DSB (Austria) - 2023-0.637.760
From GDPRhub
| DSB - 2023-0.637.760 | |
|---|---|
 | |
| Authority: | DSB (Austria) |
| Jurisdiction: | Austria |
| Relevant Law: | Article 31 GDPR Article 58(1)(a) GDPR Article 58(1)(e) GDPR Article 83 GDPR |
| Type: | Other |
| Outcome: | n/a |
| Started: | 16.11.2021 |
| Decided: | 07.12.2023 |
| Published: | 15.01.2024 |
| Fine: | 10,000 EUR |
| Parties: | n/a |
| National Case Number/Name: | 2023-0.637.760 |
| European Case Law Identifier: | ECLI:AT:DSB:2023:2023.0.637.760 |
| Appeal: | Not appealed |
| Original Language(s): | German |
| Original Source: | RIS (in DE) |
| Initial Contributor: | co |
The Austrian DPA imposed a fine in the amount of €10,000 on a controller for failing to cooperate with the DPA in the context of a complaints procedure, thereby violating Article 31 GDPR.
English Summary
Facts
In the context of a complaints procedure, the Austrian DPA (Datenschutzbehörde - DSB) sent several requests to the controller to submit its views on the case. Precisely, the DSB repeatedly summoned the controller via e-mail on 17 November 2021, 11 April 2022 and 03 June 2022, under Article 58(1)(a) and (e) GDPR, making reference to the controller’s obligation to collaborate with the DPA under Article 31 GDPR and alluding to the possible initiation of a sanctioning procedure for non-compliance.
On 3 June 2022, the DPO of the controller talked with the DSB on the phone and stated that they did not receive the e-mails due to technical problems and that the DSB should resend them to another e-mail address. The DSB did so on 9 June 2022, but the controller still failed to provide any submissions at least by the conclusion of the complaints procedure on 7 July 2022. In fact, the DSB had to handle the complaint without any input from the controller.
In light of all this, on 27 July 2022, the DSB initiated a sanctioning procedure against the controller for failure to collaborate with a Supervisory Authority and, thus, violating Article 31 GDPR.
On 30 August 2022, the controller reacted to the communication of the initiation of the sanctioning procedure stating that the lack of cooperation on its part was due to insufficiently effective communication within the company. The controller also submitted that, after this occurrence, it hired an external law firm to conduct a GDPR audit, offered its staff trainings and seminars on GDPR compliance and appointed a new DPO with legal expertise.
On 31 August 2022, the DSB suspended the proceedings until the CJEU issued its judgment in case C-807/21, which was published on 5 December 2023. On that day, the DSB reopened the case and considered the conditions and criteria to be taken into account for the imposition of a fine under Article 83 GDPR.
Holding
As regards the violation itself, the DSB held to be competent, under Article 57(1)(f) GDPR, to handle complaints brought by data subjects and, to that end, it could avail itself of all investigative means necessary, according to Article 58(1)(a) GDPR, to be read in conjunction with Article 31 GDPR. In this case, the DSB held that by (repeatedly) asking the controller to collaborate for the purpose of dealing with the complaint, it was clear that the controller had to comply with its obligation under Article 31 GDPR. In light of this, the DSB reiterated that Article 31 GDPR constitutes an obligation subject to a penalty if not complied with. Precisely, with respect to violations of Articles 25 to 39 GDPR, Article 83(4)(a) GDPR foresees that a fine of up to €10,000,000 or up to 2% of the annual turnover of an undertaking can be imposed.
The DSB further noted that controllers should not only take the appropriate measures to ensure compliance with the GDPR but they also have to prove that their processing activities adhere to GDPR provisions. In light of this, the DSB concluded that the objective scope of Article 31 GDPR was fulfilled, as the controller clearly failed to ensure cooperation with the DSB.
As regards the subjective scope of the Article, the DSB held that in light of CJEU Judgment in case C-870/21, the unlawful behavior of certain employees of the controller could be attributed to the controller itself. Further, the DSB held that the conduct of the controller should be classified as intentional behaviour under Article 83(2)(b) GDPR, as the controller and the DPO had been duly informed about the lack of cooperation with the DSB by the DSB itself, on several occasions, and still failed to comply with the request of the DSB.
As a consequence, taking into account the criteria of Article 83 GDPR and EDPB Guidelines 04/2022 on the calculation of administrative fines under the GDPR, the DSB considered the GDPR violation and the yearly turnover of the controller and found it appropriate to impose a fine in the amount of €10,000 on the controller.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
text
GZ: 2023-0,637,760 from December 7, 2023 (procedure number: DSB-D550,705)
[Editor's note: Names and companies, legal forms and product names, addresses (including URLs, IP and email addresses), file numbers (and the like), etc., as well as their initials and abbreviations may be abbreviated for pseudonymization reasons and/ or be changed. Obvious spelling, grammar and punctuation errors have been corrected.
Penalty finding
Accused legal entity: H**** non-profit housing AG (FN 1*5*9* r)
The accused legal entity, based in **** R***stadt, W***straße 1*-5* (hereinafter “H****”), is the responsible party in accordance with Art. 4 Z 7 of the regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data, on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter: “GDPR”), OJ No. L 119 of 04.05 .2016, p. 1 as amended, realized the following facts and thereby committed the following administrative offense(s): The accused legal entity with its registered office in **** R***stadt, W***straße 1*-5* (hereinafter “H****”), is the controller in accordance with Article 4, Section 7, of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data, on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter: “GDPR”), OJ No. L 119 of May 4, 2016, p. 1 as amended, realized the following facts and thereby committed the following administrative offense(s):
The data protection authority called on H**** as a party to the proceedings or respondent in the complaint procedure for GZ: D124.5263 several times, specifically in a letter dated:
November 17, 2021 (first request for comment, GZ: D124.5263 - 2021-0.803.344), sent by post on the same day to the registered office of the accused legal entity in “**** R***stadt, W* **street 1*-5*",
April 11, 2022 (first urgent letter, GZ: D124.5263 - 2022-0.260.991), verifiably sent by RSb to the registered office of the accused legal entity on the same day,
June 3, 2022 (second urgent letter, GZ: D124.5263 - 2022-0.408.549), verifiably sent by email on June 9, 2022 to the email inbox of the accused's data protection officer (Erwin.L*** @***mail-it.org),
to comment in the complaint procedure and each time expressly pointed out the obligation to cooperate in accordance with Art. 31 in conjunction with Art. 58 Para. 1 lit. After the first letter of urgency dated April 11th, 2022, the responsible data protection authority officer telephoned the accused's data protection officer on June 3rd, 2022 and informed him about the ongoing complaint procedure and the accused's lack of cooperation. The data protection officer was specifically informed that the data protection authority had already asked the accused to respond twice and that no response had been received as of June 3, 2022. The data protection officer stated at the meeting that there were internal problems with the forwarding and that the data protection authority should send him the request for comment directly by email (Erwin.L***@***mail-it.org). The request for a statement was then sent to the specified email address on June 9, 2022. for a statement in the complaint procedure and each time expressly referred to the obligation to cooperate in accordance with Article 31, in conjunction with Article 58, paragraph one, Litera a, and e GDPR as well as the possible initiation of administrative criminal proceedings (in the event of lack of cooperation). After the first letter of urgency dated April 11th, 2022, the responsible data protection authority officer telephoned the accused's data protection officer on June 3rd, 2022 and informed him about the ongoing complaint procedure and the accused's lack of cooperation. The data protection officer was specifically informed that the data protection authority had already asked the accused to respond twice and that no response had been received as of June 3, 2022. The data protection officer stated at the meeting that there were internal problems with the forwarding and that the data protection authority should send him the request for comment directly by email (Erwin.L***@***mail-it.org). The request for comment was then sent to the email address provided on June 9, 2022.
However, the accused did not respond to all letters of request from the data protection authority until the complaint procedure was completed with a decision dated July 7, 2022 (GZ: D124.5263 - 2022-0.484.999).
