DSB (Austria) - 2023-0.583.644

From GDPRhub
Authority: DSB (Austria)
Jurisdiction: Austria
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(c) GDPR
Article 6 GDPR
Article 30 GDPR
Type: Complaint
Outcome: Upheld
Started: 25.11.2021
Decided: 07.12.2023
Published: 17.01.2024
Fine: 20,000 EUR
Parties: n/a
National Case Number/Name: 2023-0.583.644
European Case Law Identifier: AT:DSB:2023:2023.0.583.644
Appeal: Pending appeal, BVwG (Austria)
Original Language(s): German
Original Source: RIS (in DE)
Initial Contributor: co

The Austrian DPA imposed a fine of €20,000 on a controller for unlawfully making use of cameras recording its employees at work and for failing to maintain a record of its processing activities under Article 30 GDPR.

English Summary

Facts

Two data subjects, former employees of a restaurant (the controller), filed a complaint with the Austrian DPA (Datenschutzbehörde, DSB) because they had noticed that they were being recorded by a camera in the workplace and that the employer could access the recordings at any time. The controller submitted that the cameras served the purpose of protecting its property and its workers and that the processing was based on the employees' consent under Article 6(1)(a) GDPR. The controller added that recordings were kept for a period of 14 days and then automatically deleted.

The DSB issued its decision on 26 September 2022, stating that the controller had violated the data subjects' right to privacy because it had installed cameras that unlawfully recorded the kitchen working area of its premises, not just the outside. Further, the DSB added that the controller had acted in violation of Article 30 GDPR, as it failed to maintain a record of processing activities. The controller appealed this decision before the Federal Administrative Court (Bundesverwaltungsgericht, BVwG) and the case is still pending.

On 8 March 2023, the DSB initiated sanctioning proceedings against the controller and requested it to submit further justifications. The controller provided only generic statements, apart from changing the legal basis it relied on from Article 6(1)(a) GDPR to Article 6(1)(f) GDPR, and did not disclose its annual global turnover, which the DSB therefore had to research itself.

The DSB then suspended the sanctioning proceedings until the CJEU decision in C-807/21.

Holding

The DSB reopened the sanctioning proceedings on 5 December 2023, after publication of the CJEU judgment.

First of all, the DSB reassessed the facts of the case and ascertained that the controller had cameras in place that not only recorded the outside area of the restaurant but also the kitchen, bar, entrance and storage room and did not maintain any records of its processing activities at least since 2018.

The DSB assessed the legal bases relied upon by the controller. First, as regards consent, the DSB found that the controller was unable to prove that the data subjects had consented to the processing operations and was thus also unable to demonstrate compliance with Article 5(2) GDPR. The DSB then examined whether the controller could lawfully rely on Article 6(1)(f) GDPR as a legal basis, which it only put forward during the proceedings. In this regard the DSB held, with reference to Austrian case law and to the EDPB Guidelines, that switching from consent to legitimate interest as a legal basis merely because the former cannot be relied upon is to be deemed unlawful. The DSB therefore concluded that the processing was unlawful, as it could not be based on a valid legal basis under Article 6 GDPR; it also considered the storage period of the recordings to be too long and thus in violation of Article 5(1)(c) and (e) GDPR.

Further, the DSB also took into account the fact that the controller was unable to justify its failure to maintain a record of processing activities as mandated by Article 30(1) GDPR.

In conclusion, the DSB confirmed that the controller had violated Articles 5(1)(a), 5(1)(c), 6 and 30 GDPR. Taking into account the estimated turnover of the controller and the criteria set out in Article 83 GDPR and EDPB Guidelines 04/2022, the DSB considered the violation to be of a high level of seriousness and decided to impose a fine of €20,000 on the controller.

Comment

Please note that under Austrian Procedural Law, sanctioning proceedings constitute a separate set of proceedings which are split from the "assessment" part of the procedure.

Here, the "assessment" part of the DSB's decision confirming a violation of the GDPR was appealed by the controller, but the case number is not known. However, the controller did not appeal the separate sanctioning decision imposing a fine.


English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.


GZ: 2023-0.583.644 from December 7, 2023 (Procedure number: DSB-D550.731)

[Editor's note: Names and companies, legal forms and product names, addresses (including URLs, IP and email addresses), file numbers (and the like), etc., as well as their initials and abbreviations may be abbreviated and/or changed for pseudonymization reasons. Obvious spelling, grammar and punctuation errors have been corrected.]

Penalty finding

Accused legal entity: N*** Gastronomie GmbH (FN 3*3*68b)

The accused legal entity, based at **31 K***hausen, O***straße *6/8/*7 (hereinafter "N***GG"), as the responsible party in accordance with Art. 4 Z 7 of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data, on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter: "GDPR"), OJ No. L 119 of May 4, 2016, p. 1 as amended, realized the following facts and thereby committed the following administrative offenses:

I. In its role as responsible party in accordance with Art. 4 Z 7 GDPR, N***GG, for a period of time that cannot be determined in more detail, but at least from July 31, 2020 to September 26, 2022 (hereinafter "period 1"), at the location in **12 K***hausen, M***platz *3 (hereinafter "crime scene 1"), unlawfully processed personal data by operating an image processing system (video surveillance system) at crime scene 1, the recording area of the system being the interior of its premises ("N*** Delivery & Take away") at crime scene 1 (including the workplaces of N***GG employees in the kitchen and pick-up area). The storage period for the recordings was 14 days and the recording was carried out continuously - that is, without interruptions (such as outside operating hours). As a result, the data processing by N***GG was not adequate, relevant and limited to what was necessary for the purposes of the processing and could not be based on any legal basis in accordance with Art. 6 Para. 1 GDPR.

II. In addition, N***GG, in its role as controller in accordance with Art. 4 Z 7 GDPR, for a period of time that cannot be determined in more detail, but at least since May 25, 2018 (or since the GDPR came into force) until March 8, 2023 (hereinafter "crime period 2"), in **31 K***hausen, O***straße *6/8/*7 (headquarters of N***GG - hereinafter "crime scene 2"), violated its obligation to keep a register of processing activities within the meaning of Article 30 Paragraph 1 GDPR by not keeping such a processing register in the form specified in Article 30 Paragraph 3 GDPR (in writing or in an electronic format).

