DSB (Austria) - 2023-0.789.858

DSB - 2023-0.789.858
Authority:	DSB (Austria)
Jurisdiction:	Austria
Relevant Law:	Article 12(3) GDPR Article 15 GDPR Article 83 GDPR Article 83(2)(b) GDPR
Type:	Complaint
Outcome:	Upheld
Started:	24.02.2023
Decided:	11.12.2023
Published:	15.01.2024
Fine:	9,500 EUR
Parties:	n/a
National Case Number/Name:	2023-0.789.858
European Case Law Identifier:	ECLI:AT:DSB:2023:2023.0.789.858.
Appeal:	Not appealed
Original Language(s):	German
Original Source:	RIS (in DE)
Initial Contributor:	co

The Austrian DPA imposed a fine in the amount of €9,500 on a controller for failing to comply with an access request of a data subject and instead deleting their personal data.

English Summary

Facts

On 23 January 2023, a data subject filed an access request under Article 15 GDPR with an Austrian Bank she was a client of. Since the data subject did not receive any information within one month from the request, she felt that her right to access had been violated by the bank, as a controller, and filed a complaint with the Austrian DPA on 24 February 2023.

The data subject submitted that she received an email from the controller on 2 March 2023 stating that they would proceed with the deletion of her personal data, even though she did not request deletion but access to her data.

In its submissions, the controller only claimed that it complied with the request of deletion of the data subject.

The DSB thus asked the controller to show the deletion request of the data subject and the controller submitted the access request of 23 January 2023.

Holding

The DSB found that it was clear that the controller wrongfully took the access request of the data subject as a deletion request. Hence, the DSB held that the controller had violated the data subject’s right to access to her personal data, thus acting contrary to Article 15 GDPR and Article 12(3) GDPR.

Further, the DSB started a sanctioning procedure against the controller and allowed it to bring arguments in its defence. The controller could only state that the DPO was mistaken about the request and thus proceeded with a deletion procedure. Further, the controller submitted that it would hire another employee to help with data protection issues and that it would consider external consultancy for future data subject requests.

On 21 August 2023, the DSB suspended the sanctioning proceedings until the CJEU would issue its judgment in case C-807/21, which was published on 5 December 2023.

Taking into account the yearly turnover of the controller and the nature of the violation, which was clear and unjustified in this case the DSB further assessed whether the conduct of the DPO could be attributed to the controller in order to impose a fine under Article 83(5) GDPR. Making reference to the CJEU Judgment in case C-807/21, the DSB considered that such conduct is attributable to the controller as a legal person if the violation could first be attributed to a natural person who acts in the context of economic activities of the controller on its behalf. In this case, the DSB concluded that the conduct of the DPO is clearly attributable to the controller. Moreover, the DSB referred to the subjective element of whether the controller acted intentionally or negligently was intentional or negligent in violating the GDPR. In this respect, the DSB could not find any elements proving that the controller acted intentionally, as neither the controller nor the DPO himself could understand how such a mistake had happened. Thus, the DSB held that the controller acted negligently under Article 83(2)(b) GDPR.

In light of all this, the DSB took into account the criteria in Article 83(2) GDPR and the EDPB Guidelines 04/2022 on the calculation of administrative fines under the GDPR, and it categorised the violation with a low level of seriousness, also because it only concerned one data subject. Hence, considering also some mitigating factors, the DSB held that a fine in the amount of €9,500 was appropriate for the purpose of preventing future violations and raise awareness on the controller’s obligations under Articles 12 to 22 GDPR.

Comment

This decision by the DSB is an important one as it counts among the very few in which a fine was imposed on a legal entity. As a matter of fact, the DSB has imposed fines on individuals, as controllers in several occasions, but it has always been reluctant to do so against legal entities acting as controllers, even when blatantly violating the GDPR. Hopefully, this marks a change in approach by the DSB.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

text

GZ: 2023-0,789,858 from December 11, 2023 (Procedure number: DSB-D550,834)

[Editor's note: Names and companies, legal forms and product names, addresses (including URLs, IP and email addresses), file numbers (and the like), etc., as well as their initials and abbreviations may be abbreviated for pseudonymization reasons and/ or be changed. Obvious spelling, grammar and punctuation errors have been corrected.

Penalty finding

Accused legal entity: C*** Bank AG (FN *3*9*5p)

The accused legal entity, based in **** I***stadt, T***platz *2 (hereinafter “C***B”), is the responsible party in accordance with Art. 4 Z 7 of the Regulation (EU). 2016/679 on the protection of natural persons with regard to the processing of personal data, on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter: “GDPR”), OJ L 119 of 04/05/2016, P. 1 as amended, the following facts were realized and the following administrative offense was thereby committed: The accused legal entity with its registered office in **** I***stadt, T***platz *2 (hereinafter “C***B”), has as controller in accordance with Article 4, paragraph 7, of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data, on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter: " GDPR"), OJ No. L 119 of May 4, 2016, p. 1 as amended, realized the following facts and thereby committed the following administrative offense:

In its role as responsible party, C***B has one in **** I***stadt, T***platz *2, for an unspecified period of time, but at least between January 23rd, 2023 and February 20th, 2023 The person concerned (Dr. Luise O***) violated their right to information in accordance with Art. 15 GDPR by not providing any information within the meaning of Art. 12 in conjunction with Article 15 Para personal data that it processed from the person concerned at the time of receipt of the request for information, but treated this request internally as a request for deletion and subsequently deleted the data. In addition, only general information was provided to those affected. By deleting the data instead of providing information, the data subject's right to information was violated. C***B, in its role as responsible party, in a period that cannot be determined in more detail, but in any case between January 23rd, 2023 to February 20th, 2023 **** I***stadt, T***platz *2, a data subject (Dr. Luise O***) violated her right to information in accordance with Article 15 of the GDPR by, at the request of the data subject January 23, 2023 did not provide any information within the meaning of Article 12, in conjunction with Article 15 paragraph one, of the GDPR regarding the personal data that it processed from the data subject at the time of receipt of the request for information, but rather treated this request internally as a request for deletion and subsequently deleted the data. In addition, only general information was provided to those affected. By deleting the data instead of providing information, the data subject's right to information was violated.

