DSB (Austria) - 2023-0.603.142

From GDPRhub
Revision as of 09:24, 28 February 2024 by Nzm (talk | contribs)
Authority: DSB (Austria)
Jurisdiction: Austria
Relevant Law: Article 31 GDPR
Article 33(1) GDPR
Article 33(3) GDPR
Type: Other
Outcome: n/a
Started:
Decided: 12.12.2023
Published:
Fine: 5,900 EUR
Parties: n/a
National Case Number/Name: 2023-0.603.142
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): German
Original Source: Datenschutzbehörde (in DE)
Initial Contributor: ar

The DPA fined a controller €5,900 for notifying a personal data breach in too general a manner and more than a month after the event occurred. After asking for further clarification, the DPA also found a violation of the duty to cooperate, as the controller provided an incomprehensible explanation.

English Summary

Facts

On 24 April 2023, a managing director of the controller (a company) submitted a data breach notification to the DPA by email in accordance with Article 33 GDPR, on behalf of the controller.

In this notification, the controller informed the DPA that on 6 March 2023 a "ransomware attack" by unknown persons had taken place and that data had been encrypted as a result. In addition, the controller stated that it was not known whether a theft had occurred. The controller stated that 55 employees were affected by this attack and that information such as their wage documents had been affected. It further explained that it had taken measures to remedy the data breach: the entire network was disconnected from the Internet, and systems were being reinstalled and hardened. Concerning the measures taken to mitigate the possible adverse effects, the controller stated that the encrypted hard drives of the system had been securely erased.

In response to this notification, the DPA initiated a procedure and requested supplementary information from the controller, which replied with an unclear explanation. The DPA therefore requested clarification, to which the controller replied on 27 April 2023 with an empty email merely attaching its previous statement. Following this reply, the DPA initiated administrative penalty proceedings against the controller and, in a letter dated 5 June 2023, requested it to justify itself. The controller did not submit any statement.

Holding

The Austrian DPA noted that the ransomware attack reported by the controller and the subsequent encryption of the IT infrastructure by an unknown attacker constituted a personal data breach within the meaning of Article 4(12) GDPR.

Therefore, the controller was obliged to notify the incident in question to the DPA without undue delay and, where feasible, within 72 hours of becoming aware of the breach, providing the mandatory information under Article 33(3) GDPR. In this respect, the DPA noted that the controller failed to fulfil its obligation under Article 33(1) GDPR because it did not notify the incident to the Austrian DPA, as the competent supervisory authority pursuant to Article 55 GDPR, within 72 hours but over a month later.

Furthermore, the DPA stated that the controller’s notification did not contain the required information under Article 33(3) GDPR. Specifically, it lacked a description of the nature of the personal data breach, the categories and approximate number of data subjects concerned, the categories concerned and the approximate number of personal data records concerned. Initially, the controller stated in its report that only 55 employees were affected. However, the DPA noted that in its supplementary statement of 26 April 2023, "guests" were also mentioned as categories of affected persons, but the subsequent request for clarification by the DPA remained unanswered.

In addition, it lacked a description of the measures taken or proposed by the controller to address the breach, as well as measures to mitigate its possible adverse effects, as required by Article 33(3)(d) GDPR. The controller merely stated that the entire network was being rebuilt and secured, without any specifics.

Indeed, as the controller itself stated, it had limited itself to general information in order to satisfy its insurance company and be reimbursed for the damage, and was not interested in providing a complete report that would allow the DPA to assess the incident.

Furthermore, the DPA noted that the controller did not carry out a risk assessment for the rights and freedoms of the data subjects affected by the breach to assess whether to notify them pursuant to Article 34 GDPR.

Overall, the DPA concluded that it was obvious that the controller failed to comply with Article 33(1) and (3) GDPR.

Lastly, since the controller responded to the first request for a supplementary statement with an incomprehensible explanation and to the second request only referencing the previous statement, the DPA established that the controller failed to cooperate with the DPA, breaching Article 31 GDPR.

Therefore, the DPA fined the controller €5,900.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.


GZ: 2023-0.603.142 from December 12, 2023 (Procedure number: DSB-D550.829)

[Editor's note: Names and companies, legal forms and product names, addresses (including URLs, IP and email addresses), file numbers (and the like), etc., as well as their initials and abbreviations, may be abbreviated and/or changed for pseudonymisation reasons. Obvious spelling, grammar and punctuation errors have been corrected.]

Penalty finding

Accused legal entity: B*** GmbH (FN *5*0*1k)

The accused legal entity, with its registered office at **** I***tal, J***straße *2 (hereinafter “B***”), has, as controller within the meaning of Art. 4(7) of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data, on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter “GDPR”), OJ L 119 of 4 May 2016, p. 1, as amended, realised the following facts and thereby committed the following administrative offences:

I. B***, in its role as controller within the meaning of Art. 4(7) GDPR, in the period from April 24, 2023 to at least June 5, 2023, violated its obligation under Art. 33(1) and (3) GDPR to notify personal data breaches to the supervisory authority by belatedly reporting to the data protection authority, by email on April 24, 2023, a security breach of which it had been aware since March 6, 2023 (6:30 p.m.), and also by limiting itself, in that notification, to general information about the security breach because it only wanted to satisfy its insurance company with the notification in order to be reimbursed for the damage it claimed. Specifically, the mandatory information under Art. 33(3)(a) and (d) GDPR provided in the notification was limited to general statements that did not allow the data protection authority to verify B***'s compliance with its obligations under Articles 33 and 34 GDPR.

