DSB (Austria) - 2023-0.227.168: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Austria |DPA-BG-Color= |DPAlogo=LogoAT.png |DPA_Abbrevation=DSB |DPA_With_Country=DSB (Austria) |Case_Number_Name=2023-0.227.168 |ECLI=ECLI:AT:DSB:2023:2023.0.227.168 |Original_Source_Name_1=RIS (Austria) |Original_Source_Link_1=https://www.ris.bka.gv.at/Dokument.wxe?ResultFunctionToken=26b36b3a-871d-446c-a92b-f39beb4860c2&Position=1&SkipToDocumentPage=True&Abfrage=Dsk&Entscheidungsart=Undefined&Organ=Undefined&SucheNachRechtssatz=True&S...")
 
mNo edit summary
Line 66: Line 66:


=== Facts ===
=== Facts ===
The data subject made an access request with a public company – ELGA – tasked with some services in the sector of public health. Shareholders in such a company were the Austrian federal government, regional administrations and representatives of social security institutions.
The data subject made an access request with a public company – ELGA – tasked with services in the sector of public health, including keeping databases on behalf of the Austrian Ministry of Health. Shareholders in such a company were the Austrian federal government, regional administrations and representatives of social security institutions.
The company never replied to the request. Thus, the data subject lodged a complaint with the Austrian DPA.
 
ELGA never replied to the request. Thus, the data subject lodged a complaint with the Austrian DPA.
 
ELGA denied to be ‘controller’ pursuant to [[Article 4 GDPR#7|Article 4(7) GDPR]]. According to the company, the controller was the Austrian Ministry of Health, which determined purposes and means of the processing operations undertaken by the company, especially in the context of vaccination campaigns.
ELGA denied to be ‘controller’ pursuant to [[Article 4 GDPR#7|Article 4(7) GDPR]]. According to the company, the controller was the Austrian Ministry of Health, which determined purposes and means of the processing operations undertaken by the company, especially in the context of vaccination campaigns.


=== Holding ===
=== Holding ===
The DPA highlighted that Austrian law assigned to specific office within ELGA the responsibility to deal with, among others, access requests by data subjects concerning processing activities ordered by the Health Ministry.
The DPA highlighted that Austrian law assigned to a specific office within ELGA the responsibility to deal with, among others, access requests by data subjects concerning processing activities ordered by the Health Ministry.
 
According to the DPA, the concept of controller pursuant to [[Article 4 GDPR#7|Article 4(7) GDPR]] must be kept separated from the duty to address an access request. This can be inferred by the fact that the duty to react, even in a negative way, applies to anyone, the existence of a processing activity not being a necessary element for the request.  
According to the DPA, the concept of controller pursuant to [[Article 4 GDPR#7|Article 4(7) GDPR]] must be kept separated from the duty to address an access request. This can be inferred by the fact that the duty to react, even in a negative way, applies to anyone, the existence of a processing activity not being a necessary element for the request.  
If the addressee of the access request considers that a substantial reply is either materially or legally impossible, they still have to inform the data subject about the reasons of the refusal pursuant to [[Article 12 GDPR#4|Article 12(4) GDPR]] and about the possibility to lodge a complaint with the DPA. In other words, a duty to react is essential to enable the data subject to exercise further rights under the GDPR.
If the addressee of the access request considers that a substantial reply is either materially or legally impossible, they still have to inform the data subject about the reasons of the refusal pursuant to [[Article 12 GDPR#4|Article 12(4) GDPR]] and about the possibility to lodge a complaint with the DPA. In other words, a duty to react is essential to enable the data subject to exercise further rights under the GDPR.
Therefore, the DPA used its power under [[Article 58 GDPR#2c|Article 58(2)(c) GDPR]] and ordered ELGA to provide the requested information.
Therefore, the DPA used its power under [[Article 58 GDPR#2c|Article 58(2)(c) GDPR]] and ordered ELGA to provide the requested information.


