DSB (Austria) - 2020-0.829.566

From GDPRhub
Revision as of 09:02, 12 July 2023 by Fm (talk | contribs)
DSB - 2020-0.829.566
LogoAT.png
Authority: DSB (Austria)
Jurisdiction: Austria
Relevant Law: Article 15(3) GDPR
Article 17 GDPR
Type: Complaint
Outcome: Rejected
Started:
Decided: 23.03.2023
Published: 06.07.2023
Fine: n/a
Parties: n/a
National Case Number/Name: 2020-0.829.566
European Case Law Identifier: ECLI:AT:DSB:2021:2020.0.829.566
Appeal: Unknown
Original Language(s): German
Original Source: DSB (Austria) (in DE)
Initial Contributor: mg

The Austrian DPA held that the GDPR does not apply to the expulsion of an individual from a religious organisation.

English Summary

Facts

The data subject was active member of a religious community. They also held an official spiritual role within the church. After many years of service, an internal committee held that data subject committed a serious sin and publicly declared that they were no longer a member of the community.

The data subject claimed that by this public announcement the controller unlawfully processed their personal data. The data subject also requested access and erasure of some personal data and objected to the processing.

The controller claimed that data were processed pursuant to Articles 6(1)(c) and (f) and 9(2)(d) and (f) GDPR. Moreover, a religious organisation enjoys a high degree of autonomy in accordance with the European Convention of Human Rights and the European Treaties. The processing at issue fell therefore outside the State’s competence. The controller also stated to have fully replied to the access request.

The data subject claimed that at the time of their baptism they were only 13 and therefore not able to understand all the legal implications of the affiliation for their right to data protection. They also claimed that it would have been sufficient to bring their expulsion to the attention of only two people, without any need for a public announcement. Thus, the data subject lodged a complaint.

Holding

The Austrian DPA held to have no competence to review “internal matters” of a religious organisation, such as the decision to disclose information about the data subject’s expulsion during a public gathering of the church.

For the same reason, the Austrian DPA denied that Article 15 GDPR was applicable. Moreover, in an obiter dictum, the data subject’s claim that information provided was incomplete was rejected. According to the DPA, Article 15(3) GDPR does not give a data subject the right to request entire documents, such as cover and reference letters or the full assessment of someone’s “spiritual status”. It is sufficient that the controller provides the data subject with a copy of personal data undergoing processing contained in the documents, which is what the controller did in the case at issue.

The fact that the erasure of personal data was an “internal matter” of the church also excluded the applicability of Article 17 GDPR. According to the DPA, the formal exclusion of the data subject from the religious community does not mean that the data subject will no longer be regarded by the community as “spiritually” linked to the church.

Similar considerations applied to the right to object to processing pursuant to Article 21 GDPR.

In light of the above, the Austrian DPA rejected the complaint.

Comment

The Austrian DPA's approach in this case unnecessarily limits the scope of application of the GDPR. Without taking sides on the merits of the controversy, it is difficult to ignore how the DPA de facto creates an exception to the applicability of the regulation which is clearly not provided for in Article 2. Indeed, the "internal matters" of a religious organisation are not excluded as such from the scope of the GDPR. To the contrary, Article 9(2)(d) GDPR explicitly states that special categories of data can be processed by a not-for-profit organisation with a religious aim (e.g. a church): this in turn implies that the GDPR is applicable. The Austrian DPA could have reached conclusions similar to the ones developed in the present case by emphasising the latter element, instead of a vague reference to the "internal matters" of the organisation at issue.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

text

GZ: 2020-0.829.566 from March 23, 2021 (case number: DSB-D124.2701)

[Editor's note: Names and companies, legal forms and product names, addresses (including URLs, IP and e-mail addresses), file numbers (and the like), etc., as well as their initials and abbreviations may be abbreviated and/or changed for reasons of pseudonymization be. Corrected obvious spelling, grammar, and punctuation errors.]

