DSB (Austria) - 2020-0.103.803

From GDPRhub
(Redirected from DSB - 2020-0.103.803)
DSB - 2020-0.103.803
LogoAT.png
Authority: DSB (Austria)
Jurisdiction: Austria
Relevant Law:
§ 1 DSG 2000
§ 2(1) MBG (Militärbefugnisgesetz - Military Powers Act)
§ 23 MBG (Militärbefugnisgesetz - Military Powers Act)
§ 24 MBG (Militärbefugnisgesetz - Military Powers Act)
§ 24(5) DSG
§ 31(1) DSG
§ 34(5) DSG
§ 36(1),(2) DSG
§ 43 DSG
§ 69(4) DSG
Type: Complaint
Outcome: Rejected
Started:
Decided: 25.02.2020
Published: 05.05.2020
Fine: None
Parties: Complainant: Iris A***
Respondent: Bundesministerium für Landesverteidigung/Abwehramt (Federal Ministry of Defence/Defence Department)
National Case Number/Name: 2020-0.103.803
European Case Law Identifier: ECLI:AT:DSB:2020:2020.0.103.803
Appeal: Not appealed
Original Language(s): German
Original Source: Rechtsinformationssystem des Bundes - RIS (in DE)
Initial Contributor: Marco Blocher

The Austrian Data Protection Authority (DSB) held, that the Austrian Federal Ministry of Defence does not violate the fundamental right to secrecy when collecting personal data of the sister of a member of the Austrian Armed Forces in order to asses the member in the context of an "extended reliability check" which is foreseen in national law.

English Summary

Facts

The Respondent (Defence Department as part of the Austrian Federal Ministry of Defence) obtained data (including residential address) of the sister of a member of the Austrian Armed Forces as part of a so called "extended reliability check" which is foreseen in the Austrian Military Powers Act (Militärbefugnisgesetz - MBG) before a member is granted access to certain military assets.

The data was provided by the member himself and with his consent in a "declaration of reliability". The sister (Complainant) had not been informed of this data collection by the Respondent but only learned about it from her brother.

Dispute

The Complainant argued, that her fundamental right to secrecy under § 1 DSG 2000 (Austrian Data Protection Act 2000, prior to the introduction of the GDPR) has been violated. Furthermore, she claimed that the Respondent has violated § 43 DSG (current Austrian Data Protection Act), as it did not inform her about the data collection.

Holding

After hearing the Respondent and conducting an audit at its premises, the DSB held, that § 1 DSG 2000 had not been violated: The Respondent qualifies as a state authority within the meaning of § 1(2) DSG 2000. §§ 23 and 24 MBG constitute a qualified appropriate legal basis under § 1(2) DSG 2000 that allows for the Respondent's intervention to the Complainant's right to secrecy.

With regard to the alleged violation of the information duties under § 43 DSG, the DSB held, that the complainant's data were not processed in a file system because the data only appear in the "supplement 2 to the extended declaration of reliability" and this supplement has to be specially selected from the total volume of data. Therefore §§ 36 et seqq. DSG, and thus also the obligation to inform the data subject under §43 DSG, did not apply.

Comment

The GDPR was not applicable, as the respondent was a controller within the scope of directive (EU) 2016/680.

As regards the substantive law, the matter was to be judged in accordance with the provisions of the DSG 2000, which were applicable before 28 February 2018 - the date of the alleged violation of the right to secrecy.

Regarding the alleged violation of information duties, the current DSG, which implements Directive (EU) 2016/680 was applicable, since the alleged violation would have continued as the respondent had not complied with the duties to provide information even in the ongoing proceedings before the DSB until their conclusion.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