== Comment ==
== Comment ==
This decision, understandable from a practical perspective, is difficult to reconcile with the text of the GDPR. First, it is clear from the text of [[Article 15 GDPR|Article 15 GDPR]], the data subject has a right to obtain confirmation by the controller. The (objective) fact – stressed by the DPA – that an ongoing processing operation is necessary to activate the duty to reply does not influence the subjective qualification of the addressee of this provision. As a matter of fact, a ‘controller’ within the meaning of [[Article 4 GDPR#7|Article 4(7) GDPR]] does not need to process personal data directly. It is also clear from the text of the decision that ELGA’s argument is not that the company does not process personal data of the data subject; rather, the company argues that it does not determine purposes and means of the processing.
This decision, understandable from a practical perspective, is difficult to reconcile with the text of the GDPR. First, it is clear from the text of [[Article 15 GDPR|Article 15 GDPR]], the data subject has a right to obtain confirmation by the controller. The (objective) fact – stressed by the DPA – that an ongoing processing operation is not necessary to activate the duty to reply does not influence the subjective qualification of the addressee of this provision. As a matter of fact, a ‘controller’ within the meaning of [[Article 4 GDPR#7|Article 4(7) GDPR]] does not need to process personal data directly. It is also clear from the text of the decision that ELGA’s argument is not that the company does not process personal data of the data subject; rather, the company argues that it does not determine purposes and means of the processing.


== Further Resources ==
== Further Resources ==

Revision as of 12:07, 24 August 2023

DSB - 2023-0.227.168
LogoAT.png
Authority: DSB (Austria)
Jurisdiction: Austria
Relevant Law: Article 4(7) GDPR
Article 15 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 23.03.2023
Published: 22.08.2023
Fine: n/a
Parties: n/a
National Case Number/Name: 2023-0.227.168
European Case Law Identifier: ECLI:AT:DSB:2023:2023.0.227.168
Appeal: Pending appeal
BVwG (Austria)
Original Language(s): German
Original Source: RIS (Austria) (in DE)
Initial Contributor: mg

The Austrian DPA found that the duty to react to an access request is fully independent from the qualification of the addressee as a controller pursuant to Article 4(7) GDPR.

English Summary

Facts

The data subject made an access request with a public company – ELGA – tasked with services in the sector of public health, including keeping databases on behalf of the Austrian Ministry of Health. Shareholders in such a company were the Austrian federal government, regional administrations and representatives of social security institutions.

ELGA never replied to the request. Thus, the data subject lodged a complaint with the Austrian DPA.

ELGA denied to be ‘controller’ pursuant to Article 4(7) GDPR. According to the company, the controller was the Austrian Ministry of Health, which determined purposes and means of the processing operations undertaken by the company, especially in the context of vaccination campaigns.

Holding

The DPA highlighted that Austrian law assigned to a specific office within ELGA the responsibility to deal with, among others, access requests by data subjects concerning processing activities ordered by the Health Ministry.

According to the DPA, the concept of controller pursuant to Article 4(7) GDPR must be kept separated from the duty to address an access request. This can be inferred by the fact that the duty to react, even in a negative way, applies to anyone, the existence of a processing activity not being a necessary element for the request.

If the addressee of the access request considers that a substantial reply is either materially or legally impossible, they still have to inform the data subject about the reasons of the refusal pursuant to Article 12(4) GDPR and about the possibility to lodge a complaint with the DPA. In other words, a duty to react is essential to enable the data subject to exercise further rights under the GDPR.

Therefore, the DPA used its power under Article 58(2)(c) GDPR and ordered ELGA to provide the requested information.

Comment

This decision, understandable from a practical perspective, is difficult to reconcile with the text of the GDPR. First, it is clear from the text of Article 15 GDPR, the data subject has a right to obtain confirmation by the controller. The (objective) fact – stressed by the DPA – that an ongoing processing operation is not necessary to activate the duty to reply does not influence the subjective qualification of the addressee of this provision. As a matter of fact, a ‘controller’ within the meaning of Article 4(7) GDPR does not need to process personal data directly. It is also clear from the text of the decision that ELGA’s argument is not that the company does not process personal data of the data subject; rather, the company argues that it does not determine purposes and means of the processing.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

text

GZ: 2023-0.227.168 from March 23, 2023 (case number: DSB-D777.026)

[Note editor: Names and companies, legal forms and product names, addresses (including URLs, IP and e-mail addresses), file numbers (and the like), etc., as well as their initials and abbreviations may be abbreviated for reasons of pseudonymization and/ or be changed. Obvious spelling, grammar and punctuation errors have been corrected.

