DSB (Austria) - 2022-0.083.310: Difference between revisions

From GDPRhub
mNo edit summary
No edit summary
Line 30: Line 30:
|GDPR_Article_1=Article 2(2)(a) GDPR
|GDPR_Article_1=Article 2(2)(a) GDPR
|GDPR_Article_Link_1=Article 2 GDPR#2a
|GDPR_Article_Link_1=Article 2 GDPR#2a
|GDPR_Article_2=Article 58(2)(f) GDPR
|GDPR_Article_2=Article 5(1)(b) GDPR
|GDPR_Article_Link_2=Article 58 GDPR#2f
|GDPR_Article_Link_2=Article 5 GDPR#1b
|GDPR_Article_3=
|GDPR_Article_3=Article 6(1)(c) GDPR
|GDPR_Article_Link_3=
|GDPR_Article_Link_3=Article 6 GDPR#1c
|GDPR_Article_4=
|GDPR_Article_4=Article 58(2)(f) GDPR
|GDPR_Article_Link_4=
|GDPR_Article_Link_4=Article 58 GDPR#2f
|GDPR_Article_5=
|GDPR_Article_Link_5=
|GDPR_Article_6=
|GDPR_Article_Link_6=


|EU_Law_Name_1=
|EU_Law_Name_1=
Line 47: Line 51:
|National_Law_Link_2=
|National_Law_Link_2=


|Party_Name_1=Austrian Minister of Finances
|Party_Name_1=Federal Minister of Finances
|Party_Link_1=
|Party_Link_1=
|Party_Name_2=
|Party_Name_2=
Line 59: Line 63:
|Appeal_To_Link=
|Appeal_To_Link=


|Initial_Contributor=mg
|Initial_Contributor=
|
|
}}
}}


The Austrian DPA found that the Minister of Finances implementing instructions from a parliamentary anti-corruption committee falls within the scope of the GDPR.
The Austrian DPA dismissed a mandatory injunction against the Federal Minister of Finance by a data subject involved in a parliamentary inquiry into alleged corruption, rejecting the idea of ex-ante control.


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
An Austrian parliamentary anti-corruption committee asked the Minister of Finances to disclose information about criminal financial proceedings pending against an ÖVP (Österreichische Volkspartei – Austrian People's Party) politician.  
On 16 December 2021, the corruption inquiry committee ordered the Minister of Finances (controller) to disclose information regarding potential criminal financial proceedings initiated against the data subject.


In an attempt to prevent such disclosure from happening, the data subject requested the Austrian DPA to issue a ban on the processing pursuant to [[Article 58 GDPR#2f|Article 58(2)(f) GDPR]]. According to the data subject, the problem was not the disclosure to the committee per se but rather the fact that personal data are usually leaked to the media. The data subject also claimed that there was no factual element behind the investigation, but only an attempt to damage him politically. Finally, the data subject argued that no legal basis could be found for the intended processing: thus, violations of [[Article 5 GDPR|Articles 5]] and [[Article 6 GDPR|6 GDPR]] occurred.
On 24 January 2022, the data subject submitted a request aiming to prohibit the processing of his personal data through the upcoming transmission of information to the inquiry committee. The data subject stated that the issue therein lay not in the transmission of information itself, but rather the inquiry’s lack of confidentiality, citing past leaks to the media. Moreover, the data subject noted an absence of a legal basis for the processing of data, arguing a violation against Article 5 and 6 GDPR.


The controller in this case was the Minister of Finances, namely an organ of the government. However, the Minister of Finances claimed that it operated on behalf of the parliamentary committee, which is part of the legislative power. Therefore, according to the Minister, the DPA had no competence to deal with the matter since core legislative functions do not fall within the scope of the GDPR ([[Article 2 GDPR#2a|Article 2(2)(a) GDPR]]). If a legal basis had to be found, however, that would be the parliamentary scrutiny in the interest of democracy. The Minister of Finances also argued, that the fact that members of the anti-corruption committee may later leak the data subject's data was not an issue within the control of the Minister of Finances and hence did not constitute a legal interest against the disclosure to the anti-corruption committee.
The Federal Minister of Finances negated the competence of the DPA, relying on recent decisions stating that the GDPR does not cover core legislative activities (Article 2(2)(a) GDPR). He argued that in this case he did not function as part of the executive branch, but rather on behalf of the legislative branch, acting as an auxiliary body of and being subject to submission to the parliament’s inquiry committee. Furthermore, the Federal Minister of Finances pointed out that the threat to confidentiality interests worthy of protection would arise only, if at all, in the sphere of the inquiry committee in parliament.


=== Holding ===
=== Holding ===
According to the DPA, the Minister of Finances' claim that it just implemented instructions from the parliamentary committee was unconvincing. The Minister is part of the executive power. When it comes to the disclosure of personal data, it is not obliged to provide the requested information in each case. As a consequence, it cannot be seen as acting exclusively on behalf of the Parliament. Therefore, the DPA has a general competence to review the Minister of Finances' actions in light of the GDPR.
The DPA denied the Federal Minister of Finances’ claim to function solely on behalf of the legislative branch, as he is not obliged to submit to the inquiry commission in every case and thus retains his function as an organ of the executive branch. As a consequence, the DPA asserted to have the general competence of reviewing the actions of the Federal Minister of Finances.


However, the DPA also clarified that such competence is limited to ex post reviews: the DPA is not entitled to intervene before the processing occurred. Otherwise it would substitute itself to the Minister of Finances in taking the decision. Therefore, the data subject could not rely on [[Article 58 GDPR#2f|Article 58(2)(f) GDPR]], which refers to a processing already in place.
However, the DPA nevertheless rejected the data subject’s request, stating that its role is limited to ex-post control. The DPA held that ex-ante control would lead to the DPA taking the place of the Federal Minister and compromising the functioning of the committee.


In a long obiter dictum, the DPA also added that, even imagining that the DPA was competent for ex ante reviews of the the Minister of Finances' actions, an injunction pursuant to [[Article 58 GDPR#2f|Article 58(2)(f) GDPR]] could only be requested in case of an “imminent danger”. In the present situation, such danger would have lied in potential leaks of information to the media. However, the risk was associated with the parliamentary committee or its individual members and not with the Minister of Finances, which was the controller in this proceeding. Therefore, no measure could have been issued.
Finally, the DPA clarified that even if it were competent to provide ex-ante control, the data subjects’ request pursuant to [[Article 58 GDPR#2f|Article 58(2)(f) GDPR]] would be rejected, as the data subject failed to demonstrate an immediate risk of data protection violations.


== Comment ==
== Comment ==
Line 93: Line 97:
text
text


GZ: 2022-0.083.310 from February 14, 2022 (case number: DSB-D124.0128/22)
GZ: 2022-0.083.310 from February 14, 2022 (procedure number: DSB-D124.0128/22)


[Editor's note: Names and companies, legal forms and product names, addresses (including URLs, IP and e-mail addresses), file numbers (and the like), etc., as well as their initials and abbreviations may be abbreviated and/or changed for reasons of pseudonymization be. Corrected obvious spelling, grammar, and punctuation errors.]
[Editor's note: Names and companies, legal forms and product names, addresses (including URLs, IP and email addresses), file numbers (and the like), etc., as well as their initials and abbreviations may be abbreviated and/or changed for pseudonymization reasons be. Obvious spelling, grammar and punctuation errors have been corrected.]


NOTICE
NOTICE


SAY
SAYING


The data protection authority decides on the application according to § 22 DSG from Udo A*** (applicant), represented by W*** Rechtsanwälte GmbH, B***straße *4, *** S***, to prohibit the processing of his personal data through the forthcoming transmission of information on financial criminal proceedings against him or against companies that were owned by him or in which he held executive functions, to the committee of inquiry into clarifying corruption allegations against ÖVP government members (ÖVP Corruption Investigation Committee). the Federal Minister of Finance (respondent) as follows:
The data protection authority decides on the application in accordance with Section 22 DSG from Udo A*** (applicant), represented by W*** Rechtsanwälte GmbH, B***straße *4, *** S***, to prohibit processing of his personal data through the imminent transmission of information on financial criminal proceedings against him or against companies that were owned by him or in which he held executive functions, to the investigative committee regarding the clarification of corruption allegations against ÖVP government members (ÖVP Corruption Investigative Committee). the Federal Minister of Finance (respondent) as follows: The data protection authority decides on the application according to paragraph 22, DSG from Udo A*** (applicant), represented by W*** Rechtsanwälte GmbH, B***straße *4, * ** S***, to prohibit the processing of his personal data through the imminent transmission of information on financial criminal proceedings against him or against companies that were owned by him or in which he held executive functions, to the investigative committee regarding the clarification of corruption allegations against ÖVP government members (ÖVP Corruption Investigation Committee) against the Federal Minister of Finance (respondent) as follows:


 The application is rejected.
   The application is rejected.


Legal basis: §§ 22 para. 1 and 4 of the Data Protection Act (DSG), Federal Law Gazette I No. 165/1999 as amended, Art. 18, 51, 57 and 58 of the General Data Protection Regulation (GDPR) in conjunction with §§ 56, 57 para. 1 and 58 of the General Administrative Procedures Act 1991 (AVG), Federal Law Gazette No. 51/1991 as amended, Art. 52a, 53 and 138b of the Federal Constitutional Law (B-VG), Federal Law Gazette No. 1/1930 as amended, Section 25 of the Rules of Procedure for parliamentary committees of inquiry (VO-UA), Federal Law Gazette I. No. 99/2014 as amended.
Legal basis: §§ 22 para. 1 and 4 of the Data Protection Act (DSG), Federal Law Gazette I No. 165/1999 as amended, Articles 18, 51, 57 and 58 of the General Data Protection Regulation (GDPR) in conjunction with §§ 56, 57 para. 1 and 58 of the General Administrative Procedure Act 1991 (AVG), BGBl for parliamentary committees of inquiry (VO-UA), BGBl. , 51, 57 and 58 of the General Data Protection Regulation (GDPR) in conjunction with paragraphs 56, 57 paragraph one, and 58 of the General Administrative Procedure Act 1991 (AVG), Federal Law Gazette No. 51 from 1991, as amended, Article 52 a, 53 and 138b of the Federal Constitutional Law (B-VG), Federal Law Gazette No. 1 from 1930, as amended, paragraph 25, the Rules of Procedure for Parliamentary Committees of Inquiry (VO-UA), Federal Law Gazette Roman One. No. 99 from 2014, as amended.


REASON
REASON


A. Submissions
A. Submit


1. On January 24, 2022, the applicant submitted an application for the issuance of a mandate decision in accordance with Section 22 (4) DSG in conjunction with Section 57 (1) AVG and Article 58 (2) (f) GDPR.
1. On January 24, 2022, the applicant submitted an application for the issuance of a mandate notice in accordance with Section 22 (4) DSG in conjunction with Section 57 (1) AVG and Article 58 (2) lit. f GDPR. On January 24, 2022, an application was made for the issuance of a mandate decision in accordance with paragraph 22, paragraph 4, DSG in conjunction with paragraph 57, paragraph one, AVG and Article 58, paragraph 2, letter f, GDPR.


As justification, the applicant essentially argued that the minority of the parliamentary investigative committee called "ÖVP Corruption Investigative Committee" had demanded that the respondent ask whether against him or companies that he owned or in which he held an executive function, financial criminal proceedings had been initiated since 2015 and what the number of these would be.
In support of this, the applicant essentially argued that the minority of the parliamentary investigative committee called the “ÖVP Corruption Investigative Committee” had demanded that the respondent investigate whether against him or companies that were owned by him or in which he held an executive function, Financial criminal proceedings have been initiated since 2015 and how many of them will be conducted.


The transmission of the data concerned to the U-Committee would not be a problem in itself. However, the notorious permeability of sub-committees to the media public, which has been well known since the Ibiza sub-committee at the latest, is unbearable. It forces him to take precautionary action against the disclosure of data of any kind to the U-Committee.
Transmitting the affected data to the U-Committee would not in itself be a problem. However, the notorious permeability of U-committees to the media public, which has been well known since the Ibiza U-Committee at the latest, is intolerable. It forces him to take precautionary action against any kind of data concerning him being passed on to the U-Committee.


On the other hand, it is obviously inadmissible exploratory evidence. The planned data processing does not serve to investigate a "certain completed process in the area of federal administration", but rather to find snippets of information that are interesting for the media.
On the other hand, it is obviously inadmissible exploratory evidence. The intended data processing does not serve to examine a “specific completed process in the area of federal enforcement,but rather to find snippets of information that are interesting for the media.


He is being brought before a political tribunal on a blanket suspicion that has no basis in substance with the only recognizable aim of bringing him out in order to exchange political change on his back.
He would be brought before a political tribunal on the basis of a blanket suspicion that had no substance whatsoever - with the only apparent aim of bringing him in to exchange political change on his back.


The data processing in question - both the evaluation and the transmission - falls within the scope of the GDPR and the DSG. Data processing is therefore only permissible if, on the one hand, it complies with the general basic principles of the processing of personal data (Article 5 GDPR) and, on the other hand, it fulfills a specific legal basis (Article 6 GDPR).
The data processing in question - both the evaluation and the transmission - falls within the scope of the GDPR and the DSG. The data processing is therefore only permitted if, on the one hand, it corresponds to the general basic principles of the processing of personal data (Art. 5 GDPR) and, on the other hand, it fulfills a specific authorization requirement (Art. 6 GDPR). The data processing in question - both the evaluation and the transmission - falls within the scope of application of the GDPR and the DSG. The data processing is therefore only permitted if, on the one hand, it corresponds to the general basic principles of the processing of personal data (Article 5, GDPR) and, on the other hand, it fulfills a specific authorization requirement (Article 6, GDPR).