Measured against this, the following results:
H****, in her role as responsible person in accordance with Art. 4 Z 7 GDPR in the period from November 17th, 2021 to and including July 7th, 2022 in **** R***stadt, W***straße 1*-5* , violated its obligation to cooperate or its obligation to cooperate with the data protection authority (as the responsible supervisory authority) in accordance with Art. 31 GDPR by not complying with the requests for comments as part of the complaint procedure described in more detail above. As a result, H****, in her role as controller, did not cooperate with the request of a supervisory authority in fulfilling her tasks. In her role as controller, H**** did not cooperate in accordance with Article 4, Section 7, GDPR in the period from November 17, 2021 to including July 7th, 2022 in **** R***stadt, W***straße 1*-5*, violate their obligation to cooperate or their obligation to cooperate with the data protection authority (as the responsible supervisory authority) in accordance with Article 31, GDPR, by it did not respond to the requests for comment as part of the complaint procedure described in more detail above. As a result, H****, in her role as responsible party, did not cooperate with the request of a supervisory authority in carrying out her tasks.
Administrative offense(s) according to:
Art. 31 in conjunction with Art. 83 paragraph 1 and 4 lit. a GDPR OJ L 2016/119, p. 119, p. 1, as amended
Due to this administrative violation(s), the following penalty is imposed in accordance with Article 83 of the GDPR:Article 83 of the GDPR imposes the following penalty:
Fine of euros
According to
€10,000
Art. 83 para. 4 lit. a GDPR OJ L 2016/119, p. 1, as amended
Furthermore, you must pay in accordance with Section 64 of the Administrative Penalties Act 1991 - VStG: Furthermore, in accordance with Section 64 of the Administrative Penalties Act 1991 - VStG, you must pay:
1,000
Euros as a contribution to the costs of the criminal proceedings, which is 10% of the fine, but at least 10 Euros;
Euros as a replacement for cash expenses
The total amount payable (penalty/costs/cash expenses) is therefore
11,000
Euro
Payment deadline:
If no complaint is made, this penalty is immediately enforceable. In this case, the total amount must be paid into the account [shortened here] in the name of the data protection authority within two weeks of the entry into legal force. The business number and the completion date should be stated as the intended purpose.
If no payment is made within this period, the total amount can be collected. In this case, a flat-rate contribution of five euros must be paid. If payment is still not made, the outstanding amount will be enforced.
Reason:
1. The following facts relevant to the decision are established based on the evidence procedure carried out:
1.1. About the procedure
On November 16, 2021, a data subject as a complainant lodged a complaint against the accused as the respondent or responsible party to the data protection authority (hereinafter “DPO”) and essentially stated that by processing or disclosing their personal data in the When the accused sent an email to several recipients on November 9, 2021 and used an open mailing list, the defendant's right to secrecy in accordance with Section 1 Paragraph 1 of the DSG was violated. This resulted in the disclosure of their personal data to all interested parties in connection with a viewing of an apartment in a property in **** R***stadt, P***platz 3*. On November 16, 2021, a data subject submitted a complaint filed a complaint against the accused as the respondent or responsible party to the data protection authority (hereinafter “DPO”) and essentially stated that they were injured by the processing or disclosure of their personal data in the course of an email sent by the accused on 09.11.2021 to several recipients and using an open distribution list as violated in their right to secrecy according to paragraph one, paragraph one, DSG. This resulted in the disclosure of their personal data to all interested parties in connection with a viewing of a property in **** R***stadt, P***platz 3*.
In response, the accused was initially asked to comment as a party (respondent) by the DSB in the proceedings on GZ: D124.5263 in the request dated November 17, 2021. The first request for a statement (hereinafter “AzS”) was sent on the same day by letter to the registered office of the accused legal entity in **** R***stadt, W***straße 1*-5*.
The accused did not respond to the AzS dated November 17, 2021.
The DSB subsequently asked the accused again to comment on the complaint procedure in an urgent letter dated April 11, 2022. The first letter of urgency was delivered to the accused by RSB at their registered office.
The accused also did not respond to the urgent letter of April 11, 2022.
Subsequently, on June 3, 2022, the responsible DSB clerk telephoned the accused’s data protection officer (hereinafter “DSBA”) and informed him about the ongoing complaint procedure and the accused’s lack of cooperation. The DSBA was specifically informed that the DSB had already asked the accused to respond twice and that no response had been received as of June 3, 2022.
The DSBA brought to the meeting the fact that there were internal problems with the forwarding and that the DSB should send him the request for a statement directly by email (Erwin.L***@***mail-it.org).
The person concerned informed the DSBA of the matter before submitting the complaint to the DSB by sending him an email including attachments to the email address mentioned on November 10, 2021.
The second urgent letter was then delivered to the DSBA's specified email address on June 9, 2022. There were no error messages related to the delivery of the email. The DSBA did not inform the DSB about the delivery of the AzS discussed or informed the DSB that he had not received an email message from the DSB. The DSBA has no longer contacted the DSB or responded to the letter in any way.
The domain “@***mail-it.org” is used by H**** Wohnen & IT GmbH, FN 4*4*5*w (hereinafter “H****IT”). This is a 100% subsidiary of the accused. H****IT provides the entire IT infrastructure of the accused and the H**** Group and provides various IT services in this context. The DSBA worked as an employee of H****IT and held the role of data protection officer for the entire H**** Group at the time of the crime.
The urgent letter previously delivered via RSB (before the email to the DSBA) was received by the accused's post office and forwarded within the H**** group to H****IT for processing.
Within the framework of the above-mentioned AzS, the DSB has expressly informed the accused each time of the obligation to cooperate in accordance with Art. 31 in conjunction with Art. 58 Para. 1 lit . However, H**** did not respond to all letters of request from the DSB. Within the framework of the above-mentioned AzS, the DSB each time expressly reminded the accused of the obligation to cooperate in accordance with Article 31, in conjunction with Article 58, paragraph one, letter a , and e GDPR as well as the possible initiation of administrative criminal proceedings (in the event of lack of cooperation). However, H**** has not responded to all letters of request from the DSB.
The DSB therefore had to deal with the complaint of the affected person without the involvement of the accused and determined in a decision dated July 7, 2022 that the accused violated the affected person's right to secrecy.
Assessment of evidence: The findings arise from inspection of the administrative act relating to the above-mentioned complaint procedure. The defendant was accused of failing to respond to the above-mentioned AzS as part of the request for justification in the administrative criminal proceedings in question. The accusation was not denied by the accused. In this context, she admitted that due to internal problems, the recording of deliveries and in particular the forwarding of official documents to the responsible department or employees of the accused as well as internal communication did not function sufficiently during the period of the crime. According to the accused's written justification, the lack of reaction is due to these circumstances within the accused's organization. The accused therefore took the initiation of administrative criminal proceedings as an opportunity to review the internal processes in order to avoid such misconduct in the future. The accused therefore admitted the accusation in its entirety. The accused did not make any allegations that would contradict the findings made.
The findings regarding the phone call between the DSB clerk and the DSBA are based on an internal file note dated July 5, 2022 regarding the phone call, which is located in both the administrative criminal act and the administrative file relating to the complaint procedure. Furthermore, this was not disputed by the accused. The accused simply could not understand why further processing was not carried out by the DSBA and also admitted misconduct by the DSBA.
The findings regarding the activities/services of H****IT and DSBA and membership of the H**** Group result from the accused's own statements as part of their written justification and are therefore also undisputed. The finding regarding the internal forwarding of the urgent letter to H****IT for processing is also based on the accused's own statements.
The DSB subsequently initiated the administrative criminal proceedings against the accused in a letter dated July 27, 2022 and accused her of a lack of cooperation in the above-mentioned complaint procedure. The accused was also asked to disclose her sales.
In response, the accused submitted a written justification on August 30, 2022 and essentially stated that she fully admitted the lack of cooperation and stated in the meeting that this was due to internal deficiencies in connection with the forwarding of documents to the responsible department and not adequately functioning communication. In addition, she stated that she had initiated the administrative criminal proceedings as an opportunity to take the following measures in order to avoid such misconduct in the future (the measures taken by the accused are assumed to be proven):
The accused commissioned a law firm specializing in data protection law to represent and participate in the administrative criminal proceedings and also to carry out an internal “data protection audit” in order to subject the accused’s data protection management system to a legal review. In addition to the obligation to cooperate, other obligations of the accused in their role as responsible parties, such as maintaining a processing register in accordance with Art. 30 GDPR, were also examined. The external consultants also examined the processes and structures for complying with reporting obligations and guaranteeing the rights of those affected. This review should identify any deficiencies or gaps in the data protection management system. In other words: The accused carried out a complete review of its data protection obligations as a responsible person by engaging external consultants in order to identify any deficiencies." in order to subject the accused's data protection management system to a legal review. In addition to the obligation to cooperate, other obligations of the accused in their role as responsible parties, such as maintaining a processing register in accordance with Article 30, GDPR, were also examined. The external consultants also examined the processes and structures for complying with reporting obligations and guaranteeing the rights of those affected. This review should identify any deficiencies or gaps in the data protection management system. In other words: By engaging external consultants, the accused carried out a complete review of its data protection obligations as the person responsible in order to identify any deficiencies.
