DSB (Austria) - DPA 2023-0.594.826

From GDPRhub
Revision as of 14:27, 10 April 2024 by Mg
DSB - 2023-0.594.826
Authority: DSB (Austria)
Jurisdiction: Austria
Relevant Law: Article 2(1) GDPR
Article 3 GDPR
Article 4(7) GDPR
Type: Complaint
Outcome: Rejected
Started:
Decided: 18.12.2023
Published: 03.04.2024
Fine: n/a
Parties: OSCE
National Case Number/Name: 2023-0.594.826
European Case Law Identifier: ECLI:AT:DSB:2023:2023.0.594.826
Appeal: n/a
Original Language(s): German
Original Source: RIS (in DE)
Initial Contributor: ec

The DPA could not examine whether the data subject’s rights were violated by the controller due to the controller’s immunity and stated it is a matter for the Constitutional Court.

English Summary

Facts

Data subject one is an ambassador and worked for the controller. Data subject two is married to data subject one.

The controller is an international organisation, the Organization for Security and Co-operation in Europe (OSCE).

The controller initiated an internal investigation against data subject one after a former employee of the controller filed a sexual harassment and discrimination complaint against them. Data subject one argued the allegations were not true. During the internal investigation, WhatsApp and Telegram messages between the data subjects were disclosed, which did not reveal any harassing or discriminatory behaviour. The work phone of data subject one was also confiscated during the investigation without their consent.

As part of the investigation, a large amount of content on data subject one's work mobile phone was extracted and analysed. Content that had already been deleted was also restored. Although the employee's allegations were not confirmed, data subject one was informed that the extracted or deleted and restored photos contained both nudity and pornographic content and that proceedings would therefore be initiated against them for violation of the controller's code of conduct.

The extracted data largely concerned the private and family life of data subject one. The health data of data subject one’s parents had also been revealed during the investigation. Therefore, data subject one requested the erasure of the unlawfully obtained data and to indicate which personal data had been obtained and which recipients the personal data was disclosed to.

The controller replied that it would not comply with the two requests due to its immunity.

The data subjects filed a complaint at the Austrian DPA (“Datenschutzbehörde”). The data subjects claimed there was a violation of their right to confidentiality as the controller analysed the work phone of data subject one on which (sensitive) personal data of the data subjects were stored. The data subjects argued that not only the professional data had been analysed, but also the private content, which had also been labelled as such. They argued there was no legal basis for this. The data subjects further argued that their right to access was violated, because they were not informed of the recipients who received their personal data. The data subjects further argued that their right to erasure was violated.

Holding

The DPA first examined whether it was competent to decide on the matter. The DPA explained that under Article 4(7) GDPR, international organisations are not excluded from being defined as a controller. The DPA held that the criterion of the territorial scope under Article 3 GDPR was also fulfilled, as the controller had an official seat in Vienna. Moreover, the material scope under Article 2(1) GDPR also applied, as the DPA found that automated data processing took place within the office.

However, the DPA found that there was an agreement in place between the Republic of Austria and the controller which regulated the legal status and immunities of the controller (see Austrian Federal Law Gazette III No. 84/2018). Although international organisations do not enjoy complete immunity from their actions in the host state, the DPA only has jurisdiction if this is provided for or not explicitly denied by a headquarters agreement. The Headquarters Agreement with the controller provided that the laws of Austria (and thus also the GDPR) shall apply in the area of the official seat. Unless otherwise provided for in the Headquarters Agreement, acts and legal transactions carried out within the controller’s headquarters are subject to the jurisdiction of the courts and other competent authorities of the Republic of Austria on the basis of the applicable legal provisions.

The DPA found that the controller had relevant internal regulations in place, which included a right to appeal and a possibility to be granted legal protection. Therefore, the DPA held that the right to lodge a complaint with the DPA must be denied at this stage as the GDPR did not apply in material terms.

The DPA did note that the controller’s internal regulations regarding the protection of personal data are not comparable to the GDPR in terms of scope and, in particular, the possibility of legal protection. The DPA noted that the data subject’s constitutionally guaranteed rights may have been violated by the controller’s regulations. However, the DPA held that it could not examine whether these regulations were unconstitutional for this reason, as this was exclusively a matter for the Constitutional Court pursuant to Austrian national law (see Article 140a B-VG).

Therefore, the DPA dismissed the complaint.