NOTICE

SAY

The Data Protection Authority decides on the data protection complaints of Mr Richard A*** (complainant) of June 22, 2020, improved with submission of August 24, 2020, logged under D124.2702, and of June 29, 2020, improved with Submission of September 2, 2020, logged under D124.2701, against the N*** religious community in Austria (Respondent) for the alleged violation of the right to secrecy, the alleged violation of the right to information, the alleged violation of the right to erasure and of the alleged violation of the right to object as follows:

1. The complaint regarding the alleged violation of the right to confidentiality is dismissed.

2. The complaint regarding the alleged violation of the right to information is dismissed.

3. The complaint regarding the alleged violation of the right to erasure is dismissed.

4. The complaint regarding the alleged violation of the right to object is dismissed.

Legal basis: Art. 15, Art. 17, Art. 21, Art. 51 (1), Art. 57 (1) lit. f, Art. 77 (1) and Art. 91 of Regulation (EU) 2016/679 ( General Data Protection Regulation, hereinafter: GDPR), OJ No. L 119 of 04.05.2016, p. 1; Section 1 (1) and (2) and Section 24 (1) and (5) of the Data Protection Act (DSG), Federal Law Gazette I No. 165/1999 as amended; Art. 15 StGG on the general rights of citizens, RGBl. No. 142/1867; Art. 9 of the European Convention on Human Rights (EMRK), Federal Law Gazette No. 210/1958 as amended; Art. 10 of the Charter of Fundamental Rights of the European Union (GRC), OJ No. C 202 of 07.06.2016, p. 389; Art. 6 Treaty on the European Union (TEU), Federal Law Gazette III No. 85/1999. : Article 15,, Article 17,, Article 21,, Article 51, paragraph one,, Article 57, paragraph one, litera f,, Article 77, paragraph one, and Article 91 of Regulation (EU) 2016/679 (data protection -Basic Regulation, hereinafter: GDPR), OJ No. L 119 of 04.05.2016, p. 1; Paragraph one, paragraph one and paragraph 2, as well as paragraph 24, paragraph one and paragraph 5, of the Data Protection Act (DSG), Federal Law Gazette Part One, No. 165 from 1999, as amended; Article 15, StGG on the general rights of citizens, RGBl. No. 142/1867; Article 9 of the European Convention on Human Rights (EMRK), Federal Law Gazette No. 210 from 1958, as amended; Article 10 of the Charter of Fundamental Rights of the European Union (CFR), OJ No. C 202 of 07.06.2016, p. 389; Article 6, Treaty on European Union (TEU), Federal Law Gazette Part 3, No. 85 from 1999.

REASON

A. Submissions of the parties and course of the proceedings

1. The complainant claimed in his complaint of June 29, 2020, recorded for GZ D124.2701, improved with the submission of September 2, 2020, that the respondent had violated his right to secrecy. In his complaint of June 22, 2020, which was logged for GZ D124.2702 and improved with the submission of August 24, 2020, the complainant also claimed that the respondent had violated his right to information, his right to erasure and his right to restrict the processing to have been violated.

Regarding the alleged violation of the right to secrecy, the complainant submitted that the respondent would process his data without his consent. At the time of his baptism, he was not yet 14 years old and baptism does not constitute an oral contract or consent to unrestricted data processing. In addition, he did not give the respondent any consent to data processing in 2018. In **** 2020, the Respondent then made the public announcement in a zoom meeting, in front of an estimated 60 to 80 people, that he was no longer a member of the N***, although he had previously contradicted this several times. In addition, he also objected to any internal forwarding of documents concerning him.

With regard to the alleged violation of the right to information, the complainant submitted that he had contacted the respondent with a request for information, which, however, had not been fully complied with.

With regard to the alleged violation of the right to erasure, the complainant stated that he had contacted the respondent with a request for erasure, but that the respondent had not responded to the request.