The external consultants carried out internal (data protection) training for the accused's employees, which focused in particular on protecting the rights of those affected and dealing with reports of data protection violations.
The accused arranged for several managers from various departments (property management, legal departments, internal auditing and sales) to take part in multi-day (data protection) seminars in September 2022.
The position of data protection officer for the accused was reassigned to a lawyer within her legal department after the administrative criminal proceedings were initiated. It was planned that the new DSBA would report to the board members of the accused about the relevant data protection issues in the company and about current developments in data protection law at approximately three-month intervals.
In response to the present accusation of lack of cooperation in the complaint process, the board members of the accused have decided on a “security system” in connection with the processing of official documents. This system ensures that all RSa and RSb letters are forwarded unopened to the legal department for processing after they have been recorded in the “incoming mail book”. The opening and first “rough inspection” is then carried out by an employee of the legal department in order to ensure that it is forwarded to the responsible department.
The DSB then suspended the proceedings in question in accordance with Section 24 VStG in conjunction with Section 38 AVG in a decision dated August 31, 2022 until the final decision by the Court of Justice of the European Union (ECJ) in case C-807/21 (Deutsche Wohnen SE) and the The decision was sent via e-mail to the accused's representative on September 8th, 2022. The DSB then initiated the relevant procedure in accordance with paragraph 24, VStG in conjunction with paragraph 38, AVG in a decision dated August 31, 2022 until the final decision by the Court of Justice of the European Union (ECJ) in case C-807/21 (Deutsche Wohnen SE ) suspended and the decision was sent via e-mail to the accused's representative on September 8th, 2022.
The accused lodged a complaint against this suspension decision, which led to the conclusion that the administrative criminal proceedings should not have been suspended but should have been discontinued due to the measures taken. Therefore, the ECJ's answers are irrelevant in this specific case. Through the complaint, the accused wanted to avoid a “state of limbo” and obtain a discontinuation either by the DSB as part of a preliminary decision on the complaint or by the Federal Administrative Court (BVwG) through a finding. The DSB refrained from making a preliminary appeal decision and submitted the file to the BVwG on October 13, 2022. An oral hearing on this matter took place at the BVwG on January 11, 2023. The complaint procedure is currently pending under the GZ: W258 2260869-1.
In a letter dated December 5, 2023, the DSB lifted the suspension decision of August 31, 2022 of its own motion and continued the administrative criminal proceedings - taking into account the judgment of December 5, 2023 of the ECJ in case C-807/21. The Federal Administrative Court was also informed about the cancellation of the suspension decision.
Assessment of evidence: The findings result from the file components of the administrative offense, in particular from the written justification of the accused. The identified measures taken by the accused in response to the initiation of administrative criminal proceedings are based on the accused's own statements. There was no evidence during the investigation that these measures were not actually taken. In addition to proving her case regarding the measures taken, the accused offered to provide further evidence. The findings in connection with the complaint against the suspension decision and the pending complaint procedure can be found by inspecting the administrative act on the decision complaint procedure for the GZ: D062.2187 or the BVwG court file for the GZ: W258 2260869-1.
1.2. On the defendant's turnover
The accused achieved annual sales totaling EUR 176.*88.4*1.34.
Assessment of evidence: The determination of the accused's turnover is based on the accused's own statements as part of their written justification dated August 30, 2022.
2. Legally it follows:
2.1. On the responsibility of the DSB and the scope of application of the GDPR
Art. 83 Para. 4 lit , 25 to 39, 42 and 43 GDPR, fines of up to 10,000,000 euros or, in the case of a company, up to 2% of its total worldwide annual turnover of the previous financial year, whichever is higher, may be imposed.
According to § 22 para. 5 DSGParagraph 22, paragraph 5, DSG, the responsibility for imposing fines on natural and legal persons for violations of the DSG and the DSGVO lies with the DSB.
According to Article 2 Paragraph 1 GDPRArticle 2, Paragraph One, GDPR, the Regulation applies to the fully or partially automated processing of personal data as well as to the non-automated processing of personal data stored or intended to be stored in a file system.
There are no doubts as to the existence of processing of personal data within the meaning of Art. Those affected felt that the processing restricted their right to secrecy in accordance with Section 1 Para. 1 DSG and lodged a complaint against the accused with the DSB. The upholding of the complaint by means of a notice due to unlawful processing already became legally binding due to the lack of legal remedies. There is no doubt and has not been disputed by the accused. Those affected felt that the processing restricted their right to secrecy in accordance with paragraph one, paragraph one of the DSG and lodged a complaint with the DSB against the accused. The upholding of the complaint by means of a notice due to unlawful processing already became legally binding due to the lack of legal remedies.
The role of the accused as responsible persons in accordance with Article 4, Paragraph 7 of the GDPR was never disputed and there were no indications to the contrary in the proceedings. As the person responsible, the accused is the addressee of the relevant obligations of the GDPR. In her role as responsible person or respondent, the accused was the addressee of several AzS in a complaint procedure in accordance with Art. 77 GDPR in conjunction with Section 24 DSG. Article 77, DSGVO in conjunction with Paragraph 24, DSG. In this context, the accused was specifically subject to the obligation to cooperate with the DSB in accordance with Article 31 GDPRArticle 31, GDPR. According to Article 83 Paragraph 4 Letter a of the GDPR, this provision represents a punishable obligation for those responsible and is discussed in more detail below.
2.2. On the breach of the obligation to cooperate in the complaint procedure
Controllers and processors and, if applicable, their representatives must cooperate with the supervisory authority upon request in carrying out their tasks in accordance with Article 31 of the GDPR.
Both obligations to tolerate and to cooperate can be derived from Article 31 of the GDPR in conjunction with the powers of the supervisory authorities under Articles 57 and 58 of the GDPR. In accordance with Article 57 Paragraph 1 Letter a of the GDPR, the DSB must monitor and enforce the application of the GDPR for the entire Austrian federal territory (“in its territory”). This is one of the central tasks of the DSB.
In addition, according to Article 57 Paragraph 1 Letter f of the GDPR, the supervisory authorities in their respective territories have the obligation to deal with complaints from data subjects, to investigate the subject of the complaint to an appropriate extent and to inform the complainant of the progress and outcome of the investigation within a reasonable period of time. There is an obligation to treat incoming complaints within the scope of Art. 57 Paragraph 1 Letter f GDPR. The supervisory authority must receive such complaints within the scope of Article 57, paragraph one, letter f, GDPR. The supervisory authority must process such a complaint with all due care (see the ECJ judgment of July 16, 2020, C-311/18, paragraph 109 with further references).
In order to fulfill these tasks, the supervisory authorities are granted both investigative and remedial powers (Article 58, paragraphs 1 and 2 of the GDPR).
The DSB is a supervisory authority within the meaning of Article 51 GDPR Article 51, GDPR (see also Section 18 Paragraph 1 DSG). The GDPR grants the DPO, among other things, the power to instruct the controller to provide all information necessary to carry out their tasks (see also paragraph 18, paragraph one, DPA). The GDPR grants the DPO, among other things, the power to instruct the controller to provide all the information necessary to carry out its tasks (Article 58 Paragraph 1 Letter a GDPR). (Article 58 Paragraph One Litera a, GDPR). This provision, in conjunction with Article 31 of the GDPR, results in an obligation to cooperate for the addressees of the norm (see also recital 82, second sentence of the GDPR). By submitting a complaint as part of a request for a statement, the subject of cooperation is sufficiently determined. Since the supervisory authority does not know the detailed circumstances in connection with the respective processing (contested or alleged by the data subject), the cooperation of the (alleged) controller is required to investigate the facts, especially at the beginning of an investigation (see , is particularly necessary at the beginning of an investigation Investigation procedure requires the participation of the (alleged) person responsible to investigate the facts (see Bogendorfer in Knyrim, DatKomm Art 31 GDPR Rz 7). In the event of a lack of cooperation, the Union legislature therefore stated in DatKomm Article 31, GDPR paragraph 7). In the event of a lack of cooperation, the Union legislature therefore introduced the possibility of sanctions in Article 83 Paragraph 4 Letter a GDPR.