The present request pursuant to Section 25 (2) VO-UA has no other purpose than to obtain exploratory evidence and contradicts the specificity requirement stipulated by the legislature. His name was picked out completely arbitrarily from the extensive list of "(potential) donors of the ÖVP" and brought into a deeply reputation-damaging, libelous connection to (purely suspected) financial criminal proceedings and corruption.
The present request in accordance with Section 25 Para. 2 VO-UA aims at nothing other than obtaining investigative evidence and contradicts the requirement for certainty established by the legislature. His name is from the comprehensive list of The present request in accordance with Paragraph 25, Paragraph 2, VO-UA aims at nothing other than obtaining investigative evidence and contradicts the specificity requirement set by the legislature. His name was picked out completely arbitrarily from the comprehensive list of (potential) donors to the ÖVP” and brought into a deeply reputation-damaging, defamatory connection to (purely suspected) financial criminal proceedings and corruption.


Since it is not provided under federal constitutional law or ordinary law to meet inadmissible evidence requirements, the data processing (evaluation and transmission) is not necessary to fulfill a legal obligation. There is therefore no legal basis within the meaning of Art. 6 GDPR.
Since there is no provision under federal constitutional law or ordinary law to comply with inadmissible evidentiary requirements, data processing (evaluation and transmission) is not necessary to fulfill a legal obligation. There is therefore no authorization within the meaning of Article 6 GDPR. Since there is no provision under federal constitutional law or ordinary law to comply with inadmissible evidentiary requirements, data processing (evaluation and transmission) is not necessary to fulfill a legal obligation. There is therefore no authorization within the meaning of Article 6, GDPR.


The request in question also lacks the restriction required in Art. 53 Para. 3 B-VG, according to which only files and documents "to the extent of the subject of the investigation" may be submitted. With regard to the required data, however, there is not even an abstract relevance for the object of investigation. There is a violation of the principle of lawfulness of processing according to Art. 5 Para. 1 lit. a GDPR. In addition, there is a violation of the principle of data minimization according to Art. 5 Para. 1 lit. c GDPR.
The request in question also lacks the restriction required in Article 53 Para. 3 B-VG, according to which only files and documents “to the extent of the subject matter of the investigation” may be submitted. However, with regard to the data required, there is not even an abstract relevance to the subject of the investigation. There is a violation of the principle of lawfulness of processing pursuant to Article 5 (1) (a) GDPR. In addition, there is a violation of the principle of data minimization pursuant to Article 5 Paragraph 1 Letter c GDPR. The request in question also lacks the restriction required in Article 53, Paragraph 3, B-VG, according to which only files and documents “to the extent of the subject matter of the investigation” may be submitted. However, with regard to the data required, there is not even an abstract relevance to the subject of the investigation. There is a violation of the principle of lawfulness of processing pursuant to Article 5, paragraph one, letter a, GDPR. In addition, there is a violation of the principle of data minimization according to Article 5, paragraph one, letter c, GDPR.


The applicant considers a submission to be incompatible with the requirements of the GDPR because it violates the principles of data minimization, legality and purpose limitation due to the lack of abstract relevance to the object of investigation. Likewise, a weighing of interests pursuant to Section 1 (2) DSG must be in favor of the applicant.
The applicant considers a template to be incompatible with the requirements of the GDPR because it violates the principles of data minimization, legality and purpose limitation due to the lack of abstract relevance to the subject of the investigation. Likewise, a balancing of interests in accordance with Section 1 Para. 2 DSG must be in favor of the applicant. The applicant considers a submission to be incompatible with the requirements of the GDPR because it violates the principles of data minimization, legality and the lack of abstract relevance to the subject of the investigation Purpose limitation violates. Likewise, a balancing of interests in accordance with paragraph one, paragraph 2, DSG must be in favor of the applicant.


The main reason why the transmission of personal data to the U-Committee is so problematic is that the confidentiality obligations imposed on the members of the U-Committee and other persons authorized to access the data are simply regarded by them as irrelevant. The VO-UA and the InfoOG provide for a ban on disclosure and publication in several places. In particular, the forwarding of documents from the investigative committee regarding the alleged venality of the turquoise-blue federal government ("Ibiza U-Committee") to the media has shown that the U-Committee has holes like Swiss cheese and that it is practically impossible to Hold those responsible for the data leaks accountable.
The transmission of personal data to the U-Committee is particularly problematic because the confidentiality obligations imposed on the members of the U-Committee and other persons authorized to access the data would simply be viewed by them as irrelevant. The VO-UA and the InfOG stipulate a ban on passing on and publishing in several places. In particular, the leaking of documents from the investigative committee regarding the alleged venality of the turquoise-blue federal government (“Ibiza U-Committee”) to the media showed that the U-Committee was as full of holes as Swiss cheese and that it was practically impossible To hold those responsible for the data leaks accountable.


There is imminent danger with regard to the data processing in question. It can be assumed that the Federal Minister, if he has not already started to do so, will start evaluating/collecting the required data in the next few days and will immediately transmit the evaluated data to the U-Committee. This means that the documents would be sent by the registry of the National Council to all members of the U-committee and numerous other people without prior information and hearing of the person concerned and without closer examination of the content of the documents and the lawfulness of the processing as soon as they were there had arrived. There is a significant and immediate threat to his interests in secrecy, which are worthy of protection.
There is imminent danger with regard to the data processing in question. It can be assumed that the Federal Minister, if he has not already started, will begin evaluating/collecting the required data in the next few days and will soon submit the evaluated data to the U-Committee. This means that the documents from the registry of the National Council would be transmitted to all members of the U-Committee and numerous other people as soon as they were there, without prior information and consultation of the person concerned and without further examination of the content of the documents and the legality of the processing had arrived. There is a significant and immediate threat to his confidentiality interests worthy of protection.


2. In a submission dated January 31, 2022, the respondent argued that the Parliament's request for a survey ultimately led to the U-Committee of the Federal Minister of Finance using the U-Committee for the purpose of indirect evidence gathering. The respondent was formally assigned to the executive state power. However, insofar as he carries out surveys on behalf of a U-committee, he becomes functionally active for the legislature. Actions by an administrative authority to implement a request from a sub-committee to carry out surveys pursuant to Section 25 (3) VO-UA are to be attributed to the legislative power.
2. In a submission dated January 31, 2022, the respondent submitted that Parliament's request for data collection resulted in the U-Committee using the Federal Minister of Finance for the purpose of indirect evidence-taking by the U-Committee. The respondent is formally assigned to the executive power of the state. However, to the extent that he carries out surveys on behalf of a U-committee, he will function functionally for the legislature. Actions by an administrative authority to implement a request from a U-Committee to carry out surveys in accordance with Section 25 Para. 3 VO -UA are to be attributed to the legislative power. submits that Parliament's request for data collection results in the U-Committee being used by the Federal Minister of Finance for the purpose of indirect evidence-taking by the U-Committee. The respondent is formally assigned to the executive power of the state. However, to the extent that he carries out surveys on behalf of a U-committee, he will function functionally for the legislature. Actions by an administrative authority to implement a request from a U-Committee to carry out surveys in accordance with paragraph 25, paragraph 3, VO -UA are to be attributed to the legislative power.


The decision on the purposes of the data processing is specified by the investigation order in accordance with Section 25 (2) and (3) VO-UA and the subject of the investigation. The fact that the means of data processing are not specified and that the respondent has some leeway with regard to the technical and organizational use of resources does not change the fact that the purposes of data processing are specified by the subcommittee. It follows that the U-Committee and not the Federal Minister of Finance is to be qualified as responsible.
The decision on the purposes of data processing is determined by the investigation order in accordance with Section 25 Paragraphs 2 and 3 VO-UA and the subject of the investigation. The fact that the means of data processing are not specified and that the respondent has some leeway with regard to the use of technical and organizational resources does not change the fact that the purposes of data processing are specified by the U-Committee. From this it follows that the U-Committee and not the Federal Minister of Finance should be qualified as the responsible party. The decision on the purposes of data processing is dictated by the investigation order in accordance with paragraph 25, paragraphs 2 and 3 VO-UA and the subject of the investigation. The fact that the means of data processing are not specified and that the respondent has some leeway with regard to the use of technical and organizational resources does not change the fact that the purposes of data processing are specified by the U-Committee. From this it follows that the U-Committee and not the Federal Minister of Finance should be qualified as the responsible party.


According to the wording of § 18 DSG, the DSB is set up as a national supervisory authority under Art. 51 GDPR. From a constitutional point of view, however, it would not be arguable that the DSB would be called upon to control the legislative body.
According to the wording of Section 18 DSG, the DSB is established as a national supervisory authority in accordance with Article 51 GDPR. From a constitutional perspective, however, it could not be argued that the DSB would be called upon to control the legislative body. According to the wording of paragraph 18, DSG, the DSB is established as a national supervisory authority according to Article 51, GDPR. From a constitutional perspective, however, it could not be argued that the DSB is called upon to control the legislative body.


Any data protection control must be limited to checking whether the relevant data protection provisions have been complied with when handling personal data obtained as part of the subject of the investigation and the decision to take evidence. The present application to the DSB is essentially not directed against the fact that the requirements of the GDPR were not observed when processing personal data, but against the collection order of the U-committee to the respondent. In this respect, the DSB is also not responsible. The DSB, as an administrative authority, is prohibited from examining files that are attributable to legislation without an express constitutional basis. This applies even if one assumes that the respondent does not act as an auxiliary body of legislation within the framework of the collection order, but as an administrative body, since any prohibition notice from the DSB would also materially suspend the collection order of the U-committee.
Any data protection control must be limited to checking whether the relevant data protection provisions were complied with when handling personal data obtained in the context of the subject of the investigation and the evidence decision. The present application to the DSB is essentially not directed against the fact that the requirements of the GDPR were not complied with when processing personal data, but rather against the U-Committee's data collection mandate to the respondent. In this respect, the DSB has no jurisdiction. As an administrative authority, the DSB is prohibited from examining acts that are part of the legislation without an express constitutional basis. This applies even if one assumes that the respondent is not acting as an auxiliary legislative body within the framework of the collection mandate, but rather as an administrative body, since in this case too, any prohibition notice from the DSB would materially suspend the U-Committee's collection mandate.


The arguments of the applicant are not suitable to justify a direct threat to secrecy interests worthy of protection in accordance with Sections 22 (4) DSG in conjunction with Section 57 (1) AVG. The respondent, as the body responsible for making submissions to the committee of inquiry, is obliged to fully meet all the evidence requirements within the scope of its competence. In the specific case, the committee of inquiry had clearly defined which files and documents were to be submitted to Parliament by the Federal Minister of Finance in accordance with the supplementary evidence resolution pursuant to Section 25 (2) VO-UA. The threat to his interests in secrecy, which is worthy of protection and which is only alleged by the applicant, arises, if at all, only in the sphere of the investigative committee in Parliament.
The applicant's arguments are not suitable to justify an immediate threat to confidentiality interests worthy of protection in accordance with Section 22 Paragraph 4 DSG in conjunction with Section 57 Paragraph 1 AVG. The respondent, as the body required to submit to the investigative committee, is obliged to fully meet all evidentiary requirements within the scope of its responsibility. In the specific case, the investigative committee clearly defined which files and documents were to be presented to parliament by the Federal Minister of Finance in accordance with the supplementary evidence decision pursuant to Section 25 Para. 2 VO-UA. The threat merely alleged by the applicant to his legitimate confidentiality interests arises, if at all, only in the sphere of the investigative committee in Parliament. The applicant's arguments are not suitable to justify an immediate threat to confidentiality interests worthy of protection in accordance with paragraph 22, paragraph 4, DSG in conjunction with paragraph 57, paragraph one, AVG. The respondent, as the body required to submit to the investigative committee, is obliged to fully meet all evidentiary requirements within the scope of its responsibility. In the specific case, the investigative committee clearly defined which files and documents were to be presented to parliament by the Federal Minister of Finance in accordance with the supplementary evidentiary decision in accordance with paragraph 25, paragraph 2, VO-UA. The threat merely alleged by the applicant to his legitimate confidentiality interests arises, if at all, only in the sphere of the investigative committee in Parliament.


The VwGH recently dealt in detail with the question of whether the GDPR is also applicable to core activities of legislation and answered this question in the negative because this activity falls under Art. 16 Para. 2 TFEU and is therefore subject to Art. 2 Para. 2 lit. a GDPR is excluded from the material scope of the GDPR (VwGH December 14, 2021, Ro 2021/04/0006). Even if these statements are contained in a preliminary ruling request to the ECJ and a decision by the ECJ is still pending, they are quite convincing and justifiable, so that the DPO does not have the right to examine due to the lack of applicability of the GDPR.
The Administrative Court recently dealt in detail with the question of whether the GDPR also applies to core legislative activities and answered this question in the negative because this activity falls under Article 16 Paragraph 2 TFEU and is therefore in accordance with Article 2 Paragraph 2 lit a GDPR is excluded from the material scope of application of the GDPR (VwGH December 14, 2021, Ro 2021/04/0006). Even if these statements are contained in a request for a preliminary ruling to the ECJ and a decision by the ECJ is still pending, they are quite convincing and justifiable, so that the DSB has no authority to examine due to the lack of applicability of the GDPR. The Administrative Court recently dealt in detail with the question of whether The GDPR is also applicable to core legislative activities and answered this question in the negative because this activity falls under Article 16, Paragraph 2, TFEU and is therefore excluded from the material scope of application of the GDPR in accordance with Article 2, Paragraph 2, Letter a, GDPR (VwGH 14.12 .2021, Ro 2021/04/0006). Even if these statements are contained in a request for a preliminary ruling to the ECJ and a decision by the ECJ is still pending, they are quite convincing and justifiable, so that the DSB has no power of review due to the lack of applicability of the GDPR.


