DSB (Austria) - DSB-D179.309

From GDPRhub
DSB - DSB-D179.309
LogoAT.png
Authority: DSB (Austria)
Jurisdiction: Austria
Relevant Law: Article 45(3) GDPR
Article 46(1) GDPR
Type: Other
Outcome: n/a
Started: 29.03.2022
Decided: 16.05.2022
Published:
Fine: n/a
Parties: Austrian Federal Minister of Finance (BMF)
National Case Number/Name: DSB-D179.309
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): German
Original Source: RIS (in DE)
Initial Contributor: MW

The Austrian DPA authorized the transfer of personal audit documents to the US Public Company Accounting Oversight Board following an application for approval by the Federal Minister of Finance. The transfer was based on an administive arrangement per Article 46(3)(b) GDPR.

English Summary[edit | edit source]

Facts[edit | edit source]

The Austrian Auditor Oversight Authority (APAB) informed the Austrian DPA by letter dated March 3, 2022 about the planned conclusion of an administrative agreement between the Federal Minister of Finance (BMF) and the US Public Company Accounting Oversight Board (PCAOB) regarding the transmission of personal audit documents by the APAB.

The DPA solicited an opinion from the European Data Protection Board (EDPB) per Article 64(2) GDPR on the safeguards for the transfer of personal data to a third country which, in the absence of an adequacy decision, Article 46(1) GDPR required. The EDPB approved by majority vote.

The EDPB had previously approved a similar transfer to the PCAOB by French authorities.

Holding[edit | edit source]

The DPA pointed out that the previous adequacy decision for personal data transfers to recipients in the US, the so-called "Privacy Shield," had been annulled by the European Court of Justice, adding that it had not applied to data transfers between authorities anyway. In any case, suitable guarantees were required by Article 46(1) GDPR.

Per Article 46(3)(b) GDPR, those guarantees could be provided for by provisions inserted into administrative arrangements between public authorities or bodies subject to the approval of the competent supervisory authority.

As the administrative agreement submitted by the BMF was essentially identical to a previous EDPB-approved arrangement between French authorities and the PCAOB and because the EDPB through a majority vote issued a positive opinion on the current transfer, the DPA concluded that safeguards were adequate and approved the transfer.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the German original. Please refer to the German original for more details.

text

GZ: 2022-0.296.352 from May 16, 2022 (case number: DSB-D179.309)

[Editor's note: Names and companies, legal forms and product names, addresses (including URLs, IP and e-mail addresses), file numbers (and the like), etc., as well as their initials and abbreviations may be abbreviated and/or changed for reasons of pseudonymization be. Corrected obvious spelling, grammar, and punctuation errors.]

NOTICE

SAY

The data protection authority decides on the application of the Federal Minister of Finance (applicant) dated March 29, 2022 for approval of the administrative agreement pursuant to Art. 46 (3) lit. b GDPR with the US Public Company Accounting Oversight Board (PCAOB) to regulate the transfer personal data as follows:

 Approval of the proposed Administrative Arrangement for the transfer of personal data to the U.S. Public Company Accounting Oversight Board, as set forth in Attachment (“Attachment 1.pdf”) and forming an integral part of the award.

Legal basis: Art. 46 (3) b, Art. 51 (1), Art. 57 (1) r and Art. 58 (3) i of Regulation (EU) 2016/679 (General Data Protection Regulation). , hereinafter: GDPR), OJ No. L 119 of 4.5.2016 p. 1.

REASON

A. Submissions of the parties and course of the proceedings

The data protection authority was informed by letter from the Austrian auditor supervisory authority (APAB) dated March 3, 2022 about the planned conclusion of an administrative agreement between the applicant and the U.S. Public Company Accounting Oversight Board (PCAOB) regarding the transmission of personal audit documents by the APAB.

The applicant subsequently submitted an application to the data protection authority for approval of an administrative agreement pursuant to Art. 46 (3) (b) GDPR for the transfer of personal data to the PCAOB with a submission dated March 29, 2022.

After prior consultation of the expert group responsible for international data transfers, the data protection authority obtained an opinion from the European Data Protection Board on the administrative arrangement in question. The European Data Protection Board, as a result of a vote of its members, delivered a positive opinion on the safeguards provided for in the present Administrative Arrangement for the protection of the rights and freedoms of individuals whose data are transferred to the PCAOB between May 3rd and May 10th, 2022. Adoption of this decision was confirmed on May 13, 2022 by the Secretariat of the European Data Protection Board.

B. Findings of Facts

The course of the procedure summarized under point A., together with the submissions of the applicant documented in the files, form the basis for the findings of fact.

Evidence assessment: The present facts are undisputed and are based on the submissions of the Austrian auditor supervisory authority and the applicant. The said administrative agreement is documented in the file.

C. In legal terms it follows that:

Pursuant to Art. 46 Para. 1 GDPR, if no resolution pursuant to Art. 45 Para. 3 leg. cit. exists, only transfer personal data to recipients in a third country if they have provided appropriate guarantees and if the data subjects have enforceable rights and effective legal remedies.

The United States represent a third country iSd. Chapter V GDPR. In the absence of a corresponding adequacy decision by the European Commission, the transmission of personal data to recipients in the United States must therefore be based on suitable guarantees within the meaning of Art. 46 GDPR are supported. In this regard, it should be noted that the partial adequacy decision for the United States – the so-called “EU-U.S. Privacy Shield" - was not applicable to data transfers between authorities anyway (cf. the former Commission Implementing Decision (EU) 2016/1250, OJ L 2016/207, p. 1 and its repeal by the judgment of the European Court of Justice of 16 July 2020, C-311/18).

Appropriate guarantees for the transfer of personal data to recipients in third countries can be included in provisions to be included in administrative agreements between public authorities or public bodies and enforceable and effective rights in accordance with Art. 46 (3) (b) GDPR, subject to approval by the competent supervisory authority include for data subjects. The administrative agreement with the PCAOB submitted by the applicant is one such approval-based transmission tool.

According to Art. 46 Para. 4 GDPR, the European Data Protection Board had to be involved.

According to Art. 64 (2) GDPR, any supervisory authority can request that a matter of general application or having an impact in more than one Member State be examined by the European Data Protection Board in order to obtain an opinion. According to Art. 64 para. 3 leg. cit. an opinion on the matter submitted, unless he has already issued an opinion on the same matter.

In this regard, the European Data Protection Board has already issued Opinion 05/2021 on the guarantees for the protection of personal data contained in the administrative agreement between the French auditor supervisory authority ("Haut Conseil du Commissariat aux Comptes") and the PCAOB and stated that the agreement meets the requirements of the GDPR is equivalent to.

The administrative agreement submitted by the applicant is essentially the same as the agreement reviewed by the European Data Protection Board in its Opinion 05/2021, apart from some formal changes that are not objectionable. Against this background and after obtaining a positive opinion from the European Data Protection Board as a result of the vote taken by its members between May 3 and May 10, 2022, the data protection authority has no indication that the present administrative agreement does not provide sufficient protection for the transfer of personal data guaranteed to the PCAOB.

The present administrative agreement was therefore in accordance with Art. 46 Para. 3 lit. b in conjunction with Art. 57 Para. 1 lit. r and Art. 58 Para. 3 lit.

A more in-depth justification can, since the application was fully complied with, iSd. Section 58 (2) AVG no longer applies.

The request to pay the fee does not apply with regard to § 2 Z 1 of the Fees Act 1957.

Enclosure [editor's note: not reproduced here]