In addition, in light of the national procedural principles in accordance with Section 37 AVG, Paragraph 37, AVG, an authority must investigate the relevant facts in the investigation procedure (material truth) and must therefore take the necessary investigative measures in accordance with Section 39 AVG ex officio. Paragraph 39, AVG ex officio. The principle of material truth states that the authority must investigate the real facts of its own motion and is not bound by the submissions of the parties in an adversarial procedure. According to the case law of the Administrative Court on the principle of official jurisdiction in administrative proceedings, a party to the procedure is obliged to participate in determining the relevant facts. A party's obligation to cooperate is particularly important where a matter can only be clarified in cooperation with the party because the authority is unable to obtain knowledge of circumstances that lie exclusively within the party's sphere of its own motion (cf. Administrative Court of Justice May 27, 2019, Ra 2019/14/0153). can be clarified because the authority is unable to obtain knowledge ex officio of circumstances that are exclusively within the sphere of the party (see Administrative Court of Justice May 27, 2019, Ra 2019/14/0153).
In this context, reference can finally be made to a judgment of the ECJ in case C-252/21. The ECJ found that the person responsible for processing bears the burden of proof for compliance with the principles pursuant to Article 5 Paragraph 1 of the GDPR. This means that the controller must, for example, prove that the data is collected for specified, clear and legitimate purposes and is processed lawfully, in good faith and in a manner that is understandable for the data subject (cf. ECJ of July 4, 2023, C-252/21, Rz 95; see also BVwG of August 28, 2023, W245 2255957-1). This means that the controller must, for example, prove that the data was collected for specified, clear and legitimate purposes and in a lawful manner, processed in good faith and in a manner that is understandable for the data subject see ECJ of July 4, 2023, C-252/21, paragraph 95; see also BVwG of August 28, 2023, W245 2255957-1).
In a recent decision, the ECJ recalled that, in light of their obligations under the GDPR, controllers must not only take appropriate and effective measures, but also be able to demonstrate that their processing activities are in accordance with the GDPR and that the measures taken are also effective to ensure this harmony (cf. ECJ of December 5, 2023, C-807/21, paragraph 38). in order to ensure this consistency see ECJ of December 5, 2023, C-807/21, paragraph 38).
In the present case, in light of the facts that were assumed to be proven, all of the DSB's requests were not followed by the accused during the complaint procedure. She also did not dispute the defendant's lack of cooperation. The lack of cooperation was due to internal deficiencies in day-to-day operations in connection with the receipt and forwarding of official documents to the responsible department. Furthermore, the accused herself cannot understand why her DSBA did not forward or pursue the case after being informed by the DSB.
As a result, due to these circumstances, the accused did not cooperate with the DSB as the responsible supervisory authority in carrying out its tasks and thereby fulfilled the objective factual side of Article 31 GDPR.
2.3. On the criminal liability of the accused as a legal person according to Article 83 GDPROn the criminal liability of the accused as a legal person according to Article 83 GDPR
The requirements for the imposition of fines against both natural persons and legal entities are standardized in Article 83 GDPR. However, the national legislature has standardized further “general conditions for the imposition of fines” in Section 30 Paragraphs 1 and 2 DSGParagraph 30, paragraph one, and 2 DSG.
According to § 30 para. 1 DSGParagraph 30, paragraph one, DSG, the data protection authority can impose fines on a legal entity if violations of the provisions of the GDPR were committed by (natural) persons who acted either alone or as part of an organ of the legal entity and hold a leadership position within the legal entity by virtue of (1) the power to represent the legal entity (2) the power to make decisions on behalf of the legal entity, or (3) a power of control within the legal entity.
Legal persons can be held responsible for violations of the provisions of the GDPR in accordance with Section 30 Paragraph 2 of the GDPR, Paragraph 30, Paragraph 2 of the DSG, even in cases where a lack of supervision or control by a person named in Section 30 Paragraph 1 of the DSG results in the commission of these violations by a person working for the legal entity shall also be held liable in those cases if a lack of supervision or control by a person referred to in paragraph 30, paragraph one, of the DSG enabled the commission of these violations by a person working for the legal entity ( lack of control and supervision) unless the act constitutes a criminal offense within the jurisdiction of the courts.
In its ruling of May 12, 2020 on Ro 2019/04/0229, the Administrative Court dealt for the first time with the applicability of the criminal liability requirements of Section 30 DSG in proceedings pursuant to Art dealt with the applicability of the criminal liability requirements of Section 30, DSG in a procedure according to Article 83, GDPR and in this context determined that a legal person cannot act on its own and therefore its criminal liability according to Section 30 DSG can be a consequence of the act itself and therefore their criminal liability according to paragraph 30, DSG a consequence of the factual, illegal and culpable behavior of a natural (managerial) person within the meaning of Section 30 Paragraph 1 DSG, Paragraph one, DSG is. Accordingly, in order for the act of persecution directed against the legal person to be effective, it is necessary to accurately describe the act of the natural person (or the so-called “attributable person”). The attribution of the specific act by the leader to the legal entity must be included in the verdict and the person attributable must also be named as an identified natural person (cf. VwGH May 12, 2020, Ro 2019/04/0229, mwN). In other words: In a procedure pursuant to Art. 83 GDPR, the data protection authority must, in the decision of the penal decision, attribute the natural (managerial) person whose violation of the GDPR or the DSG to the legal person responsible within the meaning of Art. 4 Z 7 GDPR should be named by name in order to be able to subsequently impose a fine in accordance with Art. 83 GDPR against the person responsible as a legal entity. This attributable person is to be listed as a defendant in the administrative criminal proceedings against the legal entity and per se has party status (see VwGH May 12, 2020, Ro 2019/04/0229, with further references). In other words: In a procedure under Article 83, GDPR, the data protection authority must issue a criminal judgment against the natural (managerial) person whose violation of the GDPR or the DSG is the legal entity responsible within the meaning of Article 4, Section 7, GDPR should be attributed, name it in order to be able to subsequently impose a fine in accordance with Article 83 of the GDPR against the person responsible as a legal entity. This attributable person is to be listed as a defendant in the administrative criminal proceedings against the legal entity and per se has party status see Zaczek, The association responsibility model of Article 83 GDPR, in , The association responsibility model of Article 83 GDPR, in Jahnel (ed.), Yearbook Data Protection Law 2020, p . 257 ff).
By decision of December 6, 2021, the Berlin Court of Appeal asked the ECJ as part of a request for a preliminary ruling under Article 267 TFEU for an interpretation of Article 83 of the GDPR can be affected in the fine proceedings due to a violation of Article 83 GDPR and in this context presented the following questions with regard to the question of whether a company can be directly affected in the fine proceedings due to a violation of Article 83 GDPR and presented the following in this context questions
1. Is Article 83 Paragraphs 4 to 6 GDPR to be interpreted as meaning that it incorporates the functional company concept assigned to Articles 101 and 102 TFEU and the function holder principle into domestic law with the result that, by expanding the legal entity principle underlying Section 30 OWiG a fine can be brought directly against a company and the fine does not require the establishment of an administrative offense committed by a natural and identified person, possibly fully criminally committed? Should Article 83, paragraphs 4, to 6 of the GDPR be interpreted as meaning Article 101 , and 102 TFEU and the functional entity principle are incorporated into domestic law with the result that, by extending the legal entity principle underlying Section 30, OWiG, fine proceedings can be conducted directly against a company and the fine does not depend on the determination of a natural and identified entity an administrative offense committed by a person, possibly fully criminal?