II. B***, in its role as controller within the meaning of Art. 4(7) GDPR, in the period from April 24, 2023 to at least June 5, 2023, also violated its obligation to cooperate with the data protection authority (as the competent supervisory authority) under Art. 31 GDPR by not responding to the following requests for comment in the security breach procedure GZ: D084.4838:

      Request for additional report/statement dated April 24, 2023 (GZ: D084.4838 - 2023-0.309.559), delivered by email on April 24, 2023 to “info@b***.at”;

      Renewed request for a supplementary report/statement dated April 26, 2023 (GZ: D084.4838 - 2023-0.316.639), delivered by email on April 26, 2023 to “info@b***.at”.

As a result, B***, as controller, failed to cooperate, on request, with the supervisory authority in the performance of its tasks.

The accused legal entity therefore violated the following requirements of the GDPR:

   The obligation to notify a personal data breach to the data protection authority in a timely manner in accordance with Art. 33(1) GDPR, together with the (mandatory) information referred to in Art. 33(3)(a) and (d) GDPR;

   The obligation to cooperate, on request, with the data protection authority in the performance of its tasks in accordance with Art. 31 GDPR.

Administrative offenses according to:

Ad I.:

Art. 33(1) and (3)(a) and (d) in conjunction with Art. 83(1) and (4)(a) GDPR, OJ L 2016/119, p. 1, as amended

Ad II.:

Art. 31 in conjunction with Art. 83(1) and (4)(a) GDPR, OJ L 2016/119, p. 1, as amended

For these administrative offences, the following penalty is imposed in accordance with Art. 83 GDPR:

Fine: €5,900, pursuant to Art. 83(1) and (4)(a) GDPR, OJ L 2016/119, p. 1, as amended

Furthermore, in accordance with Section 64 of the Administrative Penalties Act 1991 (VStG), you must pay:

   590 Euros as a contribution to the costs of the penal proceedings, being 10% of the fine, but at least 10 Euros;

   (no amount stated) Euros as reimbursement of cash expenses.

The total amount payable (penalty/costs/cash expenses) is therefore 6,490 Euros.

Payment deadline:

If no appeal is lodged, this penalty becomes immediately enforceable. In that case, the total amount must be paid into the account [shortened here] in the name of the data protection authority within two weeks of the decision entering into legal force. The file number (GZ) and the date of the decision should be stated as the purpose of payment.

If payment is not made within this period, the total amount may be called in by way of a demand; in that case, a flat-rate contribution of five euros is payable. If payment is still not made, the outstanding amount will be enforced.

Reason:

1.     The following facts relevant to the decision are established based on the evidence procedure carried out:

1.1. On April 24, 2023, Mr. Sebastian W*** (managing director of B***, hereinafter “GF”) submitted, on behalf of B***, a security breach notification under Art. 33 GDPR to the data protection authority (hereinafter “DSB”) by email. A non-binding form provided by the DSB on its website was used for the notification.

1.2. In this notification, the managing director informed the DSB that on March 6, 2023 there had been a “ransomware attack” by unknown persons and that data had been encrypted as a result. In addition, the managing director stated that it was not known whether there had been any “theft” and that there was no evidence of a “data leak”.

1.3. The managing director specified “employees” as the category of affected people and put the number of those affected at “55”. The managing director specified “confirmations, wage documents” as the affected categories of personal data.

1.4. Regarding the measures taken to address the personal data breach, the managing director stated the following: “Entire network has been disconnected from the Internet. Systems are currently being rebuilt and hardened.”

1.5. Regarding the measures taken to mitigate the possible adverse effects, the managing director stated the following: “Encrypted hard drives of the system were securely erased”.

1.6. The managing director gave the time of the security breach as March 6, 2023 (approx. 5:45 p.m.) and the time of becoming aware of the security incident as March 6, 2023 (approx. 6:30 p.m.). With regard to the late notification, the managing director stated in the notification that, on the basis of a police report, they had assumed that “a corresponding report was automatically forwarded.”

1.7. In response to this report, the DSB initiated a security breach procedure for GZ: D084.4838.

1.8. On the basis of the information provided by the managing director in the notification of April 24, 2023, the DSB was unable to conclusively assess the case and requested additional information from B*** (by email to info@b***.at, for the attention of the managing director). The request for a supplementary report read, in excerpt, as follows (formatting not reproduced 1:1):

[Editor's note: The graphical reproduction of part of the relevant transaction reproduced here in the notice was replaced by a text version for the purpose of pseudonymization.]

“Subject: Request for additional reporting

Dear Mr. W***,

The data protection authority has received your notification under Article 33 GDPR dated April 24, 2023 and notes the following:

You will be asked to answer the following questions:

1.   Have the data subjects been notified of the incident in accordance with Article 34(1) GDPR? Based on your notification, it is unclear whether the data subjects have already been notified of the incident or not.

2.   Why do you assume that there is no high risk and therefore no notification is required under Article 34(1) GDPR? Please break down your risk assessment.

3.   What measures have been taken to avoid such an incident in the future (e.g. training measures, introduction of the dual control principle, etc.)?

You are invited to comment on this within two weeks of receiving this letter.”

