DSB (Austria) - 2020-0.605.768
|DSB - 2020-0.605.768|
|Relevant Law:||Article 40 GDPR|
Article 41(1) GDPR
Article 41(2)(c) GDPR
Article 57(1)(p) GDPR
Article 57(1)(q) GDPR
Article 70(1)(n) GDPR
§ 2 Überwachungsstellenakkreditierungs-Verordnung – ÜStAkk-V
§ 69(6) Datenschutzgesetz - DSG
|Parties:||A*** GmbH (commercial register code: FN *5*1*91r)|
|National Case Number/Name:||2020-0.605.768|
|European Case Law Identifier:||ECLI:AT:DSB:2020:2020.0.605.768|
|Original Source:||Rechtsinformationssystem des Bundes (RIS) (in DE)|
|Initial Contributor:||Marco Blocher|
The Austrian Data Protection Authority (DSB) accredited a company to monitor compliance with a code of conduct under Article 41 GDPR but rejected its request for accreditation to monitor two other codes of conduct because the holders of the DSB-approvals of these codes did not express their willingness to cooperate with the company.
English Summary[edit | edit source]
Facts[edit | edit source]
In December 2019, an Austrian company ("A*** GmbH") requested accreditation to monitor compliance with three different codes of conducts under Article 41 GDPR (redacted as "code S***", code M*** and code U***"). These codes had been approved by the DSB under Article 40(5) GDPR.
Inverstigations by the DSB showed that:
- The holder of the DSB-approval for code S*** explicitly wanted A*** GmbH to be accredited to monitor compliance with this code of conduct.
- The holder of the DSB-approval for code U*** was explicitly against A*** GmbH beeing accredited to monitor compliance with this code of conduct
- The holder of the DSB-approval for code M*** did not give a statement on whether they wanted A*** GmbH to be accredited to monitor compliance with this code of conduct. However, in August 2020, the DSB had received a request by another body wanting to be accredited to monitor compliance with code M***.
Dispute[edit | edit source]
- Can a body be accredited to monitor compliance with a code of conduct under Article 41 GDPR if the holder of the of the code's approval is against this accreditation ("non-consensual accreditation")?
- Can a body be accredited to monitor compliance with a code of conduct under Article 41 GDPR if the holder of the of the code's approval prefers a different body to be accredited to do so?
Holding[edit | edit source]
The DSB accredited A*** GmbH to monitor compliance with code S*** but rejected the request for accreditation for the monitoring of code U*** and code M***.
Regarding code U*** the DSB held that the holder of the DSB-approval for this code has expressly denied its cooperation with A*** GmbH regarding the monitoring for this code under Article 41 GDPR.
Regarding code M*** the DSB held that the holder of the DSB-approval for this code code has expressed its willingness to cooperate regarding the monitoring under Article 41 GDPR not towards A*** GmbH, but towards another body.
As a result, there were neither
- monitoring mechanisms to carry out the mandatory monitoring of compliance with the provisions of the code under Article 40(4) GDPR nor
- established procedures and structures to handle complaints about infringements of the code or the manner in which the code has been, or is being, implemented under Article 41(2)(c) GDPR
in place. Hence, the request for accreditation were rejected.
Comment[edit | edit source]
The name of the company requesting accreditation or the respective codes of conduct under Article 40 are not revealed in the decision. The DSB later disclosed lawvision information systems GmbH (www.lawvision.eu) as the company. The codes mentioned in the decision concern the business sectors "Professional Association of Employers", "Smart Metering" and "Media Companies".
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the German original. Please refer to the German original for more details.
Decisive authority Data protection authority Decision date 09/28/2020 Business number 2020-0.605.768 Appeal at the BVwG / VwGH / VfGH This decision is final. text GZ: 2020-0.605.768 of September 28, 2020 (case number: DSB-D198.001) [Note processor: names and companies, legal forms and product names, addresses (incl. URLs, IP and e-mail addresses), file numbers (and the like), etc., as well as their initials and abbreviations can be shortened and / or changed for reasons of pseudonymisation his. Obvious spelling, grammar, and punctuation errors have been corrected. NOTIFICATION SPEECH The data protection authority decides on the application of A *** GmbH (registered under FN * 5 * 1 * 91r in the commercial register of the Commercial Court of Vienna, applicant), with registered office (main office) in ****, dated December 16, 2019 for accreditation as Monitoring body according to Art. 41 Para. 1 GDPR as follows: 1. The application is partially accepted and the applicant acts as the monitoring body for the "Data protection rules of conduct of the Association S *** - S *** CoC", approved by decision of November 5, 2019, GZ: DSB-D196.006 / 0005-DSB / 2019, as amended from time to time, accredited. 2. The application is otherwise rejected. 