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

Text

GZ: 2023-0.594.826 of December 18, 2023 (case number: DSB-D124.0809/23)

[Editor's note: Names and companies, legal forms and product names, addresses (including URLs, IP and email addresses), file numbers (and the like), etc., as well as their initials and abbreviations may be abbreviated and/or changed for pseudonymization reasons. Obvious spelling, grammatical and punctuation errors have been corrected. The name of the first respondent, an international organization with its own legal personality, could not be pseudonymized because the headquarters agreement concluded by Austria with the OSCE is part of the legal basis of the decision. The right to confidentiality (Section 1 DSG) and the interest in confidentiality of the first respondent, a legal entity, are offset by the statutory mandate pursuant to Section 23 Paragraph 2 DSG, whereby this is a decision of fundamental importance for the general public, since some legal questions were dealt with here for the first time. Therefore, despite the impossibility of complete pseudonymization, the decision had to be included in the decision documentation of the data protection authority because the general interest in publication outweighed it.]

DECISION

RULING

The data protection authority decides on the data protection complaint of Ambassador Dr. Theodor D*** (first complainant) and Charlotte D***, LL.M. (second complainant), both represented by B*** Rechtsanwälte OG, dated 18 April 2023 against the OSCE - Organization for Security and Cooperation in Europe (first respondent), Ursula G*** (second respondent), Irmgard H*** (third respondent), Otto J*** (fourth respondent) and Paul K*** (fifth respondent) for violation of 1) the right to confidentiality, 2) the right to information and 3) the right to erasure as follows:

1. The complaint is dismissed with regard to the violation of the right to confidentiality, the right to information and the right to erasure by the second respondent, the third respondent, the fourth respondent and the fifth respondent alleged by the complainants.

2. The complaint is rejected with regard to the violation of the right to confidentiality, right to information and right to erasure by the first respondent alleged by the complainants.

Legal basis: Art. 15, Art. 17, Art. 51 Para. 1, Art. 57 Para. 1 lit. f and Art. 77 Para. 1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter: GDPR), OJ L 119, 4 May 2016, p. 1; Sections 1, 18 Para. 1 and 24 Para. 1 and 5 of the Data Protection Act (DSG), Federal Law Gazette I No. 165/1999 as amended; Agreement between the Republic of Austria and the Organization for Security and Cooperation in Europe (OSCE) on the Headquarters of the Organization for Security and Cooperation in Europe, Federal Law Gazette III No. 84/2018 as amended.

REASONS

A. Arguments of the parties and course of proceedings

1. In the submission initiating the proceedings dated April 18, 2023, the complainants, represented by lawyers, claimed that their right to information, right to erasure and right to confidentiality had been violated by the respondents named above.

In explanation, the complainants stated that the first complainant was the ambassador sent by the government of ****, who had been the project coordinator for W*** for the first respondent since May 1, 2022 for a period of 12 months. The first complainant has been married to the second complainant since May 13, 2022.

The first respondent is an international organization based in Vienna and enjoys - like its employees - immunity from Austrian jurisdiction. However, it cannot be deduced from the wording of the headquarters agreement that there is also an exemption from official proceedings, such as that before the data protection authority. In addition, the immunity of employees is always limited to the scope of their official function.

The complaint is directed against the first respondent as an international organization, against the second respondent, who performs the function of the first respondent's ****, against the third respondent, who is the director of the first respondent's Office for ****, against the fourth respondent, who is the first respondent's ***inspector, and against the fifth respondent, who is also an ***inspector of the first respondent.

On April 20, 2022, the first respondent initiated an internal investigation against the first complainant based on a complaint filed by a former employee on April 18, 2022, in which she alleged sexual harassment and discrimination. The first complainant then wrote a comprehensive statement showing that the allegations were not true.

In the course of the employee's complaint to the first respondent, WhatsApp and Telegram communications were disclosed, in particular between the employee and the first complainant and between the latter and the second complainant. However, the communications evident therein do not show any harassing or discriminatory behavior.

The first respondent takes such complaints very seriously and informed the first complainant on May 11, 2022 that investigations would be initiated. These investigations would be based on the regulation applied to the employees of the first respondent, called Staff Instruction No. 21/Rev.1, or its Annex 2, Paragraph 2.9 (Formal Procedures for addressing Allegations of Violation of the Professional Working Environment), which would also include investigations against employees.