1.9. The managing director then responded as follows in an email dated April 26, 2023:

“Dear data protection authority,

Thanks for the mail

We have not and will not inform our guests about this because we do not want to burden our guests unnecessarily with such sick incidents... we are conscious and only exude pure love [Editor's note: Special characters Herzerl and Sternderl removed for reasons of representation.] and a good mood

Since we know that thoughts and actions create matter, nothing bad will happen. We know that it will be like that!!!

We have of course taken precautions with the company k*** security to prevent something like this from happening in the future.

We only made this report so that our insurance company would be satisfied and we would be reimbursed for the damage

I ask you to leave this incident alone with this email and I am happy to be reached by phone if you have any further questions at 0043***3*5*7*4

With warm [Editor's note: Special character Herzerl removed for reasons of displayability.] Greetings from the B***

Sebastian W***

www.b***.at”

1.10. In response, a renewed request for a supplementary report was sent to B*** in a letter dated April 26, 2023 (GZ: D084.4838 - 2023-0.316.639). In addition to the initial questions from the first request, the controller was asked to provide more details based on the information in the notification in conjunction with the feedback of April 26, 2023. The controller was also expressly informed of the obligation to cooperate under Article 31 in conjunction with Article 58(1)(a) and (e) GDPR and of the possible initiation of administrative penal proceedings (in the event of a lack of cooperation). The second request for a supplementary report read, in excerpt, as follows (formatting not reproduced 1:1):

[Editor's note: The graphical reproduction of part of the relevant transaction reproduced here in the notice was replaced by a text version for the purpose of pseudonymization.]

“Subject: Request for additional reporting

The data protection authority has received your email dated April 26, 2023 and notes the following:

In a letter from the data protection authority dated April 24, 2023, you were asked to state whether the data subjects were notified of the incident, why you assume that there is no high risk for the data subjects, and what measures were taken to prevent such incidents in the future.

Unfortunately, this information cannot be derived from your submission. You are asked to provide the following information:

1.  It was not possible to determine from your information whether there is a high risk to the rights and freedoms of the data subjects. You will therefore be asked again to break down your risk assessment.

Your attention is drawn to the fact that, in accordance with Article 34 GDPR, the controller is obliged to communicate the personal data breach to the data subject if the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons.

The data protection authority can also oblige the controller to make such a communication in accordance with Article 34(4) GDPR.

2.  Please also explain what specific measures have been taken to avoid such incidents in the future.

3.  Furthermore, your submission indicates that you will not inform the affected guests. However, in your notification dated April 24, 2023, you state that the persons affected are employees.

Please specify your submission:

-   Which categories of data subjects are actually affected by the data security incident?

-   Which personal data records are specifically affected? Which data categories are covered by “confirmations, wage documents”? (e.g. health information, bank details, ...)

You are informed of your obligation to cooperate under Article 31 in conjunction with Article 58(1)(a) and (e) of the General Data Protection Regulation (GDPR), according to which the data protection authority must be provided with all information necessary for the performance of its tasks. In addition, it is pointed out that, in the event of a breach of this obligation to cooperate, administrative penal proceedings may be initiated against you.”

1.11. B*** then responded by email dated April 27, 2023 with an empty message to which it attached the managing director's statement of April 26, 2023 that had already been submitted. Otherwise, no statement has been submitted to date in the security breach procedure. All requests were served on B***.

1.12. The DSB subsequently initiated administrative penal proceedings against B*** and, in a letter dated June 5, 2023, requested it and its managing director to justify themselves. The request for justification (hereinafter “AzR”) was served by RSa letter on June 9, 2023. In the AzR, the accused was informed that the penal proceedings would be conducted without it being heard if the AzR was not complied with.

1.13. The DSB did not receive any justification in response to the AzR. B*** did not take part in the administrative penal proceedings and, even after those proceedings had been initiated, did not submit a statement in the security breach procedure.

1.14. By decision dated July 17, 2023 (served on B*** by RSb on July 19, 2023), the DSB suspended the proceedings in question pursuant to Section 24 VStG in conjunction with Section 38 AVG until the final decision of the Court of Justice of the European Union (CJEU) in case C-807/21 (Deutsche Wohnen SE). This suspension decision became legally binding as no legal remedy was sought.

1.15. By letter dated December 5, 2023, the DSB lifted the suspension decision of July 17, 2023 ex officio and continued the administrative penal proceedings, taking into account the judgment of the CJEU of December 5, 2023 in case C-807/21.

Assessment of evidence: The findings regarding the course of the proceedings result from the relevant administrative penal file and the administrative file of the security breach procedure (GZ: D084.4838).

The findings regarding the information provided by the managing director and B*** result from the initial notification and the supplementary statement in the security breach procedure. The findings on the specific requests and questions of the DSB likewise result from the respective components of the file of the security breach procedure.

The finding that the managing director filed the security breach notification on behalf of B*** is based on the following:

Although the managing director gave his own name in the DSB form under “Responsible/Controller:”, the remaining information in the security breach notification shows that he made the notification on behalf of B***. The report was not submitted via B***'s email address "reservierung@b***.at" (specifically on April 24, 2023 by an employee of B***, namely "Trixie"). The information regarding the categories of data subjects and personal data also points to this. In the supplementary statement, the managing director stated, among other things, “we have not and will not inform our guests about this […]”. Finally, the accused did not contest the accusation in the context of the AzR, and in particular not its role as controller in the present proceedings.

The finding that the security breach procedure could not be completed, i.e. that the notification could not be conclusively assessed on the basis of the information provided by the accused, results from the requests for supplementary statements themselves and is also recorded in the file note on the initiation of administrative penal proceedings dated May 3, 2023. The finding that no statement was submitted after the empty email of April 27, 2023 results from an examination of the administrative file of the security breach procedure.