The obligation to submit has a sufficient legal basis within the meaning of Section 1 (2) DSG and the weighing of interests provided for there is in any case in favor of the admissibility of the data use due to the importance of parliamentary control for a democratic society. The further processing of the data in the U-Committee, regardless of whether the respondent is responsible for the collection of the data within the framework of an order from the U-Committee or not, is exclusively the responsibility of Parliament and therefore cannot be the basis of a complaint addressed to the Federal Minister be a cease-and-desist order directed towards finances.
The obligation to submit data has a sufficient legal basis within the meaning of Section 1 Para. 2 DSG and the balancing of interests provided there is in any case in favor of the permissibility of data use due to the importance of parliamentary control for a democratic society. The further treatment of the data in the U-Committee, regardless of whether the respondent is responsible for collecting the data as part of a mandate from the U-Committee or not, falls exclusively within the area of responsibility of Parliament and can therefore not be the basis for a request to the Federal Minister for finances. The obligation to submit a document has a sufficient legal basis in the sense of paragraph one, paragraph 2, DSG and the balancing of interests provided there is in any case in favor of the permissibility of the use of data due to the importance of parliamentary control for a democratic society. The further treatment of the data in the U-Committee, regardless of whether the respondent is responsible for collecting the data as part of a mandate from the U-Committee or not, falls exclusively within the area of responsibility of Parliament and can therefore not be the basis for a request to the Federal Minister a cease-and-desist notice directed at finances.


It is also noted that a body that is required to submit a submission has no authority to subsequently amend a specific and clearly defined additional evidence requirement, as in the present case. The same applies to the assessment of the data protection principles of purpose limitation according to Art. 5 Para. 1 lit. b GDPR and data minimization according to Art. 5 Para. 1 lit -committees would say yes. The (theoretical) possibility of a data protection violation by members of the investigative committee or other persons with access rights to the data in non-compliance with legal obligations of confidentiality and secrecy can under no circumstances justify the non-compliance with an additional requirement for evidence by an organ that is obliged to submit a submission, whose actions according to Art. 18 B-VG can only be based on may be made by laws. There would also be legal protection options in connection with the committee of inquiry, which are open to the person concerned at any time.
It should also be noted that a body required to submit a submission has no authority to subsequently change a concrete and clearly defined additional evidentiary requirement, as in the present case. The same applies to the assessment of the data protection principles of purpose limitation according to Art. 5 Para. 1 lit. b GDPR and data minimization according to Art. 5 Para. 1 lit committees would say yes. The (theoretical) possibility of a data protection violation by members of the investigative committee or other persons authorized to access the data in the event of non-compliance with statutory confidentiality and secrecy obligations cannot under any circumstances justify non-compliance with a supplementary requirement for evidence by a body subject to the obligation to submit documents, whose actions in accordance with Article 18 B-VG are only based on this by law. There would also be legal protection options in connection with the investigative committee, which are available to those affected at any time. It should also be noted that a body required to submit a submission has no authority to subsequently change a concrete and clearly defined additional evidentiary requirement, as in the present case. The same applies to the assessment of the data protection principles of purpose limitation according to Article 5, paragraph one, Litera b, GDPR and data minimization according to Article 5, paragraph one, Litera c, GDPR when fulfilling a supplementary proof requirement if the applicability of the GDPR in the area of the U committees would approve. The (theoretical) possibility of a data protection violation by members of the investigative committee or other persons authorized to access the data in the event of non-compliance with statutory confidentiality and secrecy obligations cannot under any circumstances justify non-compliance with a supplementary requirement for evidence by an organ subject to the obligation to provide evidence, whose actions in accordance with Article 18, B-VG can only be based on this by law. There would also be legal protection options in connection with the investigative committee, which are available to those affected at any time.


B. Findings of Facts
B. Findings of Fact


1. On October 13, 2021, the request for the establishment of an investigative committee in accordance with § 33 (1) second sentence GOG-NR regarding clarification of corruption allegations against ÖVP government members (ÖVP corruption investigative committee) was introduced in the National Council (4/US 27th GP) and the committee of inquiry concerned was set up on December 9, 2021 as part of the 133rd session of the National Council.
1. On October 13, 2021, the request for the establishment of an investigative committee in accordance with Section 33 Para. 1 second sentence GOG-NR regarding the clarification of corruption allegations against ÖVP government members (ÖVP Corruption Investigative Committee) was submitted to the National Council (4/US 27. GP) and the relevant investigative committee was set up on December 9, 2021 as part of the 133rd meeting of the National Council.1. On October 13, 2021, the request for the establishment of an investigative committee in accordance with paragraph 33, paragraph one, second sentence GOG-NR regarding the clarification of corruption allegations against ÖVP government members (ÖVP Corruption Investigative Committee) was submitted to the National Council (4/US 27. GP) and The investigative committee in question was set up on December 9, 2021 as part of the 133rd meeting of the National Council.


2. On December 16, 2021, some of the members of the committee of inquiry pursuant to Section 25 (2) VO-UA made the following request to the respondent (formatting not reproduced 1:1, markings by the applicant):
2. On December 16, 2021, some of the members of the investigative committee made the following request to the respondent in accordance with Section 25 Para. 2 VO-UA (formatting not reproduced in 1:1, markings by the applicant): 2. On 16 In December 2021, some of the members of the investigative committee made the following request to the respondent in accordance with paragraph 25, paragraph 2, VO-UA (formatting not reproduced in 1:1, markings by the applicant):


[Editor's note: the graphic file (request to the respondent by some of the members of the investigative committee) was removed because it cannot be displayed pseudonymised in the RIS. The document contains the request to the Federal Minister of Finance "to find out against which of the following persons or companies, which were owned by these persons or in which they held executive positions, criminal financial proceedings have been initiated since 2015 and the number of these proceedings" . The following list contains the name of the applicant.]
[Editor's note: the graphic file (request to the respondent by some of the members of the investigative committee) was removed because it cannot be displayed pseudonymously in the RIS. The document contains a request to the Federal Minister of Finance “to determine against which of the following persons or companies, which were owned by these persons or in which they held executive functions, financial criminal proceedings have been initiated since 2015 and how many of them have been carried out.” . The following list contains the name of the applicant.]


Evidence assessment: The findings result from the submissions of the applicant in the complaint brief dated January 24, 2022, the statement by the respondent dated January 31, 2022 and official investigations by the data protection authority (ÖVP - Corruption Investigation Committee).
Assessment of evidence: The findings arise from the applicant's submissions in the written complaint dated January 24, 2022, the respondent's statement dated January 31, 2022 and from ex officio investigations by the data protection authority (ÖVP - Corruption Investigation Committee).


D. In legal terms it follows that:
D. In legal terms it follows:


C.1. On the competence of the data protection authority
C.1. On the responsibility of the data protection authority


The Respondent essentially argues that he is formally assigned to the executive state power. However, insofar as he carries out surveys on behalf of a U-committee, he is functionally working for the legislature and is therefore not the responsibility of the data protection authority. In this context, the respondent refers to the case law of the Constitutional Court, according to which organs that act on behalf of another state function are attributed to the state function on whose behalf they are acting (VfSlg. 10.290/1984, 11.961/1989 , 13.670/1994 concerning measures taken by administrative authorities following a court order).
The respondent essentially argues that he is formally assigned to the executive power of the state. However, insofar as he carries out surveys on behalf of a U-committee, he is functionally acting for the legislature and the data protection authority is therefore not responsible. In this context, the respondent refers to the jurisprudence of the Constitutional Court, according to which, according to the established jurisprudence of the Constitutional Court, organs that act on behalf of another state function are attributed to the state function on whose behalf they act (VfSlg. 10.290/1984, 11.961/1989 , 13.670/1994 concerning measures taken by administrative authorities pursuant to a judicial order).


The data protection authority does not share the legal opinion of the respondent that he, as the referring body, is to be attributed to the legislative power:
The data protection authority does not share the respondent's legal opinion that, as a submitting body, he is part of the legislative power:


According to Art. 53 Para. 1 B-VG, the National Council can appoint committees of inquiry by resolution. Committees of inquiry are to be assigned to the legislature, both organizationally and functionally.
According to Art. 53 Para. 1 B-VG, the National Council can set up investigative committees by resolution. Committees of inquiry are to be assigned to the legislative power both organizationally and functionally. According to Article 53, paragraph one, B-VG, the National Council can set up committees of inquiry by resolution. Committees of inquiry are part of the legislative power both organizationally and functionally.


Art. 53 para. 3 B-VG obliges all the bodies mentioned to support the activities of a committee of inquiry by submitting files and documents and by conducting surveys. Para. 3 leg. cit. establishes a self-information right of the sub-committee to the extent of the subject of investigation (cf. Konrath/Posnik in Kahl/Khakzadeh/Schmid, commentary on the Federal Constitutional Law B-VG and fundamental rights Art. 53 B-VG).
Art. 53 Para. 3 B-VG obliges all of the above-mentioned bodies to support the activities of a committee of inquiry by submitting files and documents as well as through surveys. Paragraph 3 leg. cit. Establishes the U-Committee's right to information to the extent of the subject matter of the investigation (cf. Article 53, Paragraph 3, B-VG obliges all named bodies to support the activities of a committee of inquiry by submitting files and documents as well as through surveys. Paragraph 3, leg. cit . establishes the U-Committee's right to self-information within the scope of the subject matter of the investigation, see Konrath/Posnik in Kahl/Khakzadeh/Schmid, Commentary on Federal Constitutional Law B-VG and Fundamental Rights Art. 53 B-VG).Federal Constitutional Law B-VG and Fundamental Rights Article 53, B- VG).


According to Section 25 (2) VO-UA, a quarter of the members of the (already set up) investigative committee can request additional evidence (beyond the basic evidence resolution).
According to Section 25 Para. 2 VO-UA, a quarter of the members of the (already appointed) investigative committee can demand additional evidentiary requirements (beyond the basic decision on evidence). According to paragraph 25, paragraph 2, VO-UA, a quarter of the members of the (already appointed) investigative committee can demand additional evidence requirements (beyond the basic decision on evidence).


The constitutional requirements according to Art. 53 Para. 3 and 4 B-VG are decisive. They are intended to ensure that the activities of a committee of inquiry do not endanger sources pursuant to Art. 52a para. 2 B-VG, nor influence a decision-making or decision-making process in a federal executive body, and this also not in any other way is impaired (cf. Paperback Committees of Inquiry Legal Texts and Explanations, 7th edition, page 73).
The constitutional requirements in accordance with Article 53 Paragraphs 3 and 4 B-VG are decisive. They are intended to ensure that the activities of an investigative committee neither endanger sources in accordance with Article 52a Paragraph 2 B-VG nor influence a decision-making or decision-making process in a federal executive body, nor in any other way is impaired (see pocket book of investigative committees, legal texts and explanations, 7th edition, page 73). The constitutional requirements in accordance with Article 53, paragraph 3, and 4 B-VG are decisive. They are intended to ensure that the activities of an investigative committee neither endanger sources in accordance with Article 52a, Paragraph 2, B-VG, nor influence a decision-making or decision-making process in one federal executive body, nor in another In this way, see paperback investigative committees, legal texts and explanations, 7th edition, page 73).


The system of separation of powers and only individual power-binding elements on which the Federal Constitution is based requires an independent area of responsibility for implementation in general, and for the Federal Government and its members in particular. By determining the object of investigation in Art. 53 Para. 2 B-VG, it is generally ruled out that a committee of inquiry is involved with the ongoing activities of the Federal Government or its members and in particular with open decision-making processes (cf. Erl to Federal Law Gazette I No. 101/ 2014, 439 dB XXV.GP)
The system of separation of powers and only individual elements that combine powers on which the Federal Constitution is based presupposes an independent area of responsibility for enforcement in general and for the federal government and its members in particular. The determination of the subject matter of the investigation in Art. 53 Para. 2 B-VG basically precludes a committee of inquiry from being concerned with the ongoing activities of the federal government or its members and in particular with open decision-making processes (cf. Explanation to Federal Law Gazette I No. 101/ 2014, 439 dB XXV. GP) The system of separation of powers and only individual elements that combine powers on which the Federal Constitution is based requires an independent area of responsibility for enforcement in general and for the federal government and its members in particular. The determination of the subject matter of the investigation in Article 53, Paragraph 2, B-VG basically precludes a committee of inquiry from being concerned with the ongoing activities of the federal government or its members and in particular with open decision-making processes, see Erl on Federal Law Gazette Part One, No. 101 from 2014 ,, 439 dB Roman XXV. GP)


Art. 53 para. 4 B-VG substantiates para. 3 insofar as it clarifies that the information rights of the National Council are not unlimited in the interest of the functioning of the federal government and its members (cf. paperback investigative committees legal texts and explanations, 7th edition, page 14 ff).
Art. 53 Paragraph 4 B-VG specifies Paragraph 3 insofar as it clarifies that the National Council's information rights are not unlimited in the interest of the functioning of the Federal Government and its members (cf. Paperback Investigative Committees, Legal Texts and Explanations, 7th edition, page 14 ff).Article 53, paragraph 4, B-VG specifies paragraph 3 insofar as it makes it clear that the information rights of the National Council are not unlimited in the interest of the functioning of the federal government and its members, see paperback investigative committees, legal texts and explanations, 7th edition , page 14 ff).