The second respondent had decided to hand the matter over to the first respondent's Office of **** so that further investigations could be carried out against the first complainant. In July 2022, the first complainant was questioned by the fourth and fifth respondents, and his work cell phone was also confiscated during this incident. However, the first complainant had consented neither to the confiscation of his work cell phone - specifically a Samsung smartphone S/N: *U*T*87*; OSCE Asset Tag Number *4*9***3*2 - nor to the evaluation of the files stored on it or accessible via the company cell phone (digital forensics and analysis). The first respondent engaged the company M*** Forensics to evaluate the files on the cell phone. This resulted in a transfer to another EU country, of which the first complainant was not informed. The evaluation of the company cell phone was arranged by the third respondent. The second and third respondents as well as the fourth and fifth respondents were also involved in the investigation process. The last two respondents carried out analyses of the data collected over a period of four months and came to incorrect conclusions.

As part of the forensics and analysis of the first complainant's work cell phone, which began on August 19, 2022, a large amount of content (referred to as digital artifacts) was extracted and analyzed. [Editor's note: figures shortened by the last 2 digits for pseudonymization reasons] approximately 3.8** contacts, 1,851.4** messages, 1.6** V*** emails and 1,246.6** files (apparently photos) were extracted. Content that had already been deleted was also restored. Although the employee's allegations were not confirmed, the first complainant was nevertheless informed in November 2022 that the extracted or deleted and restored photos contained both nudity and pornographic content and that, for this reason, proceedings would be initiated against the first complainant for violating the OSCE Code of Conduct and Financial and Administrative Instruction 12 "Policy on Use of OSCE Computing Resources". The extracted data largely concerned the first complainant's private and family life. Some of these messages sent or received contained photos that concerned the complainants' private sphere. The health data of the first complainant's parents were also affected. The company cell phone was also divided into two profiles ("private profile" and "work profile").

Due to the violations of law revealed by the analysis of his private data and the fact that the incorrect analysis results obtained were allegedly used as the basis for disciplinary decisions, an application was submitted to the first respondent in a letter from his legal representatives dated November 18, 2022, in which the respondent was asked to delete the unlawfully obtained data and to inform the persons to whom the personal data attributable to the complainants had been transmitted or made accessible. The first respondent announced on November 23, 2022 that it would not comply with the two applications due to its immunity. The first complainant was suspended in June 2022 and his appointment ended on April 30, 2023.

The following attachments were enclosed:

    the notification of the initiation of proceedings (Appendix ./A),

    the Staff Instruction No. 21/Rev.1 (Appendix ./B),

    an extract from the forensic report dated 7 November 2022 (Appendix ./C),

    the OSCE Code of Conduct (Appendix ./D),

    the e-mail from the complainant's representative to the first respondent dated 18 November 2022 (Appendix ./E) and

    the first respondent's reply dated 23 November 2022 (Appendix ./F).

2. In the supplementary submission of May 16, 2023, the represented complainants argued that, on the one hand, the attachments had now also been transmitted in German, and on the other hand, they again pointed out that the mobile phone contained their personal data, which, however, was predominantly attributable to their private life and, moreover, was sensitive data. The complainants had not given their consent. The first respondent did not comply with the request for deletion; in fact, it had refused. The question of who the complainants' data had been forwarded to with regard to the recipients of the transmission also remained unanswered. The first respondent as an international organization and the four natural persons named, all of whom had a service or employment relationship with it, were the respondents. The complainants would like to emphasize again that not only the professional data had been evaluated, but also the private content, which had also been marked as such. There was no legal basis for this.

Attached in German were

    the notification of the initiation of proceedings (Attachment ./A),

    the Staff Instruction No. 21/Rev.1 (Attachment ./B),

    an excerpt from the forensic report dated November 7, 2022 (Attachment ./C),

    the OSCE Code of Conduct (Attachment ./D),

    the email from the complainant's representative to the first respondent dated November 18, 2022 (Attachment ./E) and

    the response from the first respondent dated November 23, 2022 (Attachment ./F).

3. By means of a request for a statement dated 22 May 2023, the Data Protection Authority served the complaint dated 18 April 2023, amended on 16 May 2023, pursuant to Section 11 Paragraph 2 of the Service of Process Act on the designated respondents via the Federal Ministry for European and International Affairs (BMEIA).

4. During the hearing of the parties on 27 July 2023, the Data Protection Authority sent the complainants a copy of the proof of delivery dated 22 June 2023 received from the BMEIA and further informed them that no statement from the respondents had been received to date.

5. The complainants, who were represented by a lawyer, announced by telephone on 3 August 2023 that they would not submit any further statement in response to the hearing of the parties of 27 July 2023.