The further findings regarding the course of the administrative penal proceedings in question result from the components of the administrative penal file. The return receipts for service of the AzR by RSa are in the file.

2.     Legally it follows:

2.1. On the responsibility of the DSB and the scope of application of the GDPR

Art. 83(4)(a) GDPR stipulates that infringements of the provisions of Articles 8, 11, 25 to 39, 42 and 43 GDPR are subject to administrative fines of up to EUR 10,000,000 or, in the case of an undertaking, up to 2% of its total worldwide annual turnover of the preceding financial year, whichever is higher.

Pursuant to § 22(5) DSG, the DSB is responsible for imposing fines on natural and legal persons for violations of the DSG and the GDPR.

Pursuant to Art. 2(1) GDPR, the Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.

There is no doubt that processing of personal data within the meaning of Art. 2(1) GDPR took place. The accused's role as controller within the meaning of Art. 4(7) GDPR was never disputed. Although the managing director gave his own name in the notification, the fact that he made the notification on behalf of the accused in his capacity as managing director has already been examined in more detail in the assessment of evidence.

As controller, the accused is the addressee of the relevant obligations under the GDPR. In the specific case, as a result of the security breach, the accused as controller was subject to the notification obligation under Art. 33(1) GDPR as well as the obligation to cooperate with the DSB in the security breach procedure under Art. 31 GDPR. Pursuant to Art. 83(4)(a) GDPR, both provisions impose obligations on controllers whose infringement is subject to fines; they are discussed in more detail below.

2.2. On the notification of personal data breaches (point I.)

Pursuant to Art. 33(1) GDPR, in the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the breach to the supervisory authority competent in accordance with Art. 55 GDPR. An exception applies where the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

Pursuant to Art. 4(12) GDPR, a personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Such a notification must contain at least the following information in accordance with Art. 33(3) GDPR:

     a description of the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;

     the name and contact details of the data protection officer or other contact point for further information;

     a description of the likely consequences of the personal data breach;

     a description of the measures taken or proposed by the controller to address the personal data breach and, where appropriate, measures to mitigate its possible adverse effects.

Pursuant to Art. 33(5) GDPR, the controller is also obliged to document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation must enable the competent supervisory authority to verify compliance with this provision.

In the present case, the ransomware attack reported by the accused and the subsequent encryption of its own IT infrastructure by an unknown attacker constitutes a personal data breach (so-called “data breach” or “security breach”) within the meaning of Art. 4(12) GDPR (cf. the guidelines of the former Article 29 Data Protection Working Party on personal data breach notification, WP250 rev.01, examples on pages 7 and 9 concerning ransomware attacks). The encryption software used in a ransomware attack leads to a loss of availability of personal data. Whether that loss was accidental or unlawful is irrelevant. Furthermore, it cannot be ruled out that the present security breach caused by the ransomware attack also resulted in unauthorised disclosure of, or access to, the affected personal data.

The security breach related to personal data of the accused's employees and customers, which had previously been stored by it or processed for certain purposes. The accused was therefore obliged to report the incident in question to the DSB without undue delay and, where feasible, within 72 hours of becoming aware of the breach (on March 6, 2023, 6:30 p.m.), and to provide the mandatory information in accordance with Article 33(3) GDPR.

It should be pointed out at the outset that the accused did not fulfill her obligation under Article 33(1) GDPR simply because she did not report the incident in question to the DSB, as the competent supervisory authority under Article 55 GDPR, within 72 hours; the report was only made by email on April 24, 2023.

In addition, the report made did not contain the required information pursuant to Article 33(3) GDPR. Specifically, it lacked a description of the nature of the personal data breach, including the categories and approximate number of data subjects affected and the categories and approximate number of personal data records affected, as required by Article 33(3)(a) GDPR. It also lacked a description of the measures taken or proposed by the accused to address the personal data breach and, where appropriate, measures to mitigate its possible adverse effects, as required by Article 33(3)(d) GDPR.

The accused limited the information in the security breach report in question to general statements. In essence, the report served only one purpose, in her own words: “We only made this report so that our insurance company would be satisfied and we would be reimbursed for the damage.” The accused was apparently not interested in a report complete enough for the DSB to assess the incident.

Regarding the categories and the approximate number of persons affected, the accused initially stated in her report that only 55 employees were affected by the breach. In her supplementary statement dated April 26, 2023, “guests” were also mentioned as a category of affected persons (“we have not and will not inform our guests about this because we will not unnecessarily burden our guests with such sick incidents...”). The subsequent request for clarification on this point was not followed up by the accused and remained unanswered. In addition, the accused limited the description of the security breach in question to general information, which is why the DSB was unable to carry out a risk assessment for the rights and freedoms of the persons concerned with regard to a possible notification obligation of the accused under Article 34 GDPR. The subsequent requests for clarification, or for disclosure of the accused's own risk assessment, also remained unanswered.

Regarding the description according to Art., she simply stated that the entire network would be rebuilt and hardened. She left open how the “hardening” of her network was carried out. In her supplementary statement dated April 26, 2023, she stated that “of course, precautions have been taken to prevent something like this from happening in the future.” The accused leaves open what these precautions involve. With regard to the consequences for those affected, the accused limits herself to the unsubstantiated assertion that “nothing bad will happen.”