3. According to § 78 of the General Administrative Procedure Act 1991 (AVG), Federal Law Gazette No. 51/1991 as amended, in conjunction with §§ 1, 3 Paragraph 1 and TP 1 Federal Administrative Fees Ordinance 1983, BGBl No. 24 as amended (BVwAbgV), the applicant has a Administrative fee of 6.50 euros to be paid. Legal basis: Art. 40, Art. 41, Art. 51 Paragraph 1, Art. 57 Paragraph 1 lit. p and lit. q of Regulation (EU) 2016/679 (General Data Protection Regulation - GDPR), ABl. No. L 119 of 4.5.2016, p. 1; § 18 Paragraph 1 of the Data Protection Act (DSG), Federal Law Gazette I No. 165/1999 as amended; Section 2 (1) and (2) and sections 3 to 6 of the ordinance of the data protection authority on the requirements for a body for monitoring compliance with rules of conduct (ÜStAkk-V), Federal Law Gazette II No. 264/2019; Section 78 of the General Administrative Procedure Act 1991 (AVG), Federal Law Gazette No. 51/1991 as amended in conjunction with Sections 1, 3, Paragraph 1 and TP 1 of the Federal Administrative Tax Ordinance 1983 (BVwAbgV), Federal Law Gazette No. 24/1983 as amended. REASON I) Submissions of the applicant and course of the procedure 1. With the submission dated December 16, 2019, received by the data protection authority on December 19, 2019, the applicant applied to be accredited as a monitoring body for a total of three rules of conduct approved by the data protection authority in accordance with Art. 40 (5) GDPR. The applicant submitted appropriate documents (evidence in accordance with § 2 to 6 ÜStAkk-V) as enclosures to the application or in the further course of the procedure at the request of the data protection authority. 2. These are the following rules of conduct (each in the current version): A) "Data protection rules of conduct of the Association S *** - S *** CoC", approved by decision of November 5, 2019, GZ: DSB-D196.006 / 0005-DSB / 2019 (short code of conduct S ***) , Holder of the permit: Vereinigung S *** ("S ***" for short). B) "Rules of conduct for ****", approved by decision of May 13, 2019, GZ: DSB-D196.003 / 0001-DSB / 2019 (in short: Rules of Conduct M ***), holder of the permit: 1. Association J ***, 2nd union K ***; C) "Data protection rules of conduct for U ***", approved by decision of 6 August 2019, GZ: DSB-D196.001 / 0004-DSB / 2019 (for short: Rules of conduct U ***), holder of the approval: 1 Association T ***, 2nd Austrian V *** Association; 3. With a procedural order dated January 9, 2020, GZ: DSB-D198.001 / 0001-DSB / 2019, the data protection authority requested the applicant to submit documents from which it emerges that the applicant identified the three permit holders Code of conduct has been entrusted with the task of a monitoring body. 4. In a letter dated February 9, 2020, the applicant submitted that such evidence was not provided for in either the ÜStAkk-V or the GDPR. In addition, in the absence of a monitoring body having been named so far, the relevant rules of conduct are only approved with a suspension and are not yet applicable. Regardless of this interpretation of the law, however, the holders of the respective permits have been asked to send corresponding confirmations to the data protection authority. 5. The data protection authority thereupon requested all holders of the permits for the rules of conduct A) to C) with procedural order (request) of February 19, 2020, GZ: 2020-0.095.999, to comment on the following questions: 1. Did the license holder expressly appoint the applicant to be the monitoring body for the rules of conduct and have a corresponding agreement made with her? 2. Are you in favor of or against an accreditation of the applicant in the above sense? 6. Of those invited, only the S *** expressly spoke out in letters of February 10 and April 29, 2020 in favor of the applicant's accreditation as a monitoring body for the rules of conduct A). The holders of the approval for the rules of conduct C) have expressly spoken out in the statement of May 12, 2020 against an accreditation of the applicant as a monitoring body for their rules of conduct. The holders of the approval for the rules of conduct B) have not submitted a substantive statement despite repeated requests. However, on August 24, 2020 the data protection authority received the application from J *** Service GmbH for accreditation as a monitoring body for the rules of conduct B), which is expressly supported in writing by both license holders and which is currently being examined for procedure number DSB-D198.006 . II) Findings of the facts 7. The statements under point I), the documents submitted by the applicant and the declarations of the owners of the rules of conduct A), B) and C) are used as the basis for the findings of the facts. 8. Evaluation of evidence: The undisputed facts are based on the procedural results listed under point I). The finding that the owners of the rules of conduct B) and C) did not expressly speak out for or against the accreditation of the applicant for the respective rules of conduct was not disputed by the applicant after the parties were given a hearing, only the legal issue was disputed judging issue of the need for an appropriate consensus. III) From a legal point of view it follows: Responsibility of the data protection authority 9. The data protection authority is responsible for handling applications for accreditation of monitoring bodies within the meaning of Art. 41 Para. 1 GDPR, which pursuant to Art. 57 Para. 1 lit. q GDPR in conjunction with Section 2 (2) of the ÜStAkk-V can be submitted to this. On point 1 (partial accreditation) 10. The applicant's activity must be carried out on the basis of the documents submitted (and on which the findings of fact are based). 11. The applicant has provided the evidence required according to §§ 2 to 6 ÜStAkk-V to the satisfaction of the data protection authority. 