The accused legal entity therefore violated the following requirements of the GDPR:

   The lawful processing of personal data on the basis of a legal basis pursuant to Article 6, Paragraph 1 of the GDPR

   The obligation to keep a register of all processing activities in accordance with Article 30 of the GDPR

   Principle of processing personal data lawfully, in good faith and in a manner that is understandable for the data subject in accordance with Article 5 (1) (a) of the GDPR ("Lawfulness, processing in good faith, transparency")

   Principle of processing personal data that is adequate, relevant and limited to what is necessary for the purposes of the processing in accordance with Article 5 (1) (c) of the GDPR ("data minimisation")

Administrative offenses according to:

Ad. I.: Art. 5 Para. 1 lit. a and c as well as Art. 6 Para. 1 in conjunction with Art. 83 Para. 1 and 5 lit. a GDPR OJ L 2016/119, p. 1, as amended

Ad. II.: Art. 30 Paragraph 1 in conjunction with Art. 83 Paragraph 1 and 4 Letter a GDPR OJ L 2016/119, p. 1, as amended

For these administrative violations, the following penalty is imposed in accordance with Article 83 of the GDPR:

Fine of euros: €20,000, according to Art 83 Paragraph 5 Letter a GDPR OJ L 2016/119, p. 1, as amended

Furthermore, in accordance with Section 64 of the Administrative Penalties Act 1991 - VStG, you must also pay:

2,000,- Euros as a contribution to the costs of the criminal proceedings, which is 10% of the fine, but at least 10 Euros;

Euros as a replacement for cash expenses

The total amount payable (penalty/costs/cash expenses) is therefore 22,000,- Euro

Payment deadline:

If no complaint is made, this penalty is immediately enforceable. In this case, the total amount must be paid into the account [shortened here] in the name of the data protection authority within two weeks of the entry into legal force. The business number and the completion date should be stated as the intended purpose.

If no payment is made within this period, the total amount can be collected. In this case, a flat-rate contribution of five euros must be paid. If payment is still not made, the outstanding amount will be enforced.

Reason:

1. The following facts relevant to the decision are established on the basis of the evidence procedure carried out:

1.1. About the procedure:

With a joint submission dated November 25, 2021, two former employees of N***GG (Mr. Johann A*** and Mr. Enrico B*** - hereinafter "affected") lodged a complaint with the data protection authority (hereinafter "DSB") for violation of the right to secrecy and essentially stated that N***GG was monitoring them at their workplace at crime scene 1 using a video surveillance system. The managing directors of N***GG were able to access the recordings from the video surveillance system via smartphone at any time.

The DSB then initiated a complaint procedure in accordance with Art. 77 GDPR in conjunction with Section 24 DSG under GZ: D124.5325 and asked N***GG to comment on this.

After numerous requests for comments and for submission of screenshots of the recording area of the cameras, which N***GG initially refused without any objective justification, the accused finally submitted the requested documents (recording area of the system) in the complaint procedure in a statement dated June 21, 2022 and stated that the use of the cameras served to protect the property of the accused and to protect N***GG's customers and employees and represented the most lenient means. The recordings from the cameras would be stored for a period of 14 days. The recordings would then be automatically deleted. The accused based the processing on the alleged consent of those affected in accordance with Art. 6 Para. 1 lit. a GDPR.

As a result, the DSB concluded the complaint procedure against N***GG in accordance with Art. 77 GDPR in conjunction with Section 24 DSG with a decision dated September 26, 2022 (GZ: D124.5325 / 2022-0.646.831). The DSB upheld the complaints of those affected and stated in the decision that N***GG had violated those affected in their right to secrecy by using a video surveillance system in the kitchen of its premises that captured image recordings covering the entire kitchen work area. Under ruling point 2, N***GG was ordered to impose a time and location restriction with regard to the video surveillance system (restrict the recording area and operating hours). The DSB also found that the accused does not keep a record of processing activities (see point C.6, p. 11). The decision was contested by N***GG by means of a complaint dated October 27, 2022 and is currently pending at the Federal Administrative Court under a GZ unknown to the DSB.

In a letter dated March 8, 2023, the DSB initiated the administrative criminal proceedings against N***GG and asked them to justify themselves. As part of the request, the accused was also asked to disclose her annual sales for the previous year.

In response, the accused submitted a written justification in a letter dated April 6, 2023 and requested that the proceedings be discontinued with reasons that were essentially limited to general information. In addition, the defendant's representative's statement was unclear. Finally, annual sales were not disclosed either.

In a letter dated May 16, 2023, the DSB therefore asked the accused to provide a supplementary statement, to clarify the announcement of the power of attorney and to disclose their annual turnover. The accused refused to further participate in the administrative criminal proceedings and made no further statement in response.

With a decision dated June 14, 2023, the DSB suspended the proceedings in question in accordance with Section 24 VStG in conjunction with Section 38 AVG until the final decision by the Court of Justice of the European Union (ECJ) in case C-807/21 (Deutsche Wohnen SE). This suspension decision became legally binding due to a lack of legal recourse.

With a decision dated December 5, 2023, the DSB lifted the suspension decision of June 14, 2023 ex officio and continued the administrative criminal proceedings - taking into account the judgment of December 5, 2023 of the ECJ in case C-807/21.

Assessment of evidence: The findings to date regarding the course of the procedure result from the relevant administrative penal file and from the administrative file on the complaint procedure (GZ: D124.5325).

1.2. To operate the video surveillance system:

N***GG has been exercising the regulated trade of "hospitality in the restaurant operating mode" since December 18, 2013 and has been operating an establishment for this purpose at crime scene 1 since December 21, 2020 ("N*** Delivery & Take Away").

N***GG installed a video surveillance system with a total of three video cameras within the premises at crime scene 1 for the purpose of protecting its property and its employees ("from dangerous attacks by third parties or from unjustified accusations by guests or other employees") and operated it at least from July 31, 2020 to September 26, 2022.

The recording area of the video surveillance system included the entire kitchen area, the storage room and the bar or counter including the entrance and guest area within the business premises. The recording area of the system during this period was as follows (formatting of the transmitted photographs was not reproduced 1:1):

[Editor's note: The digital photograph reproduced here in the original (screenshot of color images of the video surveillance in question, apparently from the display of a mobile phone) shows the settings in three parts of the image, i.e. the recording areas of three cameras, referred to as "kitchen", “Warehouse” and “Entrance”. It can be seen on the parts of the image that the day and time of the recording are shown.]

The recordings from the video surveillance system were retained for a period of 14 days and were automatically deleted after this period.

There were no time restrictions on processing (e.g. operation/activation of the video surveillance system only outside of operating hours).