2. In its statement of October 26, 2020 and December 1, 2020, the Respondent first submitted that the Complainant had been baptized as a member of the N*** on May 12, 1990 and was also a member until July 4, 2020 of the religious community. He would have been active as such for many years and also held the ministry of [editor's note: exact name not reproduced for reasons of pseudonymization from *3.*4.2011 to *7.*3.2015, further abbreviations marked with **** from the same reason] clothed. In **** 2020, a religious law ****committee **** considered whether the complainant had committed a serious sin and whether there was no **** repentance. The ****committee had decided that this would be the case and therefore, at a meeting in K***stadt at the end of **** 2020, the religiously required announcement was made that the complainant was no longer a member of the N*** may be.

With regard to the alleged violation of the right to secrecy, the Respondent submitted in summary that it was entitled to process the Complainant's data in accordance with Art. 6 (1) lit. c and f and in accordance with Art. 9 (2) lit. d and f GDPR and, moreover, the organization of the membership relationships represents an internal matter of a religious community, which is beyond the assessment of state authorities. The announcement of the departure of a former member from the religious community during a church service would also be one of the internal affairs of a religious community and constitute a protected religious practice under Art. 15 StGG, Art. 9, 10, 11 and 14 ECHR and Art. 17 TFEU dar. To the extent that the complainant complained about the forwarding of his data within the community or stated that he had expressly objected to the forwarding of his data, the respondent explained that the forwarding of his data to the **** office would have been necessary because the ****bureau is responsible for the administration of the board and the ****committee and the ****committee also has the final decision on membership issues. In this context, the Respondent once again points out that questions about membership are among the internal affairs of a religious community. With regard to the alleged violation of the right to secrecy, the Respondent submitted in summary that it was entitled to process the Complainant's data in accordance with Article 6, paragraph one, letters c, and f and in accordance with Article 9, paragraph 2, letters d, and f GDPR and, moreover, the organization of the membership relationships represents an internal matter of a religious community, which is beyond the assessment of state authorities. The announcement of the departure of a former member from the religious community during a church service would also be one of the internal affairs of a religious community and constitute a protected religious practice under Article 15 StGG, Articles 9, 10, 11 and 14 ECHR and Article 17 TFEU dar. To the extent that the complainant complained about the forwarding of his data within the community or stated that he had expressly objected to the forwarding of his data, the respondent explained that the forwarding of his data to the **** office would have been necessary because the ****bureau is responsible for the administration of the board and the ****committee and the ****committee also has the final decision on membership issues. In this context, the Respondent once again points out that questions about membership are among the internal affairs of a religious community.

With regard to the alleged violation of the right to information, the Respondent confirmed that the Complainant sent her a request for information on June 8, 2020. However, since she had already complied with the request on June 26, 2020, she could not understand why the complainant claimed that his right to information had been violated.

Regarding the alleged violation of the right to erasure, the Respondent argued that the regulation of membership and the resulting consequences represent an essential part of the core of a religious community's right to self-determination, which is the sole responsibility of the religious community. In this context, the Respondent submitted in particular that, for example, according to the canon law of the Catholic Church, termination of membership after baptism was no longer possible. The processing of the complainant's data would therefore be necessary in accordance with Art. 17 (3) lit. b and e GDPR and would conflict with the complainant's right to erasure. Regarding the alleged violation of the right to erasure, the Respondent argued that the regulation of membership and the resulting consequences represent an essential part of the core of a religious community's right to self-determination, which is the sole responsibility of the religious community. In this context, the Respondent submitted in particular that, for example, according to the canon law of the Catholic Church, termination of membership after baptism was no longer possible. The processing of the complainant's data would therefore be required under Article 17, Paragraph 3, Letters b and e GDPR and would conflict with the complainant's right to erasure.