6. By a communication of 29 August 2023, the Data Protection Authority submitted a request for administrative assistance to the Austrian Permanent Mission to the OSCE, asking whether the OSCE has internal data protection regulations and, if so, to transmit them. In addition, on 29 August 2023, the data protection authority asked the complainants to state whether the first respondent had internal regulations similar to the GDPR.

7. In their statement of 11 September 2023, the complainants, who were represented by lawyers, requested an extension of the deadline to 26 September 2023. Within the open deadline, the complainants submitted in a submission of 25 September 2023 that the second and third respondents as well as the fourth and fifth respondents were in an employment relationship with the first respondent.

In 2021 - after the first complainant joined the service of the first respondent - several regulations were introduced. These are regulations relating to:

- Information on the objectives of information security

- The OSCE Guidelines on Acceptable Use of OSCE Computer Resources (FA 12)

- The OSCE Guidelines on Information Security (FA 13)

The private use of mobile devices is regulated in the OSCE Guidelines on Acceptable Use of OSCE Computer Resources in Annex 3, whereby the mobile communication service devices were made available primarily for business purposes, but private use is also permitted. Point 6.4 regulates the protection of data, which stipulates that access to user data and information, including data recorded by the monitoring systems, can only be authorized for certain employees if there is a valid reason for doing so. Without the user's consent, authorization to access can only be granted by the Secretary General and only if there is suspected misconduct by an employee, e.g. if there is a suspicion of a policy violation, illegal activities or in emergencies. However, these reasons do not exist in the present case. There was no reason to evaluate the data on the first complainant's work cell phone, and certainly not that private content would be forensically evaluated with the help of a service provider in another EU country. The complainants were not aware of any other regulations that were similar to the GDPR or that contained similar regulations for the protection of personal data.

The first complainant was stationed in W*** and was therefore physically separated from his wife (formerly fiancée), who lived in Vienna. The first complainant and the second complainant therefore regularly sent each other emails and chat messages, from which data on sexual orientation could also be obtained. Furthermore, various vaccination certificates and test results of the first complainant were stored on the cell phone evaluated by the respondents.

Attached as annexes were

    a screenshot of the first complainant's mobile phone (Annex ./J),

    the Financial/Administrative Instruction 12 (Annex ./I),

    the Financial/Administrative Instruction 13 (Annex ./H) and

    information on the objectives of information security (Annex ./G).

8. In its statement of 5 October 2023, submitted in response to the request for administrative assistance of 29 August 2023, the BMEIA, on behalf of the Austrian Permanent Mission to the OSCE, enclosed the applicable data protection service instruction of the first respondent ("OSCE Personal Data Protection Administrative Instruction No. 2/2022") and the Financial/Administrative Instruction 12 "OSCE Policy on Acceptable Use of OSCE Computing Resources" of the first respondent.

B. Subject matter of the complaint

1. Based on the arguments of the first complainant, the subject matter of the complaint is the question of whether the respondents violated the complainants' right to confidentiality by evaluating the first complainant's work cell phone, on which (sensitive) personal data of the complainants were stored.

2. The subject of the complaint is also the question of whether the first respondent violated the complainants' right to information by not informing them of the recipients who received the complainants' personal data.

3. The subject of the complaint is also the question of whether the first respondent violated the complainants' right to deletion by not deleting the complainants' personal data that was secured on the first complainant's work cell phone during the investigation.

However, it must first be examined whether the data protection authority is competent to decide on the matter.

C. Findings of fact

1. The first complainant is an ambassador sent by the government of ****, who assumed the role of project coordinator for the first respondent's branch office in Central Asia (W***) for a limited period of twelve months as of May 1, 2022 in accordance with the contractual conditions of April 30, 2022. The first complainant has been married to the second complainant since 13 May 2022.

[Editor's note: The organizational chart from the first respondent's website, reproduced here as a facsimile (graphic file), cannot be easily displayed in the RIS and has therefore been removed. There is an overview of special missions, offices and coordinators of the OSCE in Eastern and Southeastern Europe, the South Caucasus and Central Asia.]

Assessment of evidence: These findings are based on the submission initiating the proceedings dated 18 April 2023 and are also based on the official research of 25 August 2023 and 23 October 2023 at the URL < https://www.osce.org/files/f/documents/1/7/**4*1_2.pdf >.

2. The first respondent is an international organization which has its registered office in Austria at the postal address <Wallnerstrasse 6, 1010 Vienna>. The second respondent holds the position of **** at the first respondent. The third respondent holds the position of director of the Office for **** at the first respondent. The fourth and fifth respondent are the ***inspector and the inspector of the Office for ****. The second and third respondent as well as the fourth and fifth respondent all have a service or employment relationship with the first respondent.