2. If the answer to question 1 is yes: Should Article 83 Paragraphs 4 to 6 of the GDPR be interpreted as meaning that the company must have culpably committed the violation mediated by an employee (cf. Article 23 of the Regulation (EC ) No. 1/2003 of the Council of December 16, 2002 on the implementation of the competition rules laid down in Articles 81 and 82 of the Treaty), or is an objective breach of duty attributable to the company sufficient in principle to impose a fine (“strict liability”) )?If the answer to question 1 is yes: Should Article 83, paragraph 4, to 6 of the GDPR be interpreted as meaning that the company must have culpably committed the violation mediated by an employee, see Article 23 of Regulation (EC) No 1/2003 of the Council of December 16, 2002 on the implementation of the competition rules laid down in Articles 81 and 82 of the Treaty), or is an objective breach of duty attributable to it sufficient for a company to be fined ("strict liability")?
Due to the preliminary ruling request from the Berlin Court of Appeal, it was questionable whether the provisions of Section 30 Paragraphs 1 and 2 DSG Paragraph 30, paragraphs one and 2 DSG may even be applied because they could violate the directly applicable provisions of the GDPR, and whether The VwGH's statements in its ruling cited above on the criminal liability of legal entities in proceedings under Art. 83 GDPR could be upheld. Since the ECJ's decision on these questions may be applied at all because they could violate the directly applicable provisions of the GDPR, and whether the VwGH's statements in its ruling cited above on the criminal liability of legal entities in proceedings under Article 83, GDPR are upheld could. Since the ECJ's decision on these questions had a prejudicial effect on the proceedings in question, the administrative criminal proceedings were suspended.
The ECJ finally held in the judgment of December 5, 2023 that the directly applicable provisions according to Article 58 Paragraph 2 Letter i and Article 83 Paragraph 1 to 6 GDPR Article 58 Paragraph 2 Litera i and Article 83 Paragraph One , to 6 GDPR are to be interpreted as conflicting with a national regulation, according to which a fine is imposed for a violation referred to in Article 83, paragraphs 4 to 6 of the GDPR The above-mentioned violation can only be imposed on a legal person in its capacity as responsible party if this violation was previously attributed to an identified natural person.
In this context, the ECJ stated that legal entities are liable not only for infringements committed by their representatives, directors or managers, but also for infringements committed by any other person acting in the course of their business activities and on behalf of them of the legal entity. It must also be possible to impose the fines provided for in Article 83 of the GDPR. In addition, it must be possible to impose the fines provided for in Article 83 of the GDPR directly against legal entities (cf. ECJ of December 5, 2023, C-807/21, paragraph 44). 807/21, Rz 44).
The (material) requirements for the imposition of fines by supervisory authorities are regulated precisely and without any discretion for the Member States in Article 83, Paragraphs 1 to 6 of the GDPR. The GDPR does not contain any provision that the imposition of a fine on a legal entity as controller is conditional on a prior determination that that infringement was committed by an identified natural person. The GDPR only grants the Member States the possibility/authority to provide for requirements regarding the procedure to be used by the supervisory authorities when imposing a fine, but in no way goes beyond these procedural requirements to standardize substantive requirements that are in addition to those in Article 83 (1). and 6 GDPR was committed. The GDPR only grants Member States the possibility/authority to lay down requirements for the procedure to be followed by the supervisory authorities when imposing a fine, but in no way goes beyond these procedural requirements to standardize substantive requirements that are in addition to those in Article 83, paragraph one, and 6 GDPR (cf. ECJ C-807/21, paragraph 45 ff). see ECJ C-807/21, paragraph 45 ff).
The requirements for the imposition of a fine in accordance with Article 83 of the GDPR are therefore determined exclusively by Union law. There are no opening clauses for the Member States in this context.
The ECJ concluded that a national regulation that stipulates additional requirements for the imposition of fines in accordance with Article 83 of the GDPR violates Article 83 (1) of the GDPR because it violates the requirements for the imposition of fines in accordance with Article 83 of the GDPR normed, violates Article 83, paragraph one, GDPR because it weakens the effectiveness and deterrent effect of fines imposed on legal entities. It must be taken into account that fines are a key element of the GDPR and serve to enforce the objectives of this regulation or to ensure the protection of the rights of data subjects and to ensure a high level of protection throughout the Union (cf. ECJ C-807/21, paragraphs 51 and 73). . As a result, the ECJ found that the conditions for the imposition of a fine in accordance with Art. 83 GDPR (see ECJ C-807/21, paragraphs 51 and 73). As a result, the ECJ found that the requirements for the imposition of a fine under Article 83 of the GDPR are regulated conclusively in Article 83, Paragraphs 1 to 6 of the GDPR and are regulated in Article 83, Paragraphs 1 to 6 of the GDPR (paragraph 53).
In addition to this question, the ECJ also found that the term “company” within the meaning of Articles 101 and 102 TFEU (see Recital 150 GDPR) only applies to those within the meaning of Articles 101 and 102 TFEU (see Recital 150 GDPR). is relevant for the calculation of a fine imposed in accordance with Article 83 Paragraphs 4 to 6 GDPR (but not for the result summarized above in relation to the first question). Accordingly, what must be relevant is that imposed in accordance with Article 83, paragraphs 4 to 6 of the GDPR (but not for the result summarized above in relation to the first question). Accordingly, the definition of a company under competition law, according to which every entity carrying out an economic activity is included, regardless of its legal form and the type of financing, must be used as the basis for the decision on the amount of the fine (cf. ECJ C-807/21, paragraph 53 ff). . In other words: For the calculation of the fine, the worldwide , according to which every entity carrying out an economic activity is included regardless of its legal form and the type of financing, must be used as the basis for the decision on the amount of the fine see ECJ C-807/21 , Rz 53 ff). In other words, the global annual turnover of the economic entity must be used to calculate the fine if the addressee of the fine is or belongs to an undertaking within the meaning of Articles 101 and 102 TFEU. is or is part of an undertaking within the meaning of Articles 101 and 102 TFEU.
In this regard, the ECJ, like the Advocate General in his Opinion, stated that only a fine, the amount of which is determined based on the actual or material performance of the addressee on the basis of the concept of economic unity, ultimately satisfies the amount set out in Article 83 (1). 1 GDPR Article 83, paragraph one, GDPR can fulfill the requirements (effective, dissuasive, proportionate) (cf. ECJ C-807/21, paragraph 58 f). can fulfill compare ECJ C-807/21, paragraph 58 f).
2.4. On the subjective side of the crime
With regard to the second question referred, the ECJ has now explicitly stated, as already accepted by the data protection authority in its previous rulings, that only violations of provisions of the GDPR that the person responsible commits culpably, i.e. intentionally or negligently, lead to the imposition of a fine can (cf. ECJ of December 5, 2023, C-807/21, paragraph 68). commits, can lead to the imposition of a fine (see ECJ of December 5, 2023, C-807/21, paragraph 68).
With regard to the subjective side of the offense, it must be taken into account that the requirement of fault for the imposition of a fine under Article 83 GDPR should be interpreted autonomously within the Union and should be assessed in particular in the light of the case law of the ECJ. With regard to the question referred with regard to culpability, the ECJ also found that the Member States were not granted any discretion by the Union legislature for national regulations in this context, since the material requirements are conclusively regulated in Article 83 Paragraphs 1 to 6 of the GDPR in Article 83, paragraph one, to 6 GDPR are precisely regulated (see also ECJ of December 5, 2023, C-683/21, paragraph 64 ff). See also ECJ of December 5, 2023, C-683/21, Rz 64 ff).
Regarding the question of whether an infringement was committed intentionally or negligently and can therefore be punished with a fine, the ECJ made it clear in its judgment cited above that such negligence already exists if the accused is not aware of the illegality of his behavior It could be unclear whether he was aware that he was violating the provisions of the GDPR (see ECJ C-807/21, paragraph 76). see ECJ C-807/21, paragraph 76).
With reference to further case law, the ECJ also expressly clarified that the application of Article 83 GDPR towards legal persons. With reference to further case law, the ECJ also expressly clarified that the application of Article 83 GDPR towards legal persons is not an act once requires knowledge on the part of the management body of this legal entity (cf. ECJ of December 5, 2023, C-807/21, paragraph 77). see ECJ of December 5, 2023, C-807/21, paragraph 77).