3. As part of the granted hearing, the complainant submitted in letters dated December 7, 2020 and December 13, 2020 - insofar as relevant to the procedure - that he was only 13 years old when he was baptized and that he was unable to do so due to extremely limited and one-sided false information would have been to assess the legal context and lifelong obligations of membership with the Respondent. In addition, the announcement of his resignation, which he would have objected to, would not fall within the religious right to self-determination, but within the scope of the GDPR. In addition, according to the constitution of the Respondent, it would also be sufficient if the declaration of leaving the community was made to two people.

With regard to the alleged violation of the right to information, the complainant pointed out that he had already requested complete information in April 2018 and had explained in this context that this also included the accompanying letters, letters of introduction, assessments of his "mental status", information and documents about exclude yourself from the ****community file and the like. In addition, it was evident from an e-mail correspondence that there were also recordings of his telephone dial-in to church services, which had not been transmitted, which is why the information remained incomplete.

Regarding the alleged violation of the right to erasure, the complainant argued that he was not concerned with the erasure of non-sensitive data such as name, address or date of birth, which would have to be stored to document the erasure, but with all other data.

B. Subject of Complaint

The subject of the complaint is the question of whether the Respondent violated the Complainant's right to secrecy, the right to information, the right to erasure and the right to object.

C. Findings of Facts

The Respondent is a religious community recognized in Austria.

The complainant was baptized on *4.*1.199* and was a member of the religious community of the respondent until *4.*7.2020.

On March 15, 2020, the complainant contacted the respondent with a request for information. In a letter dated June 8, 2020, the Complainant requested the Respondent to delete his data and objected to the announcement of the termination of his membership at a meeting and the related forwarding of data to the Respondent's ****office.

On July 4, 2020, at a meeting of the respondent in K***stadt, it was announced that the complainant was no longer a member of the religious community and the **** office was informed of this.

The ****office is responsible for administering the ****committee, which makes the final decision on membership matters.

In a letter dated June 26, 2020, the Respondent provided the Complainant with the following data protection information or informed the Complainant that it will not comply with the request for deletion:

"Data information from the **** municipality of K***stadt

Dear Mr A***,

We will answer your request regarding data protection as follows:

1.

Your data will be processed by us in accordance with the General Data Protection Regulation (GDPR)

processed.

2.

Below is a copy of the data we hold about you:

Name: A***, Richard

Gender Male

Date of birth: 2*.10. 197*

Address; L***gasse *5/*3/2*, **** H***dorf

Date of baptism: *4.*1.199*

****Municipality: K***stadt

Spiritual Office: [Editor's note: exact name not reproduced for reasons of pseudonymization] from *3.*4.2011 to *7.*3.2015

Type of Membership Loss: Disfellowshipped

Date of Resignation Announcement: *4.*7.2020

Basis of the decision: apostasy

Furthermore, we have a copy of our data information from 12.07.2018.

3.

We retain this minimum level of personal information to protect and protect believers and to keep the ****congregation clean in accordance with the religious beliefs of the N*** ]. In addition, keeping a history of your status, including your current status as a former member of the N***, is necessary to fulfill our legitimate religious interests. The data is physically stored by us.

Data information from the **** municipality of K***stadt

Mr A***

The data will be processed for the following purposes due to the fact that you have submitted to the religious community law of our religious community with your **** baptism and due to legitimate interests of the religious community:

 No involvement in N*** volunteer services or projects;

 No participation in any convention, ****convention or regional convention;

 Not accepting responsibilities or performing certain functions in the **** community;

 Documentation of membership status (****cards of the****municipality);

 Documentation of the exercise of clerical offices;

 No re-baptism;

 Enabling a retrial.

The data will not be processed beyond mere storage, with the exception of the following cases: Request for readmission into the religious community by the person concerned; Assertion, exercise or defense of legal claims.

In particular, the data will not be disclosed or passed on to third parties. The data is additionally protected by the fact that only clergy have access to the data and they are therefore subject to clergy privilege. The cases in which the aforementioned clergy are permitted access to the data are restricted to a minimum by religious law requirements, so that misuse of the data is ruled out.

4.