Assessment of evidence: These findings arise from the submission of 18 April 2023 by the represented complainants initiating the proceedings and their supplementary statement of 16 May 2023. The finding that the second respondent is the **** of the first respondent and the third respondent is the Director of the Office of **** is based on the official searches of 16 August 2023 and 23 October 2023 at the URL <https://www.osce.org/**s> and <https://www.osce.org/node/*3*0*9>. The finding that the fifth respondent works as an inspector in the Office for **** also emerges from the official research carried out on August 25, 2023 and October 23, 2023 at the URL <https://at.linkedin.com/in/paulk***>. Furthermore, these findings were confirmed by the complainants in their final statement of September 25, 2023 (see point 1 of the statement).

3. On April 20, 2022, the Human Resources Department of the first respondent initiated an internal investigation against the first complainant following a complaint dated April 18, 2023 from former employee Ms. Karla C***. This is based on the regulation applicable to the employees of the first respondent, called Staff Instruction No. 21/Rev.1 or Annex 2, Paragraph 2.9. The second respondent has decided to initiate more comprehensive investigations against the first complainant and informed him of this in the communication dated 11 May 2022 by Norman R***. In July 2022, the first complainant was questioned by the fourth and fifth respondents. During the questioning, the first complainant's work cell phone - Samsung smartphone S/N:*U*T*87*; OSCE Asset Tag Number: *4*9***3*2 - was confiscated. This procedure was initiated by the third respondent.

Notification of May 11, 2022 (formatting not shown 1:1):

[Editor's note: The letter from the human resources department of the first respondent, reproduced here as a facsimile (graphic file), contains, in addition to the content stated above, the names of the complainant, the employee who submitted the complaint and other persons. It cannot be pseudonymized with reasonable effort and has therefore been removed.]

Assessment of evidence: These findings are based on the submission initiating the proceedings dated April 18, 2023 and the attachments submitted therein. The finding that the first respondent has established an internal regulation for staff or employees arises from the complainants' submissions, which refer to the specific regulations, as well as from the attachments submitted.

4. As part of the investigation, a forensic investigation was carried out and data records (documents, messages and photos) that had already been deleted were restored. Despite the division of the work cell phone into a private and work area, all data was analyzed starting on August 19, 2022. The first complainant was informed on September 6, 2022 that further proceedings had been initiated against him for violating the Code of Conduct and Financial and Administrative Instruction 12 "Policy on Use of OSCE Computing Resources". The forensic report from November 2022 revealed that the first complainant's work cell phone contained, among other things, files containing nudity or pornographic content. The first complainant's Covid-19 vaccination and test certificates were also stored on the cell phone, as well as his correspondence, from which the sexual orientation of the two complainants emerged.

Communication of 7 November 2022 to the first complainant from the fourth respondent on behalf of the first respondent (formatting not shown 1:1):

[Editor's note: The letter from the first respondent reproduced here as a facsimile (graphic file) contains the name of the complainant, his function, the data analyses carried out and a draft of the investigation report with the number of files found on the work cell phone with questionable content according to the first respondent's code of conduct (pornographic images and nude pictures). It cannot be pseudonymised with reasonable effort and has therefore been removed.]

Assessment of evidence: These findings are based on the submission initiating the proceedings dated 18 April 2023 (see point 3.10 and point 3.11), the appendix therein entitled Attachment ./C and the supplementary statement dated 25 September 2023 (see question 3 of the statement).

5. In a letter dated 18 November 2022, the complainants submitted a request for information regarding the recipients of the files evaluated on the work cell phone and a request for deletion to the first respondent. The letter is illustrated in part as follows (formatting not shown 1:1):

Page 3 and page 4 of the letter dated November 18, 2022:

[Editor's note: The letter from the complainants' representatives, which is reproduced in part in the original of the decision as a facsimile (graphic file), was converted back into a text document using OCR for the purpose of reproduction in the RIS.]

"You are also obliged to name all persons who have had access to the contents of our client's mobile phone or your investigation results, including external service providers. You must oblige them to delete all existing content and choose confidentiality.

For the reasons stated above, we request that you meet the following requirements:

    to delete all content of a private nature belonging to our client to which OSCE has access and to confirm this deletion in writing;

    to keep all private content (communications, images, etc.) belonging to our client secret;

    to declare that the results of the investigations concerning our client's private content will not be used against him and his current and future position in the OSCE;

    to name all persons who have gained access to all or part of the contents of our client's mobile phone (including external service providers) and to provide their confidentiality agreements;

    to declare that all investigations against our client in connection with his private content will be discontinued.