Overall, it is obvious that the accused did not make the report in order to fulfill her obligation as controller under Article 33 GDPR, but rather in order to be able to settle the damage through her insurance company (as she herself stated). As a result, the accused has fulfilled the objective side of the offense under Article 33(1) and (3) GDPR.

2.3. On the obligation of controllers to cooperate with the DSB (point II.)

Controllers and processors and, where applicable, their representatives must cooperate with the supervisory authority upon request in the performance of its tasks in accordance with Article 31 GDPR. Under Article 83(4)(a) GDPR, a breach of this obligation by the controller is also subject to a fine.

Both an obligation to tolerate and an obligation to cooperate can be derived from Article 31 GDPR in conjunction with the powers of the supervisory authority under Articles 57 and 58 GDPR. In accordance with Article 57(1)(a) GDPR, the DSB must monitor and enforce the application of the GDPR for the entire Austrian federal territory (“on its territory”). This is one of the central tasks of the DSB as the supervisory authority competent for Austrian territory. In addition, according to Article 57(1)(v) GDPR, the DSB must fulfill any other task related to the protection of personal data. To carry out these tasks, the DSB is granted both investigative and corrective powers (Article 58(1) and (2) GDPR).

The GDPR grants supervisory authorities, among other things, the power to order the controller to provide all information necessary for the performance of their tasks (Article 58(1)(a) GDPR). From this provision, taken together with Article 31 GDPR, an obligation to cooperate results for the addressees of the norm (see also Recital 82, second sentence, GDPR). For the case of a lack of cooperation, the Union legislature therefore provided for the possibility of sanctions in Article 83(4)(a) GDPR.

In the present case, as already mentioned, the accused is to be qualified as the person responsible in accordance with Article 4, Paragraph 7 of the GDPR and therefore as the addressee of the relevant obligations of the GDPR. She submitted a security breach report to the DSB and was subsequently involved in the proceedings as a party. As established, all requests from the DSB were served on the accused as part of the security breach proceedings. However, the accused responded to the first request for a supplementary statement with an incomprehensible explanation and to the second request only with a reference to the previous submissions. It can in no way be assumed that the accused's reaction complied with the DSB's requests as part of the security breach proceedings. It therefore did not cooperate with the DSB as the responsible supervisory authority in carrying out its tasks.

In light of the facts assumed to be proven, the accused has therefore also fulfilled the objective side of the offense under Article 31 GDPR.

2.4. On the criminal liability of the accused as a legal person according to Article 83 GDPR

The requirements for the imposition of fines against both natural persons and legal entities are laid down in Article 83 GDPR. However, the national legislature has laid down further “general conditions for the imposition of fines” in Section 30(1) and (2) DSG.

According to Section 30(1) DSG, the data protection authority can impose fines on a legal entity if violations of the provisions of the GDPR were committed by persons who acted either alone or as part of an organ of the legal entity and who hold a management position within the legal entity by virtue of (1) the power to represent the legal entity, (2) the power to make decisions on behalf of the legal entity, or (3) a power of control within the legal entity.

In accordance with Section 30(2) DSG, legal persons can also be held liable for violations of the provisions of the GDPR in cases where a lack of supervision or control by a person named in Section 30(1) DSG enabled the commission of these violations by a person working for the legal entity (lack of control and supervision), unless the act constitutes a criminal offense within the jurisdiction of the courts.

In its ruling of May 12, 2020, Ro 2019/04/0229, the Administrative Court (VwGH) dealt for the first time with the applicability of the criminal liability requirements of Section 30 DSG in proceedings under Article 83 GDPR and in this context held that a legal person cannot act on its own and that its criminal liability under Section 30 DSG is therefore a consequence of the factual, unlawful and culpable conduct of a natural (managerial) person within the meaning of Section 30(1) DSG. Accordingly, for the act of prosecution directed against the legal person to be effective, the act of the natural person (the so-called “attributable person”) must be accurately described. The attribution of the specific act of the manager to the legal entity must be included in the verdict, and the attributable person must also be named as an identified natural person (see VwGH May 12, 2020, Ro 2019/04/0229, with further references). In other words: in proceedings under Article 83 GDPR, the data protection authority must name in the operative part of the penal decision the natural (managerial) person whose violation of the GDPR or the DSG is to be attributed to the legal person as controller within the meaning of Article 4(7) GDPR, in order to be able to subsequently impose a fine under Article 83 GDPR against the controller as a legal entity. This attributable person is to be listed as a defendant in the administrative criminal proceedings against the legal entity and has party status per se (see VwGH May 12, 2020, Ro 2019/04/0229, with further references; Zaczek, The association responsibility model of Article 83 GDPR, in Jahnel (ed.), Yearbook Data Protection Law 2020, p. 257 ff).

By decision of December 6, 2021, the Berlin Court of Appeal referred to the ECJ, by way of a request for a preliminary ruling under Article 267 TFEU, questions on the interpretation of Article 83 GDPR concerning whether a company can be directly subject to fine proceedings for a violation of Article 83 GDPR, and in this context submitted the following questions:

1. Is Article 83(4) to (6) GDPR to be interpreted as meaning that it incorporates into domestic law the functional concept of an undertaking developed under Articles 101 and 102 TFEU and the functionary principle, with the result that, by extending the legal entity principle underlying Section 30 OWiG, fine proceedings can be conducted directly against an undertaking and the imposition of a fine does not require the establishment of an administrative offence committed by a natural and identified person, possibly meeting all elements of the offence?

