DSB (Austria) - 2020-0.743.659
From GDPRhub
The Austrian DPA held that a Viennese restaurant was not allowed to collect data of a customer for contact tracing regarding COVID-19 infections: consent under Article 9(2)(a) GDPR could not be considered as freely given in this context and the Viennese Regulation on Contact Tracing did not contain a sufficient legal obligation under Articles 6(1)(c) and 9(2)(i) GDPR.
English Summary
Facts
The data subject (customer) filed a complaint against a Viennese restaurant claiming a violation of § 1 Austrian Data Protection Act (Datenschutzgesetz - DSG) and Article 6 GDPR: the restaurant required customers to provide their name, phone number, email (optional) and table number upon being seated. In its data protection notice, the restaurant stated that it collected said data "to protect the life and health of our employees and our guests in connection with the occurrence of the coronavirus and the COVID-19 epidemic".
The customer provided his data by using a QR-Code Scanner on 2 October 2020 and sent an access request under Article 15 GDPR afterwards. In their reply the restaurant stated that the processing was based on the Viennese Regulation on Contact Tracing (Wiener Contact-Tracing Verordnung).
Dispute
Was it lawful under Articles 6 and 9 GDPR to collect data on the customer for the purposes stated by the restaurant?
Holding
The DSB held, that the data provided by the customer qualify as health data under Article 4(15) GDPR. Data such as name, phone number, email do not qualify as health data per se but in the context of COVID-19 contact tracing they contain information about the past, present and future physical or mental state of health of the customer. The data are supposed to be processed solely to protect the health of restaurant customers and to forward this data to the local authorities in accordance with the Austrian Epidemic Law. Accordingly, the data processing must also be compliant with the requirements of Article 9 GDPR.
In the DSB held that the processing violated Articles 5, 6 and 9 GDPR:
- Consent under Articles 6(1)(a), 7 and 9(2)(a) GDPR cannot be considered as freely given in the context at hand. It was obligatory for the customer to provide his data to the restaurant, otherwise he would not have been allowed to enter the restaurant or would have been asked to leave. In addition, there was no acceptable alternative for the customer, because all restaurants in Vienna would have made the access to their premises dependent on the customer providing his data for COVID-19 contact tracing.
- The processing could also not be based on a legal obligation of the restaurant under Articles 6(1)(c) and 9(2)(i) GDPR. The provisions of the Viennese Regulation on Contact Tracing do not contain an obligation for restaurants to collect data on customers (under Article 6(1)(c) GDPR) but only an obligation provide certain information (i.e name, phone number, e-mail address and table number) on customers to the local authorities. The DSB acknowledged that the collection of these data is prerequisite of providing such data to the authorities. However, the authorities could only order the restaurant to provide data it had legally obtained, they could not order it to provide non-existent data. Furthermore, the DSB held that theViennese Regulation on Contact Tracing did not meet the requirements of Article 9(2)(i) GDPR in terms of suitable and specific measures to safeguard the rights and freedoms of a data subject.
- Lastly, the DSB held that the restaurant had violated Article 5(1)(a) GDPR. The restaurant had created a misleading situation by basing the processing on both the customer's consent under Articles 6(1)(a) and 9(2)(a) GDPR and the (insufficient) legal obligation under Articles 6(1)(c) and 9(2)(i) GDPR. The customer was led to believe that the processing was subject to his control.
Comment
Please note that the Viennese Regulation on Contact Tracing expired by 31 December 2020, so further case-law on it is not to be expected. However, the Viennese legislator will certainly take into account the DSB's holding when passing a new Regulation on Contact Tracing.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
Decisive authority
Data protection authority
Decision date
11/19/2020
Business number
2020-0.743.659
Appeal at the BVwG / VwGH / VfGH
This decision is final.
text
GZ: 2020-0.743.659 from November 19, 2020 (case number: DSB-D124.3093)
[Note processor: names and companies, legal forms and product names, addresses (incl. URLs, IP and e-mail addresses), file numbers (and the like), etc., as well as their initials and abbreviations can be shortened and / or changed for reasons of pseudonymisation be. Obvious spelling, grammar, and punctuation errors have been corrected.]
