DSB (Austria) - W101 2218962-2/33E

From GDPRhub
Revision as of 14:12, 10 March 2023 by L.fielden (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=Austria |DPA-BG-Color= |DPAlogo=LogoAT.png |DPA_Abbrevation=DSB |DPA_With_Country=DSB (Austria) |Case_Number_Name=W101 2218962-2/33E |ECLI=ECL...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
DSB - W101 2218962-2/33E
LogoAT.png
Authority: DSB (Austria)
Jurisdiction: Austria
Relevant Law:
Article 133 (4) B-VG
Article 2 of the Basic Law
Article 7 of the Federal Constitutional Law
Section 1 (1) of the Austrian Data Protection Act 2000
Section 24 (1) and (5) DSG
Section 28(2) VwGVG
Type: Complaint
Outcome: Rejected
Started: 10.04.2019
Decided: 16.01.2023
Published: 01.02.2023
Fine: n/a
Parties: n/a
National Case Number/Name: W101 2218962-2/33E
European Case Law Identifier: ECLI:AT:BVWG:2023:W101.2218962.2.00
Appeal: Appealed - Overturned
The Federal Administrative Court of Austria
W101 2218962-2
Original Language(s): German
Original Source: Bundesverwaltungsgericht (BVwG) (in DE)
Initial Contributor: Leah Fielden

The complainant in the case at hand (the husband) incurred an obligation to disclose his assets as well as income to his wife as a beneficiary of maintenance in the course of divorce proceedings. This did not lead to a violation of the complainant's right to confidentiality by the processing of his personal data.

English Summary

Facts

The case at hand centres around a decision by the Austrian Data Protection Authority (hereinafter, DPA), on the dismissal of a complaint by a husband, during divorce proceedings, that his right to confidentiality had been infringed. The proceedings essentially arose while the complainant (the husband) was undergoing a divorce. In order to calculate his alimony, his (still) wife had commissioned a party involved in drawing up an 'expert opinion' on what the complainant owed in maintenance. The expert opinion contained the calculations for a sum of money owed to the (still) wife, who claimed that the calculated sum was based on publically available figures. However, the complainant alleged that the information was obtained, researched or processed in an unlawful manner and therefore violated his right to confidentiality under Section 1(1) of the (then) Data Protection Act.

Holding

The DPA made the following findings: The complaint in question arose from diverse proceedings, where the wife has commissioned a co-participating party to prepare an expert opinion on her maintenance and on the post-marital division of property.

However, It could not be determined how the co-participating party had obtained the data (with the exception of the publically accessible data). In accordance with Section 1 (1) of the Austrian Data Protection Act 2000; everyone has the right to the confidentiality of the personal data relating to him, particularly with respect to private and family life insofar as there is an interest deserving of protection. The DPA ruled that there was no such interest at stake.

The complainant also argued that the collection, storage, transmission, publication and making available of his personal data to third parties had taken place without a legal basis and therefore violated the right to confidentiality.

The claimant further alleged that it was not possible to establish how the involved party (the party contracted by the wife) had obtained the economic personal data of the complainant and therefore, the data protection complaint had to be dismissed on the grounds of a violation of the right to secrecy.

The DPA concluded that the processing had not been carried out in the vital interest of the complainant and there was no consent to the processing in the context of the expert opinion. Therefore, the question arose as to whether the overriding legitimate interests of any of the parties were involved.

In the balancing of interests pursuant to Section 1 (2) of the Data Protection Act, the interest of the obligation to fulfil a contract without defects outweighs the confidentiality interests of the complainant in this case.

Resultantly, the processing of the complainant's personal data had been lawful due to the existence of overriding legitimate interests of the complainant's wife.

Comment

The central connecting factor as to whether a fundamental right claim exists at all depends on the “worthy protection” of the interests at stake. When examining these, a balancing of interests must be carried out and the principle of lawfulness under data protection law must be taken into account.

In accordance with the established case law of the Supreme Court, a spouse entitled to maintenance cannot be expected to “sue in the dark” (i.e: to claim any income level that seems most likely and to base maintenance on that claim).