Applied to this case, this means the following:
First of all, it should be noted that during the investigation there was no evidence that the violations in question were committed by a person who was not acting within the scope of the entrepreneurial activity and on behalf of the legal entity.
In any case, the data protection authority's clerk contacted the accused's data protection officer and informed him about the accused's lack of cooperation in the complaint process. Previously, other employees of the accused accepted the letters or requests from the data protection authority, but did not process them. With the exception of the data protection officer, the employees were not named to the data protection authority. However, in this context, the accused admitted that her employees and her data protection officer were at fault. The accused did not respond to the requests because, due to internal deficiencies in day-to-day operations in connection with the receipt, official documents were not forwarded to the responsible departments. In addition, the accused cannot understand the behavior of her data protection officer because he did not forward or follow up on the case despite contacting her.
However, according to the ECJ ruling, in order to impose a fine on a legal entity, it is not necessary for the data protection authority to cite in its decision an identified natural person who acted in the context of the business activity and on behalf of the legal entity and the actions of this person person is attributed to the legal entity. It is therefore not relevant to the decision in the present case whether and which of the board members listed as accused or which specific employee of the accused is (internally) responsible for the violations in question. As stated by the ECJ, it is not important that the accused's board of directors was aware of the violations. The imposition of a fine in accordance with Art. 83 GDPR expressly requires . It is therefore not relevant to the decision in the present case whether and which of the board members listed as accused or which specific employee of the accused is (internally) responsible for the violations in question. As stated by the ECJ, it is not important that the accused's board of directors was aware of the violations. The imposition of a fine in accordance with Article 83 of the GDPR expressly does not require any action or even knowledge on the part of the management body of the legal entity (paragraph 77).
In the present case, the guilt of the accused does not have to be assessed based on the actions of the persons authorized to represent them externally (here board members), but can also be assessed based on the actions of their employees who do not hold a management position within the meaning of Section 30 Paragraph 1 (paragraph 44 ).The culpability of the accused in the present case must therefore not be assessed based on the actions of the persons authorized to represent them externally (here board members), but can also be assessed based on the actions of their employees who do not hold a management position within the meaning of paragraph 30, paragraph one (Rz 44).
In light of the facts assumed to be proven, the data protection authority therefore assumes that the accused committed an intentional act:
The accused's employees accepted the requests from the data protection authority and, despite the information contained therein that the accused is obliged to cooperate and the lack of cooperation constitutes an administrative violation, these requests were not processed by the data protection authority. Finally, the data protection authority also informed the accused's data protection officer about the pending complaint procedure and the accused's lack of cooperation. Nevertheless, the accused failed to respond to the data protection authority's request or to respond to it in any way. There were also no questions regarding the discussed delivery of the request to the email address he provided.
Taking these circumstances into account, the accused seriously believed that the administrative violation in question could be carried out and, however, resigned herself to it (dolus eventualis). As a result, in the present case there is negligence in the form of intent (Art. 83 Para. 2 lit. b GDPR). (Article 83, paragraph 2, letter b, GDPR).
In any case, during the course of the investigation there was no evidence to suggest that the accused was not at fault for violating the applicable administrative regulations. In the light of the case law of the ECJ, the accused could not have been in the dark about the illegality of her behavior, regardless of whether she was aware that she was violating the provisions of the GDPR (cf. ECJ C-807/21, paragraph 76 and 77; ECJ C-683/21, paragraphs 81 and 82 with further references). see ECJ C-807/21, paragraphs 76 and 77; ECJ C-683/21, paragraphs 81 and 82 with further references).
This means that the subjective side of the crime is also fulfilled.
2.5. On the accused's application for discontinuation in accordance with Section 45 Paragraph 1 Item 4 VStG On the accused's application for discontinuation in accordance with Section 45, Paragraph One, Number 4, VStG
The accused fully admitted the accusation as part of her written justification, but requested that the proceedings be discontinued in accordance with Section 45 Para. 1 Z 4 VStG or in eventu in accordance with Section 11 DSG However, the discontinuation of the proceedings in accordance with paragraph 45, paragraph one, number 4, VStG or in eventu in accordance with paragraph 11, DSG “merely issue a warning” and for this purpose the measures identified that were taken by it in response to the administrative criminal proceedings were taken into account . In the specific case, the significance of the legal interest protected under criminal law and the intensity of its impairment by the crime and the guilt of the accused are low. In any case, a fine is not necessary for specific preventive reasons.
This view cannot be accepted and is examined in more detail below:
With regard to the application of Section 11 DSG, it should first be pointed out that the BVwG has already determined that from Section 11 DSG. With regard to the application of Section 11, DSG, it should first be pointed out that the BVwG has already determined that Paragraph 11, DSG, no priority of a warning can be inferred and stated specifically: “A priority of the procedure according to § 11 DSG cannot be inferred from the system and the priority of application of the GDPR; With regard to a possible attempt to bind the authority concerned (or the court) beyond the GDPR, there is a lack of a corresponding opening clause or authorization in the GDPR. In any case, the priority of the procedure according to paragraph 11, DSG can be given to the system and the priority of application of the GDPR do not remove; Regarding a possible attempt to bind the authority concerned (or the court) beyond the GDPR, there is a lack of a corresponding opening clause or authorization in the GDPR" (cf. BVwG of March 2, 2020, GZ: W211 2217212-1) .” compare BVwG of March 2, 2020, GZ: W211 2217212-1).
With regard to the discontinuation of administrative criminal proceedings in accordance with Section 45 Para. 1 Z 4 VStG or the issuance of a warning by means of a notice instead of a discontinuation (Section 45 Para. 1 last sentence VStG), one can first refer to the requirements and the case law issued in this regard by the Administrative Court (VwGH ) should be pointed out: According to the permanent RSP of the Administrative Court, the application of Section 45 Paragraph 1 Z 4 VStG requires that the circumstances mentioned therein with regard to the discontinuation of the administrative criminal proceedings in accordance with Section 45, Paragraph One, Number 4, VStG or the grant of a warning by means of a notice instead of a discontinuation (paragraph 45, paragraph one, last sentence VStG), reference can first be made to the requirements and the case law issued by the Administrative Court (VwGH): According to the permanent ruling of the VwGH, the application of paragraph 45, paragraph One, paragraph 4, VStG presupposes that the circumstances mentioned there are cumulative. In order to be able to discontinue the proceedings in accordance with this provision or issue a warning within the meaning of Section 45 Para. 1 last sentence VStG, this must be present. In order to be able to discontinue the proceedings under this provision or issue a warning within the meaning of paragraph 45, paragraph one, last sentence of the VStG, firstly the significance of the legal interest protected under criminal law, secondly the intensity of its impairment by the act and thirdly the culpability of the person must be taken into account Accused may be low (VwGH April 25, 2019, Ra 2018/09/0209). The meaning of the property protected under criminal law depends on its abstract meaning. If the protected legal interest is (particularly) important, a discontinuation or a warning is not possible. So even if the damaging result has essentially failed to materialize, Z 4 of the same can apply - even if there is little fault. If the protected legal interest is (particularly) important, a discontinuation or a warning is not possible. Even if the damaging result has essentially failed to materialize, paragraph 4 cannot be applied - even if there is little fault - if the protected legal interest is abstractly (particularly) significant (VwGH December 18, 2018, Ra 2016/04/0148; Kneihs in Raschauer/Wessely, VStG², § 45 Rz 8). (VwGH December 18, 2018, Ra 2016/04/0148; Kneihs in Raschauer/Wessely, VStG², paragraph 45, paragraph 8).
According to Article 1 Paragraph 1 GDPR Article One, Paragraph One, GDPR, the provisions of the GDPR serve to protect natural persons when processing their personal data and to ensure the free movement of such data. According to paragraph 2, paragraph 2, the fundamental rights and freedoms of natural persons (in particular their right to protection of personal data) should be protected. In this specific case, the legal remedies of those affected and the right to lodge a complaint with a supervisory authority are essentially affected. The lack of participation of those responsible in the process delays the complaint procedure in particular and restricts the rights of those affected. The handling of a complaint in the sense of an approval by the DSB “a limine” without involving the person responsible or granting the parties a hearing is - contrary to the allegations of the accused - impossible and procedurally inadmissible. In addition, as already stated, the authority is obliged to investigate the actual facts of the case ex officio and is not bound by the submissions of the parties in adversarial proceedings. Therefore, even if attachments/evidence are submitted by the data subject in the course of the complaint, the DSB cannot per se assume the accuracy and authenticity of the attachments, especially since it does not know the detailed circumstances in connection with the alleged/accused processing.