NOTIFICATION
SPEECH
The data protection authority decides on the data protection complaint from Dr. Uwe A *** (complainant) of October 5, 2020 against X *** Gaststätten GmbH (respondent), represented by Dr. Wilfried Q *** LL.M., lawyer in 1 ** 0 Vienna, for alleged violation of the right to secrecy as follows:
1. The complaint is allowed and it is established that the respondent has violated the complainant's right to secrecy by processing his personal data, namely first name, last name and telephone number, for the purpose of contact tracking.
2. Otherwise the complaint will be rejected as unfounded.
Legal basis: Art. 5 para. 1 lit. a to f, Art. 6 para. 1 lit. c, Art. 51 para. 1, Art. 57 para. 1 lit. f and Art. 77 para. 1 of the Regulation ( EU) 2016/679 (General Data Protection Regulation, hereinafter: GDPR), OJ No. L 119 of 4.5.2016 p. 1; §§ 18 para. 1 as well as 24 para. 1 and para. 5 of the Data Protection Act (DSG), Federal Law Gazette I No. 165/1999 as amended; §§ 5 Paragraph 3 and § 40 of the Epidemic Act 1950 (EpiG), Federal Law Gazette No. 186/1950 as amended; Sections 1 to 3 of the Ordinance of the City of Vienna's Magistrate regarding the provision of information for contact tracing in connection with suspected cases of COVID-19 (Vienna Contact Tracing Ordinance), OJ No. 41/2020.
REASON
A. Arguments of the parties and course of the procedure
1. With the initiation of the procedure on October 5, 2020, the complainant submitted that the respondent collects the personal data first name, first name, via its processor when entering its business premises in 1 ** 0 Vienna, Y *** straße *, within the meaning of the Vienna Contact Tracing Ordinance, Last name, phone number, email (optional) and table number.
In addition, the Respondent informed that she was using this data to protect "the life and health of our employees and our guests in connection with the occurrence of the coronavirus or the COVID-19 epidemic" and to "support the district administrative authority in identifying contact persons in the event of an infection ”. In the response to the information, however, the respondent based the processing on the Vienna Contact Tracing Ordinance, which probably means processing in accordance with Article 6 (1) (c) GDPR. The respondent made the conclusion of the contract dependent on the provision of personal data.
This violates the complainant's fundamental right to data protection in accordance with Section 1 (1) of the GDPR, since the respondent is processing the personal data listed above unlawfully because there is no legal basis within the meaning of Art. 6 GDPR.
The complaint was accompanied by a request for information and a copy of the information given by the respondent.
2. With the settlement of October 14, 2020, GZ: 2020-0.647.953, the data protection authority requested the respondent to comment.
3. With the submission of October 27, 2020, the Respondent replicated and alleged that on October 2, 2020 the Appellant had visited the restaurant operated by the Respondent in Y *** straße *, 1 ** 0 Vienna. In accordance with the legal requirements of the Vienna Contact Tracing Ordinance, the Respondent offered her guests the option of registering in the aforementioned restaurant. Registration is possible offline (paper form) or online. The online registration used by the complainant takes place using a QR code, which is scanned in via the mobile phone. You will then be redirected to the registration mask. The data protection declaration according to Art. 13 GDPR can be found below this registration mask. The data protection declaration is confirmed accordingly by the user before submitting his data. As already stated in the data protection declaration itself, guests are not required to provide their contact details. For the sake of completeness and in accordance with the general house rules, it is also made clear that if you refuse to provide the contact details, access to the restaurant can be refused. As the respondent's information dated October 5, 2020, the complainant registered on October 2, 2020 at 12:39:17 p.m. and disclosed the following data, namely name: Uwe A *** and telephone: 066 * * 7 ** 3 *. As already stated in the information dated October 5, 2020, the Respondent collects the data voluntarily disclosed by the guests on the basis of the Vienna Contact Tracing Ordinance for the intended period of 4 weeks, during which they would be securely stored and then deleted. A processing of the data for purposes other than to fulfill the legal obligation according to the Vienna Contact Tracing Regulation expressly does not take place.
In the data protection declaration made available to the guests, the processing purposes are "protection of the life and health of our employees and our guests in connection with the occurrence of the coronavirus or the COVID-19 epidemic" and "support of the district administrative authority in identifying contact persons when it occurs a case of infection ”.
