4.5.2016, S 1; in conjunction with §§ 1 Paragraph 3 DSG, 4 Paragraph 6, 24 Paragraph 1 and Paragraph 5 of the Data Protection Act - DSG, Federal Law Gazette I No. 165/1999 as amended.
REASON
A. Arguments of the parties and course of the procedure
1. With submission of June 7, 2019, the complainant asserted a violation of the right to information, since the respondent responded to his request for information of May 28, 2019 regarding the calculation of the so-called "Dominant Geo Milieus" with a letter of June 4, 2019 if this were "probability calculations", the calculation method of which would not be disclosed as a trade and business secret in accordance with Section 4 (6) DSG.
The complainant had received data information from V *** adressen Lieferant GmbH in January 2019 regarding the "Dominant Geo_Milieus" and was referred to the data supplier "N *** AdressverlagsgmbH" with regard to this data - purchased from V *** adressen Lieferant GmbH been. The complainant demanded that the data protection authority should determine that the respondent had to provide information on the calculation method, since it was personal and specific statements about the complainant that would be made available to the public.
2. In a statement of September 9, 2019, the Respondent essentially argued that the Geo_Milieus is a segmentation of societies based on value orientations and lifestyles in 18 nations for strategic marketing based on social science research, mapping social structures, in which similar basic orientations, values, lifestyles and living environments are summarized and made comparable. The calculation model is based on "hypothesis formation" based on our own research and existing data (...) and this is carried out with the involvement of milieu experts. Neither personal and specific statements about the complainant are made nor are these made available to the public. The probabilities of the Geo_Milieus would be calculated by the company Z *** Marketing GmbH in E *** (Y ***). The statement contained an information table with a total of ten geographic milieus and the calculated probabilities for the complainant. An explanation of the significance of the ten Geo_Milieus was also attached. Providing information about the calculation method represents a trade and business secret, whereby providing information on parameters within the scope of information entails considerable legal disadvantages, since these "parameters" can be imitated or reproduced by others.
3. As part of the fact that the parties were granted a hearing (letter from the data protection authority dated October 21, 2019), the complainant submitted a number of new applications (e.g. breach of the right to secrecy, deletion of data and prohibition of processing) both against the respondent and against the V * ** address supplier GmbH, without addressing the original subject of the complaint. The applications were logged under separate procedural numbers (D124.2633 and D205.366).
B. Subject matter of the complaint
Based on the submissions of the parties, the subject of the complaint in these proceedings is the question of whether the respondent has violated the complainant's right to information by providing incomplete information.
C. Factual Findings
The complainant's request for information of May 28, 2019 was answered by letter of June 4, 2019 - as follows:
In the above matter I refer to your letter of May 28th, 2019, received on May 31st, 2019 and I am allowed to inform you of the parameters for GeoMilieus as requested:

Geo Milieus is a segmentation of societies based on value orientations and lifestyles in 18 nations for strategic marketing based on social science research, mapping social structures and their changes, in which similar basic orientations, values, lifestyles, living environments are summarized and through a uniform positioning scheme can be made comparable. The segmentation is sufficiently fine, but not exaggerated and helps with marketing planning, which is recorded in the groups (milieus) listed and enables a resource calculation. This calculation model is based on the formation of hypotheses on the basis of our own research and available data with the involvement of milieu experts, including subsequent verification and correction of the hypothesis and differentiation to determine a strategic map in which products, brands and media can be positioned.