Assessment of evidence: The findings regarding the operation of the hospitality industry emerged from an inspection of the Austrian trade information system (GISA query as of the deadline: August 8, 2023).

The findings regarding the operation and purpose of the video surveillance system as well as the number of cameras at crime scene 1 are based on the accused's own statements and are therefore undisputed (see written justification dated April 6, 2023).

The determination that the video surveillance system was operated at crime scene 1 during crime period 1 is based on the following: First of all, it should be noted that the accused was charged with a specific crime period (July 31, 2020 to September 26, 2022) as part of the request for justification. The accused did not dispute this in the course of their written justification and did not make any (contradictory) submissions in this context. The accused claimed that the statute of limitations had expired from a legal point of view, but referred to a letter from the DSB dated December 29, 2021, which obviously represented a request to comment in the complaint procedure (GZ: D124.5325 / 2021-0.832.353) and not a request for justification in the present case.

In the request for a supplementary statement, the accused was again given the opportunity to make a statement in this context or to shed more light on the above-mentioned statement. The accused no longer complied with this request.

The established period is also based on the information provided by those affected, both of whom have been employed at the defendant's premises as managers and cooks since at least July 31, 2020 and who, as part of this employment, were responsible for the operation of the video surveillance system in question and ultimately, through their joint submission dated October 28, 2021, made it the subject of a complaint procedure. In summary, they stated in the complaint that, after consulting with the Chamber of Labor, they wished to lodge a complaint because they were being monitored by the video surveillance system at their workplace. The operation of the video surveillance system was not disputed by the accused (neither in the complaint proceedings nor in the administrative criminal proceedings). Finally, in the course of the statement dated June 21, 2022, the accused submitted several photographs or screenshots of the recording area of the facility as evidence in the complaint proceedings (Annex ./6). A time stamp can be seen on these photographs ("June 15, 2022"). The accused did not make any changes to the video surveillance system throughout the complaint process, but instead insisted on the legality of the video surveillance. Therefore, as the end of the period, it could be assumed that the system was operated at least until the decision was issued in the complaint proceedings on September 26, 2022.

The established recording area of the video surveillance system within the premises is based on the accused's own information, i.e. on the photographs she submitted as part of the statement dated June 21, 2022 in the complaint procedure (Attachment ./6), and is therefore undisputed. The findings regarding the storage period of 14 days and the lack of time restrictions also arise from the accused's own statements (see justification dated April 6, 2023).

With regard to the video surveillance system, the following clause on "camera recording" in the "safe and bar area" was included under point 13 of the employment contracts of N***GG employees (formatting not reproduced 1:1):

[Editor's note: The excerpt from the contract text reproduced here as a facsimile (graphic file) cannot be pseudonymized with reasonable effort and is therefore reproduced as text (quotation marks not in the original).]

“13. Miscellaneous:

Camera recording:

The safe and bar area is video-monitored using cameras. Video surveillance is not intended to monitor employees, but rather serves exclusively to protect the employer's operating facilities and to protect employees. The employee gives his express consent to carry out the video surveillance shown.”

Assessment of evidence: This finding is based on the accused’s own statements. In the complaint proceedings, the accused presented the employment contracts she used as evidence.

N***GG did not keep a register of the processing activities under its responsibility from at least May 25, 2018 to March 8, 2023.

Assessment of evidence: This finding initially results from N***GG's statement of August 25, 2022 in the complaint procedure. In the course of this statement, she stated, among other things, that due to the lack of processing activity ("or these image recordings are not processed"), it was not clear to her "which records should be kept here in accordance with Article 30 GDPR". In addition, as part of the request for justification, the accused was specifically accused of violating Article 30 GDPR. The defendant responded to this accusation by saying that the video recordings can only be viewed by the commercial managing directors and only they have the login data. Additionally, the recordings would be automatically deleted after 14 days if preservation of evidence is not required. Therefore, it is not clear to them "which records should be kept here in accordance with Article 30 GDPR". This shows without a doubt that the accused did not keep a processing register at least since the GDPR came into force on May 25, 2018 until the time of the request for justification.

1.3. On the defendant's turnover

The relevant turnover of the accused could not be determined.

Assessment of evidence: The turnover could not be determined due to a lack of cooperation from the accused. No documents were provided in this context. As part of the request for justification, the accused was asked to disclose her turnover. The accused did not comply with this request in the course of her written justification. Subsequently, during the course of the procedure, she was again asked to disclose her turnover, and it was pointed out to her that in the event of a lack of cooperation in this context, an estimate would have to be made. There was no further response from the accused to the latter request. The data protection authority finally carried out an official search within the company register (company register extract/annual financial statements) and inspected the available documents. Specifically, the defendant's annual financial statements for 2022 can be viewed in the commercial register, but this document does not contain an excerpt from the defendant's profit and loss statement for 2022 or any other information on the sales revenue generated. The only thing that can be seen from the annual financial statements available in the commercial register is that the accused achieved a balance sheet profit of EUR 22*.9*1.89.

2. Legally, it follows:

2.1. On the responsibility of the data protection authority and the scope of application of the GDPR

Art. 83 Para. 5 lit. a GDPR stipulates that violations of the provisions of Articles 5, 6, 7 and 9 GDPR may result in fines of up to 20,000,000 euros or, in the case of a company, of up to 4% of its total worldwide annual turnover for the previous financial year, whichever of the amounts is higher.

According to Section 22 Para. 5 DSG, the responsibility for imposing fines on natural and legal persons for Austria as the national supervisory authority lies with the DSB.

According to Article 2 Paragraph 1 GDPR, the Regulation applies to the fully or partially automated processing of personal data as well as to the non-automated processing of personal data stored or intended to be stored in a file system.

The image data recorded by the video cameras in the present case undoubtedly represents personal data within the meaning of Article 4, Paragraph 1, GDPR (cf. ECJ December 11, 2014, C-212/13, paragraph 2). Through the use of the video surveillance system in question, processing was carried out within the meaning of Article 4, Paragraph 2, GDPR. To the extent that the accused states in this context that there is "no processing activity" in the specific case and therefore no register needs to be kept, it can be pointed out that the legal definition according to Article 4, Paragraph 2, GDPR does not require "minimum processing" (cf. BVwG of September 3, 2019, GZ: W214 2219944-1). From the wording of the definition it can be seen that the creation or recording of personal data constitutes processing. In addition, the accused herself claims that the recordings will be stored for a period of 14 days. Storage also represents independent processing within the meaning of Article 4, Paragraph 2, GDPR.