The data name, gender, date of birth, date of baptism, **** congregation, type of loss of membership, date of announcement of the resignation and basis of the decision were after the conclusion of the ****committee procedure (§ 14 statutes of the N** * Religious community) sent to the **** office. The data name, gender, date of birth, date of baptism, ****congregation, manner of loss of membership, date of notice of resignation and basis of decision were obtained after completion of the ****committee process (Article 14, N* Bylaws ** Religious community) sent to the **** office.

We did not transfer the data to recipients in so-called third countries, i.e. countries outside the European Union (EU), or to international organizations.

5.

The data is kept permanently as proof of membership status and to document the exercise of a spiritual ministry. In the event of a resumption, the data on the type of loss of membership, the date on which the resignation was announced and the basis of the decision are generally destroyed after five years.

6.

The data name, gender, date of birth, date of baptism and ****congregation were made available by you as part of your membership.

The data on the exercise of a spiritual office arose in connection with your appointment and deletion as [Editor's note: exact name not reproduced for reasons of pseudonymization].

Data information from the **** municipality of K***stadt

Mr A***

The data on the type of loss of membership, the date on which the resignation was announced and the basis of the decision arose when the ****committee procedure was carried out on the basis of religious community law.

7.

The processing of the data is not related to automated decision-making or profiling.



8th.

In principle, you have the right to information, correction, deletion, restriction of processing, data transferability and objection.

9.

You want your personal data to be deleted.

Art. 17 GDPR only allows the deletion of personal data if certain reasons are met. We have checked the reasons and see no basis for the deletion of the personal data stored by us. We keep a minimum amount of personal data that is necessary for our legitimate religious purposes according to Art. 6 and Art. 9 (2) lit. d GDPR. Article 17 GDPR only allows the deletion of personal data if certain reasons are met. We have checked the reasons and see no basis for the deletion of the personal data stored by us. We keep a minimum level of personal data necessary for our legitimate religious purposes according to Article 6 and Article 9, Paragraph 2, Litera d, GDPR.

Rest assured that access to the personal data concerning you is strictly limited. Data from a committee procedure is only accessible to a small group of selected people who are also bound to secrecy by the duty of confidentiality associated with the exercise of a spiritual office. In addition, it is ensured by religious law that your data may not be viewed or processed without special cause. In order to facilitate a retrial in order to avoid violating our own religious principles, it is necessary to retain basic personal data with us. The personal data we store is the minimum necessary to fulfill your history of status, including your current status as a former member of the N***, to exercise our right to religious self-determination and in accordance with our own religious principles.



10

You can reach the data protection officer at:

N*** religious community in Austria

Data Protection Officer

E*** Street *4

1*** Vienna

Email: DataProtectionOfficer.AT@n***.org

Data information from the **** municipality of K***stadt

Mr A***

11.

If you believe that the processing of your data violates data protection law or your data protection claims have otherwise been violated in any way, you can contact the supervisory authority. For N*** Austria this is:

Austrian data protection authority

Barichgasse 40-42

1030 Vienna

Email: dsb@dsb.gv.at

It is our sincere hope that over time you will decide that you want to be a member of the N*** again and reestablish your relationship with **** and the ****.

Sincerely"

Assessment of evidence: The findings result from the submissions of the parties and the documents submitted.

D. In legal terms it follows that:

First of all, it should be pointed out that the data protection authority already dealt with the question of whether the provisions of Art. 91 GDPR apply to the respondent in the decision of August 29, 2019, GZ DSB-D123.874/0016-DSB/2019 . First of all, it should be pointed out that the data protection authority already dealt with the question of whether the provisions of Article 91 GDPR apply to the respondent in the decision of August 29, 2019, GZ DSB-D123.874/0016-DSB/2019 .

