DSB (Austria) - DSB-D123456

From GDPRhub
DSB (Austria) - DSB-D123456
Authority: DSB (Austria)
Jurisdiction: Austria
Relevant Law: Article 4(11) GDPR
Article 6(1)(a) GDPR
Article 5(2) Directive 95/46
Type: Complaint
Outcome: Upheld
Decided: 10.08.2021
Fine: 1000 EUR
Parties: noyb
National Case Number/Name: DSB-D123456
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): German
Original Source: RIS (in DE)
Initial Contributor: n/a

There was CCTV camera pointed at the office over the street. Controller argued that using the street is consent to CCTV. Austrian DPA held, that walking on the street is not unambiguous consent.

English Summary[edit | edit source]

Facts[edit | edit source]

There was CCTV camera pointed at the office over the street. Controller argued that using the street is consent to CCTV.

Holding[edit | edit source]

Austrian DPA held, that walking on the street is not unambiguous consent.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the German original. Please refer to the German original for more details.

Decisive authority

Data protection authority
Decision date

Business number

Appeal at the BVwG / VwGH / VfGH

This decision is final.


GZ: 2021-0.285.169 from May 3, 2021 (case number: DSB-D124.3448)

[Note processor: Names and companies, legal forms and product names, addresses (incl. URLs, IP and e-mail addresses), file numbers (and the like), etc., as well as their initials and abbreviations can be abbreviated and / or changed for reasons of pseudonymisation be. Obvious spelling, grammar, and punctuation errors have been corrected.]



The data protection authority decides on the data protection complaint from Markus A *** (complainant) of December 29, 2020, received on January 7, 2021, against Claudia N *** (respondent) for breach of the right to secrecy as follows:

-      The complaint is dismissed as unsubstantiated.

Legal basis: Art. 2 para. 2 lit. c, Art. 4 Z 1, Z 2 and 15, Art. 51 para. 1, Art. 57 para. 1 lit. f as well as Art. 77 para. 1 of the Regulation ( EU) 2016/679 (General Data Protection Regulation, hereinafter: GDPR), OJ No. L 119 of 4.5.2016 p. 1; Section 1 (1), Section 4 (1), Section 18 (1) and Section 24 (1) and Section 5 of the Data Protection Act (DSG), Federal Law Gazette I No. 165/1999 as amended; Art. 8 and Art. 52 (1) of the Charter of Fundamental Rights of the European Union (EU-GRC), OJ No. C 202 of 7.6.2016, p. 389.


A. Arguments of the parties and course of the procedure

1. With an initial submission, the complainant alleged a violation of the right to secrecy by the respondent and alleged, in summary, that the respondent sent a court order on December 16, 2020 with sensitive health data concerning the complainant via WhatsApp to a third person, namely Erika A ** *, passed on.

2. In her submission of January 26, 2021, the respondent replied that she and the complainant had been divorced since December 2015. She has sole custody for their son Andreas. Erika A *** is the biological mother of the complainant and the former mother-in-law of the respondent.

Since the disputed divorce in 2015, the Respondent has at times had telephone contact with her former mother-in-law. They would often take care of Andreas on the visiting weekends actually assigned to their ex-husband (the complainant), who would spend whole weekends as well as the winter or summer week with his grandparents. As far as the Respondent is aware, the Complainant maintains good and regular contact with his parents, which is why the Respondent assumes that they are informed about his state of health.

The transmission of the message in question to Erika A *** in connection with the inquiry regarding the complainant's resilience arises solely from concern for their son Andreas, since the respondent is not sure whether the complainant's health situation, which sounds dramatic to her as a layman, is a problem reliable support for Andreas, which is necessary due to his special needs (e.g. hyperactivity, medication, etc.). Since a solid basis for discussion was as good as non-existent between the respondent and the complainant, it was far from the respondent to confront the complainant with the diagnosis recorded in the court order. In order to protect the health and the physical and mental integrity of Andreas, the Respondent wanted to obtain certainty from her former mother-in-law by asking her former mother-in-law whether the complainant was still able to look after their son.

The respondent also pointed out that the screenshot of the transmitted message provided by the complainant only referred to the "child's father" and that neither the complainant's name nor any other personal data could be found there.

3. The complainant made no further submissions within the scope of the hearing of the parties.

B. Subject matter of the complaint

Based on the complainant's submissions, the subject of the complaint arises as to whether the respondent violated the complainant's right to secrecy by transmitting a court order with the complainant's health data to a third person, namely Erika A ***, via WhatsApp.

C. Factual Findings

The parties to the proceedings have been divorced since December 2015. The Respondent has sole custody of their son Andreas. Erika A *** is the biological mother of the complainant, grandmother of Andreas and the former mother-in-law of the respondent and often looks after the common son of the parties to the proceedings.

