DSB (Austria) - 2022-0.876.190

From GDPRhub
DSB - 2022-0.876.190
LogoAT.png
Authority: DSB (Austria)
Jurisdiction: Austria
Relevant Law: Article 6(1) GDPR
Article 55(1) GDPR
Article 55(2) GDPR
Article 56 GDPR
Type: Complaint
Outcome: Other Outcome
Started: 30.10.2022
Decided: 15.12.2022
Published: 25.01.2023
Fine: n/a
Parties: n/a
National Case Number/Name: 2022-0.876.190
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): German
Original Source: RIS (in DE)
Initial Contributor: n/a

The Austrian DPA dismissed a complaint of a data subject against an embassy on the Austrian territory due to a lack in authority pursuant to Article 55(2) GDPR and the diplomatic immunity enshrined in international law.

English Summary

Facts

In the case at hand, a data subject complained about the embassy of the Republic of N*** in Vienna (the controller) to the Austrian DPA. (The concerned Republic had been censored in the published decision.)

As part of the N*** 2022 elections, an electoral roll, which included the data subject’s name, date of birth and voter register number, was posted on the outside of the controller’s office building. This electoral roll was therefore accessible to the general public.

The subject of the complaint was the question of whether the controller violated a data subject's right to secrecy by publishing their personal data. Before the DPA addressed the concrete substance of the allegation it first had to assess its competence.

Holding

In its decision, DPA found itself not competent.

It did so based on two lines of reasoning. One related to the Articles 55 and 56 GDPR, the other based on the Vienna Convention on Diplomatic Relations.

First, the DPA assessed the provisions of the GDPR. Pursuant to Article 55(1) GDPR, any supervisory authority responsible for the fulfilment of the tasks and the exercise of the powers assigned to it by the GDPR, have jurisdiction in the territory of their own Member State. The data protection authority is therefore the supervisory authority responsible for the sovereign territory of the Republic of Austria (see §18(1) of the Austrian Data Protection Law).

Nevertheless, in this case the DPA noted that the complaint is directed against the embassy of a third country. It pointed out that modern international law does not count embassies among the exclaves of another state, but assigns them to the receiving state. Therefore, since the embassy of the Republic of N*** is in Vienna, it is part of Austrian territory and the responsible DPA for data processing in the Embassy would therefore, in principle, be the Austrian DPA pursuant to Article 55(1) GDPR.

However, the DPA further considered the exception of Article 55(2) GDPR which states that local DPA's are not responsible if the processing is carried out by authorities or private bodies in other Member States on the basis of Article 6(1)(c) or (e) GDPR. In this case, the DPA of the Member State concerned would be responsible and the procedure according to Article 56 GDPR does not find any application. It follows from this that the Austrian DPA has no jurisdiction over public authorities or private bodies whose data processing is attributable to another Member State. Consequently, the DPA held that this must also apply to authorities or private bodies whose data processing is attributable to a third country - here: Embassy of the Republic of N***.

Secondly, the DPA stated that it also necessary to consider the Vienna Convention on Diplomatic Relations which both Austria and the Republic of N*** have ratified.

It noted that these conventions provide for privileges and immunities of missions and diplomatic personnel from the exercise of domestic state authority (see e.g. Article 22 and 31). Pursuant to Article 31(1) of the Vienna Convention on Diplomatic Relations, diplomats enjoy immunity from criminal jurisdiction, civil jurisdiction and administrative jurisdiction of the receiving state to the subject matter, even if, pursuant to Article 41(1), they are obliged to comply with the laws and other legal regulations of the recipient country - and thus also the GDPR, which, as a directly applicable legal act of the European Union, is equivalent to national laws.

As, by virtue of this regulation under international law, the ambassador or the mission under the authority of the Republic of N*** cannot be prosecuted by the Austrian DPA, the data subject's complaint had to be dismissed

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

text

GZ: 2022-0.876.190 from December 15, 2022 (case number: DSB-D124.1413/22)

[Editor's note: Names and companies, legal forms and product names, addresses (including URLs, IP and e-mail addresses), file numbers (and the like), etc., as well as their initials and abbreviations may be abbreviated and/or changed for reasons of pseudonymization being. Corrected obvious spelling, grammar, and punctuation errors.]

NOTICE

SAY

The data protection authority decides on the data protection complaint by Ignaz A*** (complainant) of October 30, 2022 against the Embassy of the Republic of N*** in Vienna (respondent) for violation of the right to secrecy as follows:

- The complaint is rejected.