Administrative offense according to:

Art. 15 Paragraph 1 in conjunction with Art. 83 Paragraph 1 and 5 Letter b GDPR OJ L 2016/119, p. GDPR OJ L 2016/119, p. 1, as amended

Due to this administrative violation, the following penalty is imposed in accordance with Article 83 of the GDPR: Due to this administrative violation, the following penalty is imposed in accordance with Article 83 of the GDPR:

Fine of euros

according to

€9,500

Art 83 Paragraph 5 Letter b GDPR OJ L 2016/119, p. 1, as amended Article 83, Paragraph 5, Letter b, GDPR OJ L 2016/119, p. 1, as amended

Furthermore, you must pay in accordance with Section 64 of the Administrative Penalties Act 1991 - VStG: Furthermore, in accordance with Section 64 of the Administrative Penalties Act 1991 - VStG, you must pay:

950,-

Euros as a contribution to the costs of the criminal proceedings, which is 10% of the fine, but at least 10 Euros;



Euros as a replacement for cash expenses



The total amount payable (penalty/costs/cash expenses) is therefore

10,450,-

Euro

Payment deadline:

If no complaint is made, this penalty is immediately enforceable. In this case, the total amount must be paid into the account [shortened here] in the name of the data protection authority within two weeks of the entry into legal force. The business number and the completion date should be stated as the intended purpose.

If no payment is made within this period, the total amount can be collected. In this case, a flat-rate contribution of five euros must be paid. If payment is still not made, the outstanding amount will be enforced.

Reason:

1.     The following facts relevant to the decision are established based on the evidence procedure carried out:

1.1. A data subject (Dr. Luise O***) submitted a request for information to C***B in accordance with Art. 15 GDPR in a letter dated January 23, 2023. The person concerned handed the request for information personally to C***B (at a counter in **** I***stadt, T***platz *2). There was a business relationship between C***B and the data subject. A data subject (Dr. Luise O***) submitted a request for information to C***B in accordance with Article 15, GDPR, in a letter dated January 23, 2023. The person concerned handed the request for information personally to C***B (at a counter in **** I***stadt, T***platz *2). There was a business relationship between C***B and the person concerned.

1.2. There was no response from C***B. The person concerned did not receive any information regarding the measures taken in response to her request for information within a month.

1.3. The person concerned felt that their right to information had been violated and subsequently submitted a complaint to the data protection authority in accordance with Art. 77 GDPR in conjunction with Section 24 DSG against C***B on February 24, 2023. The person concerned felt that this meant that they were infringed violated their right to information and subsequently lodged a complaint against C***B with the data protection authority in accordance with Article 77, GDPR in conjunction with Paragraph 24, DSG on February 24, 2023.

1.4. The data protection authority then initiated a complaint procedure regarding GZ: D124.0368/23 and asked C***B to comment.

1.5. On March 2, 2023, the data subject informed the data protection authority by email that he had received a letter from C***B today. In it, C***B confirmed receipt of her request on January 23, 2023 and also the deletion of her personal data. The person concerned could not understand this because she did not submit a request for deletion, but rather for information. Specifically, C***B stated the following in the letter (dated February 20, 2023) (note: underlining by the data protection authority): “We received your request to delete your personal data on January 23, 2023. “We will comply with your request within one month.”

1.6. The specific time of deletion could not be determined. However, the deletion was carried out between January 23, 2023 and February 20, 2023.

1.7. In response to the request for comment from the data protection authority, C***B announced that, as previously reported by the data subject, they had complied with the data subject's request for deletion. The accused limited the statement to fulfilling the data subject's request for deletion.

1.8. The data protection authority was unable to understand the deletion and asked C***B to submit the specific request for deletion from those affected.

1.9. C***B subsequently received the request for information dated January 23, 2023.

1.10. With a decision dated May 17, 2023 (GZ: D124.0368/23 - 2023-0.282.190), the complaint procedure was settled and it was determined that the person concerned's right to information was violated by C***B because of the request for information those affected were not complied with. The decision became legally binding due to a lack of legal recourse.

1.11. The data protection authority subsequently initiated administrative criminal proceedings against the accused and, in a letter dated July 3, 2023, asked her to justify and disclose her annual turnover.

1.12. After an extension of the deadline, the accused admitted the alleged offense and stated that “the data protection officer responsible for issuing requests for information” (Mr. Mag. D***) had unfortunately “legally erred” in assuming that the person concerned was a The data protection officer (hereinafter “DSBA”) requested that their data be deleted and was also mistaken during the complaint procedure. The DSBA itself cannot understand why this error occurred on its part. It is difficult for both the accused and the DSBA to understand why the requested information was not provided at the latest during the complaint procedure in order to “eliminate the violation”.

1.13. Regarding the process regarding the treatment of the rights of those affected, C***B stated that the DSBA receives these from the respective customer advisors and processes them within the statutory deadline. It was announced to the person concerned that C***B had a business relationship with her and that this had to be ended. Their products (savings books) had to be liquidated. Against this background of the termination of the contract, the DSBA incorrectly assumed that those affected wanted to assert their right to deletion. The accused cannot understand why the DSBA made this error during the complaint process.