12. Further justification does not apply in accordance with Section 58 (2) AVG, because the applicant's position is met. On point 2 (summary rejection of the remaining parts of the accreditation application) Interpretation of Art. 41 GDPR 13. Art. 41 GDPR makes no explicit statement on the question of whether there is only a single monitoring body - this is indicated by the wording of the first sentence of Art. 41 (1) GDPR (“from one place”; underlining not in the original; other language versions too - such as the English, French, Spanish or Italian - coincide in this regard with the German) - may be entrusted with the monitoring of a set of rules, or whether the Council and Parliament as legislators of the European Union also make a kind of competition between monitoring bodies possible wanted to. 14. In the second case, the additional question arises as to whether an accreditation of (further) monitoring bodies can also be granted without consent, and in some circumstances even against the will of the owner of the rules of conduct to be monitored (hereinafter referred to as: non-consensus accreditation) . The latter seems to be the view of the applicant and accreditation applicant with regard to rules of conduct B) and C), since in both cases they will submit their application even after the lack of consensus (rules of conduct B)) or an express objection (rules of conduct C)) of the has not restricted the respective license holder accordingly. 15. In exercising its powers pursuant to Art. 70 Para. 1 lit n) GDPR, the European Data Protection Committee (EDPB for short) has issued guidelines 1/2019 on rules of conduct and monitoring bodies in accordance with Regulation (EU) 2016/679, version 2.0, of 4 June 2019 decided and published. 16. In this, the EDPS does not express a clear and unambiguous view on the question at issue here, but shows a clear preference for the possibility of accrediting several monitoring bodies for one set of rules. In particular, margin no. 60 states that “at least one monitoring body” (emphasis not in the original) with accreditation to the supervisory authority must be named in the rules of conduct. 17. The data protection authority therefore interprets Art. 41 GDPR in accordance with the EDSA in such a way that accreditation of several monitoring bodies for one and the same set of rules is possible (so also Strohmaier in Knyrim, DatKomm Art 41 GDPR (as of 1.12.2018, rdb.at ), Margin no. 17 with further references). However, this should only be understood in such a way that such multiple accreditation is not excluded according to the current legal situation. 18. The data protection authority concludes from the logical-systematic context of Articles 40 and 41 GDPR, in particular from Article 40 Paragraph 4 in conjunction with Article 41 Paragraph 2 lit. c) GDPR, namely further that a monitoring body has to work together with the licensee, who according to Art. 40 (2) GDPR must be a representative industry or professional association of responsible persons or contract processors, who accordingly speaks for its members - those to be monitored . This only appears to be possible if the associations concerned support the applicant for accreditation. According to the EDSA guidelines 1/2019 cited above (margin no. 15 f), it is therefore up to the license holder (s) to select and name a monitoring body that appears to be suitable. Multiple nominations are permitted. The decision as to whether multiple accreditation should be possible rests with the holders of codes of conduct. 19. As already mentioned, the interplay between Art. 40 Para. 4 and Art. 41 Para. 2 lit. c GDPR, as these procedural rules have to be coordinated if they are to have no effect. 20. However, the accreditation of a monitoring body to which the license holder expressly rejects is excluded, as is the accreditation of a competing monitoring body if the license holder has already expressly indicated their support for another applicant for accreditation. 21. Such a non-consensus accreditation, as the applicant strives for with regard to rules of conduct B) and C), would foreseeably lead to the license holder refusing to cooperate in the case described, and to the monitoring activity for which an accreditation was granted , in fact cannot be exercised. Likewise, in this case, an effective interaction of the respective procedural regulations cannot be guaranteed. However, it cannot be assumed that the legislators of the Union have adopted a regulation with which ineffective and therefore dysfunctional official approvals are to be issued. For this matter it follows: 22. As stated above (margin nos. 1 and 7), the applicant has also provided the evidence specified in the ÜStAkk-V for the accreditation with regard to the rules of conduct B) and C). 23. As above, however, under para. 6, the licensees of the rules of conduct C) have expressly spoken out against an accreditation of the applicant. The licensees of the rules of conduct B), on the other hand, have expressed their support for the accreditation application from another body to the data protection authority. 24. With regard to both codes of conduct, the investigation has thus shown that there is no basis for the necessary cooperation between the applicant and the four license holders concerned. This means that there are neither procedures nor structures within the meaning of Art. 40 Paragraph 4 and Art. 41 Paragraph 2 lit. c) GDPR, in order to be able to carry out the activity of a monitoring body successfully. The requirements for accreditation are therefore not met. 25. The application was therefore to be dismissed as in point 2). On point 3 (costs) 26. The cost item of the award (administrative charge) is based on the cited provisions. The application for approval of rules of conduct is not an entry according to § 24 DSG and is therefore not covered by the fee and tax exemption clause of § 69 Paragraph 6 DSG. 27. This sum is to be paid into the account BAWAG P.S.K., Georg-Coch-Platz 2, 1018 Vienna, IBAN: AT460100000005490031, BIC: BAWAATWW, according to the data protection authority. The transaction number and the completion date should be given as the intended use. 28. The decision was therefore made in accordance with the ruling. [Fee notice not played] European Case Law Identifier ECLI: AT: DSB: 2020: 2020.0.605.768