Consequently, a violation of the husband's right to confidentiality is out of the question from the outset. Where there is a legal right to information, there can be no right to confidentiality.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

Reasons for decision:
I. Procedure:
On August 22, 2018, XXXX (= complainant before the Federal Administrative Court and applicant before the data protection authority) filed a data protection complaint against Mr. XXXX as managing director of XXXX GmbH (= involved party before the Federal Administrative Court and respondent before the data protection authority), because he violated his right to secrecy was violated. He justified his data protection complaint essentially as follows:
The complainant is currently in divorce proceedings and his (still) wife commissioned the party involved to prepare a corresponding expert opinion for the purpose of calculating maintenance. In this report, she stated, among other things, that her calculations were based on a large amount of publicly available information. However, this statement is objectively incorrect, since the data used by the party involved relates, for example, to the annual results of foundations or book values that are not shown or read in any public information source. Therefore, it is obvious that they obtained, researched and/or processed this data in an unlawful way. The party involved informed a third person of the financial figures of the XXXX private foundation and the income accruing to the complainant from this, thereby violating the complainant's right to secrecy under Section 1 (1) DSG.
In a statement dated November 5th, 2018, the party involved in relation to the complainant’s data protection complaint essentially stated the following:
Since the complainant's (still) wife and children are beneficiaries of the foundation, she considers the data protection complaint within the meaning of Article 6 (1) lit. a, b, c and f The statement was accompanied by a letter from the legal representative of the party involved to the data protection authority dated August 28, 2017, which stated that the report in question had been prepared on the basis of documents that the complainant's (still) wife had received from the complainant .
In a statement dated March 7, 2019, the complainant denied ever having given his (still) wife any documents relating to the foundation.
With ruling part 1 of the notice of April 10, 2019, GZ. DSB-D123.357/0001-DSB/2019, the data protection authority partially rejected the data protection complaint of August 22, 2018 (regarding the violation of the right to secrecy).
With regard to part 1 of the above decision, the data protection authority essentially made the following findings of fact:
The complainant is in divorce proceedings with his wife. She had commissioned the party involved to prepare an expert opinion on her maintenance and the post-marital division of assets.
The party involved is an auditor and generally sworn and court-certified expert as well as the managing director of XXXX GmbH.
It could not be determined how the party involved connected to the complainant's data processed in the present report - with the exception of the publicly accessible data - namely the economic key figures of the XXXX private foundation such as the income accruing to the complainant, book values of properties of the XXXX private foundation and the annual results of the XXXX private foundation.
The complainant's wife was a beneficiary of the XXXX private foundation.
On the basis of these factual findings, the data protection authority essentially concluded the following in legal terms:
According to Section 1 (1) DSG 2000, everyone has the right to confidentiality of personal data concerning them, in particular with regard to respect for their private and family life, insofar as there is a legitimate interest in doing so. The existence of such an interest is excluded if data is not accessible to a non-disclosure claim due to their general availability or due to their lack of traceability to the data subject.
The complainant submits that the collection, storage, transmission, publication and making available of his personal data - namely the economic key figures of the XXXX Foundation such as the income accruing to the complainant, book values of properties of the XXXX private foundation and the annual results of the XXXX private foundation - to third parties regarding the expert opinion in question without any legal basis and therefore violated the complainant's right to secrecy.
Since it was not possible to determine how the party involved got hold of the economic personal data of the complainant - namely the economic key figures of the XXXX Foundation such as the income accruing to the complainant, book values of properties of the XXXX private foundation and the annual results of the XXXX private foundation , the data protection complaint had to be dismissed because of a violation of the right to secrecy due to the collection of the complainant's economic personal data.