The name of the Respondent was not pseudonymized here, since editing the content of the decision, which would have made it impossible or at least significantly more difficult to identify the Respondent, would only have been possible by largely eliminating the comprehensibility of the content of the decision. The right to secrecy (Section 1 DSG) and the interest in secrecy of the Respondent, a legal entity that was expressly entrusted with statutory tasks in the context of the facts, is opposed to the statutory mandate pursuant to Section 23 (2) DSG, whereby this is a decision of a more fundamental nature importance for the general public, as some legal issues have been finally decided here for the first time. The decision was therefore to be included in the decision documentation of the data protection authority because of the overriding general interest in publication.] The name of the respondent has not been pseudonymised here, since editing the content of the decision, which would have made it impossible or at least significantly more difficult to identify the respondent, only would have been possible by largely eliminating the comprehensibility of the content of the decision. The right to secrecy (paragraph one, DSG) and the interest in secrecy of the respondent, a legal entity that was expressly entrusted with legal tasks in the context of the facts, is opposed to the statutory mandate pursuant to Section 23, paragraph 2, DSG, whereby this is a decision is of fundamental importance for the general public, as some legal issues have been finally decided here for the first time. The decision was therefore to be included in the decision documentation of the data protection authority due to the overriding general interest in publication.]

NOTICE

SAY

The data protection authority decides on the data protection complaint of Dr. Erich A*** (complainant) dated February 10, 2022 (ha. received on February 14, 2022) against ELGA GmbH (respondent) for alleged violation of the right to information as follows:

1. The Complaint is upheld and it is found that the Respondent violated the Complainant's right of access by not responding to his request to that effect.

2. The Respondent is instructed to comply with their obligation to respond to the Complainant pursuant to Art. 12 (3) in conjunction with Art. 15 (1) GDPR within a period of four weeks or else execution. , to comply with their obligation to respond to the complainant in accordance with Article 12, paragraph 3, in conjunction with Article 15, paragraph one, GDPR within a period of four weeks, otherwise execution.

Legal basis: Art. 12 Para. 1, Para. 2, Para. 3 and Para. 4, Art. 15 Para. 1, Art. 23 Para. 1 lit. e, Art. 51 Para. 1, Art. 57 Para. 1 lit. f, Art. 58 Para. 2 lit. c and Art. 77 Para p. 1; Sections 18 (1) and 24 (1) and (5) of the Data Protection Act (DSG), Federal Law Gazette I No. 165/1999 as amended; §§ 2 Z 14, 17 Para. 1 and Para. 2, 24c Para. 1, 24e Para. 1 Z 1 and 27 Para. 17 of the Healthcare Telematics Act 2012 (GTelG 2012), Federal Law Gazette I No. Article 12, paragraph one,, paragraph 2, paragraph 3 and paragraph 4,, Article 15, paragraph one,, Article 23, paragraph one, litera e,, Article 51, paragraph one,, Article 57, paragraph one, litera f ,, Article 58, paragraph 2, litera c, and Article 77, paragraph one, of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter: GDPR), OJ No. L 119 of 4.5.2016 p. 1 ; Paragraphs 18, paragraph one, as well as 24 paragraph one and paragraph 5, of the Data Protection Act (DSG), Federal Law Gazette Part One, No. 165 from 1999, as amended; Paragraphs 2, number 14,, 17 paragraph one and paragraph 2,, 24c paragraph one,, 24e paragraph one, number one, and 27 paragraph 17, of the Health Telematics Act 2012 (GTelG 2012), Federal Law Gazette Part One, No. 111 from 2012, idgF.

REASON

A. Submissions of the parties and course of the proceedings

1. With a procedural submission dated February 10, 2022 (received February 14, 2022), the complainant alleged a violation of the right to information because the respondent had not responded (in due time) to his request of January 3, 2022.

2. Due to a large number of identical complaints, the data protection authority requested the respondent with ho. Writing down September 28, 2022 for comment.