The listed probability values classify in detail (according to Z *** Marketing):

Dominantes_geo_milieu_person:

-Likely_value_conservative

Leading milieu in the traditional area with a high ethics of responsibility: strongly shaped by Christian values, high appreciation of education and culture, critical of current social developments

-Likelihood_value_traditional

The milieu focused on security, order and stability: Rooted in the old petty-bourgeois world, in the traditional working-class culture and in the traditionally rural milieu

-Likelihood_value_established

The performance-oriented elite with a strong sense of tradition: Clear claims to exclusivity and leadership, a high level of class awareness and a pronounced ethos of responsibility

-Likely_value_performer

The flexible and globally oriented modern elite: Efficiency, personal responsibility and individual success have top priority; High business and IT competence

-Likely value_post-material

Cosmopolitan social critics: educated, diverse and culturally interested milieu; cosmopolitan oriented, but critical of globalization; socially engaged

-Likelihood value_digital individualists

The individualistic and networked lifestyle avant-garde: Mentally and geographically mobile, networked online and offline, constantly on the lookout for new experiences

-Likelihood value_buergerliche_mitte

The mainstream, ready to perform and adapt: striving for professional and social establishment, secure and harmonious relationships, support and orientation, calm and deceleration

-Likely_value_adaptive_pragmatic

The new flexible center: pronounced pragmatism in life, striving for anchoring, belonging, security; Basic willingness to perform, but also a desire for fun and entertainment

-Probability value_consumption-oriented_basis

The consumption-oriented lower class striving to participate: Pronounced feelings of disadvantage, fear of the future and resentment; trying to keep up with the lifestyle and consumption standards of the middle

-Likely_value_hedonists

The moment-related, adventure-hungry lower center: living in the here and now, looking for fun and entertainment; Refusal of the conventions of the majority society

The percentage values that you mentioned are based on scientifically recognized probability calculations on the basis of existing social science research and data on the population in several countries, showing the social structures and their changes, in which similar basic orientations, values, lifestyles, living environments are summarized and through a uniform positioning scheme can be made comparable and these calculations are carried out on the basis of our own research and existing data with the involvement of milieu experts by Z *** Marketing GmbH. With reference to existing trade and business secrets, we regrettably cannot disclose the underlying calculation methodology to you and may refer to Section 4 (6) of the Data Protection Act in this regard. We ask for your understanding.

We hope that we have answered your questions with this information.

In the ongoing proceedings before the data protection authority, the following (excerpts) information about the specifically calculated geographic milieus was also given as part of the respondent's statement:
The following classification based on a probability calculation according to the Geo_Milieus of Z *** Marketing (which apply the Sinus-Milieus for dialogue marketing known from market research to the geographical area) are calculated, assigned and stored for the complainant by the respondent:



Dominant_geo_milieu_person
                  Post-material


 Probability_value_conservative
                                                   2.03%