In the information given by the Respondent to the Complainant on October 5, 2020, it was stated that the guest data collected will be processed on the basis of the Vienna Contact Tracing Regulation.
In addition, the complainant alleged that the respondent made the conclusion of the contract dependent on the provision of personal data and that the data processing would take place without a legal basis in accordance with Art. 6 GDPR and thus unlawfully.
The complaint - for whatever reason - fails to mention many facts and circumstances, is based on a legally incorrect assessment and is not justified. The processing of the data voluntarily provided by the guests and subsequently processed by the respondent as the person responsible takes place lawfully on the basis of Art. 6 Para. 1 lit. c GDPR, namely to fulfill their legal obligations according to the Vienna Contact Tracing Regulation. The data processing purposes stated in the data protection declaration are obviously only a description of the purposes of the Vienna Contact Tracing Ordinance. Section 1 (1) Vienna Contact Tracing Ordinance clarifies why, in the view of the legislature, such a (for restaurateurs with a considerable Effort-related) regulation requires: "In order to prevent the spread of COVID-19, in the event of a suspected case of COVID-19 occurring, the following information must be provided by the following offices at the request of the district administrative authority: [...]".
In addition, point 3 of the data protection declaration makes it clear that the data is processed on the basis of the Vienna Contact Tracing Regulation. Neither the data protection declaration made known to the complainant before the submission of his data nor the information given to him give reason to suspect that the personal data will be processed for purposes other than those to meet the requirements of the Vienna Contact Tracing Regulation. The motivation for the complainant to disregard all of this in his complaint remains open.
Likewise, it is not understandable on which factual or legal basis the complainant claims that the conclusion of the contract (probably the purchase of food / drinks from the respondent) is dependent on the provision of the personal data: already in the data protection declaration itself under point 2 , last sentence, clarified that the disclosure of any data is voluntary. The Respondent was not legally obliged to make access dependent on the disclosure of any data, nor would it have any other interest in it. It is also significant that the complainant himself only provided part of the data provided in the (online) form, but that he was evidently neither denied access nor the “conclusion of a contract”. The complaint therefore turns out to be unfounded.
3. With the settlement of November 3, 2020, GZ: 2020-0.701.142, the data protection authority granted the complainant a hearing.
4. The complainant stated in his hearing from the parties on November 10, 2020 that his complaint, contrary to what the respondent submitted in its statement of October 27, 2020, was neither directed against a breach of the duty to provide information within the meaning of Art. 13 GDPR if the complainant justifies a complaint with the fact that data collection and contract conclusion are conditional.
As made unequivocally in the complaint of October 5, 2020, the complainant sees his fundamental right to data protection in accordance with Section 1 (1) DSG violated by the fact that the respondent is illegally processing the data categories first name, last name and telephone.
The Respondent submits in her opinion several times that the Complainant voluntarily indicated the data categories at issue. As proof, she had enclosed a bundle of photos from which it should apparently be concluded that no registration was necessary in order to be able to consume food in the restaurant. In fact, however, there is of course a forced situation to provide the data categories that are the subject of the proceedings. On the one hand, this is due to the graphic preparation of an operator who primarily refers to the “COVID-19 guest registration”, which is generally recognized as mandatory due to the broad public reporting. Furthermore, the Respondent's submission must be countered by the fact that a passage in the data protection information submitted by the Respondent as an attachment, which states: "[...] the refusal to provide access to the restaurant cannot be granted", does not indicate voluntariness could.
Furthermore, the Respondent stated in this point of the statement that, as the person responsible for data protection, it would lawfully process the data categories that are the subject of the proceedings, because the processing is necessary to fulfill a legal obligation (Art 6 (1) (c) GDPR) to which the Respondent is subject would. This legal obligation would be derived from the Vienna Contact Tracing Ordinance (not determined in detail by the Respondent).
In fact, the aforementioned regulation does not oblige the respondent to systematically collect the data categories at issue. Specifically, it says with regard to establishments in the catering industry that they - based on Section 5 (3) EpiG - "in the event of a suspected case [...] at the request of the district administrative authority", first name, surname, telephone number, email address and table number of Customers have to "convey". Already the reference to Section 5 (3) EpiG, which merely regulates an obligation to provide information, but also the clear formulation of the text of the regulation, shows that the respondent under the regulation has no legal obligation to collect the data categories that are the subject of the proceedings.