1.14. Regarding the support of the DSBA, the defendant stated that she is currently looking for a full-time employee for “data protection agendas”. In addition, it was decided that external legal advice would be sought for future complaint procedures. If the data protection authority initiates proceedings against C***B in the future, the letter will be sent to the external legal representation “as an additional pair of external eyes”. This is intended to prevent similar violations in the future.

1.15. Finally, the accused stated that (in response to the decision in the complaint procedure) the person concerned was subsequently given information.

1.16. With a decision dated August 21, 2023 (GZ: D550.834 / 2023-0.586.049), the DSB suspended the administrative criminal proceedings in question in accordance with Section 24 VStG in conjunction with Section 38 AVG until the final decision by the Court of Justice of the European Union (ECJ) in case C -807/21 (Deutsche Wohnen SE). This suspension decision became legally binding due to a lack of legal remedies. With a decision dated August 21, 2023 (GZ: D550.834 / 2023-0.586.049), the DSB enforced the administrative criminal proceedings in question in accordance with Section 24, VStG in conjunction with Section 38, AVG until the final decision was made the Court of Justice of the European Union (ECJ) in case C-807/21 (Deutsche Wohnen SE). This suspension decision became legally binding due to a lack of legal recourse.

1.17. In a letter dated December 5, 2023, the DSB lifted the suspension decision of August 21, 2023 ex officio and continued the administrative criminal proceedings - taking into account the judgment of December 5, 2023 of the ECJ in case C-807/21.

1.18. In the 2022 financial year, the accused achieved annual sales totaling EUR 98.1*3.4**.43 (operating income - profit and loss account).

2.     The findings are made based on the following assessment of evidence:

2.1. The findings were essentially made through inspection of the administrative file relating to the above-mentioned complaint procedure as well as the file components of the administrative criminal proceedings in question. In addition, the accused did not contradict the findings made after a request for justification (“the subject of the justification is only the amount of the sentence” – point 4.2 of her written justification). The accused admitted the crime and referred to a one-off error by the DSBA.

2.2. The findings on the annual turnover (operating income of C***B in 2022) are based on the accused's own statements as part of their written justification (point 3.4). The accused also submitted its profit and loss statement for the 2022 financial year (Exhibit 5 for written justification). There is no doubt about its authenticity and correctness. By submitting Exhibit 5, the accused was able to clearly demonstrate her annual turnover.

2.3. The findings regarding the business relationship between C***B and the person concerned are also based on the accused's own statements as part of their written justification (point 2.3) and are therefore undisputed.

2.4. The relevant facts could therefore be established unequivocally and completely based on the available files.

2.5. Only the time of deletion could not be determined - contrary to the obligation to account under Article 5 Para. 2 GDPR - due to a lack of information from the accused. However, it emerged from the complaint of those affected and the reaction of the accused that the deletion was carried out in a period between receipt of the request for information (January 23, 2023) and the reply letter from C***B dated February 20, 2023. Only the The time of deletion could not be determined - contrary to the obligation to account under Article 5, Paragraph 2, GDPR - due to a lack of information from the accused. However, it emerged from the complaint of those affected and the reaction of the accused that the deletion was carried out in a period between receipt of the request for information (January 23, 2023) and C***B's response letter of February 20, 2023.

3.     Legally it follows:

3.1. On the responsibility of the data protection authority (DPO) and scope of application of the GDPR

Art. 83 Para. 5 lit a company can be fined up to 4% of its total worldwide annual turnover in the previous financial year, whichever is higher. stipulates that for violations of the rights of data subjects in accordance with Articles 12 to 22 of the GDPR, fines of up to 20,000,000 euros or, in the case of a company, of up to 4% of its total worldwide annual turnover of the previous financial year may be imposed, depending depending on which of the amounts is higher.

According to Section 22 Para. 5 DSG Paragraph 22, Paragraph 5, DSG, the responsibility for imposing fines on natural and legal persons for Austria as the national supervisory authority lies with the DSB.

According to Article 2 Paragraph 1 GDPRArticle 2, Paragraph One, GDPR, the Regulation applies to the fully or partially automated processing of personal data as well as to the non-automated processing of personal data stored or intended to be stored in a file system.

In the present case, there were no indications that the GDPR would not apply. The accused stated that she processed personal data of those affected during the course of the business relationship and also after it ended. There was therefore an obligation to provide information with regard to the data that it was processing at the time of the request for information. In light of the facts assumed to be proven, the accused is also to be qualified as the person responsible in accordance with Article 4, Paragraph 7 of the GDPR. The accused also did not deny her role as responsible party. As the person responsible, the accused is the recipient of the relevant (punishable) obligations of the GDPR in connection with the handling and guaranteeing of requests from those affected within the meaning of Art. 12 GDPR, which will be examined in more detail below. to qualify. The accused also did not deny her role as responsible party. As the person responsible, the accused is the recipient of the relevant (punishable) obligations of the GDPR in connection with the handling and guaranteeing of requests from those affected within the meaning of Article 12, GDPR, which will be examined in more detail below.

3.2. On the violation of the right to information (objective side of the crime)

According to Art. 15 Para. 1 GDPRArticle 15, paragraph one, GDPR, the data subject has the right to request confirmation from the controller as to whether personal data concerning him or her is being processed; If this is the case, you have the right to information about this personal data. The data subject must be provided with several pieces of information (see also Recital 63 GDPR). In accordance with Article 15 Paragraph 3 GDPRArticle 15 Paragraph 3 GDPR, the controller provides a copy of the personal data that is the subject of processing.