Overall, these provisions mean that the National Council's right to information can therefore be restricted and the exception serves, among other things, to ensure the functionality and the independent and uninfluenced decision of the Federal Government or a member of the Federal Government in individual cases (cf. Zögernitz, NR-GOG, § 24 VO-UA).
Overall, it follows from these provisions that the National Council's right to information can therefore be restricted and the exception serves, among other things, to ensure the functionality and the independent and uninfluenced decision of the Federal Government or a member of the Federal Government in individual cases (see and the exception serves, among other things, Ensuring the functionality and the independent and uninfluenced decision of the federal government or a member of the federal government in individual cases see Zögernitz, NR-GOG, § 24 VO-UA). , NR-GOG, paragraph 24, VO-UA).


Contrary to what the respondent argues, it is not always obliged to submit it to the committee of inquiry, especially not in the cases of Art. 53 (3) last sentence and (4) B-VG, which in any case speaks against the assumption of the respondent that it "as a (mere) collection body" would be functionally assigned to the state function of legislation, because in this case it would not have any independent discretion with regard to the submission of files. The regulation of Art. 138b Para. 1 Z 4 B-VG and the related case law of the Constitutional Court (see in particular VfSlg. 19.973/2015) speak against the acceptance of the respondent.
Contrary to what the respondent argues, he is not obliged to submit to the investigative committee in every case, especially not in the cases of Article 53 paragraph 3 last sentence and paragraph 4 B-VG, which in any case speaks against the respondent's acceptance that it would be functionally attributable to the state function of legislation “as a (mere) collection body” because in this case it would have no independent scope for assessment with regard to the file submission. The regulation of Art. 138b Para. 1 Z 4 B-VG and the case law of the Constitutional Court (see in particular VfSlg. 19.973/2015) also speak against the respondent's acceptance. obligated to submit it to the committee of inquiry, especially not in the cases of Article 53, paragraph 3, last sentence and paragraph 4, B-VG, which in any case speaks against the respondent's assumption that it functions “as a (mere) collection body” of the state would be attributable to legislation because in this case he would have no independent scope for assessment with regard to the file submission. The regulation of Article 138 b, paragraph one, number 4, B-VG and the case law issued by the Constitutional Court (see in particular VfSlg. 19.973/2015) also speak against the respondent's acceptance.


Therefore, the respondent is not deprived of its organizational and functional classification as an administrative organ even in the case of an obligation to submit to a committee of inquiry.
Therefore, even if the respondent is required to submit to an investigative committee, his organizational and functional classification as an administrative body will not be taken away.


In summary, it is therefore possible for an administrative body that is obliged to provide information to submit complaints in connection with a file submission to a committee of inquiry at the data protection authority, which has comprehensive powers of control over - including the highest - administrative bodies (Section 35 (1) and (2) DSG).
In summary, it is therefore possible to submit complaints in connection with a file submission by an administrative body required to provide information to an investigative committee at the data protection authority, which has comprehensive control authority over - including the highest - administrative bodies (Section 35 Paragraphs 1 and 2 DSG). In summary, it is therefore possible to submit complaints in connection with a file submission by an administrative body that is required to provide information to an investigative committee at the data protection authority, which has comprehensive control authority over - including the highest - organs of the administration (Section 35, paragraph one, and 2 DSG).


However, as the Constitutional Court has already stated, the role of the data protection authority is limited to an ex-post control in the event of an obligation to submit to a committee of inquiry (see, for example, the decision of September 25, 2021, UA 6/2021 with further references; see also the - approving - notification of September 8, 2021, GZ: 2021-0.474.768).
However, as the Constitutional Court has already stated, the role of the data protection authority is limited to ex-post control in the event of an obligation to submit a report to a committee of inquiry (see, for example, the decision of September 25, 2021, UA 6/2021 with further references; see also the - approving - decision of September 8, 2021, GZ: 2021-0.474.768).


An ex-ante control, as sought by the applicant, would inevitably result in the data protection authority as an - albeit independent - administrative authority taking the place of the body responsible for submission and thus having to interpret a request in accordance with Section 25 VO-UA. On the one hand, this would result in an examination of the content of the request and thus to the admissibility of the request from the point of view of the GDPR and the DSG. On the other hand, it would then be in the hands of the data protection authority to (partially) prevent the files being submitted to a committee of inquiry and thus restrict its investigative activities, without the committee of inquiry or its members being able to contest this decision due to lack of party status.
An ex-ante control, as sought by the applicant, would inevitably lead to the data protection authority as an - albeit independent - administrative authority replacing the body required to submit documents and thus an interpretation of a request in accordance with Section 25 VO, as sought by the applicant, would inevitably lead to the data protection authority, as an - albeit independent - administrative authority, replacing the body required to submit documents and thus having to interpret a request in accordance with paragraph 25, VO-UA. On the one hand, this would result in an examination of the content of the request and thus the admissibility of the request from the perspective of the GDPR and the DSG. On the other hand, it would then be in the hands of the data protection authority to (partially) prevent the submission of files to an investigative committee and thus restrict its investigative activities, without the investigative committee or its members being able to fight this decision due to a lack of party status.


In Art. 138b B-VG (conclusive), the constitutional legislature has provided for the possibility of binding dispute settlement by the Constitutional Court in connection with committees of inquiry.
In Article 138b B-VG (finally), the constitutional legislature has provided for the possibility of binding dispute resolution by the Constitutional Court in connection with committees of inquiry. In Article 138 b, B-VG (finally), the constitutional legislature has provided for the possibility of binding dispute resolution by the Constitutional Court in connection with committees of inquiry.


The fact that Art. 138b B-VG does not provide for a data subject to prevent the submission of a file due to the risk of violating highly personal rights (see again the ruling of September 25, 2021 already cited) may represent a gap in the legal protection system, but it can not lead to establishing a competence of the data protection authority.
The fact that Art. 138b B-VG does not provide for the possibility for a data subject to prevent a file from being submitted due to the risk of violating personal rights (see again the previously cited finding of September 25, 2021) may represent a gap in the legal protection system, but it can does not lead to the establishment of jurisdiction of the data protection authority. That Article 138 b, B-VG does not provide for the possibility of a data subject to prevent a file from being submitted for reasons of the risk of violation of personal law (see again the previously cited finding of September 25th 2021) may represent a gap in the legal protection system, but cannot lead to the data protection authority being responsible.


Finally, it is noted here that the request for a preliminary ruling from the ECJ cited by the respondent pursuant to Art -33/22), which deals with the applicability of the GDPR to the processing of personal data by a committee of inquiry set up by a parliament of a Member State in the exercise of its right to oversee enforcement. In the present case, on the other hand, the subject of the proceedings is data processing which, although connected to the activities of a committee of inquiry, is carried out or should be carried out by an organ referring to the committee of inquiry. In the present case, therefore, nothing can be derived from the reference for a preliminary ruling referred to.
Finally, it should be noted here that the request for a preliminary ruling to the ECJ cited by the respondent pursuant to Article 267 TFEU (Decision of the Administrative Court of December 14, 2021, EU 2021/0009-1 (Ro 2021/04/0006); do. logged to C -33/22), the applicability of the GDPR to the processing of personal data by a person appointed by a parliament of a Member State in the exercise of its right of control over enforcement. Finally, it is noted here that the request for a preliminary ruling to the ECJ cited by the respondent is pursuant to Article 267, TFEU ( Decision of the Administrative Court of December 14, 2021, EU 2021/0009-1 (Ro 2021/04/0006); do. recorded on C-33/22), the applicability of the GDPR to the processing of personal data by a parliament The subject of the investigation is a committee of inquiry set up by the Member State in the exercise of its right to control enforcement. In the present case, on the other hand, the subject of the procedure is data processing which, although it is related to the activities of a committee of inquiry, is or is intended to be carried out by a body submitting data to the committee of inquiry. Therefore, nothing can be gained from the above-mentioned request for a preliminary ruling for the present case.


The application therefore proves to be inadmissible for the reasons given above.
The application therefore proves to be inadmissible for the reasons mentioned above.


C.2. On the mandate notice in general
C.2. Regarding the mandate decision in general


But even if one wanted to assume that the data protection authority had jurisdiction, the application would not be successful.
But even if one wanted to assume that the data protection authority was responsible, the application would not be successful.


Mandate notifications typically serve the immediate and ex officio enforcement of measures of an administrative nature that cannot be postponed in a one-party procedure. In this respect, they are of a provisional nature and therefore do not fit into a procedure with several parties involved, in which a (final) decision can be issued which would finally regulate the matter - which is disputed between the parties involved - after the corresponding investigations have been carried out.
Mandate notices typically serve to immediately and ex officio enforce measures of an administrative police nature that cannot be postponed in a one-party procedure. In this respect, they are of a preliminary nature and therefore do not fit into a procedure with several parties involved, in which a (final) decision can be issued that would finally settle the disputed matter between the parties involved after appropriate investigations have been carried out.


In this respect, this is an atypical mandate decision of its own kind, but it can be deduced from the clear wording of the law in the sense of the applicant's submission that the legislator wanted to grant the person concerned a subjective right to legal protection by the data protection authority. A merit-based decision must therefore be made on the present application (cf. the notification of October 29, 2015, GZ: DSB-D215.861/0010-DSB/2015).
In this respect, this is an atypical mandate decision of its own kind, although it can be deduced from the clear wording of the law in the sense of the applicant's submission that the legislature wanted to grant the person concerned a subjective right to legal protection from the data protection authority. The present application must therefore be decided on the merits (cf. the decision of October 29, 2015, GZ: DSBE). In this respect, this is an atypical mandate decision of its own kind, but the clear wording of the law is in the sense of the argument of the applicant, it can be deduced that the legislature wanted to grant the person concerned a subjective right to legal protection from the data protection authority. The present application must therefore be decided on a merits basis - see the decision of October 29, 2015, GZ: DSB-D215.861 /0010-DSB/2015).


According to § 22 Para. 4 DSG in connection with § 57 Para in default) is present and thus takes into account an increased risk potential in the event of imminent danger (cf. Thiele/Wagner, practical commentary on the Data Protection Act (DSG), § 22 DSG, margin no. 8).
According to § 22 para. 4 DSG in conjunction with § 57 para , AVG, the data protection authority is entitled to prohibit the continuation of data processing with a mandate notice without prior investigation if the operation of data processing poses a significant immediate threat to the confidentiality interests of the data subject worthy of protection (imminent danger) and thus carries an increased risk potential in the event of imminent danger (cf. and thus takes into account an increased risk potential in the event of imminent danger see Thiele/Wagner, practical commentary on the Data Protection Act (DSG), § 22 DSG, paragraph 8)., Practical commentary on the Data Protection Act (DSG), paragraph 22, DSG, paragraph 8 ).


Since the issuance of a mandate decision does not have to be preceded by an investigation by the data protection authority, it is up to the applicant to certify the legal requirements for the issuance of the decision together with the application (to make this credible, to provide prima facie evidence; cf. Schmidl in Gantschacher†/Jelinek/Schmidl/Spanberger , Commentary on the DSG, § 22 Note 9). Subsequent retrieval of the certificate or evidence-based proceedings would not be compatible with the character of the decision pursuant to § 22 DSG as an urgent administrative measure (data protection police emergency decree) (cf. the decision of September 24, 2015, GZ: DSB-D215.813/0012 -DSB/2015).
Since the issuance of a mandate decision does not have to be preceded by an investigation by the data protection authority, it is the applicant's responsibility to certify the legal requirements for the issuance of the decision together with the application (to make it credible, to provide prima facie evidence; cf. Since the issuance of a mandate decision is not preceded by an investigation by the data protection authority must, it is the applicant's responsibility to certify the legal requirements for the decision to be issued together with the application (to make it credible, to provide prima facie evidence; see Schmidl in Gantschacher†/Jelinek/Schmidl/Spanberger, commentary on the DSG, § 22 note 9) . A subsequent subsequent revision of the certificate or an evidentiary procedure would be incompatible with the character of the decision according to § 22 DSG as an urgent administrative police measure (data protection emergency order) (cf. the decision of September 24, 2015, GZ: DSB-D215.813/ 0012-DSB/2015)., Commentary on the DSG, paragraph 22, note 9). A subsequent revision of the certificate or an evidentiary procedure would be incompatible with the character of the decision according to paragraph 22, DSG as an urgent measure of an administrative police nature (data protection police emergency order) compare the decision of September 24, 2015, GZ: DSB-D215.813/0012- DSB/2015).