In light of the facts assumed to be proven, the accused is to be qualified as the person responsible in accordance with Article 4, Paragraph 7 of the GDPR, since she operated a video surveillance system primarily to protect her property. The accused did not dispute her role as responsible party (neither in the complaint proceedings nor in the administrative criminal proceedings). As the person responsible, the accused is the addressee of the relevant obligations of the GDPR in connection with the video surveillance system in question, which will be examined in more detail below.

2.2. On the lawfulness of the processing by the video surveillance system (point I.)

The accused stated that the primary purpose of the video surveillance system was to protect her property. In addition, as noted, she also raised the protection of her employees. In the complaint procedure, the accused initially presented the consent of her employees (Article 6(1)(a) GDPR) as the legal basis for the processing by the video surveillance system. However, in response to the request for justification in the present proceedings, the accused ultimately based the processing on legitimate interests pursuant to Article 6(1)(f) GDPR. As part of the complaint procedure, the accused thus initially based the processing (in her first statements) on the consent of her employees and subsequently on legitimate interests. In any case, both legal bases under consideration will be examined in more detail below. The remaining legal bases under Article 6(1) GDPR were not put forward and are not relevant in the present case even after an ex officio examination.

2.2.1. Consent as a legal basis according to Article 6(1)(a) GDPR

According to Article 4(11) GDPR, “consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes, in the form of a statement or another clear affirmative act, by which the data subject signifies agreement to the processing of personal data relating to him or her.

According to Article 7(4) GDPR, and taking into account Art, when assessing whether consent is freely given, utmost account must be taken of whether the performance of a contract is made conditional on consent to processing that is not necessary for the performance of that contract. Consent is in particular not freely given if a disadvantage is to be expected should consent not be given (see the DSB's decision of April 16, 2019, GZ: DSB-D213.679/0003-DSB/2018).

Article 7(1) GDPR clearly sets out the express obligation of the controller to demonstrate the consent of the data subject. According to Article 5(2) in conjunction with Article 7(1) in conjunction with Article 24(1) GDPR, the burden of proof lies with the controller. Recital 42 GDPR states: “Where processing is based on the data subject's consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation”.

In this context, the ECJ has expressly made it clear in a decision that the controller bears the burden of proof for compliance with the principles pursuant to Article 5(1) GDPR. This means that the controller must, for example, demonstrate that the data are collected for specified, explicit and legitimate purposes and are processed lawfully, fairly and in a manner that is transparent to the data subject. In addition, with regard to consent under Article 7(1) GDPR, the ECJ pointed out that in those cases in which the processing is based on consent, the controller bears the burden of proof that the data subject has consented to the processing of his or her personal data. In this context, the controller bears the burden of proof in particular as to whether the consent was actually given effectively, in particular freely (cf. ECJ of July 4, 2023, C-252/21, paragraphs 95 and 152 ff).

In a recent decision, the ECJ once again recalled that, in light of their obligations under the GDPR, controllers must not only take appropriate and effective measures, but must also be able to demonstrate that their processing activities comply with the GDPR and that the measures taken are also effective in ensuring this compliance (cf. ECJ of December 5, 2023, C-807/21, paragraph 38).

In the specific case, the accused initially relied on the consent of the employees, but during the complaint procedure was unable to demonstrate valid consent to the processing by the video surveillance system within the meaning of the above-mentioned provisions and requirements of the GDPR, in particular that the consent was freely given. Moreover, even if such consent from the employees had existed, it could not have met the criterion of being freely given in the specific case (compare all of this with the statements and cited case law in the DSB's decision of September 26, 2022, p. 13). Both in the appeal against the decision of September 26, 2022 and in her written justification of April 6, 2023, the accused stated that she considered the video surveillance found in the kitchen of the business premises to be “absolutely necessary”. It is therefore evident that the accused would not have uninstalled the camera in question in the kitchen, but would have continued to operate it, even if an employee had not given his or her consent. The employees therefore had no alternative had they decided not to consent to the operation of the video surveillance system. By withholding consent, the employees would moreover have violated the clause established in their employment contract (“camera recording”) (prohibition of coupling pursuant to Article 7(4) GDPR).

Measured against this, the processing in question could not be based on any consent of the employees within the meaning of Article 6(1)(a) in conjunction with Article 7 GDPR. Finally, in this context it should be noted that in her justification dated April 6, 2023, the accused relied only on a legitimate interest as the legal basis.

2.2.2. On the legitimate interest as a legal basis according to Article 6(1)(f) GDPR

With regard to the change of legal basis in the course of the proceedings, it should be noted at the outset that the DSB, in line with the guidelines of the European Data Protection Board (EDPB), assumes that a subsequent change of the legal basis from Article 6(1)(a) to (f) leg. cit. is not permitted where the declaration of consent is invalid (cf. BVwG of September 28, 2023, W256 2227693-1, in connection with a customer loyalty program). Regardless of this, the legal basis under Article 6(1)(f) GDPR will be examined in more detail in the specific case.

With regard to the lawfulness of processing, it is noted that Article 5 GDPR sets out the principles for the processing of personal data and stipulates in paragraph 1(a) that personal data must be processed lawfully, fairly and in a manner that is transparent to the data subject (“lawfulness, fairness and transparency”). Article 5(1)(c) GDPR also stipulates that the specific data processing must be adequate, relevant and limited to what is necessary in relation to the purposes of the processing (“data minimisation”).

The requirements for lawful data processing are specified in Article 6 GDPR. According to this, the lawfulness of any processing requires that, cumulatively with the other principles regulated in Article 5(1), at least one of the legal grounds conclusively set out in Article 6(1) GDPR is satisfied (cf. Selmayr in Ehmann/Selmayr, General Data Protection Regulation, Commentary², Art 5 Rz 8f).

Article 6(1)(f) GDPR provides for three cumulative requirements: (i) the pursuit of a legitimate interest; (ii) the necessity of the processing; and (iii) no overriding of the rights and freedoms of others (cf. ECJ of December 11, 2019, Case C-708/18, paragraph 36 with further references).

With regard to the pursuit of a legitimate interest, the ECJ has already pointed out that the protection of property and the protection of health and life can in principle constitute legitimate interests for the operation of a video surveillance system (cf. ECJ judgment of December 11, 2019, Case C-708/18, paragraph 42). Data processing for the purpose of establishing, exercising or defending legal claims can also constitute a legitimate interest (cf. Article 9(2)(f), Article 17(3)(e), Article 18(2) and Article 21(1) GDPR; cf. ECJ of June 17, 2021, C-597/19, paragraph 108 ff). In the present case, a legitimate interest on the part of the accused cannot be ruled out.