The data protection authority has come to the conclusion that the Respondent's global data protection guidelines do not represent comprehensive rules for the protection of natural persons when processing personal data within the meaning of Art. 91 (1) GDPR and that the data protection guidelines must therefore be supplemented by state regulations. The data protection authority has come to the conclusion that the Respondent's global data protection guidelines do not constitute comprehensive rules for the protection of natural persons in the processing of personal data within the meaning of Article 91, paragraph one, GDPR and that the data protection guidelines must therefore be supplemented by state regulations.

The case in question must therefore be examined on the basis of the GDPR, whereby the respondent's corporate religious freedom (cf. Art. 15 StGG, Art. 10 EU-GRC, Art. 9 ECHR in conjunction with Art. 6 EUV) must be taken into account. However, the applicability of the GDPR requires the competence of the data protection authority as the supervisory authority under Art. 51 GDPR, which was not disputed by the Respondent. The case in question must therefore be examined on the basis of the GDPR, whereby the respondent's corporate religious freedom (compare Article 15, StGG, Article 10, EU-GRC, Article 9, EMRK in conjunction with Article 6, EUV) must be taken into account. However, the applicability of the GDPR requires the competence of the data protection authority as the supervisory authority under Article 51 GDPR, which was not disputed by the Respondent.

However, the data protection authority is not competent to make a substantive decision where the processing of data is inextricably linked to an "internal matter" of the respondent. According to the case law of the European Court of Human Rights, "internal affairs" include both the determination of the content of faith and forms of expression, as well as the internal organization of the community, such as the determination of the religious leader or who can be a member and who is excluded (cf. Krömer/Brandner in compare Krömer/Brandner in Knyrim, DatKomm Art. 91 GDPR, Rz 9). , DatKomm Article 91, GDPR, margin no. 9).

Regarding point 1

The fundamental right to data protection enshrined in § 1 DSG, according to the first paragraph of which everyone has the right to secrecy of personal data concerning them, in particular with regard to respect for their private and family life, insofar as there is a legitimate interest in this, includes the protection of the Data subjects before their data is determined and the data determined about them is passed on. However, the fundamental right to data protection is not absolute, but may be limited by certain, permissible interventions and must be viewed with regard to its social function and weighed against other fundamental rights while maintaining the principle of proportionality. The fundamental right to data protection anchored in paragraph one, DSG, after The first paragraph of which everyone, in particular with regard to respect for their private and family life, has a right to confidentiality of personal data concerning them, insofar as there is a legitimate interest in doing so, includes the protection of the data subject from the determination of his data and the disclosure of the data determined for him. However, the fundamental right to data protection is not absolute, but may be limited by certain permissible interventions and must be viewed with regard to its social function and weighed against other fundamental rights while maintaining the principle of proportionality.

Insofar as the complainant submitted that the respondent would process his data unlawfully because he had never given his consent to data processing, it should first be pointed out that the complainant - as established - from *4.*1.199* to *4. *7.2020 was a member of the Respondent's religious community. Since questions regarding membership in a religious community - and the associated processing of personal data - are the "internal affairs" of the respondent, the data protection authority has no jurisdiction in this regard (cf. the decision of the Constitutional Court of March 16, 1987, VfSlg 11300 and the decision of the former data protection commission of November 16, 2007, GZ K121.309/0010-DSK/2007). - and the associated processing of personal data - are subject to the "internal affairs" of the respondent, but the data protection authority has no jurisdiction in this regard. Compare the decision of the Constitutional Court of March 16, 1987, VfSlg 11300 and the decision of the former data protection commission of November 16, 2007 , GZ K121.309/0010-DSK/2007).

Insofar as the complainant considered that the Respondent had violated its right to secrecy, since the Respondent made the public announcement at a meeting in K***stadt on *4.*7.2020 that he was no longer a member of the N*** it should be pointed out that both the organization of the service and questions about membership in a religious community are undoubtedly to be regarded as an "internal matter" of the respondent, which is beyond the jurisdiction of the data protection authority.