In principle, a legitimate interest in maintaining secrecy regarding the personal data of the complainant is to be affirmed, since the key financial figures of the XXXX private foundation and the income accruing to the complainant from them are data of the complainant that are not generally available. Restrictions on this right to secrecy are only permissible under the conditions specified in Section 1 (2) DSG; in the present case, the processing was not carried out in the vital interests of the complainant and there is no doubt that there was no consent to the processing within the scope of the present report. Therefore, it should be checked whether overriding legitimate interests of the party involved or of another party, i.e. in particular the wife of the complainant, would justify the processing by the party involved. In the case of a balancing of interests to be carried out in accordance with Section 1 (2) DSG, the interests of the party involved, namely their obligation to the faultless fulfillment of the contract towards the complainant's wife, would outweigh the complainant's interests in secrecy. However, the interests of the complainant's wife weighed even more heavily than the interests of the party involved because she was in divorce proceedings with the complainant. As a result, the processing of the complainant's personal data was lawful due to the existence of overriding legitimate interests of the party involved and the complainant's wife. There is therefore no violation of the right to secrecy. At this point, it should also be pointed out that the complainant's wife, as a beneficiary of the XXXX private foundation, has a right to information against it. For example, Section 30 (1) of the Private Foundation Act (PSG) stipulates that a beneficiary of the private foundation can also obtain information about the fulfillment of the purpose of the foundation and inspect the annual financial statements, the management report, the audit report, the books, the foundation deed and in request the supplementary foundation deed. It follows from this that the complainant's wife has a legal right under Section 30 PSG to know the key financial figures of the XXXX private foundation.
In the complaint lodged against part 1 of this decision within the time limit, the complainant essentially submitted:
The data protection authority's view that the interest in the fulfillment of a contract for work (commission from the complainant's wife to the party involved to prepare the expert opinion in question) outweighs the interest in secrecy is completely wrong. The right to data protection is a constitutionally guaranteed right, while the interest in the correct fulfillment of a work contract relates exclusively to a purely economic interest. Such an interest can never outweigh a fundamental right.
In addition, there was no interest on the part of the party involved (= wife of the complainant) that would outweigh the interests of the complainant. It may be true that the client of the party involved has an interest in receiving certain key figures to quantify their claim. However, this cannot mean that this would be obtained in violation of a constitutionally guaranteed right. The party involved did not even claim that their client had obtained this data lawfully. Your client should therefore have gone the "official route" and asked the XXXX private foundation for the relevant key figures. Since she obviously did not do this, there is no reason to unlawfully receive and process the relevant data while eliminating the right to secrecy. You could therefore have no interest in the data being processed if you were to obtain them in a legally correct manner.
After all, according to the settled case law of the civil courts, a private expert opinion merely represents a private document that exclusively reflects the opinion of its author, i.e. the party involved. This document is therefore not suitable evidence for quantifying any claims in divorce proceedings.
The complainant thus submitted the applications that the Federal Administrative Court should
1. uphold his complaint and amend part 1 of the contested decision in such a way that, in granting the complaint, it is established that the party involved violated the complainant’s fundamental right to data protection; and
2. in eventu correct part 1 of the ruling of the contested decision and refer the matter back to the data protection authority for a new decision.
With a letter from the data protection authority dated May 21, 2019, the complaint against part 1 of the contested decision, including the administrative act, was sent to the Federal Administrative Court.
On April 27, 2022, an oral hearing took place before the Federal Administrative Court, in which all parties involved in the complaint proceedings took part and in which the (still) wife of the complainant was questioned as a witness.
With a decision dated June 27, 2022, Zl. W101 2218962-2/19E, the Federal Administrative Court upheld the appeal against the first part of the above-mentioned decision and found that the party involved, as the person responsible, had thereby violated the complainant’s right to secrecy , by processing his personal data worthy of protection in the (private) report of May 16, 2018.
The party involved lodged a complaint against this finding, essentially stating the following:
The contested finding violated the involved party because of the impossibility of applying the provisions of Section 1 (1) and (2) DSG, Art. 4 Z 7 Previous search term GDPR Next search term and Art. 6 Section 1 lit constitutionally guaranteed rights to equality before the law for all citizens, freedom of employment and freedom of expression. Above all, according to the case law of the Supreme Court, a spouse has no interest worthy of protection in keeping his income secret from his wife in order to avoid his statutory maintenance obligation (cf. RS0107203). A spouse who conceals parts of his income from the other spouse is acting in breach of the law and duties and this cannot justify an interest worthy of protection. After weighing the interests, the Federal Administrative Court should have come to the conclusion that the complainant's (still) wife's interest in asserting current and future statutory maintenance claims outweighed the complainant's desire for secrecy. Thus, there is a violation of the principle of equality according to Art. 2 StGG and Art. 7 B-VG.