A premature obedience on the part of the respondent - as it were a data retention - to collect personal data of their customers indiscriminately, can in any case not be based on Article 6 Paragraph 1 lit. c GDPR.
B. Subject matter of the complaint
Based on the submission of the complainant, it emerges that the subject of the complaint is the question of whether the respondent has violated his right to secrecy by using the complainant's personal data, namely first name, surname, which was electronically recorded on October 2, 2020 using a QR code scanner , Telephone number, email address and table number, at least until October 30, 2020 for the purpose of contact tracking.
C. Factual Findings
1. The respondent is recorded in the commercial register under FN * 35 ** 8v at the regional court G ** and operates a restaurant business in the coffee restaurant mode.
Evidence assessment: The findings made are based on a commercial register query from November 12, 2020 on FN * 35 ** 8v and a GISA query from November 12, 2020 on the GISA number: 78 *** 120.
2. On October 2, 2020 at 12:39 pm, the complainant visited the business premises of the respondent at the address Y *** straße, 1 ** 0 Vienna. When entering the business premises at the address mentioned, personal data of the complainant, namely name: Uwe A *** and telephone number: 0664 * 7 ** 3 *, was recorded using a QR code scanner. It cannot be established that any other data of the complainant were processed.
Evaluation of evidence: The findings made are based on the consistent and credible information provided by the parties to the proceedings. The findings regarding the data recorded including the time of the survey are based in particular on the information submitted by the complainant and given by the respondent on October 5, 2020. The accuracy of the information was not disputed. In the absence of corresponding evidence, however, it cannot be determined that the complainant has processed other data of the complainant beyond this data, such as e-mail address or table number, by the respondent.
3. In a letter dated October 2, 2020, the complainant submitted a request for information in accordance with Art. 15 GDPR to the respondent, which the respondent replied with a letter of October 5, 2020 as follows (formatting not reproduced 1: 1):
Subject: Information according to Art 15 GDPR
Dear Doctor. A ***,
Thank you for visiting our restaurant and for your request for information from October 2nd, 2020, 1:48 p.m., which we hereby comply with accordingly:
The data collected on the basis of the Vienna Contact Tracing VO is safely stored under strict technical and organizational measures (e.g. in the case of handwritten registration, separated and sealed by days) for the period of 4 weeks provided for in the VO and then deleted. These data can only be opened or viewed under the statutory requirements and taking internal measures into account.
As you will know from your visit to our restaurant, you have the option of registering in accordance with the Vienna Contact Tracing VO either electronically (QR code) or by hand by filling out an open form.
On October 2nd, 2020 at 12:39:17 p.m. you met electronically in our restaurant Y *** straße *,
1 ** 0 Vienna registered using the QR code and provided the following data:
Name: Uwe A ***
Telephone: 0664 * 7 ** 3 *
In the case of electronic registration, the data you provide will be transmitted to the IT company commissioned by us, located within the EU or EEA (processor within the meaning of Art 28 GDPR).
This is responsible for the technical support of the electronic registration platform you are using. A transfer to third countries does not take place. Likewise, neither automated decision-making nor profiling take place.
According to applicable law, you have the following rights, among others (if the respective requirements of the applicable law are met and our legal obligations, in particular the storage obligations of the Vienna Contact Tracing VO, do not conflict with this):
Correction or deletion of your personal data;
restriction of the processing of your personal data;
objection to the processing of your personal data;
to lodge a complaint with the data protection authority (www.dsb.gv.at).
Best regards
Otto M *** I managing director, franchise partner
X *** Gaststätten GmbH I Administration V *** Strasse 5 * 1 A-1 ** 0 Vienna
U *** I * P *** I N *** I S *** Gaststätten GmbH
Tel: + 43/1 / * 57 ** 12 * 9-3 *; Fax: + 43/1 / * 57 **** - * 4 Mobile: +43 66 * / * 39 6 * * 3; ATU * 12 ** 252 otto.m***@gaststaetten*betriebe.co.at I www.gaststaetten * betriebe.at More about X *** Gaststätten GmbH
3. The Respondent processes the data provided by its customers during a visit to their business premises for at least four weeks from their collection. The complainant filed the complaint in question on October 5, 2020.