The right to information according to Art. 15 GDPRArticle 15, GDPR is the pivotal point for the data subject to be able to check the lawfulness of the processing and also the assertion of the remaining rights of the data subject. The right to information is guaranteed by the constitution (Section 1 Paragraph 3 Z 1 DSG)(Paragraph One, Paragraph 3, Number One, DSG) and is also set out in Article 8 Paragraph 2 EU-GRCArticle 8, Paragraph 2, EU-GRC standardized. As a rule, it is only by exercising the right to information that a data subject is able to assert their further rights (cf. ECJ of December 20, 2017, C‑434/16, paragraph 57). However, the provisions according to Art. 15 Para. 1 and 2 GDPR only standardize the standard. As a rule, it is only by exercising the right to information that a data subject is put in a position to assert their further rights (see ECJ of December 20, 2017, C‑434/16, paragraph 57). However, the provisions of Article 15, paragraphs one and 2 of the GDPR only standardize the content of the right to information. With regard to guaranteeing the rights of those affected, the general obligations for those responsible are standardized in Article 12, GDPR. With regard to guaranteeing the rights of those affected, the general obligations for those responsible are standardized in Article 12, GDPR.

Pursuant to Article 12(1) GDPRArticle 12, paragraph one, GDPR, the controller shall take appropriate measures to provide the data subject with all information pursuant to Articles 13 and 14 and all communications pursuant to Articles 15 to 22 and Article 34 relating to the processing in a precise, transparent, understandable and easily accessible form, using clear and simple language. According to Art. 12 Para. 3 GDPRArticle 12, Paragraph 3, GDPR, the person responsible for the data subject must immediately provide information about the measures taken upon request in accordance with Articles 15 to 22 GDPR, but in any case the person responsible for the data subject must provide information about the upon request in accordance with Articles 15 to 22 GDPR, the measures taken shall be made available immediately, but in any case within one month of receipt of the request. This deadline may be extended by a further two months in certain circumstances, but the person concerned must be informed of any extension, together with the reasons for the delay, within one month.

According to the DSB's ruling practice, the deletion of personal data (in addition to disregarding the principle under Article 5 Para. 1 lit. a GDPR) represents a According to the DSB ruling practice, the deletion of personal data (in addition to disregarding the principle under Article 5 , paragraph one, letter a, GDPR) constitutes a violation of the right to information if this is carried out by the person responsible after receipt of the request for information (DSB dated June 27, 2019, DSB-D124.071/0005-DSB/2019).

In the present case, at the time of receipt of the request for information, the accused processed the data subject's personal data for the purposes of the business relationship and the data subject expressly and exclusively asserted the right to information in his application dated January 23, 2023.

The accused has already violated the data subject's right to information by not processing their application in accordance with Article 12, Paragraph 3 of the GDPR within one month or by not informing them of the measures taken in accordance with Article 12, Paragraph 3 of the GDPR within one month or she was not informed about the measures taken (there was initially no reaction from the accused). Only after submitting a complaint to the data protection authority and a request for a statement did the accused send a reply letter dated February 20, 2023 to those affected on March 2nd, 2023.

However, in the above-mentioned reply letter from the accused, the person concerned was not given any information within the meaning of Article 12 in conjunction with Article 15 GDPR, as requested by her, but rather the (unrequested) Deletion of your data confirmed. In addition, only general information was provided and reference was made to “statutory retention periods” (there was also reference to an enclosed list of “deletion and retention periods”), but this list was not presented to either the data subject or the DPO during the complaint process ). As a result, the accused violated the data subject's right to information in accordance with Art. 15 GDPR. However, this list was not presented to either the data subject or the DPO during the complaint procedure). As a result, the accused violated the data subject's right to information in accordance with Article 15 of the GDPR.

The objective side of the administrative violation in question is ultimately fulfilled.

3.3. On the criminal liability of the accused as a legal person

The requirements for the imposition of fines against both natural persons and legal entities are standardized in Article 83 GDPR. However, the national legislature has standardized further “general conditions for the imposition of fines” in Section 30 Paragraphs 1 and 2 DSGParagraph 30, paragraph one, and 2 DSG.

According to § 30 para. 1 DSGParagraph 30, paragraph one, DSG, the data protection authority can impose fines on a legal entity if violations of the provisions of the GDPR were committed by persons who acted either alone or as part of an organ of the legal entity and in a management position within the legal entity due to (1) the power to represent the legal entity (2) the power to make decisions on behalf of the legal entity or (3) a control power within the legal entity.

Legal persons can be held responsible for violations of the provisions of the GDPR in accordance with Section 30 Paragraph 2 of the GDPR, Paragraph 30, Paragraph 2 of the DSG, even in cases where a lack of supervision or control by a person named in Section 30 Paragraph 1 of the DSG results in the commission of these violations by a person working for the legal entity shall also be held liable in those cases if a lack of supervision or control by a person referred to in paragraph 30, paragraph one, of the DSG enabled the commission of these violations by a person working for the legal entity ( lack of control and supervision) unless the act constitutes a criminal offense within the jurisdiction of the courts.