With a decision of September 22, 2022, Zl. E 2078/2022, the Constitutional Court lifted the decision of June 27, 2022 because of the violation of the complainant in his constitutionally guaranteed right to equality of all citizens before the law according to Art. 2 StGG and Art. 7 B- VG because the complainant in the present constellation has no right to secrecy of his income data.
Due to the annulment of the judgment of June 27th, 2022, the Federal Administrative Court now has to make a replacement decision.
II. The Federal Administrative Court considered:
1. Findings:
The complainant moved out of the marital home, XXXX, in April 2015.
At the request of the (still) wife, the party involved, acting as a trustee, prepared an expert opinion dated May 16, 2018 on any maintenance claims against the complainant. The involved party comes to the conclusion that the assessment basis for the maintenance claim of the (still) wife amounts to EUR XXXX million annually and that her claim to pro rata marital savings after the dissolution of the marriage amounts to EUR XXXX to XXXX million. On the basis of this assessment basis, the party involved arrives at a monthly maintenance claim in the amount of EUR XXXX for the (still) wife.
The complainant then asserted in his data protection complaint of August 22, 2018 that he had been violated in his right to secrecy by the party involved through the processing of his sensitive personal data in the expert opinion of May 16, 2018.
In this report, the complainant's personal data was processed by the party involved, a small part of which was publicly accessible, but which was mostly handed over by the (still) wife. The (still) wife was able to access the relevant documents of her (still) husband or the complainant because she still had access to the complainant's e-mail traffic after the marital union was dissolved.
The (still)husband or the complainant did not disclose his assets and his income to his (still)wife after expressing his desire for a divorce, although she, as the person entitled to maintenance, has a legal right to information and accounting from him.
This balancing of interests in favor of the (still) wife has an impact on the involved party commissioned by her.
It is therefore decisive that the party involved, as the person responsible, did not violate the complainant's right to secrecy of personal data by processing the personal data in the expert opinion of May 16, 2018.
2. Evidence assessment:
The findings on the relevant facts result in particular from the taking of evidence in the oral hearing on April 27, 2022 and are based on the following considerations:
The (still) wife already had access to the complainant's computer while they were living together in the apartment at the address given and she had often sent e-mails from the e-mail address XXXX on his instructions. After moving out of the apartment, the complainant did not bother that his (still) wife was blocked from this access. After the computer broke down and was subsequently picked up by a law firm employee, the (still) wife still had access to the complainant's e-mail traffic via an I-Pad that had been made available to her under the E -Mail address.
Both from the statements of the (still) wife, who had been questioned as a witness at the hearing, and those of the complainant himself at the hearing, it could be concluded that the (still) wife, due to the access to the e-mail -The complainant's account came into possession of the documents, which she then forwarded to the intervening party.
The finding that the complainant did not disclose his assets and his income to his (still) wife results from the statement made by the complainant in the oral hearing, in which he stated that he had no access to the processing of his personal data in these documents (Has) given his consent and that he did not know until January 2018 that his (still) wife still has access to his e-mail traffic at the stated address in the apartment. During the negotiation, he presented an e-mail exchange between his (former) law firm partner and the responsible tax advisor for the law firm (= Enclosure No. 1 of the negotiation protocol).
The other findings also result from the various statements made by the parties present and the witness at the hearing.
For the sake of completeness, it should be mentioned that the complainant or his legal representative presented several decisions of the civil courts (up to the Supreme Court) in the course of the hearing, according to which the (still) wife does not have a "beneficiary" position in the XXXX private foundation . Since the responsible senate has determined the relevant facts according to the above findings, this evidence is of no importance in the present appeal proceedings.
3. Legal assessment:
3.1. According to Art. 130 Para. 1 Z 1 B-VG, the administrative courts decide on complaints against the decision of an administrative authority due to illegality.
According to § 6 BVwGG, the Federal Administrative Court decides through a single judge, unless federal or state laws provide for the decision to be made by senates.