Evidence assessment: As last.
4. The Respondent's data protection declaration is as follows (formatting not reproduced 1: 1):
1. Purposes of data processing
We will use the categories described below
personal data of guests to the following
Process purpose:
• Protecting the life and health of ours
Employees and our guests in
Connection with the occurrence of the
Coronavirus or the COVID-19 epidemic.
• Support of the district administrative authority
in identifying contact persons
Occurrence of an infection.
2. Description of the data application
We come to our legal obligation
Maintaining a guest list by collecting
Contact details (first and last name, telephone number, e-
E-mail address) of our guests before entering a
Restaurants * in operation. The guest also scans
his smartphone before entering the restaurant
the provided QR code
and fill out the contact form.
When leaving the restaurant, the guest can be over
Smartphone ´check out´, otherwise it will
checked out automatically after 45 minutes.
Guests are not required to provide their contact details
specify, however, if the
No access to the restaurant available
be granted.
3. Legal basis for data application
The processing of your personal data
is based on the following legal basis of
General Data Protection Regulation (´DSGVO´):
• Necessity of data processing for
Compliance with a legal obligation (Art. 6
Paragraph 1 lit. c GDPR in conjunction with § 1 Z 2 lit. e Regulation
of the City of Vienna City Council
Provision of information for contact tracing in
Connection with suspected cases of COVID
19).
4. Transmission of your personal data
Your data will only be used if a
Infection within four weeks
Provision and after appropriate
Request to the responsible
District administrative authority transmitted.
5. Storage period
Your data will be kept for a period of four weeks
secured and kept under lock and key and thereafter
irretrievably destroyed.
6. Your rights in connection with
personal data
Under current law, those from above are
affected guests
entitled to do so (if the respective requirements
of the applicable law are fulfilled),
Request information, including one
Confirmation of whether and which of them
personal data we process and
Receive copies of this data,
the authorization or deletion of their
to request personal data,
to ask us to process your
restrict personal data, and
complain to the supervisory authority
raise.
7. Our contact details
Our contact details are:
X *** Gaststätten GmbH
A-1 ** 0 Vienna, V *** Strasse 5 *
otto.m***@at.com
If you have any questions or concerns about the processing of your
personal data, please feel free to contact
contact us:
otto.m***@at.com
---------------------------------------
Assessment of evidence: This is evident from the screenshots submitted by the Respondent by email on October 27, 2020.
D. In legal terms it follows:
On point 1:
Section 5 of the EpiG reads in extracts including the heading (emphasis by the data protection authority):
Disease Incidence Surveys.
Section 5. (1) The competent authorities must immediately initiate the surveys and examinations required to determine the disease and the source of infection via the doctors at their disposal for every notification and for every suspicion of the occurrence of a notifiable illness. Sick people, suspected diseases and contagious persons are obliged to provide the competent authorities with the necessary information and to undergo the necessary medical examinations and the removal of test material. For the purpose of identifying pathogens, professional research institutes should be used wherever possible.
[...]
(3) At the request of the district administrative authority, all persons, in particular treating doctors, laboratories, employers, family members and staff from community facilities who could contribute to the surveys, are obliged to provide information.
[...]
Section 40 of the EpiG reads in extracts (emphasis by the data protection authority):
Other violations.
§ 40. Who by acts or omissions
a) the requirements and prohibitions contained in the provisions of Sections 5, 8, 12, 13, 21 and 44 Paragraph 2 [...],
violates [...],
If the act is not threatened with a judicial penalty, is guilty of an administrative offense and is punished with a fine of up to 1,450 euros, in the case of failure to do so with imprisonment for up to four weeks.
The Vienna Contact Tracing Ordinance reads in extracts:
On the basis of Section 5 (3) of the 1950 Epidemic Act, Federal Law Gazette No. 186/1950 as amended by Federal Law Gazette I No. 103/2020, the following is ordained:
§ 1. In order to prevent the spread of COVID-19, in the event of a suspected case of COVID-19, the following information must be provided to the district administrative authority by the following bodies upon request:
[...]