3. In a submission dated November 15, 2022, the Respondent submitted as follows:

Initially, the Respondent's lack of responsibility in connection with the electronic vaccination card (hereinafter: "e-vaccination card") is pointed out, since this is neither provided for by law, nor would the Respondent have any other factual decision-making powers about the purposes and means of processing. Rather, this decision is made by the responsible federal minister (note: Federal Minister for Social Affairs, Health, Care and Consumer Protection), who draws up the legal basis for the processing activity "e-vaccination card", introduces the decision in the National Council, in the relevant bodies - especially in those of the Respondent - specify the development and mostly finance the e-vaccination card. As a result, this means “without a health minister, no e-vaccination card”. The fact that there was even a discussion about the person responsible in the case at hand is solely due to the opening clause of Art. 4 Z 7 GDPR. In this context, however, the question arises as to whether an opening clause also allows an assignment "contra facta" or is only applicable in cases of doubt. In any case, the corresponding guidelines of the European Data Protection Board would suggest that completely contrary circumstances should not be “bent” by legal definitions. The European Data Protection Board further states that if the person responsible is explicitly determined by law, this is decisive for determining the responsibility. However, this presupposes that the legislature designates that body as the responsible body which has the opportunity to exercise "real" control. The fact that the Respondent is not in a position to do so is shown, for example, by the lack of (specific) access authorization in Section 24f (4) GTelG 2012, which would not even allow the Respondent to exercise the – disputed – data subject rights (reference to the decision of the data protection authority dated September 2nd, 2022, GZ: 2022-0.347.251), the Respondent's obligation to issue instructions to its owners, the factual issuing of numerous orders and specifications to the Respondent regarding processing activities in connection with the e-vaccination card and the continuous adjustment of the legal basis by the competent federal minister. As already stated, the Respondent also has no budgetary authority. In addition, the responsible federal minister publicly clarified that the initiation of proceedings in accordance with Art. 36 GDPR - at that time in connection with the COVID-19 Mandatory Vaccination Act, which has since been repealed - is not one of the tasks of the Respondent's management, although the initiation of such proceedings is the responsibility of the person responsible incumbent. The Respondent also had no genuine interest in this processing activity. Rather, the interest is limited to the paid processing of orders that are awarded by their owners or other public bodies. In its decision of October 14, 2022, the data protection authority also stated that the respondent was not responsible for the processing activity "e-vaccination card" and therefore had no passive legitimation. In addition, reference is made to the respondent's statement on the ministerial draft of the federal law amending the Epidemics Act 1950 and the COVID-19 Measures Act, in which it was explained in detail that the "pilot phase" of the central vaccination register had already expired and from this point in time the competent federal minister is responsible. Apart from that, there is also a lack of passive legitimation for the exercise of data subject rights. According to § 24e Abs. 1 Z 1 GTelG 2012, the persons concerned have the right to information only in writing to the "ELGA ombudsman" or electronically via the access portal. Even if the Respondent were to be responsible, the additional claims of the Respondent for all data subject rights under Chapter III GDPR - in particular through § 24e Para. 1 Z 1 GTelG 2012 - would be excluded, as the relevant parliamentary materials would also prove The Respondent's capacity to be responsible in connection with the electronic vaccination card (hereinafter: "e-vaccination card") is pointed out, since this is neither provided for by law, nor would the Respondent have any other factual decision-making powers about the purposes and means of processing. Rather, this decision is made by the responsible Federal Minister, who draws up the legal basis for the "e-vaccination pass" processing activity, introduces the decision in the National Council, in the relevant bodies - in particular in those of the Respondent - specify the development and mostly finance the e-vaccination card. As a result, this means “without a health minister, no e-vaccination card”. The fact that there is any discussion about the person responsible in the case at hand is solely due to the opening clause of Article 4, paragraph 7, GDPR. In this context, however, the question arises as to whether an opening clause also allows an assignment "contra facta" or is only applicable in cases of doubt. In any case, the corresponding guidelines of the European Data Protection Board would suggest that completely contrary circumstances should not be “bent” by legal definitions. The European Data Protection Board further states that if the person responsible is explicitly determined by law, this is decisive for determining the responsibility. However, this presupposes that the legislature designates that body as the responsible body which has the opportunity to exercise "real" control. The fact that the Respondent is not in a position to do so is shown, for example, by the lack of (specific) access authorization in Section 24 f, Paragraph 4, GTelG 2012, which would not even allow the Respondent to exercise the – disputed – rights of those affected (reference to the decision of the data protection authority of September 2, 2022, GZ: 2022-0.347.251), in the respondent's obligation to issue instructions to its owners, in the factual issuing of numerous orders and specifications to the respondent regarding processing activities in connection with the e-vaccination card and in the continuous adjustment of the legal bases by the competent federal minister. As already stated, the Respondent also has no budgetary authority. In addition, the responsible federal minister publicly clarified that the initiation of a procedure in accordance with Article 36, GDPR - at that time in connection with the COVID-19 compulsory vaccination law, which has since been repealed - is not one of the tasks of the respondent's management, although the initiation of such a procedure is the responsibility of the person responsible incumbent. The Respondent also had no genuine interest in this processing activity. Rather, the interest is limited to the paid processing of orders that are awarded by their owners or other public bodies. In its decision of October 14, 2022, the data protection authority also stated that the respondent was not responsible for the processing activity "e-vaccination card" and therefore had no passive legitimation. In addition, reference is made to the respondent's statement on the ministerial draft of the federal law amending the Epidemics Act 1950 and the COVID-19 Measures Act, in which it was explained in detail that the "pilot phase" of the central vaccination register had already expired and from this point in time the competent federal minister is responsible. Apart from that, there is also a lack of passive legitimation for the exercise of data subject rights. According to paragraph 24 e, paragraph one, number one, GTelG 2012, the persons concerned have the right to information only in writing to the "ELGA ombudsman" or electronically via the access portal. Even if the Respondent were to be responsible, the additional claims of the Respondent for all data subject rights under Chapter Roman III GDPR - in particular through Paragraph 24 e, Paragraph One, Number One, GTelG 2012 - would be excluded, as the relevant parliamentary materials would also prove.