Pursuant to Section 27 (1) DSG, the Federal Administrative Court decides through the Senate on complaints against decisions due to violation of the duty to inform pursuant to Section 24 (7) leg. cit. and the duty of the data protection authority to make a decision. In accordance with Section 27 (2) first sentence DSG, the Senate consists of a chairman and one expert lay judge each from the circle of employers and from the circle of employees.
In this case, the Senate is responsible.
The procedure of the administrative courts, with the exception of the Federal Finance Court, is regulated by the VwGVG, Federal Law Gazette I 2013/33 as amended by Federal Law Gazette I 2013/122 (§ 1 leg.cit.). Pursuant to Section 58 (2) VwGVG, conflicting provisions that were already promulgated at the time this federal law came into force remain in force.
According to § 17 VwGVG, unless otherwise specified in this federal law, the provisions of the AVG with the exception of §§ 1 to 5 and Part IV, the provisions, apply to the procedure for complaints pursuant to Art. 130 Para. 1 B-VG the Federal Fiscal Code - BAO, Federal Law Gazette No. 194/1961, the Agricultural Procedures Act - AgrVG, Federal Law Gazette No. 173/1950, and the Service Law Procedures Act 1984 - DVG, Federal Law Gazette No. 29/1984, and otherwise those procedural provisions in federal or state laws that the authority applied or should have applied in the proceedings preceding the proceedings before the administrative court.
3.2. Pursuant to § 31 Para. 1 VwGVG, the decisions and orders are made by way of a resolution, unless a finding is to be made.
Pursuant to Section 28 (1) VwGVG, the administrative court has to settle the legal matter by finding it unless the complaint is to be rejected or the proceedings are to be discontinued.
According to § 28 para. 2 VwGVG, the administrative court has to decide on the matter itself if the relevant facts are established or the determination of the relevant facts by the administrative court itself is in the interest of speed or is associated with significant cost savings.
3.3. to A)
3.3.1. Applicable Law
3.3.1.1. The relevant provisions of the Previous search termGDPRNext search term
Article 4
definitions
For the purposes of this Regulation, the term means:
1. "Personal data" means any information relating to an identified or identifiable natural person (hereinafter "data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more special features that express the physical , physiological, genetic, mental, economic, cultural or social identity of that natural person;
2. "Processing" means any process carried out with or without the help of automated processes or any such series of processes in connection with personal data, such as collection, recording, organisation, ordering, storage, adaptation or modification, reading out, querying, use, disclosure by transmission, distribution or any other form of making available, matching or linking, restriction, deletion or destruction;
3rd - 6th (…)
7. "Responsible person" means the natural or legal person, public authority, agency or other body that alone or jointly with others decides on the purposes and means of processing personal data; if the purposes and means of this processing are specified by Union law or the law of the Member States, the person responsible or the specific criteria for his naming can be provided for by Union law or the law of the Member States;
8th - 9th (…)
10. "Third party" means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct responsibility of the controller or processor, are authorized to process the personal data ;
11. "Consent" of the data subject means any voluntary, informed and unequivocal expression of will in the specific case, in the form of a declaration or other clear affirmative action, with which the data subject indicates that they are consenting to the processing of data concerning them agrees to personal data;
12.- 26. (…)
Article 5
Principles for the processing of personal data
(1) Personal data must
a) processed lawfully, fairly and in a manner that is transparent to the data subject ("lawfulness, fair processing, transparency");
b) collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes; further processing for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes shall not be deemed incompatible with the original purposes pursuant to Article 89(1) ("purpose limitation");
c) adequate and relevant to the purpose and limited to what is necessary for the purposes of the processing ("data minimization");
d) accurate and, where necessary, up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without undue delay ("accuracy");
e) stored in a form which permits identification of data subjects only for as long as is necessary for the purposes for which they are processed; personal data may be stored for a longer period to the extent that the personal data are used exclusively for archiving purposes in the public interest or for scientific and historical research purposes, subject to the implementation of appropriate technical and organizational measures required by this regulation to protect the rights and freedoms of the data subject, or processed for statistical purposes in accordance with Article 89(1) ("storage limitation");
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organizational measures ("integrity and confidentiality");
(2) The person responsible is responsible for compliance with paragraph 1 and must be able to prove compliance with it (“accountability”).
Article 6
lawfulness of processing