2. Business premises:
[...]
e) in the case of gastronomy customers:
aa) first name
bb) name
cc) telephone number
dd) email address
ee) table number
§ 2. The data according to § 1 may be stored and processed by the bodies named in § 1 exclusively for the purpose of tracking contacts in the event of a suspected case of COVID-19. These data must be deleted 4 weeks after they have been recorded.
§ 3. This ordinance comes into force on September 28, 2020 and expires on December 31, 2020.
1. General information on the right to secrecy
The basic right to data protection anchored in § 1 DSG, according to the first paragraph of which everyone, in particular with regard to respect for their private and family life, has the right to confidentiality of personal data concerning them, insofar as there is a legitimate interest in it, includes the protection of Affected before the unlawful determination of his data and the disclosure of the data obtained about him.
The application of Section 1 (1) DSG requires, among other things, that the data is personal.
According to Section 1 (2) DSG, restrictions on the right to confidentiality by a person responsible are only permitted if the use of personal data takes place in the vital interest of the person concerned or with his consent, in the case of overriding legitimate interests of another or if there is a qualified legal basis.
Restrictions of Section 1 Paragraph 1 GDPR result from Paragraph 2 leg. Cit., But not from Art. 6 Paragraph 1 GDPR. However, in the opinion of the data protection authority, the GDPR and, in particular, the principles anchored in it must be taken into account and used accordingly when interpreting the right to secrecy (see the decision of October 31, 2018, GZ: DSB - D123.076 / 0003-DSB / 2018).
2. In the matter
2.1. On the qualification of the complainant's personal data and the legal basis for data processing in the present case
Art. 9 Para. 1 GDPR finally defines special categories of personal data (“sensitive data”). Insofar as this is relevant, it also includes health data. The processing of these data categories is only permitted on the basis of the exceptions listed in Art. 9 Paragraph 2 GDPR.
According to Art. 4 Z 15 GDPR, health data are "personal data that relate to the physical or mental health of a natural person, including the provision of health services, and from which information about their state of health can be obtained."
In the light of Art. 9 Para. 1 GDPR, health data is undoubtedly data that is particularly worthy of protection, whereby the term in the sense of Rsp. of the ECJ is to be interpreted broadly (cf. on Art. 8, Paragraph 1 of Directive 95/46, the judgment of the ECJ of November 6, 2003, C-101/01, margin no. 50). According to Art. 4 No. 15 GDPR in conjunction with recital. 35, second sentence of the GDPR, also numbers, symbols or labels that have been assigned to a natural person in order to clearly identify this person for health purposes.
In its consistent case law, the data protection authority advocates that health data must in any case provide information about the previous, present and future physical or mental health of the person concerned. Taking this into account, indicators in the sense of recital 35 second sentence GDPR does not qualify as a health date per se, but also with regard to such indicators there must be a certain reference to information about the state of health (cf. with regard to the social security number, for example, the decision of April 9, 2019, GZ: DSB- D123.526 / 0001-DSB / 2019).
The data of the complainant (first and last name, telephone number) processed by the respondent are undoubtedly his personal data.
It is questionable whether they are also - under the circumstances of the present case - health data.
According to the case law of the data protection authorities, the code numbers assigned to a person (such as the social security number) do not represent a health date if they are used as a mere identifier and regardless of a health context (see last notice of November 5, 2020, GZ: 2021-0.041.702).
In relation to the complaint, the complainant's data - as was also expressly emphasized by the respondent - were exclusively for the purpose of "protecting [it] the life and health of [the] employees and [the] guests [of the respondent] in connection with the occurrence of the coronavirus or the COVID-19 epidemic "as well as for the purpose of" supporting the district administrative authority in identifying contact persons in the event of an infection ".
It is clear from this that the data was collected in a purely health context and that the data collected should only be used in such a context, namely on the one hand to protect others and on the other hand to transmit this data to the district administrative authority as the health authority under the EpiG, if necessary.
As a result, the data processed about the complainant, namely his first and last name and his telephone number, which, apart from the present context, would not constitute data within the meaning of Art. 9 (1) GDPR, in the case of the complaint are health data and thus a special category of personal data Qualify data.
The lawfulness of the processing is therefore based on Art. 9 Para. 2 GDPR.
2.2. On the lawfulness of data processing
a) To voluntariness
i) The respondent bases its submissions, among other things, on the complainant's voluntary consent to data processing.