Insofar as the complainant saw a violation of his right to secrecy in the fact that the respondent transmitted his data to the **** office, it should be pointed out that the respondent explained in a comprehensible manner that the transfer of the data to the **** office was necessary because the ****office is responsible for the administration of the board and the ****committee and the ****committee also has the final decision on membership issues. Since the data transmission is therefore also attributable to the "internal affairs" of the respondent, the data protection authority has no responsibility in this regard either.

The complaint has therefore proven to be unjustified on this point and was therefore found to be justified in accordance with Section 24 (5) DSG and was therefore dismissed in accordance with Section 24, Paragraph 5, DSG.

Regarding point 2

The right to information under data protection law enables the data subject to request confirmation as to whether a person responsible is processing his or her personal data. In the event that a person responsible processes data on the person concerned, he has a right to information about this data as well as about the information defined in paragraph 1 lit. a to h leg. cit [note processor: what is meant is Article 15 paragraph 1 GDPR]. The purpose of this provision is to enable the data subject to gain an insight into the "whether and how" of the processing (Art. 4 Z 2 GDPR) of his data, which should enable the data subject to check the legality of the processing. The right to information and the information associated with it also serve to effectively enforce the law (cf. Paal in The right to information under data protection law enables the data subject to request confirmation as to whether a person responsible is processing his or her personal data. In the event that a person responsible If the data subject processes the data subject, he has a right to information about this data as well as about the information defined in paragraph one, lit , to enable the data subject to gain insight into the "whether and how" of the processing (Article 4, paragraph 2, GDPR) of his data, whereby the data subject should be able to check the legality of the processing effective legal enforcement compare Paal in Paal/Pauly, General Data Protection Regulation, Art. 15, margin no. 3). , General Data Protection Regulation, Article 15, margin no. 3).

In the opinion of the data protection authority, the information provided by the respondent is to be regarded as complete within the meaning of Art. 15 GDPR. In the opinion of the data protection authority, the information provided by the respondent is to be regarded as complete within the meaning of Article 15, GDPR.

Insofar as the complainant claimed that the information provided by the Respondent was incomplete because he was not entitled to any information regarding the accompanying letters, letters of introduction, assessments of his "mental status" and no information and documents from the **** municipal filing cabinet or records of his telephone dial-in services would have been granted, it should first be pointed out that the data protection authority, based on recital 63 and the judgment of the ECJ of 17. July 2014, YS et al., C-141/12 and C-372/12, takes the view that Art. 15 (3) GDPR does not give rise to a right to the release of a copy of documents containing personal data of an information seeker (cf. the notice of November 13, 2019, GZ DSB-D062.268/0001-DSB/2019). With reference to Art. 15 Para. 3 GDPR, it is therefore not possible to demand the surrender of entire documents or - as is the case at issue - accompanying letters, letters of introduction or assessments of the "intellectual status", even if personal data of an information seeker appear therein (cf. in in this sense also the judgment of the BG for commercial matters Vienna of October 7, 2019, GZ 18 C 263/19m regarding the issuance of an insurance policy). Art. 15 (3) GDPR only standardizes the right to receive a "Insofar as the complainant claimed that the information provided by the respondent was incomplete because he had not received any information regarding the accompanying letters, letters of introduction, assessments of his "mental status" and no information and Documents from the **** community file and recordings of his telephone dial-in to church services had been issued, it should first be pointed out that the data protection authority, based on recital 63 and the judgment of the ECJ of July 17, 2014, YS et al., C-141 /12 and C-372/12, takes the view that Article 15, paragraph 3, GDPR does not give rise to a right to the release of a copy of documents containing personal data of a person requesting information, compare the decision of November 13, 2019 , GZ DSB-D062.268/0001-DSB/2019). With reference to Article 15, paragraph 3, GDPR, it is therefore not possible to demand the surrender of entire documents or - as is the case at issue - accompanying letters, letters of introduction or assessments of the "intellectual status", even if personal data of an information seeker appear therein. Compare in this sense also the judgment of the Vienna Commercial Court of October 7, 2019, GZ 18 C 263/19m regarding the issuance of an insurance policy). Article 15, paragraph 3, GDPR only regulates the right to receive a "copy of the personal data that is the subject of the processing", which is why it is sufficient if the person responsible provides the data subject with a copy of the personal data contained in the documents.