Legal basis: Art. 4 Z 7, Art. 51 Para. 1, Art. 55 Para. 1, Art. 57 Para. 1 lit. f and Art. 77 Para. 1 of Regulation (EU) 2016/679 (General Data Protection Regulation). , hereinafter: GDPR), OJ No. L 119 of 05/04/2016 p. 1; Sections 18 (1) and 24 (1) and (5) of the Data Protection Act (DSG), Federal Law Gazette I No. 165/1999 as amended; Art. 31 Para. 1 and Art. 41 Para. 1 of the Vienna Convention on Diplomatic Relations, Federal Law Gazette No. 66/1966 as amended.

REASON

A. Submissions of the parties and course of the proceedings

In his submission of October 30, 2022 to the data protection authority, the complainant essentially submitted that the respondent had publicly posted a list of all those entitled to vote in the context of the n*** elections. The name, date of birth and voter registration number were visible to all passers-by.

In a letter dated November 9, 2022, the data protection authority manu- duced the unrepresented complainant about its likely lack of jurisdiction and gave the complainant the opportunity to withdraw his complaint. The complainant subsequently made no further comments.

B. Subject of Complaint

Based on the Complainant's submissions, it follows that the subject of the Complaint is the question of whether the Respondent violated the Complainant's right to secrecy by publishing the Complainant's name, date of birth and voter registration number in the context of the n*** elections .

First, however, the question of the competence of the data protection authority must be clarified.

C. Findings of Facts

The respondent is the embassy of the Republic of N*** in Vienna.

As part of the n*** 2022 elections, an electoral roll, which included the complainant’s name, date of birth and voter register number, was posted on the outside of the respondent’s office building and this electoral roll was therefore accessible to the general public.

Assessment of evidence: The findings made are based on the complainant's submission in his submission of October 30, 2022, which initiated the proceedings, to which a photograph of the published electoral roll was also attached.

D. In legal terms it follows that:

1. Pursuant to Article 55(1) of the GDPR, each supervisory authority is responsible for carrying out the tasks and exercising the powers conferred on it by the GDPR on the territory of its own Member State.

The data protection authority is therefore the supervisory authority responsible for the sovereign territory of the Republic of Austria (cf. Section 18 (1) DSG).

In this case, however, it should be noted that the complaint is directed against the embassy of a third country.

Modern international law does not count embassies among the exclaves of another state, but assigns them to the receiving state (cf. Doehring, Völkerrecht, § 12, Rz 676). Since the embassy of the Republic of N*** is in Vienna, it is therefore part of Austrian territory and the data protection authority for data processing there would therefore in principle be the supervisory authority responsible in accordance with Art. 55 (1) GDPR.

However, Art. 55 (2) GDPR already contains the exception that the local supervisory authority is not responsible if the processing is carried out by authorities or private bodies of other member states on the basis of Art. 6 (1) lit. c or e GDPR. In this case, the supervisory authority of the Member State concerned is responsible and the procedure under Art. 56 GDPR does not apply.

It follows from this that the Austrian data protection authority has no jurisdiction over public authorities or private bodies whose data processing is attributable to another Member State.

Consequently, this must also apply to authorities or private bodies whose data processing is attributable to a third country - here: Embassy of the Republic of N***.

2. In this context, the Vienna Convention on Diplomatic Relations, which has been ratified by both the Republic of Austria and the Republic of N***, must also be observed:

At various points, these conventions provide for privileges and immunities of missions and diplomatic personnel from the exercise of domestic state authority (see e.g. Art. 22 and Art. 31).

Pursuant to Art. 31 Para. 1 of the Vienna Convention on Diplomatic Relations, diplomats enjoy immunity from criminal jurisdiction, civil jurisdiction and administrative jurisdiction of the receiving state, with the exception of certain cases that are not relevant to the case at hand, even if, pursuant to Art. 41 Para. 1 leg .cit. are obliged to observe the laws and other legal regulations of the recipient country - including the GDPR, which as a directly applicable legal act of the European Union is equivalent to national laws.

By virtue of this regulation under international law, the ambassador sent by the Republic of N*** or the mission under him cannot be prosecuted by the data protection authority (cf. essentially Schmidl, in Jahnel (ed.) Yearbook Data Protection Law 2021, The GDPR and international Organisations, p. 25) and it is also not apparent that he would have acted exclusively in a private-law capacity within the framework of the publication of the voter register at issue (cf. Reinisch (ed.), Handbuch des Völkerrechts5 VI Rz 1557, according to which sanctions would be conceivable, provided that diplomatic personnel act exclusively in a private-law capacity).

Consequently, the complaint was to be dismissed due to the immunity of the person responsible for data protection, which is enshrined in international law.

It was therefore to be decided accordingly.