Probability_value_traditional
0.38%


Probability_value_established
14.44%


Probability_value_performer
34.27%


Probability_value_post-material
25.22%


 Probability_value_digital_individualists
8.19%


Probability value_buergerliche_mitte
3.20%


Probability_value_adaptive_pragmatic
1.59%


Probability-value_consumption-oriented_basis
1.42%


Probability-value_hedonists
9.28%







Assessment of evidence: The findings are based on the letters and statements contained in the file, known to both parties and which have remained undisputed.
D. From a legal point of view, it follows:
1. To provide data / information for calculating the geographic milieus (point 2a.)
a. According to Art. 4 No. 1 GDPR, "personal data" is all information that relates to an identified or identifiable natural person; A natural person is regarded as identifiable who can be identified directly or indirectly, in particular by means of assignment to an identifier such as a name, [...] to one or more special characteristics that express the physical, physiological, genetic, psychological, economic, cultural or the social identity of this natural person;
b. In its partial recognition of August 20, 2020, GZ W258 2217446-1 / 15E, the BVwG stated that statistically calculated data that is assigned to a specific person is personal data.
In the present case, too, these prerequisites are undoubtedly present, since the "geo-milieu data" refer to an identified natural person, namely the complainant, regardless of whether they have been calculated statistically or with the help of probability calculations (cf. also Kühling / Bucher, Commentary on the GDPR, margin no. 15 to Art. 4 number 1, Klabunde in Ehmann / Selmayr, General Data Protection Regulation, Art. 4, Rz.10 or see Ziebarth in Sydow, European General Data Protection Regulation, Handkommentar, Art. 4 41). Without the assignment, personalized or targeted advertising would not even be possible. It should be noted that the data protection commission at the time already qualified assessments with the help of statistical extrapolations regarding a person's probable membership of a certain target or age group as personal data (see Jahnel, Handbuch Datenschutzrecht, margin no. 3/72; see also the notification of DSK of May 20, 2005, GZ K120.908 / 0009-DSK / 2005). Against this background, the subject matter of the complainant's geo_milieu data with a percentage probability is in any case personal data subject to disclosure within the meaning of Art. 4 no. 1 GDPR.
In a further step, it must be clarified to what extent the processing is profiling.
c. As the Respondent herself explains, in the so-called Geo_Milieus, similar basic orientations, values, lifestyles and living environments are summarized and made comparable, whereby the calculation model is based on "hypothesis formation" on the basis of our own research and available data (...) with the involvement of environment experts, including subsequent review and correction of the hypotheses by Z *** Marketing GmbH in E *** in order to carry out marketing planning.
d. Art 4 (4) GDPR defines “profiling” as any type of automated processing of personal data that consists of using this personal data to evaluate certain personal aspects relating to a natural person, in particular aspects relating to work performance to analyze or predict the economic situation, health, personal preferences, interests, reliability, behavior, whereabouts or relocation of this natural person;
e. When segmenting, calculating and assigning Geo_Milieus, personal data is processed automatically in order to evaluate certain personal aspects that relate to a natural person, in this case in particular to assign aspects relating to the economic situation, personal preferences, interests, etc. analyze, segment and calculate the probabilities of an assignment to Geo_Milieus in order to carry out targeted strategic marketing, product planning and advertising mailings.
f. Subsuming under the term profiling - according to the wording of Art 4 Z 4 GDPR - does not require that analyzes or predictions about a natural person are exclusively automated, as is standardized for example in Art. 22 GDPR for "automated decisions in individual cases" . Rather, it is clear from the last sentence on Recital 71 that the Union legislature wanted to consider the terms “profiling” and “automated decision-making” separately if it is standardized (“(...) automated decision-making and profiling should be based on special categories of personal data only be allowed under certain conditions ”).
Accordingly, the guidelines on automated decisions in individual cases including profiling for the purposes of Regulation 2016/679 "(WP 251 rev.01) of February 6, 2018 under point A. (" Profiling ") can be read:
“Article 4 (4) refers to“ any type of automated processing ”, not to“ exclusively ”automated processing (as described in Article 22). Profiling must be a type of automated processing - even if an intervention by a person does not necessarily exclude the activity from the definition. "
The data protection authority therefore considers the calculation and assignment of Geo_Milieu probabilities to a specific person as a form of profiling within the meaning of Art. 4 No. 4 GDPR for the purposes of strategic marketing, product planning and sending advertising.
G. In a further step, it must be clarified whether and, if so, according to which provisions of Art. 15 GDPR, the complainant has a right to information regarding the occurrence of the calculated probabilities.