(1) The processing is only lawful if at least one of the following conditions is met:
a) the data subject has given their consent to the processing of their personal data for one or more specific purposes;
b) processing is necessary for the performance of a contract to which the data subject is party or for the implementation of pre-contractual measures at the request of the data subject;
c) processing is necessary for compliance with a legal obligation to which the controller is subject;
d) processing is necessary to protect vital interests of the data subject or another natural person;
e) the processing is necessary for the performance of a task that is in the public interest or in the exercise of official authority that has been delegated to the controller;
f) processing is necessary to safeguard the legitimate interests of the person responsible or a third party, unless the interests or fundamental rights and freedoms of the data subject that require the protection of personal data prevail, in particular if the data subject is a child acts.
Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their duties.
2. Member States may maintain or introduce more specific provisions adapting the application of the rules of this Regulation in relation to processing to comply with points (c) and (e) of paragraph 1 by specifying specific requirements for processing and other measures to ensure a lawful and to ensure fair processing, including for other special processing situations as set out in Chapter IX.
(3) The legal basis for the processing pursuant to paragraph 1 letters c and e is determined by
a) Union law or
b) the law of the Member States to which the controller is subject.
The purpose of the processing must be specified in this legal basis or, with regard to the processing referred to in paragraph 1 letter e, be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. This legal basis may contain specific provisions adjusting the application of the provisions of this Regulation, including provisions on which general conditions apply to regulate the lawfulness of processing by the controller, what types of data are processed, which subjects are concerned, to which entities and for what purposes the personal data may be disclosed, the purpose limitations, how long they may be stored and what processing operations and procedures may be used, including measures to ensure lawful and fair processing, such as those for others special processing situations according to Chapter IX. Union law or the law of the Member States must pursue an objective in the public interest and be proportionate to the legitimate aim pursued.
(4) If the processing for a purpose other than that for which the personal data was collected is not based on the consent of the data subject or on a legal provision of the Union or of the Member States which, in a democratic society, is a necessary and proportionate measure to protection of the objectives referred to in Article 23(1), the controller shall, in order to determine whether the processing for another purpose is compatible with the one for which the personal data were originally collected, take into account, among other things
a) any link between the purposes for which the personal data were collected and the purposes of the intended further processing,
b) the context in which the personal data was collected, in particular with regard to the relationship between the data subject and the person responsible,
c) the nature of the personal data, in particular whether special categories of personal data are processed pursuant to Article 9 or whether personal data relating to criminal convictions and offenses are processed pursuant to Article 10,
d) the possible consequences of the intended further processing for the data subjects,
e) the existence of appropriate safeguards, which may include encryption or pseudonymisation.
3.3.1.2. The relevant provisions of the DSG
Article 7
Consent Conditions
(1) If the processing is based on consent, the person responsible must be able to prove that the data subject has consented to the processing of their personal data.
(2) If the data subject's consent is given in the form of a written statement which also concerns other matters, the request for consent shall be made in an intelligible and easily accessible form, using clear and plain language, in such a way that it is clearly distinguishable from the other matters is. Parts of the declaration are not binding if they constitute a violation of this regulation.
(3) The data subject has the right to revoke their consent at any time. The revocation of the consent does not affect the legality of the processing carried out on the basis of the consent up to the point of revocation. The data subject will be informed of this before consent is given. Withdrawing consent must be as simple as giving consent.
(4) When assessing whether consent is freely given, utmost account shall be taken of whether, among other things, the performance of a contract, including the provision of a service, is dependent on consent to the processing of personal data, which are not required for the performance of the contract.
article 1
(constitutional provision)
fundamental right to data protection
§ 1. (1) Everyone has the right to confidentiality of their personal data, in particular with regard to respect for their private and family life, insofar as there is a legitimate interest in doing so. The existence of such an interest is excluded if data are not accessible to a non-disclosure claim due to their general availability or due to their lack of traceability to the data subject.