At the same time, however, the ECJ stated that any data processing must, as regards its admissibility, comply with the principles for processing set out in Article 5(1) GDPR (cf., on the old but identical legal situation, the ECJ judgment of May 13, 2014, C-131/12, paragraph 71 with further references). With regard to the necessity of processing, the ECJ stated that exceptions and limitations in relation to the protection of personal data must be limited to what is strictly necessary (cf. the ECJ judgments of May 4, 2017, C-13/16, and of November 9, 2010, C-92/09 and C-93/09). In other words: it must be examined whether the same protective purpose can also be achieved by a less invasive means, or whether the desired goal can be achieved with less intrusive data processing.

In the present case, the accused had, in summary, a legitimate interest in the operation of the video surveillance system (primarily the protection of her property and also the protection of her employees), but the specific processing, namely the configured recording area, the operating time and the 14-day storage period of the recordings, was not necessary and therefore not the mildest means of safeguarding the interests mentioned. With regard to the intensity of the processing, it should be noted that in this specific case there was a serious interference with the employees' fundamental right to confidentiality, as they were constantly and continuously monitored at their workplace. In particular, video surveillance was not restricted to times outside operating hours.

The criterion of necessity is closely linked to the principle of data minimisation (Article 5(1)(c) GDPR). Accordingly, the data processed must be adequate, relevant and limited to what is necessary in relation to the purposes of the processing. Even where video surveillance appears to be absolutely necessary, measures must be taken to limit the recording area, such as applying a physical shutter or pixelating non-relevant areas (see European Data Protection Board (EDPB) Guidelines 3/2019 on the processing of personal data through video devices, Version 2.1, Rz 25-27).

In this specific case, given the configured recording area, the configured operating time of the camera in the kitchen area and the storage period of 14 days, no necessity of the processing within the meaning of Article 5(1)(c) GDPR can be recognised. With regard to the recording area and the operating time of the camera in the kitchen area, reference can be made to the statements in the DSB's decision of September 26, 2022 (p. 15 f).

In addition, due to the disproportionately long storage period, the processing is neither necessary nor the mildest means. The principle of storage limitation under Article 5(1) GDPR specifies the principle of data minimisation with regard to the storage period, which must be limited to the absolutely necessary minimum. The period, or the criteria used to determine the time of deletion, must be limited to the minimum strictly necessary for the purposes of the processing. Determining these periods or criteria therefore requires a case-by-case assessment in which the necessity of storing the data is evaluated against the processing purposes (cf. Hötzendorfer/Tschohl/Kastelitz in Knyrim, DatKomm Art. 5 GDPR, paragraph 49f).

In the present case, the controller chose a storage period of 14 days. The data protection authority does not assume that, in the event of a break-in or damage to property, the accused would need 14 days to become aware of this and subsequently access the recordings. In the event of break-ins, damage or other incidents for which a recording could be necessary for clarification, it must be assumed that such a recording would be saved promptly after the respective event and, for example, transmitted to the security authorities (cf. BVwG of June 2, 2021, W211 2232587-1, p. 23). For such video surveillance systems, the data protection authority generally assumes a storage period of 72 hours (controllers are informed of this on the data protection authority's website at https://www.dsb.gv.at/download-links/fragen-und-antworten.html#Stationaere_Videoueberwachung). A storage period of 14 days would require special reasons, which, however, the accused did not explain (cf. also EDPB Guidelines 3/2019 on the processing of personal data through video devices, Version 2.1, Rz 121), although she bears the burden of proof for this pursuant to Article 5(2) GDPR.

The accused was therefore unable, contrary to her obligation to provide evidence (see the ECJ case law cited above on the controller's duty of accountability), to comprehensibly demonstrate the necessity of the processing with respect to the above-mentioned settings, neither in the complaint procedure nor in the present proceedings. With the request for a supplementary statement in the specific proceedings, the accused was expressly informed of this and asked to explain the necessity of the processing. The accused did not comply with this request.

Since the processing is not necessary, there is no need to balance the interests in the narrower sense between the interests of the accused and those affected.

As a result, the requirements of the legal bases under Article 6(1)(a) and (f) GDPR are not met for the specific processing. No other legal basis under Article 6(1) GDPR comes into consideration, nor was any put forward. The processing of the image data by the video surveillance system in question was therefore unlawful.

This means that the objective elements of a violation of the principles for processing in Article 5(1)(a) and (c) and of Article 6(1) GDPR are fulfilled.

2.3. On the violation of Article 30 GDPR (point II.)

In accordance with Article 30(1) GDPR, each controller and, where applicable, the controller's representative must maintain a record of all processing activities under its responsibility. This record must contain the information listed in Article 30(1)(a) to (g) GDPR. Under Article 30(3) GDPR, such a record must be kept in writing, although an electronic format is also permitted. According to Article 30(4) GDPR, controllers must make this record available to the supervisory authority on request.

In the present case, as established, the accused did not keep such a record of the processing activities within its responsibility. Therefore, she was unable to provide such a list at the request of the DSB as part of the complaint procedure.

In this context, the accused submitted, in summary, that only the managing directors of N***GG had access to the recordings of the system and that the recordings were automatically deleted after 14 days if no evidence was deemed necessary. Therefore, in this specific case there was “no processing activity”, and it was not clear which records needed to be kept here. Finally, reference was again made to the purpose of the system.

With regard to the fact that there is processing within the meaning of Article 4(2) GDPR in this specific case, reference can be made to the statements above under point 2.1. As already stated, the accused, in her role as controller, processed personal data of her employees and customers through the use of the video surveillance system. As a result, she is subject to the relevant obligations of the GDPR and therefore also to the obligation to maintain a record of processing activities in accordance with Article 30(1) GDPR. The exception in Article 30(5) GDPR is not relevant in this specific case due to the regular or permanent processing by the video surveillance system (see Jahnel, Commentary on the General Data Protection Regulation, Art. 30 GDPR, Rz 13 (as of December 1, 2020, rdb.at)).

This means that the objective elements of a violation of Article 30(1) GDPR are also fulfilled.

2.4. On the criminal liability of the accused as a legal person according to Article 83 GDPR

The requirements for the imposition of fines on both natural persons and legal entities are standardised in Article 83 GDPR. However, the national legislature has standardised further “general conditions for the imposition of fines” in Section 30(1) and (2) DSG.