In its ruling of May 12, 2020 on Ro 2019/04/0229, the Administrative Court dealt for the first time with the applicability of the criminal liability requirements of Section 30 DSG in proceedings pursuant to Art dealt with the applicability of the criminal liability requirements of Section 30, DSG in a procedure according to Article 83, GDPR and in this context determined that a legal person cannot act on its own and therefore its criminal liability according to Section 30 DSG can be a consequence of the act itself and therefore their criminal liability according to Section 30, DSG a consequence of the factual, illegal and culpable behavior of a natural (managerial) person within the meaning of Section 30 Paragraph 1 DSG, Paragraph one, DSG is. Accordingly, in order for the act of persecution directed against the legal person to be effective, it is necessary to accurately describe the act of the natural person (or the so-called “attributable person”). The attribution of the specific act by the leader to the legal entity must be included in the verdict and the person attributable must also be named as an identified natural person (cf. VwGH May 12, 2020, Ro 2019/04/0229, mwN). In other words: In a procedure pursuant to Art. 83 GDPR, the data protection authority must, in the decision of the penal decision, attribute the natural (managerial) person whose violation of the GDPR or the DSG to the legal person responsible within the meaning of Art. 4 Z 7 GDPR should be named by name in order to be able to subsequently impose a fine in accordance with Art. 83 GDPR against the person responsible as a legal entity. This attributable person is to be listed as a defendant in the administrative criminal proceedings against the legal entity and per se has party status (see VwGH May 12, 2020, Ro 2019/04/0229, with further references). In other words: In a procedure under Article 83, GDPR, the data protection authority must issue a criminal judgment against the natural (managerial) person whose violation of the GDPR or the DSG is the legal entity responsible within the meaning of Article 4, Section 7, GDPR should be attributed, name it in order to be able to subsequently impose a fine in accordance with Article 83 of the GDPR against the person responsible as a legal entity. This attributable person is to be listed as a defendant in the administrative criminal proceedings against the legal entity and has party status per se see Zaczek, The association responsibility model of Article 83 GDPR, in , The association responsibility model of Article 83, GDPR, in Jahnel (ed.), Yearbook Data Protection Law 2020, p . 257 ff).

By decision of December 6, 2021, the Berlin Court of Appeal asked the ECJ as part of a request for a preliminary ruling under Article 267 TFEU for an interpretation of Article 83 of the GDPR can be affected in the fine proceedings due to a violation of Article 83 GDPR and in this context presented the following questions with regard to the question of whether a company can be directly affected in the fine proceedings due to a violation of Article 83 GDPR and presented the following in this context questions

1.     Is Article 83 Paragraphs 4 to 6 GDPR to be interpreted as meaning that it incorporates the functional company concept assigned to Articles 101 and 102 TFEU and the function holder principle into domestic law with the result that, by expanding the legal entity principle underlying Section 30 OWiG a fine can be brought directly against a company and the fine does not require the establishment of an administrative offense committed by a natural and identified person, possibly fully criminally committed? Should Article 83, paragraphs 4, to 6 of the GDPR be interpreted as meaning Article 101 , and 102 TFEU and the functional entity principle are incorporated into domestic law with the result that, by extending the legal entity principle underlying Section 30, OWiG, fine proceedings can be conducted directly against a company and the fine does not depend on the determination of a natural and identified entity an administrative offense committed by a person, possibly fully criminal?

2.     If the answer to question 1 is yes: Should Article 83 Paragraphs 4 to 6 of the GDPR be interpreted as meaning that the company must have culpably committed the violation mediated by an employee (cf. Article 23 of the Regulation (EC ) No. 1/2003 of the Council of December 16, 2002 on the implementation of the competition rules laid down in Articles 81 and 82 of the Treaty), or is an objective breach of duty attributable to the company sufficient in principle to impose a fine (“strict liability”) )?If the answer to question 1 is yes: Should Article 83, paragraph 4, to 6 GDPR be interpreted as meaning that the company must have culpably committed the violation mediated by an employee, see Article 23 of Regulation (EC) No 1/2003 of the Council of December 16, 2002 on the implementation of the competition rules laid down in Articles 81 and 82 of the Treaty), or is an objective breach of duty attributable to it sufficient for a company to be fined ("strict liability")?

Due to the preliminary ruling request from the Berlin Court of Appeal, it was questionable whether the provisions of Section 30 Paragraphs 1 and 2 DSG Paragraph 30, paragraphs one and 2 DSG may even be applied because they could violate the directly applicable provisions of the GDPR, and whether The VwGH's statements in its ruling cited above on the criminal liability of legal entities in proceedings under Art. 83 GDPR could be upheld. Since the ECJ's decision on these questions may be applied at all because they could violate the directly applicable provisions of the GDPR, and whether the VwGH's statements in its ruling cited above on the criminal liability of legal entities in proceedings under Article 83, GDPR are upheld could. Since the ECJ's decision on these questions had a prejudicial effect on the proceedings in question, the administrative criminal proceedings were suspended.

The ECJ finally held in the judgment of December 5, 2023 that the directly applicable provisions according to Article 58 Paragraph 2 Letter i and Article 83 Paragraph 1 to 6 GDPR Article 58 Paragraph 2 Litera i and Article 83 Paragraph One , up to 6 GDPR are to be interpreted as contradicting a national regulation according to which a fine can only be imposed on a legal person in its capacity as controller for a violation referred to in Article 83 Paragraphs 4 to 6 GDPR if this violation previously one, according to which a fine for a violation referred to in Article 83, paragraphs 4 to 6 GDPR can only be imposed on a legal person in its capacity as controller if this violation was previously attributed to an identified natural person.

In this context, the ECJ stated that legal entities are liable not only for infringements committed by their representatives, directors or managers, but also for infringements committed by any other person acting in the course of their business activities and on behalf of them of the legal entity. It must also be possible to impose the fines provided for in Article 83 of the GDPR. In addition, it must be possible to impose the fines provided for in Article 83 of the GDPR directly against legal entities (cf. ECJ of December 5, 2023, C-807/21, paragraph 44). 807/21, Rz 44).