GZ: 2020-0.103.803 of 25.2.2020 (Number of proceedings: DSB-D122.871)
Note Processor: Names and companies, legal forms and product names, addresses (including URLs, IP and e-mail addresses), file numbers (and similar), etc., as well as their initials and abbreviations may be abbreviated and/or changed for reasons of pseudonymisation. Obvious spelling, grammar and punctuation errors have been corrected].
DECISION
SPEAK
The data protection authority decides on the data protection complaint of Iris A*** (complainant) of 6 March 2018 against the Federal Ministry of National Defence/Abwehramt (respondent) on the grounds of 1) violation of the right to secrecy and 2) violation of the right to information as follows:
- The appeal is dismissed.
Legal basis: § 1 of the Data Protection Act 2000 (DSG 2000), BGBl. I No. 165/1999 as amended by BGBl. I No. 132/2015; §§ 24 para. 5, §§ 36 ff and 69 para. 4 of the Data Protection Act (DSG), BGBl. I No. 165/1999 as amended by BGBl. I No. 120/2017; §§ 22 ff of the Military Authorisation Act (MBG), BGBl. I No. 86/2000 as amended, §§ 1 ff of the Ordinance of the Federal Minister of Defence on the Declaration of Reliability, BGBl. II No. 195/2001 as amended.
JUSTIFICATION
A. Arguments of the parties and procedure
1 By submission of 6 March 2018, improved by letter of 14 March 2018, the complainant alleged a violation of the right to secrecy, summarised as follows: Her brother, Eugen A***, had had to disclose the complainant's residential address to the respondent in the context of an "extended reliability check". The complainant had only by chance been informed of this by her brother by telephone on 28 February 2018 and not by the "Austrian Armed Forces". The complainant's brother had been forced to, and therefore not voluntarily, pass on her data, as otherwise he would not be offered the position he had been aiming for, which would lead to considerable loss of income and career cuts. 
2 In its statement of 5 April 2018, the respondent submitted in summary that military services which would be entrusted with tasks of intelligence defence would be entitled in matters of military national defence to carry out a reliability assessment pursuant to Section 23 of the MLA, in particular with regard to persons who would have had access to military legal assets or should have gained such access. Pursuant to Section 24 MBG, a reliability examination in this regard would only be carried out on the basis of a declaration of reliability by the person concerned regarding his or her previous life and current circumstances and with his or her consent. With the decree of the Federal Minister of National Defence on the declaration of reliability, more detailed provisions had been made, inter alia, on the extended declaration of reliability, which would also provide information on the residence of certain relatives. Furthermore, the explanations on the MLA provided that the basic constitutional rights to data protection and respect for private and family life were to be observed, but would not apply in certain matters with regard to national defence. 
3 The complainant did not comment on the defendant's statement in the granted party hearing. 
(4) By letter of 17 July 2019, the DPA invited the defendant to provide additional comments. 
5 In a supplementary opinion of 6 September 2019, the respondent submitted in summary that the purpose of the reliability test pursuant to Sections 23 and 24 of the MPA was to prepare a hazard assessment of the person to be tested. Within the framework of the examination of the proportionality of the encroachment, a weighing of interests had to be carried out in each individual case with regard to the severity of any encroachment on fundamental rights. The desired success must be in a reasonable relationship to the damage or danger that the use of the power is likely to cause. In addition, the preparation of a reliable prognosis of the threat to a person was necessary here so that no military rights were endangered in the future. Success thus consisted in the protection of military legal interests and the preventive avoidance of attacks on military legal interests. Since the information obtained was also kept in accordance with the statutory requirements, misuse and thus a threat to the person concerned could be ruled out. In the matter under consideration there was neither a violation of the right to secrecy nor a breach of the obligation to provide information in accordance with the provisions of the DSG. The complainant therefore requested that her complaint be dismissed. 
6 The complainant did not comment on the defendant's supplementary statement in the hearing granted.
7 By letter of 25 October 2019, the DPA scheduled a visit to the premises of the DAR on 14 November 2019. The inspection was carried out on 14 November 2019. 
6 The complainant did not comment on the summary note on the inspection, which was presented at the hearing of the parties.
B. Subject matter of the complaint
The object of the complaint is the question of whether the defendant infringed the rights to confidentiality and information of the complainant by processing personal data of the complainant in the context of the reliability test of the complainant's brother.
C. Findings of the facts
The data protection authority first of all bases its decision on the facts of the case, as set out above under A. and documented in a file, and with regard to the declaration of reliability, it is established that the complainant's brother (Eugen A***) has completed and submitted such a declaration. 
Evaluation of evidence: The findings result from the concurring submissions of the parties to the proceedings in their letters to the Data Protection Authority.
Mr. A*** himself applied for the reliability test when establishing an employment relationship; the application was accepted by the S 2 service of the competent military command (here military command *** - MilKdo *). 