According to Section 30(1) DSG, the data protection authority can impose fines on a legal entity if violations of the provisions of the GDPR were committed by persons who acted either alone or as part of an organ of the legal entity and who hold a management position within the legal entity on the basis of (1) the power to represent the legal entity, (2) the power to make decisions on behalf of the legal entity, or (3) a power of control within the legal entity.

Under Section 30(2) DSG, legal persons can also be held responsible for violations of the provisions of the GDPR in those cases in which a lack of supervision or control by a person referred to in Section 30(1) DSG enabled the commission of these violations by a person working for the legal entity (lack of control and supervision), unless the act constitutes a criminal offence within the jurisdiction of the courts.

In its ruling of May 12, 2020, Ro 2019/04/0229, the Administrative Court (VwGH) dealt for the first time with the applicability of the criminal liability requirements of Section 30 DSG in proceedings pursuant to Article 83 GDPR and determined in this context that a legal person cannot act on its own and that its criminal liability under Section 30 DSG is therefore a consequence of the factual, unlawful and culpable conduct of a natural (managerial) person within the meaning of Section 30(1) DSG. Accordingly, for the act of prosecution directed against the legal person to be effective, the act of the natural person (the so-called “attributable person”) must be accurately described. The attribution of the specific act of the manager to the legal entity must be included in the operative part of the decision, and the attributable person must also be named as an identified natural person (cf. VwGH May 12, 2020, Ro 2019/04/0229, with further references). In other words: in proceedings pursuant to Article 83 GDPR, the data protection authority must name in the operative part of the penal decision the natural (managerial) person whose violation of the GDPR or the DSG is to be attributed to the legal person as controller within the meaning of Article 4(7) GDPR, in order to be able to subsequently impose a fine pursuant to Article 83 GDPR on the controller as a legal entity. This attributable person is to be listed as a defendant in the administrative criminal proceedings against the legal entity and has party status per se (see VwGH May 12, 2020, Ro 2019/04/0229, with further references; Zaczek, The association responsibility model of Article 83 GDPR, in Jahnel (ed.), Yearbook Data Protection Law 2020, p. 257 ff).

By decision of December 6, 2021, the Berlin Court of Appeal referred to the ECJ, by way of a request for a preliminary ruling under Article 267 TFEU, questions on the interpretation of Article 83 GDPR regarding whether a company can be directly affected in fine proceedings for a violation of Article 83 GDPR, and presented the following questions in this context:

1. Is Article 83(4) to (6) GDPR to be interpreted as meaning that it incorporates into domestic law the functional concept of an undertaking associated with Articles 101 and 102 TFEU and the function-holder principle, with the result that, by extending the legal-entity principle underlying Section 30 OWiG, fine proceedings can be conducted directly against a company and the fine does not require the establishment of an administrative offence committed by a natural and identified person, possibly fulfilling all elements of the offence?

2. If the answer to question 1 is yes: Is Article 83(4) to (6) GDPR to be interpreted as meaning that the company must have culpably committed the violation mediated by an employee (cf. Article 23 of Council Regulation (EC) No 1/2003 of December 16, 2002 on the implementation of the rules on competition laid down in Articles 81 and 82 of the Treaty), or is an objective breach of duty attributable to the company in principle sufficient for a fine to be imposed on it (“strict liability”)?

Due to the preliminary ruling request from the Berlin Court of Appeal, it was questionable whether the provisions of Section 30(1) and (2) DSG may be applied at all, because they could conflict with the directly applicable provisions of the GDPR, and whether the VwGH's statements in its ruling cited above on the criminal liability of legal entities in proceedings under Article 83 GDPR could be upheld. Since the ECJ's decision on these questions had a prejudicial effect on the proceedings in question, the administrative criminal proceedings were suspended.

The ECJ finally held in its judgment of December 5, 2023 that the directly applicable provisions of Article 58(2)(i) and Article 83(1) to (6) GDPR are to be interpreted as precluding a national regulation according to which a fine for a violation referred to in Article 83(4) to (6) GDPR can only be imposed on a legal person in its capacity as controller if this violation was previously attributed to an identified natural person.

In this context, the ECJ stated that legal entities are liable not only for infringements committed by their representatives, directors or managers, but also for infringements committed by any other person acting in the course of the business activities and on behalf of the legal entity. In addition, it must be possible to impose the fines provided for in Article 83 GDPR directly against legal entities (cf. ECJ of December 5, 2023, C-807/21, paragraph 44).

The (substantive) requirements for the imposition of fines by supervisory authorities are regulated precisely and without any discretion for the Member States in Article 83(1) to (6) GDPR. The GDPR does not contain any provision making the imposition of a fine on a legal person as controller conditional on a prior determination that the infringement was committed by an identified natural person. The GDPR only grants the Member States the possibility to lay down requirements for the procedure to be followed by the supervisory authorities when imposing a fine, but in no way goes beyond these procedural requirements to standardize substantive requirements in addition to those in Article 83(1) to (6) GDPR (cf. ECJ C-807/21, paragraph 45 ff).

The requirements for the imposition of a fine in accordance with Article 83 of the GDPR are therefore determined exclusively by Union law. There are no opening clauses for the Member States in this context.

The ECJ concluded that a national regulation which stipulates additional requirements for the imposition of fines beyond those laid down in Article 83 GDPR violates Article 83(1) GDPR because it weakens the effectiveness and deterrent effect of fines imposed on legal persons. It must be taken into account that fines are a key element of the GDPR and serve to enforce the objectives of this regulation, to ensure the protection of the rights of data subjects and to ensure a high level of protection throughout the Union (see ECJ C-807/21, paragraphs 51 and 73). As a result, the ECJ found that the requirements for the imposition of a fine under Article 83 GDPR are regulated conclusively in Article 83(1) to (6) GDPR (paragraph 53).

In addition to this question, the ECJ also found that the term "undertaking" within the meaning of Articles 101 and 102 TFEU (see Recital 150 GDPR) is only relevant for the calculation of a fine imposed in accordance with Article 83(4) to (6) GDPR (but not for the result summarized above in relation to the first question). Accordingly, the definition of an undertaking under competition law, according to which every entity carrying out an economic activity is included, regardless of its legal form and the way in which it is financed, must be used as the basis for the decision on the amount of the fine (cf. ECJ C-807/21, paragraph 53 ff). In other words, the worldwide annual turnover of the economic unit must be used to calculate the fine if the addressee of the fine is, or is part of, an undertaking within the meaning of Articles 101 and 102 TFEU.