2. If the answer to question 1 is yes: Is Article 83(4) to (6) GDPR to be interpreted as meaning that the undertaking must have culpably committed the violation carried out through an employee (cf. Article 23 of Council Regulation (EC) No 1/2003 of December 16, 2002 on the implementation of the rules on competition laid down in Articles 81 and 82 of the Treaty), or is an objective breach of duty attributable to the undertaking sufficient in principle for a fine to be imposed on it (“strict liability”)?

Due to the request for a preliminary ruling from the Berlin Court of Appeal, it was questionable whether the provisions of Section 30(1) and (2) DSG may be applied at all, because they could conflict with the directly applicable provisions of the GDPR, and whether the VwGH's statements in its ruling cited above on the criminal liability of legal entities in proceedings under Article 83 GDPR could be upheld. Since the ECJ's decision on these questions had a prejudicial effect on the proceedings in question, the administrative criminal proceedings were suspended.

The ECJ finally held in its judgment of December 5, 2023 that the directly applicable provisions of Article 58(2)(i) and Article 83(1) to (6) GDPR are to be interpreted as precluding a national regulation according to which a fine for a violation referred to in Article 83(4) to (6) GDPR can only be imposed on a legal person in its capacity as controller if this violation was previously attributed to an identified natural person.

In this context, the ECJ stated that legal entities are liable not only for infringements committed by their representatives, directors or managers, but also for infringements committed by any other person acting in the course of the business activity and on behalf of the legal entity. In addition, it must be possible to impose the fines provided for in Article 83 GDPR directly against legal entities (cf. ECJ of December 5, 2023, C-807/21, paragraph 44).

The (substantive) requirements for the imposition of fines by supervisory authorities are regulated precisely and without any discretion for the Member States in Article 83(1) to (6) GDPR. The GDPR does not contain any provision making the imposition of a fine on a legal entity as controller conditional on a prior determination that the infringement was committed by an identified natural person. The GDPR only grants the Member States the possibility of laying down requirements for the procedure to be followed by the supervisory authorities when imposing a fine, but in no way goes beyond these procedural requirements to permit substantive requirements in addition to those in Article 83(1) to (6) GDPR (cf. ECJ C-807/21, paragraph 45 ff).

The requirements for the imposition of a fine in accordance with Article 83 of the GDPR are therefore determined exclusively by Union law. There are no opening clauses for the Member States in this context.

The ECJ concluded that a national regulation which stipulates additional requirements for the imposition of fines under Article 83 GDPR violates Article 83(1) GDPR because it weakens the effectiveness and deterrent effect of fines imposed on legal entities. It must be taken into account that fines are a key element of the GDPR and serve to enforce the objectives of this regulation, to ensure the protection of the rights of data subjects and to ensure a high level of protection throughout the Union (cf. ECJ C-807/21, paragraphs 51 and 73). As a result, the ECJ found that the requirements for the imposition of a fine under Article 83 GDPR are regulated conclusively in Article 83(1) to (6) GDPR (paragraph 53).

2.5. On the subjective side of the crime

With regard to the second question referred, the ECJ has now explicitly stated, as the data protection authority had already assumed in its previous rulings, that only violations of provisions of the GDPR that the controller commits culpably, i.e. intentionally or negligently, can lead to the imposition of a fine (cf. ECJ of December 5, 2023, C-807/21, paragraph 68).

With regard to the subjective side of the offense, it must be taken into account that the requirement of fault for the imposition of a fine under Article 83 GDPR is to be interpreted autonomously within the Union and assessed in particular in the light of the case law of the ECJ. With regard to the question referred concerning culpability, the ECJ also found that the Union legislature did not grant the Member States any discretion for national regulations in this context, since the substantive requirements are conclusively regulated in Article 83(1) to (6) GDPR (see also ECJ of December 5, 2023, C-683/21, paragraph 64 ff).

Regarding the question of whether an infringement was committed intentionally or negligently and can therefore be punished with a fine, the ECJ made it clear in its judgment cited above that such negligence already exists if the accused could not have been unaware of the unlawfulness of his conduct, regardless of whether he was aware that he was violating the provisions of the GDPR (see ECJ C-807/21, paragraph 76).

With reference to further case law, the ECJ also expressly clarified that the application of Article 83 GDPR to legal persons requires neither an act nor even knowledge on the part of the management body of that legal entity (cf. ECJ of December 5, 2023, C-807/21, paragraph 77).

The responsibility and liability of a controller extends to any processing of personal data carried out by or on behalf of him. In this context, the controller must not only take appropriate and effective measures, but must also be able to demonstrate that his processing activities comply with the GDPR and that the measures he has taken to ensure this compliance are also effective (cf. ECJ C-807/21, paragraph 38, with reference to Recital 74).

Applied to this case, this means the following:

First of all, it should be noted that during the investigation there was no evidence that the violations in question were committed by a person who was not acting in the course of the business activity and on behalf of the legal entity. The accused makes no submissions in this context, and it is evident from the files that the managing director submitted a security breach report to the data protection authority on behalf of the accused and subsequently communicated with the responsible officer of the data protection authority. As a result, the accused became aware, through its managing director, of (1) the lack of information in the security breach report and (2) its own lack of cooperation in the security breach proceedings.