Assessment of evidence: The findings on family relationships and the care situation with regard to the joint son of the parties to the proceedings result from the indisputable information provided by the respondent.

The Respondent sent the following message to Erika A *** via WhatsApp in December 2020 (formatting not reproduced 1: 1):

[Editor's note: the documents inserted here in the form of graphic files (screenshots) cannot be pseudonymized with reasonable effort. They are reproduced here as a text document with an approximate reproduction of the formatting.]

[Screenshot from court order]

Due to the decision of the District Court *** of 04.07.2018 13 PU ****, the father is currently obliged to a monthly maintenance payment of EUR 3 **, 00 for my year old Andreas.

The minor is in the care and upbringing of the mother and, according to the files, has no income or assets.

The child's father suffered a leisure accident on July 2nd, 2013. Until 2014 he worked as a ****. The employment relationship was terminated during the sick leave (duration 1 year).

The child's father receives emergency assistance in the amount of EUR 4 *, 67 daily and is also marginally employed with an income of EUR * 34.00 including special payments at the facility ****. The income of the child's father is thus around EUR 1.00 per month.

The following clinical pictures were last diagnosed on June 5th, 2019:

 chronic depressive disorder

 Narcissistic or fearful avoidant personality structure

[Screenshot WhatsApp message]

Dear Erika, I had no idea how bad it was for Mark !! That explains a lot ... but unfortunately also raises the question of how much Andreas can rely on him or how much can Mark take care of him? 12:56

[Screenshot from court order]

 hypercholesterolemia

 Rapid mental exhaustion / excessive demands, so that the father is on a

specially created daily structure with many breaks.

He is also 60% disabled and an activity as a **** is no longer reasonable for him. According to the salary compass, the gross income as **** is between EUR 1. ***. 00 and EUR 2. ***. 00.

The child's father is constantly receiving psychiatric treatment.

The child's father is also legally responsible for Andreas N ***, born 1 * .0 * .1995, who is now studying at the FH in ******.

Evidence assessment:

The income of the child's father results from the submitted salary documents.

The clinical pictures of the child's father could be found in the patient's letter dated May 13, 2019. The neurologist's report dated March 6, 2015, included in the file, showed that a chronic course must be assumed and no improvement in health can be expected. It also emerges from this report that he can no longer practice the occupation as a **** at that time. The court also considers it credible and understandable if the child's father states in his interrogation that he is not able to work full-time and can only pursue marginal employment (rapid mental exhaustion / fatigue). The 60% disability of the father could be proven by the presented ID. The fact that the father is in psychiatric treatment could be credibly demonstrated by the father and was not denied by the district administration ***. The average earnings of a **** could be taken from the AMS salary compass. The fact that the child’s father is now legally responsible for his son Andreas again could be proven by means of a confirmation of enrollment.

Assessment of evidence: The findings on the content and the dispatch of the WhatsApp message at issue result from the insofar undisputed submission of the complainant in his submission that initiated the proceedings.

D. From a legal point of view, it follows:

D.1. For personal reference and the processing of data

In his submission that initiated the proceedings, the complainant complained about the disclosure of his health data by the respondent to a third person. The Respondent submits in this context that the screenshot provided by the complainant only speaks of the "child's father" and that neither the name nor any other personal data of the complainant are evident. At the outset, therefore, the question to be clarified is whether there is any processing of the complainant's personal data by the respondent.

According to Art. 4 No. 1 GDPR, “personal data” is all information that relates to an identified or identifiable natural person (“data subject”); A natural person is regarded as identifiable who, directly or indirectly, in particular by means of assignment to an identifier such as a name, to an identification number, to location data, to an online identifier or to one or more special characteristics that express the physical, physiological, genetic, psychological, economic, cultural or social identity of this natural person can be identified.

The European Court of Justice (ECJ) has already stated with regard to Article 2 (a) of Directive 95/46 / EC that the term “personal data” is based on a broad understanding. Accordingly, the term is not limited to sensitive or private information, but potentially includes all types of information, both objective and subjective, in the form of opinions or assessments, provided that it is information “about” the person in question . "(See the judgment of the ECJ of December 20, 2017, C-434/16 [Nowak]).

These considerations can be applied to the current legal situation according to the GDPR, since the definition of "personal data" according to Article 2 (a) of Directive 95/46 / EC has been adopted in Article 4 (1) GDPR.

A person is clearly identified if the identity of the person is immediately apparent from the information itself (cf. in this regard the judgment of the ECJ of October 19, 2016, C-582/14 [Breyer], margin no. 38). On the other hand, a person can be identified if the information in itself is not sufficient to assign it to a person, but this succeeds as soon as the information is linked with further information. In other words: if the person concerned is not named, for example, but can still be determined with the help of reference data, personal data should be used (cf. Ernst in Paal / Pauly [ed.], General Data Protection Regulation. Comment, Art. 4, margin no. 8). In order to determine whether a natural person can be identified, all means must also be taken into account that are likely to be used by the person responsible or another person according to general discretion to identify the natural person directly or indirectly (see Recital 26 GDPR).