4. With the date of January 10, 2023, the data protection authority granted the complainant a hearing on the respondent's statement.

5. The complainant did not make any further statements during the granted hearing of the parties. A corresponding forwarding report is enclosed with the file and there is no error message from an email server.

B. Subject of Complaint

Based on the submissions of the complaint, the subject of the complaint is the question of whether the Respondent violated the Complainant's right to information by not responding to his request in this regard.

C. Findings of Facts

1. The Respondent is a limited liability company registered under FN 338778 d with its registered office in 1200 Vienna, Treustraße 35-43. The purpose of the company is to provide services in the public interest in the area of e-health for the introduction and implementation of the electronic health record. The owners (shareholders) are the federal government (represented by the Federal Minister of Health), the federal states and the umbrella organization of social security institutions.

Evidence assessment: The findings are based on an official query of the company register for FN 338778 d and the website www.elga.gv.at, last queried by the data protection authority on March 22, 2023.

2. The Complainant has to the Respondent - addressing the under point C.1. given address - sent a letter by post on January 3, 2022, excerpts of which - insofar as relevant to the procedure - were as follows:

[Editor's note: Request for information presented in the original as a graphic file.]

Subject: Request for information pursuant to Article 15 GDPR Subject: Request for information pursuant to Article 15 GDPR

Ladies and Gentlemen!

I am referring to my rights under the GDPR, in particular Article 15 GDPR.I am referring to my rights under the GDPR, in particular Article 15 GDPR.

Please confirm whether you process personal data concerning me.

I would like to ask you for information about all personal data that you have stored about me.

Also ask for the following information:

- The processing purposes and the categories of personal data that are processed and, if the personal data was not collected from me, all information about the origin of this data.

- all contract or Legal bases on which this data is used.

- the recipients or categories of recipients to whom the personal data has been disclosed or transmitted or will be disclosed, as well as the guarantees under Art. 46 GDPR, if personal data are or have been transmitted to a third country or international organizations.- the recipients or categories of recipients to whom the personal data has been disclosed or transmitted or is still being disclosed, as well as the guarantees under Article 46, GDPR, if personal data is or was transmitted to a third country or international organizations.

- the existence of a right to correction and deletion of personal data concerning me or to restriction of processing by you or a right to object to this processing.

- the existence of a right of appeal to the competent supervisory authority

- If links are made to other databases (including external ones), the request for information also applies to this data; this also applies if such links are planned. Furthermore, the results of the links must also be given in detail.

- the planned duration for which the personal data will be stored. or, if that is not possible, the criteria used to determine that duration.

Assessment of evidence: The findings are based on the complainant's credible submission initiating the proceedings, in the context of which, among other things, a copy of the letter mentioned was submitted.

3. The item C.2. The Respondent received the above-mentioned letter (by post). The Respondent did not provide any substantive information or any other information or reactions to the complainant until the conclusion of the proceedings.

Assessment of evidence: The findings are based on the complainant's credible submissions, which the respondent has never disputed or called into question in any other way. In particular, the Respondent never denied receipt of the letter.

D. In legal terms it follows that:

D.1. Regarding point 1

D.1.1. legal bases

In accordance with Art. 15 (1) GDPR, the data subject has the right to request confirmation from the person responsible as to whether personal data relating to them are being processed; if this is the case, they have a In accordance with Article 15, paragraph one, GDPR, the data subject has the right to request confirmation from the person responsible as to whether personal data relating to them are being processed; if this is the case, she has a right to information about this personal data and to the right referred to in para. 2 leg. cit. mentioned information. about this personal data and in paragraph 2, leg. cit. mentioned information.