However, according to the ECJ ruling, in order to impose a fine on a legal entity it is not necessary for the data protection authority to name in its decision an identified natural person who acted in the course of the business activity and on behalf of the legal entity and whose actions are attributed to the legal entity. It is therefore not relevant to the decision in the present case whether and which managing director of the accused, who is also listed as a defendant in the administrative criminal proceedings, is responsible for the violations in question (e.g. due to a lack of supervision and control of the respective employees or due to an independent act/omission by the managing directors themselves). In this context, the ECJ expressly made it clear that neither an act nor even knowledge of the violation on the part of the management body is required for the application of Article 83 GDPR (paragraph 77). It can therefore remain an open question whether the accused's managing director breached his supervisory duty towards the accused's employees through an objective breach of care.

However, since, as already mentioned, the report of the security breach was submitted by Mr. Sebastian W*** (managing director) himself and the subsequent correspondence was conducted with him, the guilt of the accused in the present case can be assessed on the basis of the managing director's conduct. Even if the submissions to the data protection authority had been made by an employee of the accused, no breach of supervisory duty by a manager within the meaning of Section 30(2) DSG would be required in order to attribute the conduct of that employee to the legal entity and to apply Article 83 GDPR. These (natural) persons within the organization of the accused do not have to be identified by the data protection authority and named in the decision (see above).

Based on the file situation and in the light of the facts assumed to be proven, the data protection authority assumes that the accused acted negligently with regard to the late reporting of the security breach and that the accused acted intentionally with regard to the remaining violations.

With regard to the timely reporting to a supervisory authority, the accused could not have been unaware of the unlawfulness of her conduct. The wording of Article 33 GDPR does not allow the accused to interpret it to mean that reporting the facts to the police is sufficient and that the police would forward the incident to the data protection authority. The data protection authority assumes that the accused was not aware of this provision or of her remaining obligations under the GDPR and did not inquire about them. In this context, reference can also be made to the decision of the Federal Administrative Court of April 8, 2022, GZ: W214 2240128-1, according to which the complainant there also had to be aware “that there are relevant data protection regulations, especially as the GDPR was widely reported and discussed in public when it came into effect in 2018 and a large number of media articles appeared on this topic” (see point 3.3.2 on the fulfillment of the subjective side of the offense).

With regard to the late reporting of the security breach, there is therefore fault in the form of negligence (Article 83(2) GDPR).

With regard to the remaining violations (no information on the mandatory details according to Article 33(3)(a) and (d) GDPR, and lack of cooperation in the security breach procedure initiated), the following should be noted:

Due to the numerous requests from the data protection authority and the unambiguous information provided in the course of these requests, the accused was, objectively viewed, aware that the information she had provided in the security breach report was not sufficient and that the data protection authority was not in a position to fulfill its tasks on the basis of the information disclosed. She was also made aware of this and asked to cooperate. In this context, the possibility of a sanction against the accused, should she not comply with the data protection authority's requests, was also clearly pointed out. Nevertheless, the accused did not comply with these requests and failed to cooperate with the competent supervisory authority.

Taking these circumstances into account, the accused seriously considered it possible that the above-mentioned administrative violations would be committed and resigned herself to it (dolus eventualis). As a result, in the present case there is fault in the form of intent (Article 83(2)(b) GDPR).

In any case, during the course of the investigation there was no evidence to suggest that the accused was not at fault for violating the applicable administrative regulations. In the light of the case law of the ECJ, the accused could not have been unaware of the unlawfulness of her conduct, regardless of whether she was aware that she was violating the provisions of the GDPR (cf. ECJ C-807/21, paragraphs 76 and 77; ECJ C-683/21, paragraphs 81 and 82 with further references).

This means that the subjective side of the crime is also fulfilled.

3. The following must be noted for the purpose of sentencing:

According to Article 83(1) GDPR, the DSB must ensure that the imposition of fines for violations of the sanctioned provisions of the GDPR (Article 83(4), (5) and (6) GDPR) is effective, proportionate and dissuasive in each individual case. In more detail, Article 83(2) GDPR stipulates that certain criteria must be duly taken into account in each individual case when deciding whether to impose a fine and on its amount.

As part of the assessment of penalties, the data protection authority applied the EDPB guidelines on the calculation of fines under the GDPR (see EDPB Guidelines 04/2022 on the calculation of administrative fines under the GDPR, version 2.1 of May 24, 2023, hereinafter “fines guidelines”).

The assessment of punishment within a statutory penalty framework is a discretionary decision that must be made according to the criteria set by the legislature (cf. VwGH 05.09.2013, 2013/09/0106).

According to Section 19 Paragraph 1 of the VStG, the basis for determining the punishment is the significance of the legal interest protected by criminal law and the intensity of its impairment by the crime. Furthermore, depending on the purpose of the threat of punishment, the possible aggravating and mitigating reasons must be weighed up against each other, insofar as they do not already determine the threat of punishment. Particular attention must be paid to the extent of the fault. Taking into account the nature of administrative criminal law, Sections 32 to 35 of the Criminal Code are to be applied mutatis mutandis. The income and financial circumstances and any care obligations of the accused must be taken into account when calculating fines (this naturally only applies to natural persons, but can be applied analogously to legal entities); however, this only to the extent that the directly applicable provisions of the GDPR do not supersede the provisions of the VStG and to the extent required by Article 83 Paragraph 8 GDPR and Recital 148 with regard to the procedural guarantees to be guaranteed.