The processing of health data is permitted in accordance with Article 9 (2) (a) GDPR if the person concerned has expressly consented to the processing of their personal data.
The complainant countered this by stating that the provision of his data could not be said to be of a voluntary nature, since he would have found himself in a forced situation when collecting his data. On the one hand, due to the reference to the COVID-19 guest registration located at the entrance area of the business premises and the passage contained in the Respondent's data protection declaration, according to which if the data is refused, access to the restaurant may be denied.
ii) In the opinion of the data protection authority, the respondent's argument does not get caught up because, according to the case law of the European Court of Justice, consent requires an active and unambiguous (“without any doubt”) act of will on the part of the person concerned (cf. most recently the judgment of 11.11.2020, C-61/19 mwN). This applies all the more to the processing of health data because Article 9 (2) (a) GDPR - unlike Article 6 (1) (a) - requires express consent.
The Respondent was unable to prove this, even though she would be required to do so (cf. Art. 5 Para. 1 lit. a and Para. 2 in conjunction with Art. 7 and 9 Para. 1 lit. a GDPR).
In addition, a strict standard must be applied to consent. Accordingly, consent must be given voluntarily and may not be linked to the performance of a contract, although consent is not required for the performance of this contract. Consent is involuntary if a disadvantage is to be expected if the consent is not given (cf. the decision of April 16, 2019, GZ: DSB-D213.679 / 0003-DSB / 2018, as well as the judgment of the ECJ of November 11. 2020).
Since, in the event of a refusal to provide access, as submitted by the Respondent herself, access to the business premises can be denied - with reference to the domiciliary rights - and this fact is pointed out in the data protection declaration, from the point of view of an objective average customer, if consent is not given, it is clear Disadvantage was to be expected.
Furthermore, voluntariness presupposes that in the event of non-consent to data processing, the person concerned has a reasonable alternative available (see the notification of November 30, 2018, GZ: DSB-D122.931 / 0003-DSB / 2018).
This is also to be answered in the negative in the present case, because other catering establishments in the municipality of Vienna are also covered by the Vienna Contact Tracing Ordinance and from these - presumably - personal data of the complainant would be collected.
The data processing can therefore not be based on Art. 9 Para. 2 lit. a GDPR.
b) There is a legal obligation to collect or process customer data
i) The Respondent relies on the - here not relevant - permission in Article 6 (1) (c) GDPR and argues that it is the Viennese in accordance with Article 5 (3) of the EpiG in conjunction with Article 1 (2) (e) Contact tracing regulation for the processing and storage of the complainant's data for 4 weeks legally required.
The complainant denied the existence of a legal obligation and stated that from Section 5 (3) EpiG and the Vienna Contact Tracing Ordinance, only the duty of the respondent to provide information to the district administrative authority could be derived, but not to collect customer data.
ii) The processing of special categories of personal data on the basis of a legal obligation is - as far as relevant for the present case - according to Art. 9 Para. 2 lit. i GDPR, among other things, permissible if the processing is for reasons of public interest in the area of public health such as protection against serious cross-border threats to health, based on Union law or the law of a Member State, which provides for appropriate and specific measures to safeguard the rights and freedoms of the data subject.
It should therefore be noted that the (mandatory) processing of personal data for the purpose of contact tracking is covered by the GDPR, provided that there is a sufficiently precise legal basis in Austrian law that complies with the requirements of Art. 9 (2) (i) GDPR. In this context, reference should be made to the ministerial draft for an amendment to the EpiG (41 / ME XXVII. GP), where (voluntary) data collection for the purpose of contact tracing was provided (Art. 1 No. 4 of the draft), but ultimately not decided by the legislature has been:
"4. The following paragraph 6 is added to Section 5 (5):
(6) Businesses, organizers and associations are - irrespective of other legal bases of existing collection and storage obligations - obliged to provide personal contact details of guests, visitors, customers and employees, whose processing has been expressly consented to, for the purpose of fulfilling the obligation to cooperate in the context of the survey to be kept by contact persons during environmental investigations for a period of 28 days. Processing of the data for other purposes is not permitted. After the retention period has expired, the data must be deleted immediately. Companies, organizers and clubs must take appropriate data security measures. "
As already mentioned, a mandatory data collection could also find coverage in the GDPR (see the opinion of the data protection authority on the aforementioned ministerial draft, available at https://www.parlament.gv.at/PAKT/VHG/XXVII/SNME/SNME_00951 /imfname_816332.pdf).