In connection with the requirements for a discontinuation/warning in accordance with Section 45 Para. 1 Z 4 VStG, the jurisprudence of the Administrative Court must also be taken into account, which refers to the scope of penalties set by the legislature regarding the meaning of the legal interest protected by criminal law. The value of a legal interest that has been impaired/infringed by a violation of a norm is therefore also expressed in the level of the legal penalty framework that has been set by the legislature for corresponding violations. With regard to § 99 Para. 3 lit. 2018, Ra 2017/02/0102). In connection with the requirements for a discontinuation/warning according to paragraph 45, paragraph one, number 4, VStG, the jurisprudence of the VwGH must also be taken into account, which refers to the scope of punishment set by the legislature regarding the meaning of the legal interest protected by criminal law. The value of a legal interest that has been impaired/infringed by a violation of a norm is therefore also expressed in the level of the legal penalty framework that has been set by the legislature for corresponding violations. With regard to paragraph 99, paragraph 3, letter a, StVO (with a penalty range for a fine of up to EUR 726), the Administrative Court assumed that the importance of the legal interest protected under criminal law is not small, see Administrative Court of June 19, 2018 , Ra 2017/02/0102).
In the present case, the Union legislature - due to the importance of the participation of those responsible in conjunction with the system of the GDPR (Article 5 (2) GDPR) - has included the obligation under Article 31 GDPR in the catalog of provisions of the regulation subject to penalties in accordance with Article 83 Paragraph 4 lit , GDPR is included in the catalog of provisions of the regulation subject to penalties in accordance with Article 83, paragraph 4, letter a, GDPR and a fine of up to EUR 10,000,000 or 2% of the total worldwide annual turnover of the previous financial year is provided for violations. In the present case, therefore, the value of the legal interest protected by the disregard of Article 31 GDPR cannot be classified as low. of the previous financial year. In the present case, therefore, the value of the legal interest protected by the disregard of Article 31 of the GDPR cannot be classified as low.
The first requirement therefore fails. Ultimately, it cannot be assumed that the significance of the legal interest protected under criminal law here is low. In any case, there is a high level of interest in the abstract. Whether the intensity of the impairment caused by the act and the fault of the accused is low is therefore not relevant and therefore cannot lead to the discontinuation of the proceedings in accordance with Section 45 Paragraph 1 Item 4 VStG. Ultimately, it cannot be assumed that the significance of the legal interest protected under criminal law here is low. In any case, there is a high level of interest in the abstract. Whether the intensity of the impairment caused by the act and the fault of the accused is low is therefore not relevant and therefore cannot lead to the discontinuation of the proceedings in accordance with paragraph 45, paragraph one, number 4, VStG.
Even if the significance of the protected legal interest were to be classified as low, nothing would be gained for the accused - taking into account the subjective side of the crime (no minor culpability). The DSB informed the accused's DSBA about the ongoing complaint procedure and the lack of cooperation to date. As a result, the DSBA nevertheless failed to pursue the matter further by not at least informing the accused's legal department about it or, in particular, not reporting it to a board member. In connection with the position of the DSBA, it must be taken into account that in accordance with Article 38 (3) third sentence of the GDPR, it must report directly to the highest management level of the person responsible. However, despite the knowledge of the defendant's lack of cooperation and the possibility of initiating administrative criminal proceedings, the DSBA apparently did not take any further measures. The DSB informed the accused's DSBA about the ongoing complaint procedure and the lack of cooperation to date. As a result, the DSBA nevertheless failed to pursue the matter further by not at least informing the accused's legal department about it or, in particular, not reporting it to a board member. In connection with the position of the DSBA, it must be taken into account that, in accordance with Article 38, paragraph 3, third sentence of the GDPR, it must report directly to the highest management level of the person responsible. However, despite the knowledge of the defendant's lack of cooperation and the possibility of initiating administrative criminal proceedings, the DSBA apparently did not take any further measures.
However, due to the fact that the board members did not set up an effective control system with regard to the recording and forwarding of official documents and only decided to implement a “security system” after the procedure in question had been initiated, minor fault can under no circumstances be assumed.
As stated in the subjective side of the offence, there is at least conditional intent, since the accused or their employees, despite being informed about the accused's lack of cooperation in the context of a pending complaint procedure, are serious about it with reference to the obligation to cooperate in Article 31 of the GDPR have considered it possible that in the event of (further) lack of cooperation they would commit an administrative offense and that administrative criminal proceedings would be initiated as a result, and have apparently accepted the risk and the consequences. Therefore, the result fails because in the present case, as stated in the subjective side of the crime, there is at least conditional intent, since the accused or her employees, despite the information about the accused's lack of cooperation in the context of a pending complaint procedure Reference to the obligation to cooperate in Article 31, GDPR, seriously considered it possible that in the event of (further) lack of cooperation, they would commit an administrative offense and that administrative criminal proceedings would be initiated as a result, and have apparently accepted the risk and the consequences . Therefore, the result fails because no minor fault can be assumed in the present case.
3. The following must be noted regarding the sentencing:
According to Art. 83 Para. 1 GDPR Article 83, paragraph one, GDPR, the DSB must ensure that the imposition of fines for violations of the sanctioned provisions of the GDPR (Art. 83 Para. 4, 5 and 6 GDPR) in each individual case The DSB must ensure that the imposition of fines for violations of the sanctioned provisions of the GDPR (Article 83, paragraphs 4, 5 and 6 GDPR) is effective, proportionate and dissuasive in each individual case. In more detail, Art. 83 Paragraph 2 GDPR Article 83 Paragraph 2 GDPR stipulates that certain criteria must be duly taken into account in each individual case when deciding whether to impose a fine and its amount.
As part of the present penalty assessment, the data protection authority has adopted the EDPB guidelines regarding the calculation of fines under the GDPR (see EDPB Guidelines 04/2022 on the calculation of administrative fines under the GDPR, version 2.1 of May 24, 2023 - hereinafter “Fines guidelines”. “) was applied. see EDPB Guidelines 04/2022 on the calculation of administrative fines under the GDPR, version 2.1 from May 24, 2023 – hereinafter “fines guidelines”) applied.
The assessment of punishment within a statutory penalty framework is a discretionary decision that must be made according to the criteria set by the legislature (cf. VwGH 09/05/2013, 2013/09/0106). 2013/09/0106).
According to Section 19 Paragraph 1 of the VStG, Paragraph 19, Paragraph One, of the VStG, the basis for determining the punishment is the significance of the legal interest protected by criminal law and the intensity of its impairment by the act. Furthermore, depending on the purpose of the threat of punishment, the possible aggravating and mitigating reasons must be weighed up against each other, insofar as they do not already determine the threat of punishment. Particular attention must be paid to the extent of the fault. Taking into account the nature of administrative criminal law, Sections 32 to 35 of the Criminal Code are to be applied mutatis mutandis. The income and financial circumstances and any care obligations of the accused must be taken into account when calculating fines (this naturally only applies to natural persons, but can be applied analogously to legal entities); However, this only to the extent that the directly applicable provisions of the GDPR do not supersede the provisions of the VStG and to the extent required by Article 83 Para. 8 GDPR and Recital 148 with regard to the procedural guarantees to be guaranteed. The basis for determining the punishment is the significance of the legal interest protected by criminal law and the intensity of its impairment by the crime. Furthermore, depending on the purpose of the threat of punishment, the possible aggravating and mitigating reasons must be weighed up against each other, insofar as they do not already determine the threat of punishment. Particular attention must be paid to the extent of the fault. Taking into account the nature of administrative criminal law, paragraphs 32 to 35 of the Criminal Code are to be applied mutatis mutandis. The income and financial circumstances and any care obligations of the accused must be taken into account when calculating fines (this naturally only applies to natural persons, but can be applied analogously to legal entities); However, this only to the extent that the directly applicable provisions of the GDPR do not supersede the provisions of the VStG and to the extent required by Article 83, Paragraph 8, GDPR and Recital 148 with regard to the procedural guarantees to be guaranteed.