According to Art. 12 Para. 1 GDPR, this information must be transmitted in a precise, transparent, understandable and easily accessible form in clear and simple language ("accuracy and comprehensibility requirement"). Pursuant to para. 2 leg. cit. the data subject to exercise their rights as a data subject (“facilitation requirement”). According to paragraph 3 leg. cit. the application must – in principle – be complied with immediately, but in any case within one month. If the person responsible does not act upon the request of the data subject, according to para. 4 leg. cit. obliged to provide the data subject without delay, but no later than one month after receipt of the request, about the This information must be provided in accordance with Article 12, paragraph one, GDPR in a precise, transparent, intelligible and easily accessible form, using clear and plain language (“Accuracy and comprehensibility requirement”). Pursuant to paragraph 2, leg. cit. the data subject to exercise their rights as a data subject (“facilitation requirement”). Pursuant to paragraph 3, leg. cit. the application must – in principle – be complied with immediately, but in any case within one month. If the person responsible does not act upon the request of the data subject, according to paragraph 4, leg. cit. obliged to inform the data subject without delay, but no later than one month after receipt of the request, of the reasons for this and of the possibility of lodging a complaint with a supervisory authority or lodging a judicial remedy ("reaction and acceleration requirement").

Pursuant to § 24e Para. 1 GTelG 2012, citizens have the right to receive information electronically via the access portal or in writing from the ELGA ombudsman (Art. 15 in conjunction with Art. 23 Para. 1 lit. e GDPR) about the data concerning them , to receive data and log data stored in the central vaccination register and to print out the data stored in the central vaccination register yourself or have them printed out by the ELGA ombudsman, whereby § 17 para. 2 and 4 leg. cit. According to paragraph 24 e, paragraph one, GTelG 2012, citizens have the right to obtain information electronically via the access portal or in writing from the ELGA ombudsman (article 15, in conjunction with article 23, paragraph one, letter e, GDPR ) about the data and log data relating to them stored in the central vaccination register and to print out the data stored in the central vaccination register yourself or have them printed out by the ELGA ombudsman, whereby paragraph 17, paragraph 2, and 4 leg. cit. applies.

According to § 17 Para. 1 and Para. 2 GTelG 2012 (as well as § 10 Para. 1 and Para. 3 Z 1 ELGA-VO 2015), the ELGA ombudsman offices are to be set up by the federal minister responsible for the health system (by ordinance) and by him to operate. According to paragraph 17, paragraph one and paragraph 2, GTelG 2012 (as well as paragraph 10, paragraph one and paragraph 3, number one, ELGA-VO 2015), the ELGA ombudsman offices are to be set up (by ordinance) by the federal minister responsible for the health care system and to be operated by it. The task of an ELGA ombudsman is in particular to provide information, advice and support to those affected in matters relating to ELGA, in particular in enforcing participant rights and in matters of data protection. In this sense, the ELGA ombudsman, as the point of contact for the ELGA participant, must provide all information within two weeks upon request that is necessary to inform the person responsible for processing his/her data in ELGA (Art. 4 Z 7 GDPR). The responsibilities of the data protection authority remain unaffected by this provision. is in particular the information, advice and support of persons concerned in matters related to ELGA, in particular in enforcing participant rights and in matters of data protection. In this sense, the ELGA ombudsman, as the point of contact for the ELGA participant, must provide all information within two weeks upon request that is necessary to enable the person responsible for processing his/her data in ELGA (Article 4, Clause 7, GDPR). The responsibilities of the data protection authority remain unaffected by this provision.

D.1.2. On the alleged violation of the right to information

It should be noted at the outset that the item C.2. The letter mentioned is undoubtedly a request for information within the meaning of Article 15 (1) in conjunction with Article 12 (3) GDPR, which is undisputedly in the sense of Article 15, paragraph one, in conjunction with Article 12, paragraph 3, GDPR, which is undisputed came into the Respondent's sphere of power - and consequently it was received by it - (cf. on the application of the "reception theory" for example the decision of the DSB of February 22, 2019, GZ: DSB-D124.098/0002-DSB/2019, available in the RIS) . the Respondent received - consequently it received - on the application of the "reception theory" compare, for example, the decision of the DSB of February 22, 2019, GZ: DSB-D124.098/0002-DSB/2019, available in the RIS).

As can be seen from the findings, the Respondent did not provide any information on the content or any other reaction - in particular no information about the reasons for the non-compliance - but simply remained inactive.