The issuing of a mandate decision requires, on the one hand, that the data processing is materially unlawful and that there is already a reasonable suspicion that this is the case. Factual indications must therefore justify the assumption of the probability that provisions of data protection law have been violated and that this can be explained in a rationally comprehensible manner (cf. VwGH March 21, 2012, 2012/16/0005). On the other hand, it is necessary that the operation of this data processing poses a significant direct threat to confidentiality interests of the data subjects that are worthy of protection (i.e. imminent danger) (cf. Thiele/Wagner, practical commentary on the Data Protection Act (DSG), § 22 DSG, margin no. 15). Both criteria must be met in order for a mandate decision to be issued.
The issuance of a mandate notice requires, on the one hand, that the data processing is materially illegal and that reasonable suspicion is sufficient for this to exist. There must therefore be actual evidence to justify the assumption of the probability that provisions of data protection law have been violated and this can be explained in a rationally comprehensible manner (cf. VwGH March 21, 2012, 2012/16/0005). On the other hand, it is necessary that this can be explained in a rationally comprehensible manner (see VwGH March 21, 2012, 2012/16/0005). On the other hand, it is necessary that the operation of this very data processing poses a significant direct threat to the confidentiality interests of those affected (i.e. imminent danger) that are worthy of protection (see Thiele/Wagner, practical commentary on the Data Protection Act (DSG), § 22 (i.e. imminent danger). DSG, Rz 15). For a mandate to be issued, both criteria must be met. , practical commentary on the Data Protection Act (DSG), paragraph 22, DSG, paragraph 15). For a mandate to be issued, both criteria must be met.


There is imminent danger if the omission of the official measure would probably result in the data subject having to accept (further) privacy violations or even damage, which can be prevented by issuing the provisional prohibition of data processing. In this respect, Section 22 (4) DSG represents a lex specialis to Section 57 AVG. This means that the otherwise necessary examination of the impossibility of postponing the measure in relation to the necessary duration of the preliminary investigation in the data protection area is omitted (cf. Thiele/Wagner, practical commentary on the data protection law ( DSG), § 22 DSG, margin no. 18).
Imminent danger exists if failure to take official action would likely result in those affected having to accept (further) privacy violations or even damage, which can be prevented by issuing a provisional ban on data processing. Section 22 (4) of the Data Protection Act (DSG) establishes a danger of imminent delay if failure to take the official measure would probably lead to those affected having to accept (further) privacy violations or even damage, which can be prevented by issuing the provisional ban on data processing . Paragraph 22, Paragraph 4, DSG represents a lex specialis to Section 57 AVG. This means that the examination that would otherwise have to be carried out to determine whether the measure cannot be postponed is no longer necessary in relation to the necessary duration of the investigation in the data protection area (cf. Paragraph 57, AVG). This means that the examination that would otherwise have to be carried out to determine whether the measure cannot be postponed in relation to the necessary duration of the investigation in the data protection area is no longer necessary (see Thiele/Wagner, practical commentary on the Data Protection Act (DSG), § 22 DSG, para. 18). , practical commentary on the Data Protection Act (DSG), paragraph 22, DSG, paragraph 18).


A general concern with regard to future events is not sufficient to meet the criteria of “imminent danger” (cf. DSK 30.3.2012, K121.765/0008-DSK/2012). The existence of imminent danger must be justified with facts that relate to the individual case. Pure speculation, hypothetical considerations or assumptions based on everyday experience that are independent of the case are not sufficient (cf. Thiele/Wagner, practical commentary on the Data Protection Act (DSG), § 22 DSG, margin no. 20).
General concern about future events is not sufficient to fulfill the offense of “imminent danger” (see DSK March 30, 2012, K121.765/0008-DSK/2012). The existence of imminent danger must be justified by facts relating to the individual case. compare DSK March 30, 2012, K121.765/0008-DSK/2012). The existence of imminent danger must be justified by facts relating to the individual case. Pure speculation, hypothetical considerations or case-independent assumptions based solely on everyday experience are not sufficient (see Thiele/Wagner, practical commentary on the Data Protection Act (DSG), § 22 DSG, para. 20). , Practical commentary on the Data Protection Act (DSG), Paragraph 22, DSG, Rz 20).


C.3. Regarding the existence of a significant direct threat to the applicant's confidentiality interests worthy of protection through the operation of the data processing in question (imminent danger):
C.3. Regarding the existence of a significant immediate threat to the applicant's confidentiality interests worthy of protection through the operation of the data processing in question (danger imminent):


First of all, it should be noted that the data protection authority, according to the statements made above, in any case over the application of January 24, 2022 for the issuance of a mandate decision in accordance with Section 22 (4) DSG in conjunction with Section 57 (1) AVG in conjunction with Article 58 (2) lit. f GDPR has to deny merit.
First of all, it should be noted that, according to the statements made above, the data protection authority has decided on the application dated January 24, 2022 for the issuance of a mandate decision in accordance with Section 22 (4) DSG in conjunction with Section 57 (1) AVG in conjunction with Article 58 (2) lit. f GDPR First of all, it should be noted that, according to the statements made above, the data protection authority has decided on the application of January 24, 2022 for the issuance of a mandate decision in accordance with paragraph 22, paragraph 4, DSG in conjunction with paragraph 57, paragraph one, AVG in conjunction with Article 58, paragraph 2, Litera f, GDPR must be meritoriously objected to.


As has been established, as part of the additional evidence requirement pursuant to Section 25 (2) VO-UA of December 16, 2021, the respondent was requested to raise whether against the applicant or companies that were owned by or in which he held board functions, since 2015 criminal financial proceedings were initiated and to what number these were led.
As stated, as part of the additional evidence requirement pursuant to Section 25 Para. 2 VO-UA dated December 16, 2021, the respondent was asked to establish whether or not the applicant or companies owned by him or her He has held executive functions since financial criminal proceedings were initiated in 2015 and how many of them were conducted. As stated, as part of the additional evidence requirement pursuant to Paragraph 25, Paragraph 2, VO-UA of December 16, 2021, the respondent was asked to establish whether the applicant or companies owned by him or in in which he held executive functions, financial criminal proceedings were initiated since 2015 and the number of cases in which they were conducted.


With regard to the data processing in question, the applicant argues that the evaluation and transmission of the data concerned to the committee of inquiry is not a problem in principle, but that it is about the forwarding of information or documents to the media public by members of the committee of inquiry.
Regarding the data processing in question, the applicant submits that the evaluation and transmission of the data concerned to the committee of inquiry is in principle not a problem, but rather that it is a matter of forwarding information or documents to the media public by members of the committee of inquiry.


With regard to the possible existence of imminent danger, the applicant claims in his submission initiating the proceedings that as a result of the investigative work of the ÖVP corruption investigation committee it can be assumed that the data will be transmitted promptly to this committee of investigation. Essentially, the applicant justifies the existence of a significant threat to his confidentiality interests with the fact that information or documents concerning him were passed on by third parties (members of the investigative committee) and finally published.
Regarding the possible existence of imminent danger, the applicant claims in his introductory submission that, as a result of the investigative work of the ÖVP Corruption Investigative Committee, it can be assumed that the data will be transmitted to this investigative committee in a timely manner. Essentially, the applicant justifies the existence of a significant threat to his confidentiality interests by saying that information or documents concerning him would be passed on by third parties (members of the investigative committee) and ultimately published.


However, the admissibility of a mandate decision presupposes that a dangerous situation by the respondent and person responsible within the meaning of Art. 4 Z 7 DSGVO is to be feared.
However, the admissibility of a mandate notice presupposes that a dangerous situation is to be feared by the respondent and responsible person within the meaning of Article 4, Paragraph 7 of the GDPR.


However, it is not concretely recognizable and it was also not presented to what extent this dangerous situation would have arisen directly as a result of the objected data processing by the respondent (especially since this is basically covered in Art. 53 Para. 3 B-VG), the application of 24 January 2022 against the (upcoming) evaluation and transmission of documents related to the applicant to the ÖVP corruption investigation committee. At no time did the applicant claim that this personal data (e.g. to the media) was directly disclosed by the respondent. Rather, the applicant expressly stated that the data processing of the respondent did not pose a problem in principle.
However, it is not clear and has not been stated to what extent this dangerous situation would be directly caused by the data processing complained about by the respondent (especially since this is fundamentally covered by Art. 53 Para. 3 B-VG), the application dated 24. January 2022 against the (upcoming) evaluation and transmission of documents related to the applicant to the ÖVP corruption investigation committee. The disclosure of this personal data (e.g. to the media) would be possible (especially since this is generally covered by Article 53, Paragraph 3, B-VG), but the application of January 24, 2022 is directed against the (upcoming) evaluation and transmission of documents with reference to the applicant to the ÖVP corruption investigation committee. The applicant never claimed that this personal data was disclosed (e.g. to the media) directly by the respondent. Rather, the applicant expressly stated that the respondent's data processing did not fundamentally pose a problem.


Thus, the (alleged) direct threat to his interests in secrecy, which is worthy of protection, does not lie in the data processing that is the subject of the proceedings.
Therefore, the (alleged) direct threat to his confidentiality interests worthy of protection does not lie in the data processing in question.


In addition, only a general concern regarding future events can be derived from the submissions of the applicant, which, however, are not attributable to the sphere of the respondent. From the data protection authority's point of view, the fear that members of the committee of inquiry would - contrary to existing confidentiality obligations - disclose to third parties the information they became aware of in the course of their work for the committee of inquiry is merely hypothetical considerations or assumptions based on everyday experience (by the applicant "the notorious permeability of U-committees" is cited), which are not suitable for being able to certify the existence of a concrete dangerous situation within the meaning of § 22 DSG with regard to the respondent (cf. again Thiele/Wagner, practical commentary on the data protection law (DSG), § 22 DSG, margin no. 20).
Furthermore, the applicant's arguments only indicate a general concern about future events, which, however, cannot be attributed to the respondent's sphere. The fear that members of the investigative committee would - contrary to existing confidentiality obligations - disclose to third parties the information they have become aware of in the course of their work for the investigative committee is, from the data protection authority's point of view, merely hypothetical considerations or merely assumptions based on everyday experience (from the applicant "The notorious permeability of U-committees" is cited), which are not suitable for detecting the existence of a concrete dangerous situation within the meaning of Section 22 of the DSG "), which are not suitable for detecting the existence of a concrete dangerous situation within the meaning of Paragraph 22, DSG with regard to the to be able to certify the respondent (cf. to be able to certify again see Thiele/Wagner, practical commentary on the Data Protection Act (DSG), § 22 DSG, paragraph 20)., practical commentary on the Data Protection Act (DSG), paragraph 22, DSG, paragraph 20).


In summary, it can be stated that the alleged endangerment of the applicant's interests is seen in the activities of members of the committee of inquiry, but not in the data processing by the respondent - which is the subject of the proceedings here. In any case, it is beyond the Respondent's sphere to influence the data processing after the transmission has taken place (apart from the classification according to the InfOG).
In summary, it should be noted that the alleged threat to the applicant's interests is seen in the activities of members of the investigative committee, but not in the data processing - which is the subject of the proceedings here - by the respondent. In any case, it is outside the respondent's sphere of influence to influence data processing after transmission (apart from the classification according to the Information Act).


The application was therefore dismissed accordingly.
The application was therefore dismissed according to the verdict.


In the present case, the applicant has submitted an application for the issuance of a mandate decision in accordance with Section 22 (4) DSG in conjunction with Section 57 (1) AVG in conjunction with Article 58 (2) (f) GDPR.
In the present case, the applicant has submitted an application for the issuance of a mandate notice in accordance with Section 22 Paragraph 4 DSG in conjunction with Section 57 Paragraph 1 AVG in conjunction with Article 58 Paragraph 2 Letter f GDPR. In the present case, the applicant has submitted an application for a mandate decision in accordance with paragraph 22, paragraph 4, DSG in conjunction with paragraph 57, paragraph one, AVG in conjunction with Article 58, paragraph 2, letter f, GDPR.


For this reason, these legal bases for a mandate decision are also listed in the decision (§ 22 Para. 4 DSG and § 57 AVG). Nevertheless, the refusal does not take the form of a mandate decision, since the characteristic of imminent danger required under Section 57 (1) AVG is in any case missing for the refusal of the application. A mandate decision - and thus a legal protection procedure extended and extended by the possibility of presentation - only makes sense in the case of a positive administrative police intervention in existing rights (arg: "measures that cannot be postponed"), but not in the present case of the rejection of such an application Intervention due to the lack of the legal requirements (see again the above-mentioned decision of September 24, 2015).
For this reason, these legal bases for a mandate notice are also listed in the award (§ 22 para. 4 DSG and § 57 AVG). For this reason, these legal bases for a mandate notice are also listed in the award (paragraph 22, paragraph 4, DSG and paragraph 57, AVG). Nevertheless, the rejection does not take place in the form of a mandate notice, since the characteristic of imminent danger required by Section 57 Para. 1 AVG is missing for the rejection of the application. A mandate decision - and thus a legal protection procedure expanded and extended by the possibility of presentation - logically and systematically only makes sense in the case of a positive administrative police intervention in existing rights (arguably: “immediate measures”), but not in the present case of the rejection of such an application Intervention due to the lack of the legal requirements (cf. again the above-mentioned decision of September 24, 2015), since the characteristic of imminent danger required by paragraph 57, paragraph one of the AVG is missing for the rejection of the application. A mandate decision - and thus a legal protection procedure expanded and extended by the possibility of presentation - logically and systematically only makes sense in the case of a positive administrative police intervention in existing rights (arguably: “immediate measures”), but not in the present case of the rejection of such an application intervention due to the lack of the legal requirements, compare again the above-mentioned decision of September 24, 2015).
</pre>
</pre>

Revision as of 10:00, 9 January 2024

DSB - 2022-0.083.310
LogoAT.png
Authority: DSB (Austria)
Jurisdiction: Austria
Relevant Law: Article 2(2)(a) GDPR
Article 5(1)(b) GDPR
Article 6(1)(c) GDPR
Article 58(2)(f) GDPR
Type: Other
Outcome: n/a
Started:
Decided: 14.02.2022
Published:
Fine: n/a
Parties: Federal Minister of Finances
National Case Number/Name: 2022-0.083.310
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): German
Original Source: DSB (Austria) (in DE)
Initial Contributor: n/a

The Austrian DPA dismissed a mandatory injunction against the Federal Minister of Finance by a data subject involved in a parliamentary inquiry into alleged corruption, rejecting the idea of ex-ante control.