Article 83 Paragraph 3 of the GDPR Article 83, Paragraph 3 of the GDPR stipulates, in deviation from the cumulation principle standardized in Section 22 Paragraph 2 of the VStG, that in cases of the same or related processing operations (in the English language version: “the same or linked processing operations”), which intentionally or negligently violates several provisions of the GDPR, the total amount of the fine does not exceed the amount for the most serious violation. The absorption principle therefore applies within the scope of application of this provision (comparable to the combination principle standardized in Austrian criminal law in accordance with Section 28 Para. 1 StGB). Otherwise (outside the scope of application of Art. 83 Para. 3 GDPR) this occurs (comparable to the combination principle standardized in Austrian criminal law according to Paragraph 28, Paragraph One, StGB). Otherwise (outside the scope of Article 83, Paragraph 3, GDPR), the cumulation principle according to Section 22 Paragraph 2 VStG applies (cf. mwN BVwG March 12, 2020, GZ: W256 2223922-1). according to paragraph 22, paragraph 2, VStG for application see mwN BVwG March 12, 2020, GZ: W256 2223922-1).
In addition, within the meaning of Art. 83 Para. 1 GDPR Article 83, paragraph one, GDPR, it should be noted that when determining the penalty of the “total amount of the fine” using the absorption principle according to Art. 83 Para. 3 GDPR according to Article 83, Para 3, GDPR, all violations of the GDPR that have been committed must be taken into account. The wording “amount for the most serious violation” refers to the penalty range or the maximum amounts specified by law (see Article 83 Paragraphs 4 to 6 GDPR). In this regard, the EDPB noted that within the scope of application of Article 83 Para. 3 GDPR, the other violations committed cannot be de facto rejected, but must be taken into account accordingly when determining the penalty (cf. Fines Guidelines, Chapter 3 - Paragraph 43). Otherwise, this would lead to privileges for those responsible and processors who have repeatedly violated the provisions of the GDPR in the context of an established matter. “ refers to the penalty range or the legally prescribed maximum amounts (see Article 83, paragraph 4, to 6 GDPR). In this regard, the EDPB noted that within the scope of application of Article 83, paragraph 3, GDPR, the other violations committed cannot be de facto rejected, but must be taken into account accordingly when determining the penalty (see Fines Guidelines, Chapter 3 - Paragraph 43). Otherwise, this would lead to privileges for those responsible and processors who have repeatedly violated the provisions of the GDPR in the context of an established matter.
With regard to Article 83 Paragraph 3 of the GDPR, the GDPR does not otherwise contain any information about what is meant by “the same or related processing operations”. Nothing further can be found in the recitals either.
According to the Fines Guidelines, when assessing “same or related processing operations”, it must be taken into account that all obligations necessary for the lawful implementation of the processing operations can be taken into account. The wording (especially in the English language version) suggests that the scope of Article 83 (3) GDPR includes any violation that can be taken into account. The wording (particularly in the English language version) suggests that the scope of Article 83, paragraph 3, GDPR includes any infringement that relates to and may affect the same (“same”) or related processing operations ( see Fines guidelines, chapter 3 – margin no. 27 f). In this context, the Federal Administrative Court pointed out that, according to general usage, those cases in which “ refers to and can have an impact on” must also be subsumed under this provision (see Fines Guidelines, Chapter 3 – Paragraph 27 f). In this context, the Federal Administrative Court pointed out that, according to general usage, those cases in which several criminal offenses were committed through “one and the same act (processing)” should also be included under this provision and also referred to the English language version ( see mwN BVwG 12.03.2020, GZ: W256 2223922-1).” several criminal offenses were committed and also referred to the English language version see mwN BVwG 12.03.2020, GZ: W256 2223922-1).
In the light of these statements, the absorption principle according to Article 83, Paragraph 3 of the GDPR applies in this specific case. The penalty range results from the most serious violation (penalty range according to Art. 83 Para. 4 GDPRArticle 83, Paragraph 4, GDPR).
Pursuant to Article 83 Paragraph 4Article 83, Paragraph 4, GDPR, in the case of the violations mentioned therein, in accordance with paragraph 2, fines of up to 10,000 000 or, in the case of a company, up to 2% of its total worldwide annual turnover for the previous financial year, whichever is higher.
As established, the accused achieved an annual turnover of EUR 176.*88.4*1.34. Applying the Fines Guidelines, the defendant is classified in the category (“Undertakings with a turnover of €100m up to €250m”) in relation to its turnover and with a view to the imposition of an effective, dissuasive and proportionate fine. This classification takes due account of the size of the company, in particular to ensure the proportionality of the fine.
The penalty range in the specific case therefore extends to an amount of EUR 10,000,000 (static penalty range) in accordance with Article 83, Paragraph 4 of the GDPR. The dynamic penalty range (2% of annual turnover) does not apply.
In light of the facts assumed to have been proven and taking into account the nature, severity and duration of the violation (Article 83, paragraph 2, letter a, GDPR [Editor's note: in the original due to a obvious editorial oversight “Art. 83 Para. 1 lit. a GDPR”] [Editor’s note: in the original due to an obvious editorial oversight “Art. 83 Para 83 Para. 2 lit 2, Litera g, GDPR), the data protection authority determines the seriousness of the infringement to be low (“low level of seriousness”).
In relation to the present case, (beyond the criteria already taken into account for determining the level of severity in accordance with Article 83 Paragraph 2 Letters a, b and g GDPRArticle 83 Paragraph 2 Letters a, b and g GDPR [Editor's note /in: in the original due to an obvious editorial oversight “Art. 83 Para. 1 lit. 83 paragraph one, letters a, b and g GDPR]) the following is taken into account when determining the sentence:
n/a
In relation to the facts at hand, the following was also taken into account as a mitigating factor when determining the sentence:
The data protection authority has no previous relevant violations of the GDPR against the accused
The accused participated at least within the scope of the investigation in question and thereby made a contribution to finding the truth by, in particular, not denying the alleged facts or the lack of cooperation in the complaint proceedings and fully admitting her lack of cooperation due to internal deficiencies. The accused showed understanding, was remorseful and made a confession. This was taken into account as significantly mitigating the punishment.
The measures taken by the accused in response to the administrative criminal proceedings and identified by the DSB were also taken into account, but it was particularly important to take into account that the introduction of the “security system” for official documents as well as the internal training for the processes had a direct connection to the violation in question exhibit. The examination (by an external consultant) of the remaining obligations of the accused in their role as responsible parties was not part of the proceedings or was not directly related to the violation.
According to the established jurisprudence of the VwGH, considerations of special prevention and general prevention may also be taken into account when determining the punishment (see VwGH May 15, 1990, 89/02/0093, VwGH April 22, 1997, 96/04/0253, VwGH January 29, 1991, 89 /04/0061). In the opinion of the DSB, the imposition of the specific fine should be included see VwGH 15.5.1990, 89/02/0093, VwGH 22.4.1997, 96/04/0253, VwGH 29.1.1991, 89/04/0061). In the opinion of the DSB, the imposition of the specific fine was not necessary in the sense of special prevention in order to deter the accused from committing further criminal offenses of the same type. Based on the measures taken, the DSB assumes that the accused will respond to DSB inquiries in the future and participate in the respective proceedings. However, the imposition of the fine was necessary in the sense of general prevention in order to sensitize those responsible and processors, particularly in connection with their obligation to cooperate under Article 31 of the GDPR.
The concrete penalty imposed as a result of EUR 10,000 therefore appears in view of the realized value of the crime, measured against the available penalty range of Article 83 Para. 4 GDPR (here up to EUR 10,000,000) in conjunction with this The defendant's annual turnover of approximately EUR 176 million therefore appears in view of the realized value of the crime, measured against the available penalty range of Article 83, Paragraph 4, GDPR (here up to EUR 10,000,000) in conjunction with the annual turnover achieved of the accused in the amount of approximately EUR 176 million is appropriate for the offense and guilt and is at the lowest end of the available penalty range (0.1% of the penalty range!). In this context, it can finally be pointed out that, as already stated above, the DSB determined the seriousness of the infringement as “low” and, within the framework of this category, also set the starting amount for further calculations at the lowest end.