The (material) requirements for the imposition of fines by supervisory authorities are regulated precisely and without any discretion for the Member States in Article 83, Paragraphs 1 to 6 of the GDPR. The GDPR does not contain any provision that the imposition of a fine on a legal entity as controller is conditional on a prior determination that that infringement was committed by an identified natural person. The GDPR only grants the Member States the possibility/authority to provide for requirements regarding the procedure to be used by the supervisory authorities when imposing a fine, but in no way goes beyond these procedural requirements to standardize substantive requirements that are in addition to those in Article 83 (1). and 6 GDPR was committed. The GDPR only grants Member States the possibility/authority to lay down requirements for the procedure to be followed by the supervisory authorities when imposing a fine, but in no way goes beyond these procedural requirements to standardize substantive requirements that are in addition to those in Article 83, paragraph one, and 6 GDPR (cf. ECJ C-807/21, paragraph 45 ff). see ECJ C-807/21, paragraph 45 ff).

The requirements for the imposition of a fine in accordance with Article 83 of the GDPR are therefore determined exclusively by Union law. There are no opening clauses for the Member States in this context.

The ECJ concluded that a national regulation that stipulates additional requirements for the imposition of fines in accordance with Article 83 of the GDPR violates Article 83 (1) of the GDPR because it violates the requirements for the imposition of fines in accordance with Article 83 of the GDPR normed, violates Article 83, paragraph one, GDPR because it weakens the effectiveness and deterrent effect of fines imposed on legal entities. It must be taken into account that fines are a key element of the GDPR and serve to enforce the objectives of this regulation or to ensure the protection of the rights of data subjects and to ensure a high level of protection throughout the Union (cf. ECJ C-807/21, paragraphs 51 and 73). . As a result, the ECJ found that the conditions for the imposition of a fine in accordance with Art. 83 GDPR (see ECJ C-807/21, paragraphs 51 and 73). As a result, the ECJ found that the requirements for the imposition of a fine under Article 83 of the GDPR are regulated conclusively in Article 83, Paragraphs 1 to 6 of the GDPR and are regulated in Article 83, Paragraphs 1 to 6 of the GDPR (paragraph 53).

3.4. On the subjective side of the crime

With regard to the second question referred, the ECJ has now explicitly stated, as already accepted by the data protection authority in its previous rulings, that only violations of provisions of the GDPR that the person responsible commits culpably, i.e. intentionally or negligently, lead to the imposition of a fine can (cf. ECJ of December 5, 2023, C-807/21, paragraph 68). commits, can lead to the imposition of a fine (see ECJ of December 5, 2023, C-807/21, paragraph 68).

With regard to the subjective side of the offense, it must be taken into account that the requirement of fault for the imposition of a fine under Article 83 GDPR should be interpreted autonomously within the Union and should be assessed in particular in the light of the case law of the ECJ. With regard to the question referred with regard to culpability, the ECJ also found that the Member States were not granted any discretion in this context by the Union legislature for national regulations, since the material requirements are conclusively regulated in Article 83 Paragraphs 1 to 6 of the GDPR Article 83, paragraph one, to 6 GDPR are precisely regulated (see also ECJ of December 5th, 2023, C-683/21, paragraph 64 ff). See also ECJ of December 5th, 2023, C-683/21, paragraph 64 ff).

Regarding the question of whether an infringement was committed intentionally or negligently and can therefore be punished with a fine, the ECJ made it clear in its judgment cited above that such negligence already exists if the accused is not aware of the illegality of his behavior It could be unclear whether he was aware that he was violating the provisions of the GDPR (see ECJ C-807/21, paragraph 76). see ECJ C-807/21, paragraph 76).

With reference to further case law, the ECJ also expressly clarified that the application of Article 83 GDPR towards legal persons. With reference to further case law, the ECJ also expressly clarified that the application of Article 83 GDPR towards legal persons is not an act once requires knowledge on the part of the management body of this legal entity (cf. ECJ of December 5, 2023, C-807/21, paragraph 77). see ECJ of December 5, 2023, C-807/21, paragraph 77).

The responsibility and liability of a person responsible extends to any processing of personal data carried out by or on behalf of him. In this context, the controller must not only take appropriate and effective measures, but he must also be able to demonstrate that his processing activities are in accordance with the GDPR and that the measures he has taken to ensure this compliance are also effective (cf. ECJ C-807/21, Rz 38, with reference to Recital 74). see ECJ C-807/21, paragraph 38, with reference to recital 74).

Applied to this case, this means the following:

First of all, it should be noted that during the investigation there was no evidence that the violations in question were committed by a person who was not acting within the scope of the entrepreneurial activity and on behalf of the legal entity. The accused herself stated that the request for information in question was processed by the DSBA on behalf of the accused. However, as already stated above, it is not the DSBA that is responsible for handling the request, but rather the accused in her role in accordance with Art. 4 Z 7 GDPR (see also Art. 5 Para. 2 GDPR). acted within the scope of the entrepreneurial activity and on behalf of the legal entity. The accused herself stated that the request for information in question was processed by the DSBA on behalf of the accused. However, as already stated above, it is not the DSBA that is responsible for handling the request, but rather the accused in their role in accordance with Article 4, Paragraph 7, GDPR (see also Article 5, Paragraph 2, GDPR).

However, according to the ECJ ruling, in order to impose a fine on a legal entity, it is not necessary for the data protection authority to cite in its decision an identified natural person who acted in the context of the business activity and on behalf of the legal entity and the actions of this person person is attributed to the legal entity. In the present case, it is therefore not relevant to the decision whether and which board member of the accused (or manager within the meaning of Section 30 (1) DSG) is responsible for the violations in question. In this context, the ECJ expressly made it clear that no action and whether and which board member of the accused (or manager within the meaning of paragraph 30, paragraph one, DSG) is responsible for the violations in question. In this context, the ECJ expressly made it clear that no action or even knowledge of the violation on the part of the management body is necessary for the application of Article 83 GDPR (paragraph 77). It can therefore remain unclear whether the board members breached their supervisory duty towards the DSBA due to an objective breach of care. is required for the application of Article 83, GDPR (paragraph 77). It can therefore remain unclear whether the board members breached their supervisory duty towards the DSBA due to an objective breach of care.