The reliability test was carried out on the basis of the standardised questionnaire provided by the respondent ("Extended Statement of Reliability pursuant to Section 1(1)(2) Statement of Reliability, Federal Law Gazette II No 195/2001"). A sample form is included in the file.
Subsequently, the application completed by Mr A*** was physically combined by the MilKdo * with the applications of other persons into a "collective file" and this collective file was then also physically submitted to the German Armed Forces for further examination.
Only a letter of discharge from the MilKdo *, in which reference is made to the submission of the summary file, together with a continuation sheet, was sent to the FDHA by way of information (electronically). The name of Eugen A*** does not appear on the first page of this settlement, but only on the following sheet. A search in the electronic file management system of the Federal Office of Defense Administration with the search parameters "Eugen A***" is negative. The data "Eugen A***" can only be assigned to the MilKdo * completion letter, and thus to the transaction number, within the framework of a so-called "full text search".
On the basis of the MilKdo *'s settlement letter * together with the business number, it is possible to find the physical application of Eugen A*** in the physical file (here: file box with the number Z*****-2018).
In the file box there are several examined applications, the application of Eugen A*** is not marked separately in the total volume and can therefore only be removed after all applications have been reviewed.
In the "Supplement 2 to the extended declaration of reliability" of the Eugen A***, the following handwritten entry appears - among other entries - (formatting not as in the original, handwritten entries set in italics):
"Reference to this person: brother/sister
Family name: A***
First name: Iris
former names: - 
Place and country of birth: */Austria
Date of birth: *.**.1974
Nationality(ies): Austria
Profession: *employee
Residence: **** Vienna, **gasse **/*"
The complainant's data were not electronically processed by the respondent in the context of the Eugen A*** reliability test. 
The electronic data processing of the complainant's data in the file management system of the Austrian Federal Office of Defence refers exclusively to the present appeal proceedings.
Evaluation of evidence: This follows from the inspection carried out on 14 November 2019, during which the data protection authority satisfied itself that the complainant's data are processed electronically exclusively in connection with the present appeal proceedings. This was proven by queries in the electronic file management system of the German Federal Office of Defense. Furthermore, the data protection authority was able to establish that the complainant's data in connection with the Eugen A***'s reliability check only appear in the Eugen A***'s application by analogy and that this application can only be extracted in the manner described above.
D. From a legal point of view, it follows that
D.1 The legal situation: 
D.1.1. infringement of Article 1(1) of the DSG 2000: 
A decision on this part of the complaint is to be made in accordance with the new legal situation (DSG as amended by Federal Law Gazette I No. 24/2018) under Section 24 (5) DSG. In substantive law, however, the matter is to be judged in accordance with the provisions of the DSG (2000) as amended by Federal Law Gazette I No. 83/2013, which were applicable before 28 February 2018 (date of the alleged breach of the right to secrecy).
An interference with the fundamental right to data protection does not depend on a specific form. According to the case law of the Administrative Court on § 1 para. 1 DSG 2000, these provisions grant a comprehensive right to confidentiality of personal data, irrespective of the technical and organisational conditions of their processing. The Constitutional Court has also ruled in the VfSlg. 19.937/2014 ruling that the right to secrecy under § 1.1 DPA 2000 is not restricted to data processed by computer or manual data (cf. the ruling [Comment of the Administrative Court] of 28 February 2018, Ra 2015/04/0087). 
The scope of application of Section 1 DSG 2000 is therefore in any case open.
There is no violation of the fundamental right to secrecy pursuant to Article 1, paragraph 1, DSG 2000 if the data processing is carried out with the consent of the data subject, in his or her vital interest or to safeguard the overriding legitimate interests of another, and in the case of intervention by a state authority only on the basis of a qualified legal basis (Article 1, paragraph 2, DSG 2000). 
Since in the present case the intervention of a state authority - the respondent - is to be attributed, it must be examined whether the intervention is covered by a qualified legal basis.
§§ Sections 23 and 24 MBG read in extracts:
Reliability check
§ (1) Military units entrusted with intelligence defence tasks may conduct a reliability test in matters of military national defence. A reliability test is the clarification of the reliability of a person on the basis of data that provide information as to whether there are indications that this person poses a threat to military security.
(2) […]
3. A background check may be carried out on persons who
1. have or are to have access to military legal assets pursuant to Article 1 para 7 no. 3, or
2. are in the spatial vicinity of persons or property whose protection and security is required within the framework of military guard duty.
(4) […].
Performance of the reliability test