The above measures must be carried out immediately, but no later than November 22, 2022."

Assessment of evidence: These findings arise from the submission initiating the proceedings dated April 18, 2023.

6. The third respondent responded on behalf of the first respondent and informed the complainants by letter dated November 23, 2022 that the requests would not be granted. The reply letter dated November 23, 2022 is shown as follows (formatting not shown 1:1):

[Editor's note: The letter (email) from the third respondent to the first complainant, reproduced here as a facsimile (graphic file), cannot be pseudonymized with reasonable effort and has therefore been removed. It contains, among other things, the following passages: "We note that the investigation into the use of an OSCE-issued phone (asset) and social media is part of an internal administrative procedure governed by the OSCE Common Rules and Administration System, which has been approved by the participating States and developed to comply with relevant international standards and administrative laws. On this basis, the internal administrative procedures fall under the privileges and immunities granted by the government of the host country.”]

Assessment of evidence: These findings are based on the submission initiating the proceedings dated 18 April 2023 and the annex submitted therein (email from the third respondent dated 23 November 2022 to the first respondent).

7. The first respondent has internal data protection regulations.

Assessment of evidence: These findings are based on the annex “OSCE Personal Data Protection Administrative Instruction No. 2/2022” submitted on 5 October 2023 by the BMEIA on behalf of the Austrian Permanent Mission to the OSCE as part of the request for administrative assistance dated 29 August 2023.

D. From a legal point of view, this leads to the following:

D.1. General

According to Article 77(1) GDPR or Section 24(1) DSG, every data subject has the right to lodge a complaint with the data protection authority if they believe that the processing of personal data concerning them violates the GDPR or Section 1 or Article 2 of the first chapter of the DSG.

According to Article 55, Paragraph 1, GDPR, each supervisory authority is responsible for carrying out the tasks and exercising the powers conferred on it by the GDPR within the territory of its own member state. 

The data protection authority is therefore the supervisory authority responsible for the territory of the Republic of Austria (cf. Section 18, Paragraph 1, DSG). 

On point 1: 

D.2. Allocation of roles under data protection law

The determination of the allocation of roles under data protection law is of crucial importance for the complaint procedure according to Section 24 DSG or Article 77(1) GDPR, as it determines who is responsible for compliance with the respective data protection provisions, how the data subject can exercise their rights and, ultimately, against whom (i.e. which controller) the data protection complaint must be directed (respondent).

According to Article 4(7) GDPR, the controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, decides on the purposes and means of the processing of personal data. The key criterion here is the decision-making component. The role of the controller therefore arises primarily from the fact that a particular body has decided to process personal data for its own purposes. The "purpose" describes an expected result, while the "means" determine the manner in which the expected result is to be achieved (cf. the EDPB Guidelines 07/2020 of 2 September 2020 on the concepts of controller and processor, margin no. 15 ff.).

Even if the DSG does not contain a legal definition of the term "controller", according to established case law the definition in Article 4(7) GDPR, i.e. the decision-making authority with regard to purposes and means, is to be applied analogously even outside the material scope of application of the GDPR (cf. for example the decision of the Federal Administrative Court of 30 September 2020, GZ: W274 2225135-1).

The former Article 29 Data Protection Working Party also stated that processing by a natural person working for a company and using the data within the company's activities is attributed to the company as the controller (cf. Article 29 Data Protection Working Party, Opinion 1/2010 on the concepts of "controller" and "processor", WP 169, 00264/10/DE, p. 21; see also the EDPB Guidelines 07/2020 of 2 September 2020).

D.2.1. On the role of the second and third respondents and the fourth and fifth respondents under data protection law

As stated by the data protection authority in point 3 of the findings, the second and third respondents and the fourth and fifth respondents all have a service or employment law relationship with the first respondent.

An exceeding of their authority as **** (second respondent), as Director of the Office for **** (third respondent), as ***Inspector (fourth respondent) or as Inspector of the Office for **** (fifth respondent) cannot be inferred from the complainants' allegations. Since the first respondent takes such complaints and allegations "very seriously" (see the complainants' statement of April 18, 2023) and the internal regulations (Staff Instruction No. 21/Rev.1 and its Annex 2, Paragraph 2.9, and Codes of Conduct and Financial and Administrative Instruction 12 "Policy on Use of OSCE Computing Resources") also provide for appropriate investigations in the event of such complaints, the respondents have been commissioned to carry out investigations.