(2) Insofar as personal data is not used in the vital interests of the person concerned or with his or her consent, restrictions on the right to secrecy are only permissible to protect overriding legitimate interests of another, and in the case of interventions by a state authority only on the basis of laws, which are necessary for the reasons stated in Art. 8 Para. 2 of the European Convention for the Protection of Human Rights and Fundamental Freedoms (EMRK), Federal Law Gazette No. 210/1958. Such laws may only provide for the use of data, which by their nature are particularly worthy of protection, to protect important public interests and must at the same time provide for appropriate guarantees for the protection of the confidentiality interests of the data subjects. Even in the case of permissible restrictions, the encroachment on the fundamental right may only be carried out in the mildest way that leads to the goal.
(...)
Complaint to the data protection authority
Section 24. (1) Every data subject has the right to lodge a complaint with the data protection authority if they believe that the processing of their personal data violates the previous search term GDPR next search term or Section 1 or Article 2, Chapter 1.
(2) The complaint must contain:
1. the designation of the right deemed to have been infringed,
2. as far as this is reasonable, the designation of the legal entity or body to which the alleged infringement is attributed (respondent party),
3. the facts from which the infringement is derived,
4. the grounds on which the allegation of illegality is based,
5. the desire to determine the alleged infringement and
6. the information required to assess whether the complaint was filed in a timely manner.
(3) A complaint may be accompanied by the application on which it is based and any response by the respondent. The data protection authority shall provide further assistance in the event of a complaint at the request of the data subject.
(4) The right to have a complaint dealt with shall lapse if the intervener does not file it within one year of becoming aware of the event giving rise to the complaint, but at the latest within three years after the event allegedly took place. Late complaints are to be rejected.
(5) If a complaint proves to be justified, it must be followed. If an infringement is attributable to a person responsible for the private sphere, the person responsible must be instructed to comply with the complainant's requests for information, correction, deletion, restriction or data transfer to the extent necessary to eliminate the identified infringement. If the complaint proves to be unjustified, it must be dismissed.
(6) Until the proceedings before the data protection authority have been concluded, a respondent may subsequently remedy the alleged infringement by complying with the complainant's requests. If the data protection authority considers the complaint to be unfounded, it must hear the complainant. At the same time, he should be made aware that the data protection authority will informally discontinue the procedure if he does not explain within a reasonable period of time why he still considers the originally alleged infringement to be at least partially not remedied. If the essence of the matter is changed by such a statement by the complainant (Section 13(8) AVG), it is to be assumed that the original complaint will be withdrawn and a new complaint will be filed at the same time. In this case, too, the original complaint procedure is to be discontinued informally and the complainant to be informed. Late statements are not to be considered.
(7) The complainant will be informed by the data protection authority about the status and the result of the investigation within three months of filing the complaint.
(8) Any data subject may appeal to the Federal Administrative Court if the data protection authority does not deal with the complaint or has not informed the data subject of the status or the outcome of the complaint within three months.
(9) The data protection authority can - if necessary - involve official experts in the procedure.
(10) The decision period according to § 73 AVG does not include:
1. the time during which the proceedings are suspended until the final decision on a preliminary question;
2. the time during a procedure according to Art. 56, 60 and 63 Previous search term GDPR Next search term.
3.3.2. According to the constitutional provision of § 1 Para. 1 DSG, everyone has the right to confidentiality of personal data concerning him/her, in particular with regard to respect for private and family life, insofar as there is a legitimate interest in confidentiality. In this context, personal data worthy of protection is not only to be understood as easily recognizable personal information, such as a person's name, gender, address or place of residence, but also, for example, value judgments and thus personal information per se. All personal data - i.e. both automatically and manually processed data - must be kept secret if there is a legitimate interest in secrecy or processing of this data is not permitted.
The central starting point as to whether a fundamental right claim exists at all according to § 1 Para. 1 DSG is the existence of "worthy of protection" interests. A weighing of interests must be carried out when examining them. In particular, the principle of legality under data protection law must be taken into account here.