English Summary

Facts

On 16 December 2021, the corruption inquiry committee ordered the Minister of Finances (controller) to disclose information regarding potential criminal financial proceedings initiated against the data subject.

On 24 January 2022, the data subject submitted a request aiming to prohibit the processing of his personal data through the upcoming transmission of information to the inquiry committee. The data subject stated that the issue therein lay not in the transmission of information itself, but rather the inquiry’s lack of confidentiality, citing past leaks to the media. Moreover, the data subject noted an absence of a legal basis for the processing of data, arguing a violation against Article 5 and 6 GDPR.

The Federal Minister of Finances negated the competence of the DPA, relying on recent decisions stating that the GDPR does not cover core legislative activities (Article 2(2)(a) GDPR). He argued that in this case he did not function as part of the executive branch, but rather on behalf of the legislative branch, acting as an auxiliary body of and being subject to submission to the parliament’s inquiry committee. Furthermore, the Federal Minister of Finances pointed out that the threat to confidentiality interests worthy of protection would arise only, if at all, in the sphere of the inquiry committee in parliament.

Holding

The DPA denied the Federal Minister of Finances’ claim to function solely on behalf of the legislative branch, as he is not obliged to submit to the inquiry commission in every case and thus retains his function as an organ of the executive branch. As a consequence, the DPA asserted to have the general competence of reviewing the actions of the Federal Minister of Finances.

However, the DPA nevertheless rejected the data subject’s request, stating that its role is limited to ex-post control. The DPA held that ex-ante control would lead to the DPA taking the place of the Federal Minister and compromising the functioning of the committee.

Finally, the DPA clarified that even if it were competent to provide ex-ante control, the data subjects’ request pursuant to Article 58(2)(f) GDPR would be rejected, as the data subject failed to demonstrate an immediate risk of data protection violations.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

text

GZ: 2022-0.083.310 from February 14, 2022 (procedure number: DSB-D124.0128/22)

[Editor's note: Names and companies, legal forms and product names, addresses (including URLs, IP and email addresses), file numbers (and the like), etc., as well as their initials and abbreviations may be abbreviated and/or changed for pseudonymization reasons be. Obvious spelling, grammar and punctuation errors have been corrected.]

NOTICE

SAYING

The data protection authority decides on the application in accordance with Section 22 DSG from Udo A*** (applicant), represented by W*** Rechtsanwälte GmbH, B***straße *4, *** S***, to prohibit processing of his personal data through the imminent transmission of information on financial criminal proceedings against him or against companies that were owned by him or in which he held executive functions, to the investigative committee regarding the clarification of corruption allegations against ÖVP government members (ÖVP Corruption Investigative Committee). the Federal Minister of Finance (respondent) as follows: The data protection authority decides on the application according to paragraph 22, DSG from Udo A*** (applicant), represented by W*** Rechtsanwälte GmbH, B***straße *4, * ** S***, to prohibit the processing of his personal data through the imminent transmission of information on financial criminal proceedings against him or against companies that were owned by him or in which he held executive functions, to the investigative committee regarding the clarification of corruption allegations against ÖVP government members (ÖVP Corruption Investigation Committee) against the Federal Minister of Finance (respondent) as follows:

   The application is rejected.

Legal basis: §§ 22 para. 1 and 4 of the Data Protection Act (DSG), Federal Law Gazette I No. 165/1999 as amended, Articles 18, 51, 57 and 58 of the General Data Protection Regulation (GDPR) in conjunction with §§ 56, 57 para. 1 and 58 of the General Administrative Procedure Act 1991 (AVG), BGBl for parliamentary committees of inquiry (VO-UA), BGBl. , 51, 57 and 58 of the General Data Protection Regulation (GDPR) in conjunction with paragraphs 56, 57 paragraph one, and 58 of the General Administrative Procedure Act 1991 (AVG), Federal Law Gazette No. 51 from 1991, as amended, Article 52 a, 53 and 138b of the Federal Constitutional Law (B-VG), Federal Law Gazette No. 1 from 1930, as amended, paragraph 25, the Rules of Procedure for Parliamentary Committees of Inquiry (VO-UA), Federal Law Gazette Roman One. No. 99 from 2014, as amended.

REASON

A. Submit

1. On January 24, 2022, the applicant submitted an application for the issuance of a mandate notice in accordance with Section 22 (4) DSG in conjunction with Section 57 (1) AVG and Article 58 (2) lit. f GDPR. On January 24, 2022, an application was made for the issuance of a mandate decision in accordance with paragraph 22, paragraph 4, DSG in conjunction with paragraph 57, paragraph one, AVG and Article 58, paragraph 2, letter f, GDPR.

In support of this, the applicant essentially argued that the minority of the parliamentary investigative committee called the “ÖVP Corruption Investigative Committee” had demanded that the respondent investigate whether against him or companies that were owned by him or in which he held an executive function, Financial criminal proceedings have been initiated since 2015 and how many of them will be conducted.

Transmitting the affected data to the U-Committee would not in itself be a problem. However, the notorious permeability of U-committees to the media public, which has been well known since the Ibiza U-Committee at the latest, is intolerable. It forces him to take precautionary action against any kind of data concerning him being passed on to the U-Committee.

On the other hand, it is obviously inadmissible exploratory evidence. The intended data processing does not serve to examine a “specific completed process in the area of federal enforcement,” but rather to find snippets of information that are interesting for the media.

He would be brought before a political tribunal on the basis of a blanket suspicion that had no substance whatsoever - with the only apparent aim of bringing him in to exchange political change on his back.

The data processing in question - both the evaluation and the transmission - falls within the scope of the GDPR and the DSG. The data processing is therefore only permitted if, on the one hand, it corresponds to the general basic principles of the processing of personal data (Art. 5 GDPR) and, on the other hand, it fulfills a specific authorization requirement (Art. 6 GDPR). The data processing in question - both the evaluation and the transmission - falls within the scope of application of the GDPR and the DSG. The data processing is therefore only permitted if, on the one hand, it corresponds to the general basic principles of the processing of personal data (Article 5, GDPR) and, on the other hand, it fulfills a specific authorization requirement (Article 6, GDPR).

The present request in accordance with Section 25 Para. 2 VO-UA aims at nothing other than obtaining investigative evidence and contradicts the requirement for certainty established by the legislature. His name is from the comprehensive list of The present request in accordance with Paragraph 25, Paragraph 2, VO-UA aims at nothing other than obtaining investigative evidence and contradicts the specificity requirement set by the legislature. His name was picked out completely arbitrarily from the comprehensive list of “(potential) donors to the ÖVP” and brought into a deeply reputation-damaging, defamatory connection to (purely suspected) financial criminal proceedings and corruption.

Since there is no provision under federal constitutional law or ordinary law to comply with inadmissible evidentiary requirements, data processing (evaluation and transmission) is not necessary to fulfill a legal obligation. There is therefore no authorization within the meaning of Article 6 GDPR. Since there is no provision under federal constitutional law or ordinary law to comply with inadmissible evidentiary requirements, data processing (evaluation and transmission) is not necessary to fulfill a legal obligation. There is therefore no authorization within the meaning of Article 6, GDPR.

The request in question also lacks the restriction required in Article 53 Para. 3 B-VG, according to which only files and documents “to the extent of the subject matter of the investigation” may be submitted. However, with regard to the data required, there is not even an abstract relevance to the subject of the investigation. There is a violation of the principle of lawfulness of processing pursuant to Article 5 (1) (a) GDPR. In addition, there is a violation of the principle of data minimization pursuant to Article 5 Paragraph 1 Letter c GDPR. The request in question also lacks the restriction required in Article 53, Paragraph 3, B-VG, according to which only files and documents “to the extent of the subject matter of the investigation” may be submitted. However, with regard to the data required, there is not even an abstract relevance to the subject of the investigation. There is a violation of the principle of lawfulness of processing pursuant to Article 5, paragraph one, letter a, GDPR. In addition, there is a violation of the principle of data minimization according to Article 5, paragraph one, letter c, GDPR.

The applicant considers a template to be incompatible with the requirements of the GDPR because it violates the principles of data minimization, legality and purpose limitation due to the lack of abstract relevance to the subject of the investigation. Likewise, a balancing of interests in accordance with Section 1 Para. 2 DSG must be in favor of the applicant. The applicant considers a submission to be incompatible with the requirements of the GDPR because it violates the principles of data minimization, legality and the lack of abstract relevance to the subject of the investigation Purpose limitation violates. Likewise, a balancing of interests in accordance with paragraph one, paragraph 2, DSG must be in favor of the applicant.

The transmission of personal data to the U-Committee is particularly problematic because the confidentiality obligations imposed on the members of the U-Committee and other persons authorized to access the data would simply be viewed by them as irrelevant. The VO-UA and the InfOG stipulate a ban on passing on and publishing in several places. In particular, the leaking of documents from the investigative committee regarding the alleged venality of the turquoise-blue federal government (“Ibiza U-Committee”) to the media showed that the U-Committee was as full of holes as Swiss cheese and that it was practically impossible To hold those responsible for the data leaks accountable.

There is imminent danger with regard to the data processing in question. It can be assumed that the Federal Minister, if he has not already started, will begin evaluating/collecting the required data in the next few days and will soon submit the evaluated data to the U-Committee. This means that the documents from the registry of the National Council would be transmitted to all members of the U-Committee and numerous other people as soon as they were there, without prior information and consultation of the person concerned and without further examination of the content of the documents and the legality of the processing had arrived. There is a significant and immediate threat to his confidentiality interests worthy of protection.

2. In a submission dated January 31, 2022, the respondent submitted that Parliament's request for data collection resulted in the U-Committee using the Federal Minister of Finance for the purpose of indirect evidence-taking by the U-Committee. The respondent is formally assigned to the executive power of the state. However, to the extent that he carries out surveys on behalf of a U-committee, he will function functionally for the legislature. Actions by an administrative authority to implement a request from a U-Committee to carry out surveys in accordance with Section 25 Para. 3 VO -UA are to be attributed to the legislative power. submits that Parliament's request for data collection results in the U-Committee being used by the Federal Minister of Finance for the purpose of indirect evidence-taking by the U-Committee. The respondent is formally assigned to the executive power of the state. However, to the extent that he carries out surveys on behalf of a U-committee, he will function functionally for the legislature. Actions by an administrative authority to implement a request from a U-Committee to carry out surveys in accordance with paragraph 25, paragraph 3, VO -UA are to be attributed to the legislative power.

The decision on the purposes of data processing is determined by the investigation order in accordance with Section 25 Paragraphs 2 and 3 VO-UA and the subject of the investigation. The fact that the means of data processing are not specified and that the respondent has some leeway with regard to the use of technical and organizational resources does not change the fact that the purposes of data processing are specified by the U-Committee. From this it follows that the U-Committee and not the Federal Minister of Finance should be qualified as the responsible party. The decision on the purposes of data processing is dictated by the investigation order in accordance with paragraph 25, paragraphs 2 and 3 VO-UA and the subject of the investigation. The fact that the means of data processing are not specified and that the respondent has some leeway with regard to the use of technical and organizational resources does not change the fact that the purposes of data processing are specified by the U-Committee. From this it follows that the U-Committee and not the Federal Minister of Finance should be qualified as the responsible party.

According to the wording of Section 18 DSG, the DSB is established as a national supervisory authority in accordance with Article 51 GDPR. From a constitutional perspective, however, it could not be argued that the DSB would be called upon to control the legislative body. According to the wording of paragraph 18, DSG, the DSB is established as a national supervisory authority according to Article 51, GDPR. From a constitutional perspective, however, it could not be argued that the DSB is called upon to control the legislative body.

Any data protection control must be limited to checking whether the relevant data protection provisions were complied with when handling personal data obtained in the context of the subject of the investigation and the evidence decision. The present application to the DSB is essentially not directed against the fact that the requirements of the GDPR were not complied with when processing personal data, but rather against the U-Committee's data collection mandate to the respondent. In this respect, the DSB has no jurisdiction. As an administrative authority, the DSB is prohibited from examining acts that are part of the legislation without an express constitutional basis. This applies even if one assumes that the respondent is not acting as an auxiliary legislative body within the framework of the collection mandate, but rather as an administrative body, since in this case too, any prohibition notice from the DSB would materially suspend the U-Committee's collection mandate.