Since the individual actions carried out by the employees were carried out in the course of their professional activities for the first respondent and can therefore also be attributed to it, it could not be established that their authority had been exceeded, nor was this alleged by the complainants.

It can therefore be assumed that the second and third respondents and the fourth and fifth respondents are not controllers under data protection law, which is why the complaint against them must be dismissed as to all of the subject matters raised, because they are not controllers within the meaning of Article 4(7) GDPR.

On point 2 of the ruling:

D.3. Jurisdiction of the data protection authority with regard to the first respondent

D.3.1. On the immunity of international organizations

The first respondent, an international organization within the meaning of Article 4(26) GDPR, has an official headquarters in Vienna. This indisputably means that it has a fixed and permanent establishment within Austrian territory. The definition of "controller" in Article 4(7) GDPR does not exclude international organizations. The criterion of an establishment within the European Union for the territorial scope of the GDPR is also met in this case (cf. Article 3 GDPR; see for details Schmidl, Die DSGVO und internationale Organisationen, in Jahnel [ed.] Jahrbuch Datenschutzrecht 21 [2022], pp. 20 to 22).

Within the official headquarters - and also in the present case, as explained under point 2 of the findings - automated data processing took place within the meaning of Article 4(2) GDPR (analysis of the data from the first complainant's work cell phone by the first respondent). This also opens up the material scope of application of Article 2(1) GDPR; an exception under Article 2(2) to (4) is not apparent.

In addition, the Agreement between the Republic of Austria and the OSCE on the Headquarters of the Organization for Security and Cooperation in Europe (Federal Law Gazette III No. 84/2018), which regulates the legal status and immunities of the OSCE, also applies.

The data protection authority does not ignore the fact that international organizations - according to established case law of European supreme courts - do not enjoy complete immunity from actions by organs of the host state.

However, the courts and authorities of the host state only have general jurisdiction for actions within the host state if the respective host state agreement provides for this or does not explicitly deny it.

As an interim result, this means that international organizations cannot completely evade the legal requirements of the host state. In general, most host state agreements stipulate that the laws of the host state generally apply in the host state. The GDPR would only not apply if the respective international organization issues its own regulations for the host state - specifically for the protection of personal data (cf. Schmidl, op. cit., p. 27 ff.).

In its ruling of 29 September 2022 on SV 1/2021, the Constitutional Court states that, according to the case law of the European Court of Human Rights, the widespread practice of granting international organisations contractual immunity serves the legitimate aim of ensuring the proper functioning of the organisations free from unilateral interference by individual states. The importance of this practice must be seen in the light of the expansion and strengthening of international cooperation in all areas of modern societies (ECtHR 18 February 1999 [GC], Waite and Kennedy case, Appl. 26.083/94 [para. 63]; 18 February 1999 [GC], Beer and Regan case, Appl. 28.934/95 [para. 53]).

According to the European Court of Human Rights, whether the restriction on access to a court within the meaning of Article 6(1) ECHR that accompanies the exemption of an international organisation from state jurisdiction is proportionate depends essentially on whether an appropriate alternative legal remedy exists (fundamentally, ECtHR, Waite and Kennedy case, para. 68; Beer and Regan case, para. 58; see also ECtHR 6 January 2015, Klausecker case, Appl. 415/07 [para. 69 ff.]). It is not necessary that the alternative legal remedy correspond to a state court system in every respect; what is required is comparable, i.e. equivalent, not identical legal protection (see ECtHR 9 September 2008, Boivin case, Appl. 73.250/01 [para. 2]). Slightly lower guarantees do not constitute a violation of Article 6(1) ECHR; however, there is a violation of Article 6(1) ECHR if the alternative legal protection system of an international organisation is manifestly inadequate (see ECtHR 12 May 2009, Gasparini case, Appl. 10.750/03; 16 June 2009, Rambus case, Appl. 40.382/04).

For international organisations, it is generally assumed that an appropriate alternative legal remedy may consist in the possibility of appealing to quasi-judicial bodies within the organisation (see, for example, on the proceedings before the NATO Appeals Committee, ECtHR 11 May 2000, A.L. case, Appl. 41.387/98; on the proceedings before the Appeals Board of the European Space Agency, ECtHR, Waite and Kennedy case, para. 69; Beer and Regan case, para. 59). As the European Court of Human Rights has held, the possibility of appealing to the Administrative Tribunal of the International Labour Organisation or the possibility of arbitration may also constitute an appropriate alternative dispute resolution mechanism (cf. ECtHR, Klausecker case, para. 70 ff.).