The involved party, as the person responsible within the meaning of Art. 4 Z 7 Previous search term GDPR Next search term for his client - the (still) wife of the complainant - prepared a (private) report dated May 16, 2018 in order to document their possible future maintenance claims against the complainant.
The (still) wife as the transmitter of most of the complainant's personal data, which was then processed by the party involved in the report, is in the given case constellation a "third party" within the meaning of Art. 4 Z 10 Previous search term GDPR Next search term.
In the above-mentioned ruling of September 22, 2022, the Constitutional Court stated in particular:
"3. In its decision, the Federal Administrative Court failed to recognize that the (still) husband in the present constellation has no right to secrecy about his income data.
3.1. According to the settled case law of the Supreme Court, a dependent spouse has a right to information and accounting from the other spouse. The person entitled to maintenance cannot be expected to "complain out of the blue", so to speak, to claim any income level that appears most likely and to base the maintenance request on it. The reciprocal marital information obligations continue to apply even after the dissolution of the marriage.
3.2. Against this background, a violation of the (still) husband's right to secrecy is out of the question from the outset. Where there is a legal right to information and accounting, there can be no right to secrecy of personal data. This balancing of interests in favor of the (still) wife has an impact on the complainant commissioned by her.
4. But even if one were to assume a right to secrecy regarding the income data of the (still) husband, the legitimate interest of the (still) wife in the processing of the data by the complainant would prevail.
The interest of the (still) wife in determining any (maintenance) claims to which she is entitled must be recognized as a legitimate interest within the meaning of Article 6 (1) lit. f Previous search term GDPR Next search term. In addition, there is no interest worthy of protection of the maintenance debtor in keeping his income secret from his spouse in order to avoid a statutory maintenance obligation. Neither does a private foundation have an interest worthy of protection in the secrecy of its assets or income that the maintenance debtor has given it to the maintenance beneficiary, in order to make it impossible to examine any maintenance claim."
Regarding the determination of Art. 6 (1) lit. f previous search term GDPR next search term, recital (47) specifically states:
"The lawfulness of processing may be based on the legitimate interests of a controller, including a controller to whom the personal data may be disclosed, or a third party, provided the interests or fundamental rights and freedoms of the data subject do not prevail; in doing so, the reasonable expectations of the data subject based on their relationship with the controller shall be taken into account. A legitimate interest could exist, for example, if there is a relevant and appropriate relationship between the data subject and the data controller, (...) In any case, the existence of a legitimate interest would have to be weighed up particularly carefully, whereby it should also be checked whether a data subject at the time of the collection of the personal data and given the circumstances in which it takes place, can reasonably foresee that processing for this purpose may take place. (...)" (cf. also Jahnel, comment on the General Data Protection Regulation Art. 6 Previous search term GDPR Next search term, margin no. 79 [as of 1.12.2020, rdb.at]; Kastelitz/Hötzendorfer/Tschohl in Knyrim, DatKomm Art 6. Previous search term GDPR , margin nos. 49 to 55 [as of May 7, 2020, rdb.at]).
Thus, in the present case, the complainant should have disclosed his assets and income to his (still) wife as a dependent in the course of a divorce process.
For the reasons set out, the responsible Senate therefore comes to the decisive conclusion that the complainant’s right to secrecy was not violated by the party involved as the person responsible through the processing of his personal data worthy of protection in the expert opinion of May 16, 2018.
Since the contested part 1 of the above decision is not illegal within the meaning of Art. 130 Para. 1 Z 1 B-VG for these reasons, the complaint raised against it according to § 28 Para. 5 DSG as amended.
3.4. Re B) Inadmissibility of the revision:
Pursuant to § 25a Para. 1 VwGG, the administrative court has to pronounce in its ruling or decision whether the revision is admissible according to Art. 133 Para. 4 B-VG. The statement must be briefly justified.
According to Art. 133 Para. 4 B-VG, the revision is not permissible because the decision does not depend on the solution of a legal question that is of fundamental importance. The present decision neither deviates from the previous case law of the Administrative Court, nor is there any case law; Furthermore, the case law of the Administrative Court is not to be judged as inconsistent. There are also no other indications of a fundamental importance of the legal question to be solved.
keywords
legitimate interest data protection data protection complaint data protection procedure data processing secrecy balancing of interests personal data private opinion legal opinion of the Constitutional Court divorce interests worthy of protection maintenance claim of responsible financial circumstances