The applicant's arguments are not suitable to justify an immediate threat to confidentiality interests worthy of protection in accordance with Section 22 Paragraph 4 DSG in conjunction with Section 57 Paragraph 1 AVG. The respondent, as the body required to submit to the investigative committee, is obliged to fully meet all evidentiary requirements within the scope of its responsibility. In the specific case, the investigative committee clearly defined which files and documents were to be presented to parliament by the Federal Minister of Finance in accordance with the supplementary evidence decision pursuant to Section 25 Para. 2 VO-UA. The threat merely alleged by the applicant to his legitimate confidentiality interests arises, if at all, only in the sphere of the investigative committee in Parliament. The applicant's arguments are not suitable to justify an immediate threat to confidentiality interests worthy of protection in accordance with paragraph 22, paragraph 4, DSG in conjunction with paragraph 57, paragraph one, AVG. The respondent, as the body required to submit to the investigative committee, is obliged to fully meet all evidentiary requirements within the scope of its responsibility. In the specific case, the investigative committee clearly defined which files and documents were to be presented to parliament by the Federal Minister of Finance in accordance with the supplementary evidentiary decision in accordance with paragraph 25, paragraph 2, VO-UA. The threat merely alleged by the applicant to his legitimate confidentiality interests arises, if at all, only in the sphere of the investigative committee in Parliament.

The Administrative Court recently dealt in detail with the question of whether the GDPR also applies to core legislative activities and answered this question in the negative because this activity falls under Article 16 Paragraph 2 TFEU and is therefore in accordance with Article 2 Paragraph 2 lit a GDPR is excluded from the material scope of application of the GDPR (VwGH December 14, 2021, Ro 2021/04/0006). Even if these statements are contained in a request for a preliminary ruling to the ECJ and a decision by the ECJ is still pending, they are quite convincing and justifiable, so that the DSB has no authority to examine due to the lack of applicability of the GDPR. The Administrative Court recently dealt in detail with the question of whether The GDPR is also applicable to core legislative activities and answered this question in the negative because this activity falls under Article 16, Paragraph 2, TFEU and is therefore excluded from the material scope of application of the GDPR in accordance with Article 2, Paragraph 2, Letter a, GDPR (VwGH 14.12 .2021, Ro 2021/04/0006). Even if these statements are contained in a request for a preliminary ruling to the ECJ and a decision by the ECJ is still pending, they are quite convincing and justifiable, so that the DSB has no power of review due to the lack of applicability of the GDPR.

The obligation to submit data has a sufficient legal basis within the meaning of Section 1 Para. 2 DSG and the balancing of interests provided there is in any case in favor of the permissibility of data use due to the importance of parliamentary control for a democratic society. The further treatment of the data in the U-Committee, regardless of whether the respondent is responsible for collecting the data as part of a mandate from the U-Committee or not, falls exclusively within the area of responsibility of Parliament and can therefore not be the basis for a request to the Federal Minister for finances. The obligation to submit a document has a sufficient legal basis in the sense of paragraph one, paragraph 2, DSG and the balancing of interests provided there is in any case in favor of the permissibility of the use of data due to the importance of parliamentary control for a democratic society. The further treatment of the data in the U-Committee, regardless of whether the respondent is responsible for collecting the data as part of a mandate from the U-Committee or not, falls exclusively within the area of responsibility of Parliament and can therefore not be the basis for a request to the Federal Minister a cease-and-desist notice directed at finances.

It should also be noted that a body required to submit a submission has no authority to subsequently change a concrete and clearly defined additional evidentiary requirement, as in the present case. The same applies to the assessment of the data protection principles of purpose limitation according to Art. 5 Para. 1 lit. b GDPR and data minimization according to Art. 5 Para. 1 lit committees would say yes. The (theoretical) possibility of a data protection violation by members of the investigative committee or other persons authorized to access the data in the event of non-compliance with statutory confidentiality and secrecy obligations cannot under any circumstances justify non-compliance with a supplementary requirement for evidence by a body subject to the obligation to submit documents, whose actions in accordance with Article 18 B-VG are only based on this by law. There would also be legal protection options in connection with the investigative committee, which are available to those affected at any time. It should also be noted that a body required to submit a submission has no authority to subsequently change a concrete and clearly defined additional evidentiary requirement, as in the present case. The same applies to the assessment of the data protection principles of purpose limitation according to Article 5, paragraph one, Litera b, GDPR and data minimization according to Article 5, paragraph one, Litera c, GDPR when fulfilling a supplementary proof requirement if the applicability of the GDPR in the area of the U committees would approve. The (theoretical) possibility of a data protection violation by members of the investigative committee or other persons authorized to access the data in the event of non-compliance with statutory confidentiality and secrecy obligations cannot under any circumstances justify non-compliance with a supplementary requirement for evidence by an organ subject to the obligation to provide evidence, whose actions in accordance with Article 18, B-VG can only be based on this by law. There would also be legal protection options in connection with the investigative committee, which are available to those affected at any time.

B. Findings of Fact

1. On October 13, 2021, the request for the establishment of an investigative committee in accordance with Section 33 Para. 1 second sentence GOG-NR regarding the clarification of corruption allegations against ÖVP government members (ÖVP Corruption Investigative Committee) was submitted to the National Council (4/US 27. GP) and the relevant investigative committee was set up on December 9, 2021 as part of the 133rd meeting of the National Council.1. On October 13, 2021, the request for the establishment of an investigative committee in accordance with paragraph 33, paragraph one, second sentence GOG-NR regarding the clarification of corruption allegations against ÖVP government members (ÖVP Corruption Investigative Committee) was submitted to the National Council (4/US 27. GP) and The investigative committee in question was set up on December 9, 2021 as part of the 133rd meeting of the National Council.

2. On December 16, 2021, some of the members of the investigative committee made the following request to the respondent in accordance with Section 25 Para. 2 VO-UA (formatting not reproduced in 1:1, markings by the applicant): 2. On 16 In December 2021, some of the members of the investigative committee made the following request to the respondent in accordance with paragraph 25, paragraph 2, VO-UA (formatting not reproduced in 1:1, markings by the applicant):

[Editor's note: the graphic file (request to the respondent by some of the members of the investigative committee) was removed because it cannot be displayed pseudonymously in the RIS. The document contains a request to the Federal Minister of Finance “to determine against which of the following persons or companies, which were owned by these persons or in which they held executive functions, financial criminal proceedings have been initiated since 2015 and how many of them have been carried out.” . The following list contains the name of the applicant.]

Assessment of evidence: The findings arise from the applicant's submissions in the written complaint dated January 24, 2022, the respondent's statement dated January 31, 2022 and from ex officio investigations by the data protection authority (ÖVP - Corruption Investigation Committee).

D. In legal terms it follows:

C.1. On the responsibility of the data protection authority

The respondent essentially argues that he is formally assigned to the executive power of the state. However, insofar as he carries out surveys on behalf of a U-committee, he is functionally acting for the legislature and the data protection authority is therefore not responsible. In this context, the respondent refers to the jurisprudence of the Constitutional Court, according to which, according to the established jurisprudence of the Constitutional Court, organs that act on behalf of another state function are attributed to the state function on whose behalf they act (VfSlg. 10.290/1984, 11.961/1989 , 13.670/1994 concerning measures taken by administrative authorities pursuant to a judicial order).

The data protection authority does not share the respondent's legal opinion that, as a submitting body, he is part of the legislative power:

According to Art. 53 Para. 1 B-VG, the National Council can set up investigative committees by resolution. Committees of inquiry are to be assigned to the legislative power both organizationally and functionally. According to Article 53, paragraph one, B-VG, the National Council can set up committees of inquiry by resolution. Committees of inquiry are part of the legislative power both organizationally and functionally.

Art. 53 Para. 3 B-VG obliges all of the above-mentioned bodies to support the activities of a committee of inquiry by submitting files and documents as well as through surveys. Paragraph 3 leg. cit. Establishes the U-Committee's right to information to the extent of the subject matter of the investigation (cf. Article 53, Paragraph 3, B-VG obliges all named bodies to support the activities of a committee of inquiry by submitting files and documents as well as through surveys. Paragraph 3, leg. cit . establishes the U-Committee's right to self-information within the scope of the subject matter of the investigation, see Konrath/Posnik in Kahl/Khakzadeh/Schmid, Commentary on Federal Constitutional Law B-VG and Fundamental Rights Art. 53 B-VG).Federal Constitutional Law B-VG and Fundamental Rights Article 53, B- VG).

According to Section 25 Para. 2 VO-UA, a quarter of the members of the (already appointed) investigative committee can demand additional evidentiary requirements (beyond the basic decision on evidence). According to paragraph 25, paragraph 2, VO-UA, a quarter of the members of the (already appointed) investigative committee can demand additional evidence requirements (beyond the basic decision on evidence).

The constitutional requirements in accordance with Article 53 Paragraphs 3 and 4 B-VG are decisive. They are intended to ensure that the activities of an investigative committee neither endanger sources in accordance with Article 52a Paragraph 2 B-VG nor influence a decision-making or decision-making process in a federal executive body, nor in any other way is impaired (see pocket book of investigative committees, legal texts and explanations, 7th edition, page 73). The constitutional requirements in accordance with Article 53, paragraph 3, and 4 B-VG are decisive. They are intended to ensure that the activities of an investigative committee neither endanger sources in accordance with Article 52a, Paragraph 2, B-VG, nor influence a decision-making or decision-making process in one federal executive body, nor in another In this way, see paperback investigative committees, legal texts and explanations, 7th edition, page 73).

The system of separation of powers and only individual elements that combine powers on which the Federal Constitution is based presupposes an independent area of responsibility for enforcement in general and for the federal government and its members in particular. The determination of the subject matter of the investigation in Art. 53 Para. 2 B-VG basically precludes a committee of inquiry from being concerned with the ongoing activities of the federal government or its members and in particular with open decision-making processes (cf. Explanation to Federal Law Gazette I No. 101/ 2014, 439 dB XXV. GP) The system of separation of powers and only individual elements that combine powers on which the Federal Constitution is based requires an independent area of responsibility for enforcement in general and for the federal government and its members in particular. The determination of the subject matter of the investigation in Article 53, Paragraph 2, B-VG basically precludes a committee of inquiry from being concerned with the ongoing activities of the federal government or its members and in particular with open decision-making processes, see Erl on Federal Law Gazette Part One, No. 101 from 2014 ,, 439 dB Roman XXV. GP)

Art. 53 Paragraph 4 B-VG specifies Paragraph 3 insofar as it clarifies that the National Council's information rights are not unlimited in the interest of the functioning of the Federal Government and its members (cf. Paperback Investigative Committees, Legal Texts and Explanations, 7th edition, page 14 ff).Article 53, paragraph 4, B-VG specifies paragraph 3 insofar as it makes it clear that the information rights of the National Council are not unlimited in the interest of the functioning of the federal government and its members, see paperback investigative committees, legal texts and explanations, 7th edition , page 14 ff).

Overall, it follows from these provisions that the National Council's right to information can therefore be restricted and the exception serves, among other things, to ensure the functionality and the independent and uninfluenced decision of the Federal Government or a member of the Federal Government in individual cases (see and the exception serves, among other things, Ensuring the functionality and the independent and uninfluenced decision of the federal government or a member of the federal government in individual cases see Zögernitz, NR-GOG, § 24 VO-UA). , NR-GOG, paragraph 24, VO-UA).

Contrary to what the respondent argues, he is not obliged to submit to the investigative committee in every case, especially not in the cases of Article 53 paragraph 3 last sentence and paragraph 4 B-VG, which in any case speaks against the respondent's acceptance that it would be functionally attributable to the state function of legislation “as a (mere) collection body” because in this case it would have no independent scope for assessment with regard to the file submission. The regulation of Art. 138b Para. 1 Z 4 B-VG and the case law of the Constitutional Court (see in particular VfSlg. 19.973/2015) also speak against the respondent's acceptance. obligated to submit it to the committee of inquiry, especially not in the cases of Article 53, paragraph 3, last sentence and paragraph 4, B-VG, which in any case speaks against the respondent's assumption that it functions “as a (mere) collection body” of the state would be attributable to legislation because in this case he would have no independent scope for assessment with regard to the file submission. The regulation of Article 138 b, paragraph one, number 4, B-VG and the case law issued by the Constitutional Court (see in particular VfSlg. 19.973/2015) also speak against the respondent's acceptance.

Therefore, even if the respondent is required to submit to an investigative committee, his organizational and functional classification as an administrative body will not be taken away.

In summary, it is therefore possible to submit complaints in connection with a file submission by an administrative body required to provide information to an investigative committee at the data protection authority, which has comprehensive control authority over - including the highest - administrative bodies (Section 35 Paragraphs 1 and 2 DSG). In summary, it is therefore possible to submit complaints in connection with a file submission by an administrative body that is required to provide information to an investigative committee at the data protection authority, which has comprehensive control authority over - including the highest - organs of the administration (Section 35, paragraph one, and 2 DSG).

However, as the Constitutional Court has already stated, the role of the data protection authority is limited to ex-post control in the event of an obligation to submit a report to a committee of inquiry (see, for example, the decision of September 25, 2021, UA 6/2021 with further references; see also the - approving - decision of September 8, 2021, GZ: 2021-0.474.768).

An ex-ante control, as sought by the applicant, would inevitably lead to the data protection authority as an - albeit independent - administrative authority replacing the body required to submit documents and thus an interpretation of a request in accordance with Section 25 VO, as sought by the applicant, would inevitably lead to the data protection authority, as an - albeit independent - administrative authority, replacing the body required to submit documents and thus having to interpret a request in accordance with paragraph 25, VO-UA. On the one hand, this would result in an examination of the content of the request and thus the admissibility of the request from the perspective of the GDPR and the DSG. On the other hand, it would then be in the hands of the data protection authority to (partially) prevent the submission of files to an investigative committee and thus restrict its investigative activities, without the investigative committee or its members being able to fight this decision due to a lack of party status.