In other words: The guilt of the accused in the present case is assessed based on the behavior of the DSBA and there is no need for a breach of supervisory duty by a manager within the meaning of Section 30 Paragraph 2 DSG in order to attribute the behavior of the DSBA to the legal entity and Article 83 GDPR to be applied. In other words: The guilt of the accused in the present case is assessed based on the conduct of the DSBA and there is no need for a breach of supervisory duty by a manager within the meaning of paragraph 30, paragraph 2, DSG in order to attribute the conduct of the DSBA to the legal entity and Article 83, GDPR to apply.

In light of the facts assumed to be proven, the data protection authority does not assume any intentional act by the accused. As the person responsible, the accused ultimately decided through her DSBA that the request for information would be treated as a request for deletion and that the deletion would be carried out as a result. The accused does not dispute the fulfillment of the subjective side of the crime (see written justification, point 4.3.). She herself stated that neither she nor the DSBA could understand this error.

In any case, during the course of the investigation there was no evidence to suggest that the accused was not at fault for violating the applicable administrative regulations. In the light of the case law of the ECJ, the accused could not have been in the dark about the illegality of her behavior, regardless of whether she was aware that she was violating the provisions of the GDPR (cf. ECJ C-807/21, paragraph 76 and 77; ECJ C-683/21, paragraphs 81 and 82 with further references). However, there was no evidence to suggest that the accused was not at fault for violating the relevant administrative regulations. In the light of the case law of the ECJ, the accused could not have been in the dark about the illegality of her behavior, regardless of whether she was aware that she was violating the provisions of the GDPR (see ECJ C-807/21, paragraphs 76 and 77); ECJ C-683/21, paragraphs 81 and 82 with further references). However, there was no evidence of (1) an intentional and (2) systematic violation of the right to information.

As a result, there is fault in the form of negligence (Article 83, Paragraph 2, Letter b, GDPR). Fault in the form of negligence (Article 83, Paragraph 2, Letter b, GDPR).

This means that the subjective side of the crime is also fulfilled.

4.     The following must be noted regarding the sentencing:

According to Art. 83 Para. 1 GDPR Article 83, paragraph one, GDPR, the data protection authority must ensure that the imposition of fines for violations of the sanctioned provisions of the GDPR (Art. 83 Para. 4, 5 and 6 GDPR) in each individual case The data protection authority must ensure that the imposition of fines for violations of the sanctioned provisions of the GDPR (Article 83, paragraphs 4, 5 and 6 GDPR) is effective, proportionate and dissuasive in each individual case. In more detail, Article 83 Paragraph 2 GDPR stipulates that certain criteria must be duly taken into account in each individual case when deciding whether to impose a fine and its amount.

As part of the assessment of penalties, the data protection authority has adopted the EDPB guidelines regarding the calculation of fines according to the GDPR (see EDPB Guidelines 04/2022 on the calculation of administrative fines under the GDPR, version 2.1 of May 24, 2023 - hereinafter see EDPB Guidelines 04/ 2022 on the calculation of administrative fines under the GDPR, version 2.1 from May 24, 2023 – hereinafter “fines guidelines”) applied.

The assessment of punishment within a statutory penalty framework is also a discretionary decision that must be made according to the criteria set by the legislature (cf. VwGH September 5, 2013, 2013/09/0106). , 2013/09/0106).

According to Section 19 Paragraph 1 of the VStG, paragraph 19, paragraph one, of the VStG, the basis for determining the punishment is the significance of the legal interest protected by criminal law and the intensity of its impairment by the crime. Furthermore, depending on the purpose of the threat of punishment, the possible aggravating and mitigating reasons must be weighed up against each other, insofar as they do not already determine the threat of punishment. Particular attention must be paid to the extent of the fault. Taking into account the nature of administrative criminal law, Sections 32 to 35 of the Criminal Code are to be applied mutatis mutandis. The income and financial circumstances and any care obligations of the accused must be taken into account when calculating fines (this naturally only applies to natural persons, but can be applied analogously to legal entities); However, this only to the extent that the directly applicable provisions of the GDPR do not supersede the provisions of the VStG and to the extent required by Article 83 Para. 8 GDPR and recital 148 with regard to the procedural guarantees to be guaranteed. The basis for determining the punishment is the significance of the legal interest protected by criminal law and the intensity of its impairment by the crime. Furthermore, depending on the purpose of the threat of punishment, the possible aggravating and mitigating reasons must be weighed up against each other, insofar as they do not already determine the threat of punishment. Particular attention must be paid to the extent of the fault. Taking into account the nature of administrative criminal law, paragraphs 32 to 35 of the Criminal Code are to be applied mutatis mutandis. The income and financial circumstances and any care obligations of the accused must be taken into account when calculating fines (this naturally only applies to natural persons, but can be applied analogously to legal entities); However, this only to the extent that the directly applicable provisions of the GDPR do not supersede the provisions of the VStG and to the extent required by Article 83, paragraph 8, GDPR and recital 148 with regard to the procedural guarantees to be guaranteed.

In accordance with Article 83 Paragraph 5Article 83, Paragraph 5, GDPR, in the case of the violations mentioned therein, in accordance with paragraph 2, fines of up to 20 EUR 000 000 or, in the case of a company, up to 4% of its total worldwide annual turnover for the previous financial year, whichever is higher. In the present case, the dynamic penalty range of up to 4% of annual turnover does not apply.