§ (1) In the cases of § 23 para 3 subpara 1, a reliability examination shall only be carried out on the basis of a declaration by the person concerned regarding his or her previous life and current circumstances (declaration of reliability) and with his or her consent. The Federal Minister of Defence shall issue an ordinance containing more detailed provisions on the declaration of reliability.
2. The reliability test shall include the data collected by the military services responsible for intelligence tasks. In addition, the following may be determined by way of a request for information pursuant to Section 21 or Section 22 para. 2
1. in the case of § 23 par. 3 fig. 1, the data necessary to verify the accuracy and completeness of the information provided by the audited entity, and
2. in the case of § 23 para 3 no. 2, the data without which the reliability check could not be carried out.
When including data in a reliability check, proportionality must be ensured between the interests of the private and family life of the data subject and overriding public interests.
(3) In the case of a reliability examination pursuant to § 23 para 3 subpara 1, the investigations shall be limited to the verification of the declaration of reliability. If the results of such investigations contradict the declaration of reliability, the person concerned shall be given the opportunity to comment.
§ Section 3 of the Ordinance on the Declaration of Reliability states in extracts
§ 3 (1) The reliability test is to be performed on the basis of an extended reliability declaration
if the person concerned has or is to have access to military areas or military property or military secrets, the impairment of which would be a significant disadvantage for military security.
(2) In the context of the expanded Statement of Assurance, in addition to
under Section 2(2), only information on the following subjects is required:
[…]
3. name, place and date of birth, citizenship, profession and residence of
(a) children, siblings, former spouses or life partners; and
(b) any other closely related or closely related by marriage or by marriage to a person known to the applicant,
each with relevance to military security,
[…].
As noted, the complainant's brother gave an extended declaration of reliability. This was, as noted, checked by the Department of Defense. As far as the complainant is concerned, the data established above were processed.
All in all, therefore, the complainant's data processing in the proceedings is covered by the cited provisions, which is why there is no violation of the right to secrecy.
D.1.2. breach of information duties:
A decision on this part of the complaint is to be made in accordance with the new legal situation (DSG, Federal Law Gazette I No. 165/1999 as amended by Federal Law Gazette I No. 24/2018) under Section 24 (5) DSG. In terms of time, the alleged violation continues, since the respondent has not complied with the duties to provide information even in the ongoing proceedings before the data protection authority until their conclusion.
The data processing in question falls under the third main section of the DPA because it was carried out by a competent authority (cf. Article 36 (2) no. 7 lit. a DPA) for the purposes of military self-protection (cf. Article 36 (1) DPA in conjunction with Article 2 (1) no. 2 MBG).
The competence of the data protection authority is based on Section 31 (1) of the German Data Protection Act (DSG) and was not questioned.
§ Section 43 of the DSG obliges the data controller to provide the data subject with certain information about the processor of his or her data. 
The 3rd main section of the DSG implements Directive (EU) 2016/680. In accordance with Article 2(2) thereof, this Directive applies to the processing of personal data wholly or partly by automatic means and to the non-automatic processing of personal data which are or are to be stored in a filing system.
Paragraphs 36 et seq. of the DSG must therefore be interpreted in the light of this material scope of application.
As noted, the complainant's data were not automatically processed in the context of the reliability test of her brother. Accordingly, for the application of Sections 36 et seq. of the German Data Protection Act, it is necessary for the non-automated processing to be carried out in such a way that the data processed in this way are or are to be stored in a file system.
According to Section 36(2)(6) of the DSG, "file system" meant any structured collection of personal data accessible according to specific criteria, regardless of whether this collection is managed centrally, decentrally or according to functional or geographical criteria.
According to the case law of the European Court of Justice on the comparable definition under Directive 95/46/EC, a file is always present if there is a structured collection of personal data which ensures that a person can be easily retrieved (cf. the judgment of 10 July 2018, C-25/17 Rz 52 ff).
Applied to the present case, this means the following:
In order to retrieve the complainant's data, it is first necessary to know that she is the sister of Eugen A*** and that the latter has submitted an extended declaration of reliability.
Since the search for the declaration of reliability of the reference person - Eugen A*** - already involves a considerable amount of work and since the complainant's data only appear in the "Supplement 2 to the extended declaration of reliability" and since this supplement has to be specially selected from the total volume, it cannot be assumed that it is possible to easily find her data again. 
The complainant's data are therefore not processed in a file system, which is why Sections 36 et seq. of the DSG, and thus also the obligation to inform the data subject under Section 43 DSG, do not apply.
D.1.3 Summary
In summary, therefore, the alleged infringement is not present.
It was therefore appropriate to rule in accordance with the Rules of Procedure.