Applied to the present case, the complainant's personal data is in any case available, since although the document attached to the WhatsApp message in question only speaks of the "father" or "child's father", the text message that was also transmitted expressly refers to " Mark “- meaning the complainant Markus A *** - takes. In this context, the Respondent herself states that, by means of the message at issue, she wanted to inquire from her former mother-in-law Erika A *** whether her son (the complainant), due to the state of health attested to him, was fulfilling his duties of care with regard to Andreas (their son of the parties to the proceedings). As a result, for both the respondent and the recipient of the WhatsApp message, Erika A ***, there was no question to whom the information or diagnoses contained in the attached document relate and the complainant was clearly identifiable for them as a result.

Since the WhatsApp message, which is the subject of the proceedings, also clearly shows information relating to the complainant's physical or mental health and from which information about the complainant's state of health emerges, there is also health data within the meaning of Art. 4 Z 15 GDPR.

The transmission of the WhatsApp message in question, i.e. the message to individually determined addressees (cf. Reimer in Sydow [Hrsg.], European General Data Protection Regulation. Handkommentar, Art. 4, Rz. 69) also clearly constitutes processing within the meaning of Art. 4 Z 2 GDPR.

D.2. General information on the fundamental right to secrecy

The fundamental right to secrecy enshrined in § 1 DSG, according to the first paragraph of which everyone, in particular with regard to respect for their private and family life, has the right to secrecy of the personal data concerning them, insofar as there is a legitimate interest in this, includes the protection of data subject before their data is determined and the data obtained about them are passed on. However, the basic right to secrecy is not absolute, but may be restricted by certain permissible interventions.

It should be noted that in the present case a violation of the right to secrecy according to § 1 Paragraph 1 DSG is to be examined and limitations of this claim from Paragraph 2 leg.cit., But not from Art. 6 Paragraph 1 (or Art . 9 para. 2) GDPR result.

Pursuant to Section 1 (2) DSG, restrictions on the right to confidentiality are only permitted to safeguard the overriding legitimate interests of another, insofar as the use of personal data is not in the vital interest of the person concerned or with his consent, whereby, in the event of intervention by a state authority, this only may take place on the basis of laws that are necessary for the reasons stated in Art. 8 Para. 2 ECHR.

However, the GDPR and in particular the basic principles anchored in it must be taken into account when interpreting the right to secrecy (see the decision of July 4, 2019, GZ DSB-D123.652 / 0001-DSB / 2019).

As a preliminary step, it must therefore first be checked whether the facts at hand are actually covered by the material scope of the GDPR (and subsequently the GDPR).

D.3. On the (non-) applicability of the GDPR and on the so-called "household exception"

According to Art. 2 Paragraph 2 lit. c, the GDPR does not apply to the processing of personal data by natural persons for the exercise of exclusively personal or family activities (colloquially also referred to as "household exception").

The standardization of the "budget exception" represents a balancing decision of the Union legislature with regard to the primary law stipulated in Art. 8 EU-GRC right to the protection of personal data. According to Art. 52 (1) EU-GRC, restrictions on the rights and freedoms guaranteed by them must be must therefore be provided for by law and respect the essence of these rights and freedoms.

According to the prevailing opinion, this exception should therefore be interpreted restrictively (cf. for the largely identical provision of Article 3 (2), second indent of Directive 95/46 / EC, the judgment of the ECJ of November 6, 2003, C-101/01 [Lindqvist] ).

The delimitation criterion is the absence of any reference to a professional or economic activity. That is, the central criterion for the applicability of the "household exception" - and thus for the inapplicability of the GDPR - is the attribution of the data processing to the private sector (cf. Heissl in Knyrim [ed.], DatKomm Art. 2 GDPR, margin no. 70).

It should be noted that the terms “personal” and “familiar” refer to the activity of the person who processes personal data and not to the person whose data is being processed. (See the judgment of the ECJ of July 10, 2018, C-25/17 [Jehovan todistajat], margin no. 41 with further references.).

The GDPR itself mentions the conduct of correspondence or the use of social networks and online activities in the context of personal or family activities (see recital 18 GDPR). However, this only applies to the extent that data is exchanged in closed groups that have no relation to the professional or economic activities of the users (cf. Ennöckl in Sydow [Hrsg.], European General Data Protection Regulation. Handkommentar, Art. 2, Rz. 13; cf. . also the previously cited judgment of the ECJ of July 10, 2018, C-25/17, margin no. 42 with further references The object is to make personal data accessible to an unlimited number of people, or if it extends even partially to the public space and is therefore directed to an area outside the private sphere of the person who processes the data ”). The exclusively private use of services such as WhatsApp is included in the scope of the "household exception" (cf. Bergauer in Jahnel [Hrsg.], GDPR). Comment, Art. 2, margin no ).