The Respondent reasoned that due to her lack of responsibility in connection with processing in the electronic vaccination card (hereinafter: e-vaccination card), she was neither legally obliged nor - legally or factually - competent to provide information. In addition, § 24e Para. 1 GTelG 2012 restricts the modalities of exercising the right to information about the data stored in the central vaccination register to electronic queries via the access portal or written assertion to the "ELGA ombudsman", whereby the latter is not to be equated with the respondent - but how e.g. from § 17 leg. cit. apparent - is to be assigned to the responsible federal minister. The respondent explained that due to her lack of responsibility in connection with processing in the electronic vaccination card (hereinafter: e-vaccination card), she was neither legally obliged nor - legally or factually - competent to provide information. In addition, paragraph 24 e, paragraph one, GTelG 2012 restricts the modalities of exercising the right to information about the data stored in the central vaccination register to electronic queries via the access portal or written assertion to the "ELGA ombudsman", whereby the latter is not to be equated with the respondent - but as, inter alia, from paragraph 17, leg. cit. visible - to be assigned to the competent federal minister.

With regard to the alleged lack of responsibility under data protection law, the Respondent overlooks the fact that, according to the provisions of the GDPR, there is a relationship between the "obligated person" - that is the body to which the request for information is directed - and the actual person responsible - in accordance with Art. 4 Z 7 leg. cit . i.e. the body that decides on the purposes and means of processing - must be distinguished. Regarding the alleged lack of responsibility under data protection law, the respondent overlooks the fact that, according to the provisions of the GDPR, between the "obligated person" - that is the body to which the request for Information is addressed - and the actual person responsible - in accordance with Article 4, paragraph 7, leg. cit. i.e. the body that decides on the purposes and means of processing - must be distinguished.

This results from the fact that - both according to established case law and unanimous literature - in the event that no personal data is (currently) being processed about the applicant, "negative information" must be given (cf., for example, Finding of the BVwG of June 24, 2021, GZ: W274 2240807-1, as well as This results from the fact alone that - both according to established case law and unanimous literature - in the event that the applicant does not (currently) have any personal data are processed, in any case a "negative report" must be given, compare, for example, the finding of the BVwG of June 24, 2021, GZ: W274 2240807-1, as well as Bäcker in Kühling/Buchner, General Data Protection Regulation (2017), Art. 15 para. 7 ; on the earlier legal situation, for example, the decision of the Administrative Court of May 27, 2009, GZ: 2007/05/0052, according to which § 26 DSG 2000 granted a right to negative information if there was reason to assume that a client was processing data on the person concerned). Against this background, it cannot be a matter of a "particular intensity" of the relationship between the person obliged to provide accommodation and the person concerned (cf., for example, the decision of the DSB of October 1, 2019, GZ: DSB-D123.625/0006-DSB/2019). Conversely, the fact that the data is actually processed is not a prerequisite for the status as a person entitled to information., General Data Protection Regulation (2017) Article 15, para. 7; on the earlier legal situation, for example, the ruling of the Administrative Court of May 27, 2009, GZ: 2007/05/0052, according to which paragraph 26, DSG 2000 granted a right to negative information if there was reason to assume that a client was processing data on the person concerned). Against this background, it cannot be a question of a "particular intensity" in the relationship between the person obliged to provide accommodation and the person concerned (compare, for example, the decision of the DSB of October 1, 2019, GZ: DSB-D123.625/0006-DSB/2019). Conversely, the fact that the data is actually processed is not a prerequisite for being a person entitled to information.

Consequently, a distinction must also be made between the (essential) obligation to react and the obligation to provide information on the content. While the latter - already in fact - can only exist for that (natural or legal) person or other body that has the essential decision-making authority with regard to the processing purposes and means of the (currently available) data, the obligation under Art. 12 para. 3 GDPR, to react within one month, can already be distinguished with the and the obligation to provide information on the content. While the latter can only exist for that (natural or legal) person or other body that has the essential decision-making authority with regard to the purposes and means of processing the (currently existing) data, the obligation under Article 12, paragraph 3 , GDPR to react within one month, already triggered with the receipt of the request. If the "party obliged to provide information" in this context - in particular after checking the existing database - comes to the conclusion that the provision of information is either legally not owed or factually impossible, he will inform the applicant without delay in accordance with Art. 12 Para. 4 DSGVO about the Reasons for this and the possibility of lodging a complaint with a supervisory authority or lodging a judicial remedy (cf. on the earlier - and fundamentally comparable - legal situation the decision of the DSK of 10 July 2009, GZ: K121.495/0013-DSK/ 2009, according to which, even in the case of a legally invalid application, an obligation to react was to be assumed as a rule). In accordance with Article 12, paragraph 4, GDPR, he informs the applicant without delay about the reasons for this and about the possibility of lodging a complaint with a supervisory authority or lodging a judicial remedy. Compare the earlier - and fundamentally comparable - legal situation with the decision of the DSK of 10 . July 2009, GZ: K121.495/0013-DSK/2009, according to which, even in the case of a legally invalid application, an obligation to react was generally to be assumed).