This economic unit consists of a uniform organization of personal, material and intangible resources that permanently pursues a specific economic purpose (cf. ECJ of 6 October 2021, C-882/19, paragraph 41 with further references).

In this regard, the ECJ, like the Advocate General in his Opinion, stated that only a fine whose amount is determined on the basis of the actual or material capacity of the addressee, using the concept of the economic unit, can ultimately fulfill the requirements set out in Article 83(1) GDPR (effective, dissuasive, proportionate) (cf. ECJ C-807/21, paragraph 58 f).

2.5. On the subjective side of the crime

With regard to the second question referred, the ECJ has now explicitly stated, as already accepted by the data protection authority in its previous rulings, that only violations of provisions of the GDPR which the controller commits culpably, i.e. intentionally or negligently, can lead to the imposition of a fine (cf. ECJ of 5 December 2023, C-807/21, paragraph 68).

With regard to the subjective side of the offense, it must be taken into account that the requirement of fault for the imposition of a fine under Article 83 GDPR is to be interpreted autonomously within the Union and assessed in particular in the light of the case law of the ECJ. With regard to the question referred concerning culpability, the ECJ also found that the Union legislature did not grant the Member States any discretion for national regulations in this context, since the substantive requirements are conclusively regulated in Article 83(1) to (6) GDPR (see also ECJ of 5 December 2023, C-683/21, paragraph 64 ff).

Regarding the question of whether an infringement was committed intentionally or negligently and can therefore be punished with a fine, the ECJ made it clear in its judgment cited above that negligence already exists if the accused could not have been unaware of the unlawfulness of his conduct, regardless of whether he was aware that he was violating the provisions of the GDPR (see ECJ C-807/21, paragraph 76).

With reference to further case law, the ECJ also expressly clarified that the application of Article 83 GDPR to legal persons does not require an act, or even knowledge, on the part of the management body of that legal person (cf. ECJ of 5 December 2023, C-807/21, paragraph 77).

The responsibility and liability of a controller extends to any processing of personal data carried out by or on behalf of him. In this context, the controller must not only take appropriate and effective measures, but must also be able to demonstrate that his processing activities are in accordance with the GDPR and that the measures taken to ensure this compliance are also effective (cf. ECJ C-807/21, paragraph 38, with reference to Recital 74).

Applied to this case, this means the following:

First of all, it should be noted that during the investigation there was no evidence that the violations in question were committed by a person who was not acting within the scope of the business activity and on behalf of the legal person. However, according to the judgment of the ECJ, in order to impose a fine on a legal person it is not necessary for the data protection authority to name in its decision an identified natural person who acted in the course of the business activity and on behalf of the legal person and whose actions are attributed to the legal person. It is therefore not relevant to the decision in this case whether and which managing director of the accused is responsible for the violations in question.

In light of the facts assumed to be proven, the data protection authority does not assume any intentional act by the accused. The accused, as controller within the meaning of Article 4(7) GDPR, decided that a video surveillance system would be installed and put into operation for the identified purposes, without inquiring in advance about the relevant administrative regulations. Simply accessing the data protection authority's website (see above) would have been enough to find out, for example, that only a storage period of 72 hours is considered permissible. In addition, the European Data Protection Board has also published recommendations in the form of guidelines on video surveillance on its website (see Guidelines 3/2019 on the processing of personal data by video devices).

In this context, reference can also be made to the decision of the Federal Administrative Court of 8 April 2022, GZ: W214 2240128-1, according to which the complainant in that case also had to be aware "that there are relevant data protection regulations, all the more so since the GDPR became widely known and was discussed in public in 2018 and a large number of media articles appeared on this topic" (see point 3.3.2 on the fulfillment of the subjective side of the crime).

With regard to the unlawful processing of personal data through the operation of a video surveillance system (ruling point I.), there is in any case fault in the form of negligence.

The violation of the mandatory obligation to maintain a processing register cannot be justified by any of the submissions made by the accused. The accused did not adequately inquire about the relevant administrative regulations either before or after the GDPR came into force. However, this would have been possible and reasonable for the accused. There is also fault in the form of negligence with regard to ruling point II.

At the latest since the conclusion of the complaint procedure under Article 77 GDPR in conjunction with Section 24 DSG, it should have been clear to the accused that it was violating the requirements of the GDPR.

In any case, during the course of the investigation there was no evidence to suggest that the accused was not at fault for violating the applicable administrative regulations. In the light of the case law of the ECJ, the accused could not have been unaware of the unlawfulness of its conduct, regardless of whether it was aware that it was violating the provisions of the GDPR (cf. ECJ C-807/21, paragraphs 76 and 77; ECJ C-683/21, paragraphs 81 and 82 with further references).

This means that the subjective side of the crime is also fulfilled.

3. The following must be noted regarding the sentencing:

According to Article 83(1) GDPR, the data protection authority must ensure that the imposition of fines for violations of the sanctioned provisions of the GDPR (Article 83(4), (5) and (6) GDPR) is effective, proportionate and dissuasive in each individual case. In more detail, Article 83(2) GDPR stipulates that certain criteria must be duly taken into account in each individual case when deciding whether to impose a fine and on its amount.

As part of the assessment of the penalty, the data protection authority applied the EDPB guidelines on the calculation of fines under the GDPR (see EDPB Guidelines 04/2022 on the calculation of administrative fines under the GDPR, version 2.1 of 24 May 2023, hereinafter "Fines Guidelines").

The assessment of the penalty within a statutory penalty range is a discretionary decision that must be made in accordance with the criteria established by the legislature in Section 19 VStG (see VwGH 5 September 2013, 2013/09/0106).

According to Section 19(1) VStG, the basis for determining the penalty is the significance of the legal interest protected by criminal law and the intensity of its impairment by the offense. Furthermore, depending on the purpose of the threat of punishment, the possible aggravating and mitigating reasons must be weighed against each other, insofar as they do not already determine the threat of punishment. Particular attention must be paid to the extent of the fault. Taking into account the nature of administrative criminal law, Sections 32 to 35 of the Criminal Code (StGB) are to be applied mutatis mutandis. The income and financial circumstances and any maintenance obligations of the accused must be taken into account when calculating fines (this naturally only applies to natural persons, but can be applied analogously to legal persons); however, this only applies to the extent that the directly applicable provisions of the GDPR do not supersede the provisions of the VStG and to the extent required by Article 83(8) GDPR and Recital 148 with regard to the procedural guarantees to be ensured.