In addition, however, it should also be pointed out that accompanying letters, letters of introduction, assessments of the "mental status" of the members as well as information and documents from the **** community file of the Respondent as well as any recordings of the telephone dial-in to church services are undoubtedly the "internal affairs" of the are to be attributed to the Respondent, since they document the specific structure of the membership relationship.

The complaint has therefore proven to be unjustified on this point and was therefore found to be justified in accordance with Section 24 (5) DSG and was therefore dismissed in accordance with Section 24, Paragraph 5, DSG.

Regarding point 3

According to Art. 17 Para. 1 GDPR, a data subject has the right to demand the immediate deletion of his or her personal data from the person responsible (first case), and the person responsible is also obliged to delete personal data immediately (second case) if one of the reasons stated in Art. 17 Para. 1 lit. a - lit. f GDPR applies. Pursuant to Article 17, paragraph one, GDPR, a data subject has the right to demand the immediate deletion of his or her personal data from the person responsible (first case) , and the person responsible is also obliged to delete personal data immediately (second case) if one of the reasons specified in Article 17, paragraph one, litera a – litera f, GDPR applies.

Insofar as the complainant requested the Respondent to delete his data - with the exception of his name, address and birth data - it should be pointed out that the complainant is currently no longer a member of the Respondent, but this does not change the fact that the Respondent Apparently, the complainant continued to be regarded as a – purely spiritual – member. In this context, the Respondent pointed out that, as in the Catholic Church, membership can no longer be terminated after baptism has taken place.

Since, as explained above, questions of membership in a religious community and the associated processing of personal data - deletion is a form of processing according to Art. 4 Para. 2 GDPR - but represent an "internal matter" of the respondent, there are none in this regard Competence of the Data Protection Authority. and the associated processing of personal data - deletion is a form of processing according to Article 4, paragraph 2, GDPR - but represent an "internal matter" of the respondent, the data protection authority has no responsibility in this regard.

The complaint has therefore proven to be unjustified on this point and was therefore found to be justified in accordance with Section 24 (5) DSG and was therefore dismissed in accordance with Section 24, Paragraph 5, DSG.

Regarding point 4

First of all, it should be pointed out that although the complainant alleged a violation of the right to restriction, based on his statements he obviously meant a violation of the right to object. The complainant stated that he had objected to the public announcement that he was no longer a member of the N*** and to the relevant forwarding of his data to the **** office. Since party declarations are to be interpreted exclusively according to their objective explanatory value (see, for example, the decision of the Administrative Court of July 28, 2000, GZ 94/09/0308), an alleged violation of the right to objection is also the subject of the complaint. First of all, it should be pointed out that although the complainant alleged a violation of the right to restriction, based on his statements he obviously meant a violation of the right to object. The complainant stated that he had objected to the public announcement that he was no longer a member of the N*** and to the relevant forwarding of his data to the **** office. Since party declarations are to be interpreted exclusively according to their objective explanatory value (compare, for example, the decision of the Administrative Court of July 28, 2000, GZ 94/09/0308), an alleged violation of the right to objection is also the subject of the complaint.

However, the complaint turned out to be unjustified on this point:

Even if the complainant has objected to the announcement of the termination of his membership and the forwarding of his data, the announcement of the termination of membership at a meeting and the relevant forwarding to the **** office is an "internal matter" of the respondent qualify (see already point 1) and thus withdrawn from the decision of the data protection authority.

The complaint has therefore proven to be unjustified on this point and was therefore found to be justified in accordance with Section 24 (5) DSG and was therefore dismissed in accordance with Section 24, Paragraph 5, DSG.

It had to be decided accordingly.