The term “family” is not to be interpreted strictly according to family law, but also includes other relationships that are referred to as “family” by the general public, regardless of marriage and childhood. In this respect, it is irrelevant whether there is a formal relationship or whether personal relationships exist on a purely informal basis (cf. Ernst in Paal / Pauly [ed.], General Data Protection Regulation. Comment, Art. 2, margin no. 18).

On the basis of these considerations, it should be stated in an intermediate step that in the present case the exception provision of Art. 2 Para. 2 lit c GDPR is applicable, since the transmission of the WhatsApp message in question to an individually determined recipient (and not to an indefinite or . Unlimited public addressees) on the occasion of a personal and at least indirectly familial correspondence between the Respondent and her former mother-in-law, who often looks after the respondent's son who is in the sole custody of the Respondent.

In the next step, the relationship between the GDPR and the GDPR with regard to the exceptions mentioned in Art. 2 Para. 2 GDPR must be dealt with.

According to Article 16 (2) TFEU, there is Union competence to enact provisions on the protection of natural persons with regard to the processing of personal data by the Member States in the context of the exercise of activities that fall within the scope of Union law.

To the extent that a matter falls within the scope of Art. 8 EU-GRC, any constitutional provisions that offer the same guarantee have to remain "dormant" to the extent of this conformity and the assessment is based exclusively on the provision of Union law (cf. recently the decision of the German Federal Constitutional Court of November 6, 2019, GZ 1 BvR 276/17, Rz 47 ff; cf. also VfSlg. 19.632 / 2012, where the Constitutional Court has already ruled that it will guarantee constitutional law in the event of compliance Rights with the EU-GRC using the latter as a control standard).

In the present case, it cannot be said that the scope of protection of § 1 DSG goes beyond that of Art. 8 EU-GRC, so that § 1 DSG does not apply at all.

But even if one were to see an application of § 1 DSG, the complaint would not be successful:

The (simple legal) provision of § 4 Paragraph 1 DSG declares, in addition to the DSG, the DSGVO for the fully or partially automated processing of personal data as well as for the non-automated processing of personal data that is or is stored in a file system as applicable, without specific to refer to the exceptions in Art. 2 Para. 2 GDPR.

In this regard, however, the provisions of the GDPR at national level have a basically unrestricted subject area of application (see Kunnert in Bresich / Dopplinger / Dörnhöfer / Kunnert / Riedl, DSG § 4, note 3), so that on the basis of Art. 2 Para. 2 lit c GDPR, processing operations that are excluded from the scope of the GDPR are also not covered by the GDPR (see ErlAB, 1761 BlgNR. XXV GP, p. 4).

The data protection authority does not overlook the fact that the "budget exception" standardized in Art. 2 Para. 2 lit. according to the relevant case of the European Court of Justice, the member states were not prevented from extending the scope of national legal provisions, which were enacted in implementation of the DS-RL, to areas not covered by the scope of the DS-RL, provided that no other provision of Community law opposed this (see the already cited Judgment of the ECJ of November 6, 2003, C-101/01, margin number 98). The Austrian legislature had made use of this possibility - created under the DS-RL - and laid down specific data protection regulations for processing activities for private or family purposes in the earlier provision of § 45 DSG 2000 (see master version of Federal Law Gazette I No. 165 / 1999). The provision just cited did not provide for a general exception to the fundamental right to data protection, which would not have been possible due to its simple legal nature (cf. Jahnel, Handbuch Datenschutzrecht, p. 433 ff).

With regard to the current legal situation, it should be emphasized that the GDPR itself - due to the essentially identical word for the definition of the "household exception" - does not fall behind the scope of protection of the DS-RL, but a provision by the Austrian legislature in the DSG that is similar to Section 45 DSG 2000 was not (no longer) provided in the following.

From this it can be concluded that the Austrian legislature did not want to extend the scope of protection of the DSG to facts that exclusively concern the personal or family area.

D.4. Result

On the basis of the above considerations, the provision of Art. 2 Paragraph 2 lit. c GDPR is also applicable in connection with an alleged violation of Section 1 Paragraph 1 GDPR and consequently the scope of application of the GDPR or the DSG is not opened up. As a result, the right to lodge a complaint in accordance with Section 24 (1) DSG is not available for the communication via WhatsApp in the context of personal and family activities.

It was therefore to be decided according to the ruling.
European Case Law Identifier

ECLI: AT: DSB: 2021: 2021.0.285.169