Article 83(3) GDPR stipulates, in deviation from the cumulation principle standardized in Section 22(2) VStG, that in the case of the same or linked processing operations (in the English language version: "the same or linked processing operations") which intentionally or negligently violate several provisions of the GDPR, the total amount of the fine does not exceed the amount for the most serious violation. The absorption principle therefore applies within the scope of application of this provision (comparable to the combination principle standardized in Austrian criminal law in Section 28(1) StGB).

Otherwise (outside the scope of Article 83(3) GDPR), the cumulation principle under Section 22(2) VStG applies (cf. with further references BVwG 12 March 2020, GZ: W256 2223922-1). The Fines Guidelines also note that Article 83(3) GDPR is limited in its application and does not apply to every case in which multiple violations of the GDPR are identified (see Fines Guidelines, Chapter 3, paragraph 39).

In addition, within the meaning of Article 83(1) GDPR, it should be noted that when determining the "total amount of the fine" using the absorption principle under Article 83(3) GDPR, all violations of the GDPR that have been committed must be taken into account. The wording "amount for the most serious violation" refers to the penalty range or the maximum amounts specified by law (see Article 83(4) to (6) GDPR). In this regard, the EDPB noted that within the scope of application of Article 83(3) GDPR, the other violations committed cannot be de facto disregarded, but must be taken into account accordingly when determining the penalty (see Fines Guidelines, Chapter 3, paragraph 43). Otherwise, this would lead to a privileging of controllers and processors who have violated several provisions of the GDPR in the context of an established matter.

With regard to Article 83 Paragraph 3 of the GDPR, the GDPR does not otherwise contain any information about what is meant by “the same or related processing operations”. Nothing further can be found in the recitals either.

According to the Fines Guidelines, when assessing "the same or linked processing operations", it must be taken into account that all obligations necessary for the lawful implementation of the processing operations can be considered. The wording (particularly in the English language version) suggests that the scope of Article 83(3) GDPR includes any infringement that relates to and may affect the same or linked processing operations (see Fines Guidelines, Chapter 3, paragraph 27 f). In this context, the Federal Administrative Court pointed out that, according to general usage, those cases in which several offenses were committed through "one and the same act (processing)" should also be subsumed under this provision, and also referred to the English language version (see with further references BVwG 12 March 2020, GZ: W256 2223922-1).

In the light of these statements, the absorption principle under Article 83(3) GDPR applies in the specific case to the violations identified. The penalty range depends on the most serious violation. Therefore, in the present case, the penalty range under Article 83(5) GDPR applies.

Pursuant to Article 83(5) GDPR, in the event of the infringements referred to therein, in accordance with paragraph 2, fines of up to EUR 20,000,000 or, in the case of an undertaking, of up to 4% of its total worldwide annual turnover of the preceding financial year, whichever is higher, shall be imposed.

The term turnover in Article 83(4), (5) and (6) GDPR is to be understood within the meaning of Article 2(5) of Directive 2013/34/EU of the European Parliament and of the Council of 26 June 2013 on the annual accounts, consolidated accounts and related reports of undertakings of certain legal forms, amending Directive 2006/43/EC of the European Parliament and of the Council and repealing Council Directives 78/660/EEC and 83/349/EEC (hereinafter "Directive 2013/34/EU"). Turnover is the sum of all goods and services sold. Net turnover is the amount resulting from the sale of products and the provision of services after deducting sales rebates and value added tax (VAT) as well as other taxes directly linked to turnover (see EDPB Guidelines 04/2022 on the calculation of administrative fines under the GDPR, version 2.1, paragraph 128 ff).

From the document available to the data protection authority (the accused's annual financial statements in the commercial register), only the balance sheet profit can be seen. However, this is not the relevant turnover in the sense of the definition presented above.

Due to the accused's lack of cooperation in determining the annual turnover, the data protection authority had to make an estimate (cf. VwGH 11 May 1990, 89/18/0179; 22 April 1992, 92/03/0019; 23 February 1996, 95/02/0174). In view of the Fines Guidelines, the estimate places the accused in the lowest category ("undertakings with a turnover up to € 2 million") in relation to its turnover and with a view to the imposition of an effective, dissuasive and proportionate fine. This classification takes due account of the size of the company, in particular to ensure the proportionality of the fine.

The penalty range in the specific case is up to an amount of EUR 20,000,000 (static penalty range) in accordance with Article 83, Paragraph 5 of the GDPR. The dynamic penalty range (4% of annual turnover) does not apply.

In light of the facts assumed to be proven and taking into account the nature, gravity and duration of the infringement (Article 83(2)(a) GDPR) [Editor's note: in the original, due to an obvious editorial oversight, "Art. 83 Para. 1 lit. a GDPR"], the intentional or negligent character of the infringement (Article 83(2)(b) GDPR) as well as the categories of personal data affected by the infringement (Article 83(2)(g) GDPR), the data protection authority assesses the seriousness of the infringement as high ("high level of seriousness").

In relation to the present case, the following were also taken into account as aggravating factors when determining the penalty (beyond the criteria already considered in determining the level of seriousness in accordance with Article 83 Paragraph 1 Letters a, b and g GDPR):

      n/a

In relation to the facts at hand, the following was also taken into account as a mitigating factor when determining the sentence:

      The data protection authority is not aware of any previous relevant violations of the GDPR by the accused.

According to the established case law of the VwGH, considerations of special and general prevention may also be taken into account when determining the penalty (see VwGH 15 May 1990, 89/02/0093; VwGH 22 April 1997, 96/04/0253; VwGH 29 January 1991, 89/04/0061). In any case, the imposition of the specific fine was necessary in the sense of special prevention in order to deter the accused from committing further violations, and in particular to make it aware of the principles of data processing under Article 5(1) GDPR and of its obligations as controller, such as maintaining a processing register. The accused did not show any insight into the alleged offenses, and it can be assumed that it would continue the processing in question if no fine were imposed. The imposition of the fine was also necessary in the sense of general prevention in order to sensitize controllers with regard to the legally compliant use of video surveillance systems, especially in the workplace, and the associated obligations under the GDPR.

The specific fine imposed of EUR 20,000 therefore appears, in view of the realized wrongfulness of the offense and measured against the available penalty range of Article 83(5) GDPR (here up to EUR 20,000,000), appropriate to the offense and the degree of fault, and is at the lowest end of the available penalty range (0.1% of the penalty range).