In the present case, therefore, the specific design of the headquarters agreement concluded between the Republic of Austria and the first respondent must be examined more closely:

Article V, Section 5(b), of the Headquarters Agreement with the OSCE provides that, in principle, Austrian law applies in the headquarters area, whereby the GDPR, as a directly applicable act of Union law, can be regarded as an integral part of the Austrian legal system. Furthermore, letter c provides that, unless otherwise provided in the Headquarters Agreement, acts taken and legal transactions carried out within the OSCE headquarters shall be subject to the jurisdiction of the courts and other competent authorities of the Republic of Austria on the basis of the applicable legal provisions.

Pursuant to Article V, Section 6, letter a, of the Headquarters Agreement, the OSCE is empowered to issue regulations applicable to its headquarters which create all the conditions necessary for the full exercise of its roles and mandates in every respect. Laws or regulations of the Republic of Austria which are incompatible with one of the provisions issued by the OSCE within the framework of this section are not applicable to the headquarters of the OSCE to the extent that such incompatibility exists.

D.3.2. On the applicability of the GDPR in the present case

Applied to the present proceedings, this means that it must first be examined, as a preliminary question, whether the first respondent has issued its own internal regulations.

It is true that the data protection authority does not ignore the fact that, in their statement of September 11, 2023, the complainants denied that the first respondent has its own regulations on the protection of personal data.

However, in the context of the request for administrative assistance of August 29, 2023, in the statement of October 5, 2023 by the BMEIA on behalf of the Austrian Permanent Mission to the OSCE, the data protection service instruction of the first respondent entitled "OSCE Personal Data Protection Administrative Instruction No. 2/2022" and the Financial/Administrative Instruction 12 "OSCE Policy on Acceptable Use of OSCE Computing Resources" were submitted to the data protection authority in the appendix.

The official review of the documents submitted has shown that, within the first respondent, the data subject is granted the right to lodge a complaint about violations of data protection law with the responsible data protection office and is also afforded the possibility of legal protection.

Since the first respondent has relevant internal regulations in place, the opportunity to lodge a complaint with the data protection authority must be denied at this stage, as the GDPR or Section 1 DSG do not substantively apply and the jurisdiction of the data protection authority is derived from the GDPR and the DSG (see Article V, Section 6, letter a, of the Headquarters Agreement).

Furthermore, it is noted that in their complaint initiating the proceedings dated April 18, 2023, the complainants argued under point 2.5 that "according to the wording of the agreement, there is only an exemption from jurisdiction; however, according to the clear wording of the agreement, there is no exemption from administrative procedures, such as the complaint procedure before the data protection authority."

This legal opinion (of the complainants) is, however, contradicted by the fact that the explanatory notes to the Headquarters Agreement show that it also includes immunity from the activities of administrative authorities (see 12 dB XXVI. GP, p. 2).

The same applies – as is clear from Article XV, Section 28(a), of the Headquarters Agreement – to the second and third respondents as well as to the fourth and fifth respondents, who are indisputably – and as the complainants have also argued – employees of the first respondent.

The data protection authority does not ignore the fact that the OSCE's internal regulations on the protection of personal data are not comparable to the GDPR in terms of scope and, in particular, in terms of the possibility of legal protection.

However, the data protection authority cannot examine whether these regulations are unconstitutional for this reason, as this is exclusively a matter for the Constitutional Court pursuant to Article 140a B-VG (see again the decision of September 29, 2022, SV 1/2021).

D.3.3. Summary

In summary, it can be stated that although the GDPR is generally applicable to the present case both geographically (Article 3) and substantively (Article 2), the first respondent enjoys immunity from the actions of the data protection authority due to the Headquarters Agreement and the fact that it has issued independent regulations for the protection of personal data. There is no evidence that the Headquarters Agreement is manifestly contrary to EU law and should therefore not be applied.

By virtue of this provision of international law, the first respondent named by the complainants cannot therefore be prosecuted by the data protection authority (cf. again in essence Schmidl, op. cit., p. 19 ff.), unless the first respondent waives the immunity granted to it. Such a waiver is not apparent from the course of the proceedings to date. Furthermore, it is not evident that the employees of the first respondent did not act within their area of responsibility.

Consequently, the complaint with regard to the first respondent had to be rejected.

For the sake of completeness, it is finally noted that the first respondent’s constitutionally guaranteed rights may have been violated by the first respondent’s own internal data protection regulations. However, the data protection authority is not responsible for such an examination.