The Federal Administrative Court also assumes that there is an obligation to react, even if the recipient of an application for information cannot be considered responsible (ruling of October 20, 2015, GZ W214 2105746-1).

The (substantive) right to information is intended to put the data subject in a position to assert subjective rights guaranteed under Union law - such as rights to rectification and erasure, but also the right to lodge a complaint as a result of unlawful processing (cf. the decision of the VwGH of 27 May 2009, Zl. 2007/05/0052, mwN, as well as the judgment of the ECJ of May 7, 2009, Case C-553/07, The (substantive) right to information is intended to put the data subject in the situation, subjective rights guaranteed under Union law - For example, rights to rectification and erasure, but also the right to lodge a complaint as a result of unlawful processing - compare the decision of the Administrative Court of May 27, 2009, Zl. 2007/05/0052, with further references, and the judgment of the ECJ of May May 2009, Case C-553/07, Rijkeboer).

According to the will of the EU legislator, the obligation to react and inform is constructed to a certain extent - in the form of an exercise modality - as a (upstream) starting point for the assertion of data subject rights (representative: Art. 15 GDPR). If the body to which the request is addressed remains (entirely) inactive (Art. 12 Para. 3 GDPR) or if the applicant is not informed of the reasons for this (Art. 12 Para. 4 GDPR), it is for It is simply impossible for them to direct their request to the right place (responsible person) or to improve it and thus, as a result, to effectively assert their rights as a data subject (cf. the right to written rejection of a request for information after the earlier one - and which is comparable in terms of meaning and purpose - Legal situation the decision of the DSK of April 10, 2013, GZ: K121.924/0006-DSK/2013). is designed according to the will of the EU legislator to a certain extent - in the form of an exercise modality - as a (upstream) starting point for the assertion of data subject rights (representative: Article 15, GDPR). If the body to which the request is addressed remains (entirely) inactive (Article 12, Paragraph 3, GDPR) or if the applicant is not informed of the reasons for this (Article 12, Paragraph 4, GDPR), it is for It is simply impossible for them to direct their request to the right place (responsible person) or to improve it and thus, as a result, to effectively assert their rights as a data subject the decision of the DSK of April 10, 2013, GZ: K121.924/0006-DSK/2013).

The circumstance brought up by the Respondent that the legislature refers in § 24e Para. 1 GTelG 2012 with regard to the exercise of data subject rights to the "ELGA ombudsman's office" set up specifically for this purpose has no effect on the already triggered by the receipt of the complainant's application To change the Respondent's obligation to react or - in the event of non-action - to inform the Respondent. ELGA ombudsman's office" cannot change anything in the respondent's obligation to react or - if not take action - to inform the respondent, which was already triggered by the receipt of the complainant's application.

As a result, the Respondent violated its obligation under Art. 12 Para. 3 and Para. 4 GDPR by not responding and thereby deprived the Complainant of the right to information under Art. 15 Para. 1 leg. cit. injured. the Respondent has violated its obligation under Article 12, Paragraph 3 and Paragraph 4 of the GDPR by not responding and has thereby infringed the complainant's right to information in accordance with Article 15, Paragraph 1, leg. cit. injured.

It was therefore to be decided accordingly.

D.2. Regarding point 2

As for point D.1. As already explained in more detail, the Respondent violated the Complainant's right to information as a result of non-response and was therefore instructed to respond to the Complainant's request accordingly.

The performance mandate is based on Article 58 (2) (c) GDPR, according to which the supervisory authority can order that the data subject's requests to exercise the rights to which he or she is entitled under this regulation are to be complied with. is based on Article 58, paragraph 2, litera c, GDPR, according to which the supervisory authority can order that the requests of the data subject to exercise the rights to which they are entitled under this regulation are to be met.

A response period of four weeks seems reasonable in this context.

It was therefore to be decided accordingly.