In Article 138b B-VG (finally), the constitutional legislature has provided for the possibility of binding dispute resolution by the Constitutional Court in connection with committees of inquiry. In Article 138 b, B-VG (finally), the constitutional legislature has provided for the possibility of binding dispute resolution by the Constitutional Court in connection with committees of inquiry.

The fact that Art. 138b B-VG does not provide for the possibility for a data subject to prevent a file from being submitted due to the risk of violating personal rights (see again the previously cited finding of September 25, 2021) may represent a gap in the legal protection system, but it can does not lead to the establishment of jurisdiction of the data protection authority. That Article 138 b, B-VG does not provide for the possibility of a data subject to prevent a file from being submitted for reasons of the risk of violation of personal law (see again the previously cited finding of September 25th 2021) may represent a gap in the legal protection system, but cannot lead to the data protection authority being responsible.

Finally, it should be noted here that the request for a preliminary ruling to the ECJ cited by the respondent pursuant to Article 267 TFEU (Decision of the Administrative Court of December 14, 2021, EU 2021/0009-1 (Ro 2021/04/0006); do. logged to C -33/22), the applicability of the GDPR to the processing of personal data by a person appointed by a parliament of a Member State in the exercise of its right of control over enforcement. Finally, it is noted here that the request for a preliminary ruling to the ECJ cited by the respondent is pursuant to Article 267, TFEU ( Decision of the Administrative Court of December 14, 2021, EU 2021/0009-1 (Ro 2021/04/0006); do. recorded on C-33/22), the applicability of the GDPR to the processing of personal data by a parliament The subject of the investigation is a committee of inquiry set up by the Member State in the exercise of its right to control enforcement. In the present case, on the other hand, the subject of the procedure is data processing which, although it is related to the activities of a committee of inquiry, is or is intended to be carried out by a body submitting data to the committee of inquiry. Therefore, nothing can be gained from the above-mentioned request for a preliminary ruling for the present case.

The application therefore proves to be inadmissible for the reasons mentioned above.

C.2. Regarding the mandate decision in general

But even if one wanted to assume that the data protection authority was responsible, the application would not be successful.

Mandate notices typically serve to immediately and ex officio enforce measures of an administrative police nature that cannot be postponed in a one-party procedure. In this respect, they are of a preliminary nature and therefore do not fit into a procedure with several parties involved, in which a (final) decision can be issued that would finally settle the disputed matter between the parties involved after appropriate investigations have been carried out.

In this respect, this is an atypical mandate decision of its own kind, although it can be deduced from the clear wording of the law in the sense of the applicant's submission that the legislature wanted to grant the person concerned a subjective right to legal protection from the data protection authority. The present application must therefore be decided on the merits (cf. the decision of October 29, 2015, GZ: DSBE). In this respect, this is an atypical mandate decision of its own kind, but the clear wording of the law is in the sense of the argument of the applicant, it can be deduced that the legislature wanted to grant the person concerned a subjective right to legal protection from the data protection authority. The present application must therefore be decided on a merits basis - see the decision of October 29, 2015, GZ: DSB-D215.861 /0010-DSB/2015).

According to § 22 para. 4 DSG in conjunction with § 57 para , AVG, the data protection authority is entitled to prohibit the continuation of data processing with a mandate notice without prior investigation if the operation of data processing poses a significant immediate threat to the confidentiality interests of the data subject worthy of protection (imminent danger) and thus carries an increased risk potential in the event of imminent danger (cf. and thus takes into account an increased risk potential in the event of imminent danger see Thiele/Wagner, practical commentary on the Data Protection Act (DSG), § 22 DSG, paragraph 8)., Practical commentary on the Data Protection Act (DSG), paragraph 22, DSG, paragraph 8 ).

Since the issuance of a mandate decision does not have to be preceded by an investigation by the data protection authority, it is the applicant's responsibility to certify the legal requirements for the issuance of the decision together with the application (to make it credible, to provide prima facie evidence; cf. Since the issuance of a mandate decision is not preceded by an investigation by the data protection authority must, it is the applicant's responsibility to certify the legal requirements for the decision to be issued together with the application (to make it credible, to provide prima facie evidence; see Schmidl in Gantschacher†/Jelinek/Schmidl/Spanberger, commentary on the DSG, § 22 note 9) . A subsequent subsequent revision of the certificate or an evidentiary procedure would be incompatible with the character of the decision according to § 22 DSG as an urgent administrative police measure (data protection emergency order) (cf. the decision of September 24, 2015, GZ: DSB-D215.813/ 0012-DSB/2015)., Commentary on the DSG, paragraph 22, note 9). A subsequent revision of the certificate or an evidentiary procedure would be incompatible with the character of the decision according to paragraph 22, DSG as an urgent measure of an administrative police nature (data protection police emergency order) compare the decision of September 24, 2015, GZ: DSB-D215.813/0012- DSB/2015).

The issuance of a mandate notice requires, on the one hand, that the data processing is materially illegal and that reasonable suspicion is sufficient for this to exist. There must therefore be actual evidence to justify the assumption of the probability that provisions of data protection law have been violated and this can be explained in a rationally comprehensible manner (cf. VwGH March 21, 2012, 2012/16/0005). On the other hand, it is necessary that this can be explained in a rationally comprehensible manner (see VwGH March 21, 2012, 2012/16/0005). On the other hand, it is necessary that the operation of this very data processing poses a significant direct threat to the confidentiality interests of those affected (i.e. imminent danger) that are worthy of protection (see Thiele/Wagner, practical commentary on the Data Protection Act (DSG), § 22 (i.e. imminent danger). DSG, Rz 15). For a mandate to be issued, both criteria must be met. , practical commentary on the Data Protection Act (DSG), paragraph 22, DSG, paragraph 15). For a mandate to be issued, both criteria must be met.

Imminent danger exists if failure to take official action would likely result in those affected having to accept (further) privacy violations or even damage, which can be prevented by issuing a provisional ban on data processing. Section 22 (4) of the Data Protection Act (DSG) establishes a danger of imminent delay if failure to take the official measure would probably lead to those affected having to accept (further) privacy violations or even damage, which can be prevented by issuing the provisional ban on data processing . Paragraph 22, Paragraph 4, DSG represents a lex specialis to Section 57 AVG. This means that the examination that would otherwise have to be carried out to determine whether the measure cannot be postponed is no longer necessary in relation to the necessary duration of the investigation in the data protection area (cf. Paragraph 57, AVG). This means that the examination that would otherwise have to be carried out to determine whether the measure cannot be postponed in relation to the necessary duration of the investigation in the data protection area is no longer necessary (see Thiele/Wagner, practical commentary on the Data Protection Act (DSG), § 22 DSG, para. 18). , practical commentary on the Data Protection Act (DSG), paragraph 22, DSG, paragraph 18).

General concern about future events is not sufficient to fulfill the offense of “imminent danger” (see DSK March 30, 2012, K121.765/0008-DSK/2012). The existence of imminent danger must be justified by facts relating to the individual case. compare DSK March 30, 2012, K121.765/0008-DSK/2012). The existence of imminent danger must be justified by facts relating to the individual case. Pure speculation, hypothetical considerations or case-independent assumptions based solely on everyday experience are not sufficient (see Thiele/Wagner, practical commentary on the Data Protection Act (DSG), § 22 DSG, para. 20). , Practical commentary on the Data Protection Act (DSG), Paragraph 22, DSG, Rz 20).

C.3. Regarding the existence of a significant immediate threat to the applicant's confidentiality interests worthy of protection through the operation of the data processing in question (danger imminent):

First of all, it should be noted that, according to the statements made above, the data protection authority has decided on the application dated January 24, 2022 for the issuance of a mandate decision in accordance with Section 22 (4) DSG in conjunction with Section 57 (1) AVG in conjunction with Article 58 (2) lit. f GDPR First of all, it should be noted that, according to the statements made above, the data protection authority has decided on the application of January 24, 2022 for the issuance of a mandate decision in accordance with paragraph 22, paragraph 4, DSG in conjunction with paragraph 57, paragraph one, AVG in conjunction with Article 58, paragraph 2, Litera f, GDPR must be meritoriously objected to.

As stated, as part of the additional evidence requirement pursuant to Section 25 Para. 2 VO-UA dated December 16, 2021, the respondent was asked to establish whether or not the applicant or companies owned by him or her He has held executive functions since financial criminal proceedings were initiated in 2015 and how many of them were conducted. As stated, as part of the additional evidence requirement pursuant to Paragraph 25, Paragraph 2, VO-UA of December 16, 2021, the respondent was asked to establish whether the applicant or companies owned by him or in in which he held executive functions, financial criminal proceedings were initiated since 2015 and the number of cases in which they were conducted.

Regarding the data processing in question, the applicant submits that the evaluation and transmission of the data concerned to the committee of inquiry is in principle not a problem, but rather that it is a matter of forwarding information or documents to the media public by members of the committee of inquiry.

Regarding the possible existence of imminent danger, the applicant claims in his introductory submission that, as a result of the investigative work of the ÖVP Corruption Investigative Committee, it can be assumed that the data will be transmitted to this investigative committee in a timely manner. Essentially, the applicant justifies the existence of a significant threat to his confidentiality interests by saying that information or documents concerning him would be passed on by third parties (members of the investigative committee) and ultimately published.

However, the admissibility of a mandate notice presupposes that a dangerous situation is to be feared by the respondent and responsible person within the meaning of Article 4, Paragraph 7 of the GDPR.

However, it is not clear and has not been stated to what extent this dangerous situation would be directly caused by the data processing complained about by the respondent (especially since this is fundamentally covered by Art. 53 Para. 3 B-VG), the application dated 24. January 2022 against the (upcoming) evaluation and transmission of documents related to the applicant to the ÖVP corruption investigation committee. The disclosure of this personal data (e.g. to the media) would be possible (especially since this is generally covered by Article 53, Paragraph 3, B-VG), but the application of January 24, 2022 is directed against the (upcoming) evaluation and transmission of documents with reference to the applicant to the ÖVP corruption investigation committee. The applicant never claimed that this personal data was disclosed (e.g. to the media) directly by the respondent. Rather, the applicant expressly stated that the respondent's data processing did not fundamentally pose a problem.

Therefore, the (alleged) direct threat to his confidentiality interests worthy of protection does not lie in the data processing in question.

Furthermore, the applicant's arguments only indicate a general concern about future events, which, however, cannot be attributed to the respondent's sphere. The fear that members of the investigative committee would - contrary to existing confidentiality obligations - disclose to third parties the information they have become aware of in the course of their work for the investigative committee is, from the data protection authority's point of view, merely hypothetical considerations or merely assumptions based on everyday experience (from the applicant "The notorious permeability of U-committees" is cited), which are not suitable for detecting the existence of a concrete dangerous situation within the meaning of Section 22 of the DSG "), which are not suitable for detecting the existence of a concrete dangerous situation within the meaning of Paragraph 22, DSG with regard to the to be able to certify the respondent (cf. to be able to certify again see Thiele/Wagner, practical commentary on the Data Protection Act (DSG), § 22 DSG, paragraph 20)., practical commentary on the Data Protection Act (DSG), paragraph 22, DSG, paragraph 20).

In summary, it should be noted that the alleged threat to the applicant's interests is seen in the activities of members of the investigative committee, but not in the data processing - which is the subject of the proceedings here - by the respondent. In any case, it is outside the respondent's sphere of influence to influence data processing after transmission (apart from the classification according to the Information Act).

The application was therefore dismissed according to the verdict.

In the present case, the applicant has submitted an application for the issuance of a mandate notice in accordance with Section 22 Paragraph 4 DSG in conjunction with Section 57 Paragraph 1 AVG in conjunction with Article 58 Paragraph 2 Letter f GDPR. In the present case, the applicant has submitted an application for a mandate decision in accordance with paragraph 22, paragraph 4, DSG in conjunction with paragraph 57, paragraph one, AVG in conjunction with Article 58, paragraph 2, letter f, GDPR.

For this reason, these legal bases for a mandate notice are also listed in the award (§ 22 para. 4 DSG and § 57 AVG). For this reason, these legal bases for a mandate notice are also listed in the award (paragraph 22, paragraph 4, DSG and paragraph 57, AVG). Nevertheless, the rejection does not take place in the form of a mandate notice, since the characteristic of imminent danger required by Section 57 Para. 1 AVG is missing for the rejection of the application. A mandate decision - and thus a legal protection procedure expanded and extended by the possibility of presentation - logically and systematically only makes sense in the case of a positive administrative police intervention in existing rights (arguably: “immediate measures”), but not in the present case of the rejection of such an application Intervention due to the lack of the legal requirements (cf. again the above-mentioned decision of September 24, 2015), since the characteristic of imminent danger required by paragraph 57, paragraph one of the AVG is missing for the rejection of the application. A mandate decision - and thus a legal protection procedure expanded and extended by the possibility of presentation - logically and systematically only makes sense in the case of a positive administrative police intervention in existing rights (arguably: “immediate measures”), but not in the present case of the rejection of such an application intervention due to the lack of the legal requirements, compare again the above-mentioned decision of September 24, 2015).