Article 83 Paragraph 3 GDPR stipulates, in deviation from the cumulation principle standardized in Section 22 Paragraph 2 of the VStG, that in cases of identical or related processing operations (in the English language version: "the same or linked processing operations") that intentionally or negligently violate several provisions of the GDPR, the total amount of the fine does not exceed the amount for the most serious violation. The absorption principle therefore applies within the scope of application of this provision (comparable to the combination principle standardized in Austrian criminal law in accordance with Section 28 Paragraph 1 StGB).

Otherwise (outside the scope of Article 83 Paragraph 3 GDPR), the cumulation principle in accordance with Section 22 Paragraph 2 of the VStG applies (cf. BVwG 12.03.2020, GZ: W256 2223922-1, with further references). The Fines Guidelines also note that Article 83 Paragraph 3 GDPR is limited in its application and does not apply to every case in which multiple violations of the GDPR are identified (see Fines Guidelines, Chapter 3, paragraph 39).

In addition, within the meaning of Article 83 Paragraph 1 GDPR, it should be noted that when determining the "total amount of the fine" using the absorption principle under Article 83 Paragraph 3 GDPR, all violations of the GDPR that have been committed must be taken into account. The wording "amount for the most serious violation" refers to the penalty range or the maximum amounts specified by law (see Article 83 Paragraphs 4 to 6 GDPR). In this regard, the EDPB noted that within the scope of application of Article 83 Paragraph 3 GDPR, the other violations committed cannot de facto be disregarded, but must be taken into account accordingly when determining the penalty (cf. Fines Guidelines, Chapter 3, paragraph 43). Otherwise, this would lead to privileges for controllers and processors who have violated several provisions of the GDPR in the context of an established matter.

With regard to Article 83 Paragraph 3 of the GDPR, the GDPR does not otherwise contain any information about what is meant by “the same or related processing operations”. Nothing further can be found in the recitals either.

According to the Fines Guidelines, when assessing "same or related processing operations", it must be taken into account that all obligations necessary for the lawful implementation of the processing operations can be taken into account. The wording (particularly in the English language version) suggests that the scope of Article 83 Paragraph 3 GDPR includes any infringement that relates to and may affect the same or related processing operations (see Fines Guidelines, Chapter 3, paragraphs 27 f.). In this context, the Federal Administrative Court pointed out that, according to general usage, those cases in which several criminal offenses were committed through "one and the same act (processing)" should also be included under this provision, and also referred to the English language version (cf. BVwG 12.03.2020, GZ: W256 2223922-1, with further references).

In the light of these statements, the absorption principle according to Article 83 Paragraph 3 GDPR applies in the specific case for the violations identified. The penalty range depends on the most serious violation. Therefore, in the present case, the penalty framework according to Article 83 Paragraph 4 GDPR applies.

Pursuant to Article 83 Paragraph 4 GDPR, in the case of the violations mentioned therein, in accordance with paragraph 2, fines of up to EUR 10,000,000 or, in the case of a company, up to 2% of its total worldwide annual turnover for the previous financial year, whichever is higher, will be imposed.

Due to the defendant's lack of cooperation in determining the annual turnover, the data protection authority had to make an estimate (cf. VwGH 11.05.1990, 89/18/0179; 22.04.1992, 92/03/0019; 23.02.1996, 95/02/0174). In view of the Fines Guidelines, the assessment places the defendant in the lowest category ("Undertakings with a turnover up to € 2 million") in relation to its turnover and with a view to the imposition of an effective, dissuasive and proportionate fine. This classification takes due account of the size of the company, in particular to ensure the proportionality of the fine.

The penalty range in the specific case therefore extends to an amount of EUR 10,000,000 (static penalty range) in accordance with Article 83, Paragraph 4 of the GDPR. The dynamic penalty range (2% of annual turnover) does not apply.

In light of the facts assumed to be proven and taking into account the nature, severity and duration of the violation (Article 83 Paragraph 2 Letter a GDPR [Editor's note: in the original, due to an obvious editorial oversight, "Art. 83 Para. 1 lit."], Article 83 Paragraph 2 Letter b GDPR) as well as the categories of personal data affected by the violation (Article 83 Paragraph 2 Letter g GDPR), the data protection authority assumes a medium/high level of seriousness of the violation ("seriousness of the infringement").

In relation to the present case (beyond the criteria already taken into account for determining the level of severity in accordance with Article 83 Paragraph 1 Letters a, b and g GDPR), the following were also taken into account as aggravating factors when determining the sentence:

      n/a

In relation to the facts at hand, the following was also taken into account as a mitigating factor when determining the sentence:

      The data protection authority has no record of previous relevant violations of the GDPR by the accused

According to the established jurisprudence of the VwGH, considerations of special prevention and general prevention may also be taken into account when determining the punishment (see VwGH 15.05.1990, 89/02/0093; VwGH 22.04.1997, 96/04/0253; VwGH 29.01.1991, 89/04/0061). In any case, the imposition of the specific fine was necessary in the sense of special prevention in order to make the accused aware of its duties as a controller and to deter it from committing further criminal acts of the same type. The imposition of the fine was also necessary in the sense of general prevention in order to sensitize controllers and processors, particularly in connection with the obligation to cooperate under Article 31 GDPR.

The specific penalty imposed of EUR 5,900 therefore appears, in view of the realized value of the crime, measured against the available penalty range of Article 83 Paragraph 5 GDPR (here up to EUR 20,000,000), appropriate to the crime and guilt and is at the lowest end of the available penalty range (0.03% of the penalty range).