H. Art. 15 para. 1 lit. h GDPR provides that if there is automated decision-making including profiling in accordance with Art. 22 para. 1 and 4 GDPR and - at least in these cases - meaningful information about the logic involved, as well as the scope and the intended Effects of such processing for the data subject are to be granted, whereby in Recital 63 it is mentioned that the rights and freedoms of other persons, such as trade secrets or rights of intellectual property and in particular the copyright to software, should not be impaired, but not in addition may result in the data subject being refused any information. As already stated, the calculation and allocation of the geographic milieus calculated in this case is in any case a profiling within the meaning of Art. 4 No. 4 GDPR. Since Art. 15 (1) (h) GDPR does not limit the specific rights to information to Art. 22 (1) and (4) GDPR, but rather wants to see these rights extended to other cases by using the word at least ("at least") For this procedure, a further check is made as to whether the calculated probability values are not to be subsumed under Art. 22 Para. 4 GDPR anyway (cf. for example the probability value_conservative, (...) "strongly shaped by Christian values").
i. Consequently, in the guidelines on Art. 22 GDPR already mentioned, it is also stated that the explanations refer to “all” profiling activities and automated decisions.
The guidelines state the following on p. 18 for the provision of information:
"According to Article 15, the data subject has the right to request details of the personal data used for profiling, including the data categories used for profiling. In addition to the transmission of general information on processing, the person responsible is obliged in accordance with Article 15 (3) to provide the input data used to create the profile; he must also provide information on the profile and details of the segments into which the data subject has been divided. (...) "
The right to information on the content of Geo_Milieu Daten is therefore based on Article 15 (1) (h) GDPR, whereby specifically for information in accordance with Article 15 (1) (h) GDPR, the parameters / input variables of a calculated assignment, their influence on the calculated one Assignment, i.e. essentially the weighting of the parameters, the information on the occurrence of the parameters / input variables (e.g. whether the parameter "living environment" was statistically extrapolated), an explanation of why the person concerned was assigned to a certain evaluation result and a list of the profile categories that for an assignment are possible, would have to be provided (according to Zavadil in Dako 2020/33 for the information in an "automated decision-making", "the special right to information about the logic involved in data processing" mwN) or similar information equivalent to the information content enable the data subject to exercise his or her right to rectification g to exercise deletion and verification of legality.
2. On the objection that a trade and business secret of the respondent was affected:
a. The company and trade secret cited by the respondent for the calculated allocation does not speak against such information. Because the information is in no way due to the logic of the algorithm, its source code, the compilation code or the complete documentation, but only information for those affected in the specific individual case, which makes the traceability, comprehensibility and the correctness or topicality of the input variables in the case of the person concerned. The data protection authority does not fail to recognize that the calculation method of the Geo_Milieus is almost certainly subject to the European legal provisions of Directive 2016/943 / EU (Know-How Directive), since the scientifically developed calculation method undoubtedly represents a not insignificant commercial value, neither in its entirety is still generally known in the relevant public in terms of the exact arrangement and composition of its components and corresponding confidentiality measures are evidently put in place (cf. Art. 2 no. 1 leg. cit.). However, by deciding to provide information on parameters and their weighting in individual cases, the data protection authority assesses the risk of being able to disclose and / or imitate a (complete) algorithm or to disclose the exact arrangement and composition of the algorithm as low, especially since the The data protection authority leaves it up to the respondent to fulfill his obligations by providing similar information equivalent to the information content, which enables the data subject to exercise his rights to rectification, deletion and verification of legality.
b. In principle, it is stated that the refusal to provide information on the basis of business and trade secrets vis-à-vis the constitutional or primary-legal rights under Art. 8 ECHR or Art. 8 EU-GRC as well as § 1 Para. 3 DSG for information or correction data from the data subject will be less difficult to weight. With regard to the provision of Section 4 (6) DSG - brought up by the respondent - according to which the right to information does not exist if the business and company secrecy of the person responsible is jeopardized, it should be noted that this is an exception to the right to information and exceptions to the general provisions of the GDPR - following the case law of the ECJ - are to be interpreted strictly (see last judgment of July 16, 2020, C-311/18, margin no.84). Apart from this, reference is made to the above statements, according to which the information can also be given in such a way that company and business secrets are not affected.
c. On the other hand, the complainant's request had to be rejected - the respondent should (fully) disclose its calculation method. This does not appear to be necessary for a request for information, nor does it result from the provision of Art. 15 (1) (h) GDPR, where only “meaningful information on the logic involved and its effects” is mentioned, but not the logic involved self.
It was therefore to be decided as a whole in accordance with the ruling.


European Case Law Identifier
ECLI: AT: DSB: 2020: 2020.0.436.002