The term turnover in Article 83 Paragraphs 4, 5 and 6 GDPR is within the meaning of Article 83 Paragraphs 4, 5 and 6 GDPR is within the meaning of Article 2 Paragraph 5 of Directive 2013/34/EU Article 2, Paragraph 5, Directive 2013/34/EU of the European Parliament and of the Council of 26 June 2013 on the annual accounts, consolidated accounts and related reports of certain legal forms of undertakings, amending Directive 2006/43/EC of the European Parliament and the Council and repealing Council Directives 78/660/EEC and 83/349/EEC (hereinafter “Directive 2013/34/EU”). Revenue is the sum of all goods and services sold. Net turnover is the amount resulting from the sale of products and the provision of services after deducting sales deductions and value added tax (VAT) as well as other taxes directly related to turnover (see EDPB Guidelines 04/2022 on the calculation of administrative fines under the GDPR, Version 2.1, Rz 128 ff). is the amount resulting from the sale of products and the provision of services after deducting sales deductions and value added tax (VAT) as well as other taxes directly related to sales see EDPB Guidelines 04/2022 on the calculation of administrative fines under the GDPR , Version 2.1, Rz 128 ff).

As established, the accused achieved annual sales of EUR 98.1*3.4**.43 in 2022 (operating income). Applying the Fines Guidelines, the defendant is placed in the category “Undertakings with a turnover of €50m up to €100m” in relation to its turnover and with a view to the imposition of an effective, dissuasive and proportionate fine. This classification takes due account of the size of the company, in particular to ensure the proportionality of the fine.

In the light of the facts assumed to have been proven and taking into account the nature, gravity and duration of the violation (Article 83, paragraph 1, letter a of the GDPR)(Article 83, paragraph 1, letter a, GDPR), the intentional or negligent nature of the violation ( Art. 83 Para. 2 lit. b GDPR)(Article 83, Paragraph 2, Letter b, GDPR) as well as the categories of personal data affected by the breach (Art. 83 Para. 2 lit. g GDPR) (Art. 83, Paragraph 2, Letter g, GDPR), the data protection authority sets the seriousness of the infringement with a low level of seriousness. In this context, the accused correctly argued that the violation affected a single natural person. The investigation revealed no evidence that the violation in question was carried out intentionally or systematically by the accused. The accused also acted negligently, as already stated above.

In relation to the present case, additional information (beyond the criteria already taken into account for determining the level of severity in accordance with Article 83 Paragraph 1 Letters a, b and g GDPR Article 83 Paragraph One, Letters a, b and g GDPR) was taken into account When determining the sentence, the following are taken into account as aggravating factors:

      n/a (the fact that the accused violated a data subject's constitutionally enshrined right to information - Section 1 Para. 3 Z 1 DSG; Art. 8 Para. 2 GRC - was already taken into account by the DSB when determining the level of severity taken into account - see above). already taken into account when determining the level of severity – see above).

In relation to the facts at hand, the following was also taken into account as a mitigating factor when determining the sentence:

      The DSB has no previous relevant violations of the GDPR against the accused.

      The accused participated in the present investigation before the DSB and thereby contributed to finding the truth by, in particular, not denying the alleged facts, admitting her wrongdoing and showing understanding after receiving the request to justify herself. The accused expressed her remorse and the DSB assumes that it will not carry out such a violation of the rights of a data subject in the future.

      The DSB also does not overlook the fact that after delivery of the decision in the complaint procedure, the accused at least provided the data subject with information about the personal data that still existed (not included in the deletion) in order to comply with the DSB's decision and to prevent the impairment of the data protected under administrative criminal law to reduce legal interests. In the specific case, this also led to a reduction in punishment, but taking into account that the person affected had to wait several months and exercise their right to complain according to Art. 77 GDPR in conjunction with Section 24 DSG., but taking into account that the person affected had to do several Had to wait months and exercise her right to complain under Article 77, GDPR in conjunction with Paragraph 24, DSG.

According to the established jurisprudence of the VwGH, considerations of special prevention and general prevention may also be taken into account when determining the fine (see VwGH May 15, 1990, 89/02/0093, VwGH April 22, 1997, 96/04/0253, VwGH January 29, 1991, 89 /04/0061). The imposition of the specific fine was included see VwGH 15.5.1990, 89/02/0093, VwGH 22.4.1997, 96/04/0253, VwGH 29.1.1991, 89/04/0061). The imposition of the specific fine was not necessary in the sense of special prevention in order to deter the accused from committing further violations. However, the imposition of the fine was necessary in the sense of general prevention in order to ensure that those responsible are aware of their obligations under the GDPR, in particular in connection with the (timely) treatment and guarantee of the rights of those affected in accordance with Articles 12 to 22 of the GDPR to raise awareness of their obligations under the GDPR, in particular in connection with the (timely) treatment and guarantee of the rights of those affected in accordance with Articles 12 to 22 GDPR.

The actual penalty imposed in the amount of EUR 9,500 therefore appears to be in view of the realized value of the offense, measured against the available penalty range of Article 83 Para. 5 GDPR (here up to EUR 20,000,000) and the determined annual turnover in the The amount of approximately EUR 98,000,000 therefore appears to be approximately EUR 98,000,000 in view of the realized value of the crime, measured against the available penalty range under Article 83, Paragraph 5, GDPR (here up to EUR 20,000,000) and the determined annual turnover of approximately EUR 98,000,000 is commensurate with the offense and guilt and is at the lowest end of the available penalty range (0.05% of the penalty range) due to the mitigating factors. There is no scope for a further reduction in the sanction. In the present case, an (even) lower amount would no longer meet the criteria for a fine set out in Article 83, Paragraph 1 of the GDPR.