However, it is questionable whether Section 5 (3) EpiG in conjunction with the Vienna Contact Tracing Regulation can be used as the legal basis within the meaning of Article 9 (2) (i) GDPR.
From the wording of Section 5 (3) EpiG, it follows that, upon request, all persons who could contribute to the surveys on the occurrence of a disease are obliged to provide information to the district administrative authority.
The Vienna Contact Tracing Ordinance issued on the basis of Section 5 (3) EpiG specifies this obligation and stipulates in Section 1 that, in order to prevent the spread of COVID-19 […] in the event of a suspected COVID-19 case of The following information is to be sent to the following bodies upon request of the district administrative authority ”.
The standard text of § 1 Z 1 and Z 2 of the Vienna Contact Tracing Ordinance contains an enumeration of the bodies obliged to provide information and thus specifies who under "all persons who could make a contribution to the surveys" within the meaning of § 5 Paragraph 3 EpiG is to be understood. Likewise, the mandatory content of such information is determined in § 1 Z 1 and Z 2 of the Vienna Contact Tracing Ordinance. Accordingly, in the event of a suspected case of COVID-19, the district administrative authorities are obliged to provide information about the first name, surname, telephone number, email address and telephone number of their customers.
According to the established case law of the VwGH, when interpreting laws, word interpretation in connection with the grammatical and systematic interpretation is to be given priority and extreme restraint towards the use of so-called "corrective interpretation methods" is required (cf. for example VwGH 3.10.2018, Ro 2018/12 / 0014; March 22, 2019, Ra 2018/04/0089).
According to the wording of the legal provisions in question (§ 5 Paragraph 3 EpiG in conjunction with § 1 Z 2 lit. e Vienna Contact Tracing Ordinance), an obligation to process personal data of customers who visit the business premises of a restaurant is not provided . Although the provisions apparently standardize an obligation to provide information to the district administrative authority and these provisions also stipulate what content (data) such information must contain, according to the unambiguous and clear wording there is no obligation to collect and process this data detect.
Also from the wording of § 2 of the Vienna Contact Tracing Ordinance, according to which data within the meaning of § 1 from the in § 1 leg. Cit. may be processed and stored, is not a legal obligation to process, but merely a legal ability to derive. It is not to be assumed that the legislator is subconsciously speaking of allowed, but is to be assumed that if he would have wanted to standardize a legal obligation, he would have made this explicitly clear.
However, an objection to such an interpretation could be that it would be practically impossible for owners of business premises in the catering trade without prior data collection to comply with the obligation to provide information stipulated by the ordinance and a violation of § 5 EpiG according to § 40 lit. a EpiG constitutes an administrative offense subject to penalties, which is punishable by up to 1,450 euros.
However, there can be no legal obligation to perform what is actually impossible, which is why the obligation to provide information can only relate to data that is available to the owner of a restaurant business without any special investigation effort.
It is therefore evident that the existence of a legal obligation to process the complainant's data - as put forward by the respondent - in no way clearly emerges from the wording of Section 5 (3) EpiG in conjunction with the Vienna Contact Tracing Regulation. Likewise, the obligation to provide information to the district administrative authority does not necessarily mean that the respondent is legally obliged to collect and process certain personal data. According to the wording of the statutory provisions, the obligation to provide information can only apply to personal data that is known to the owner of a restaurant business.
iii) For this reason alone, the Respondent fails to appeal to a statutory obligation to process the Complainant's personal data.
iv) But even in the event that one wanted to derive an obligation to process personal data within the meaning of Art. 9 Paragraph 2 lit. i GDPR from § 5 Paragraph 3 EpiG in conjunction with the Vienna Contact Tracing Regulation, data processing could not be based on this become:
c) Requirement for legal bases
i) According to the established case law of the European Court of Justice, regulations that intervene in the rights under Article 7 (respect for private and family life) or Article 8 (protection of personal data) EU-GRC must have clear and precise rules for the scope and application of these Provide measures and establish minimum requirements so that the persons whose personal data are affected have sufficient guarantees that enable their data to be effectively protected against misuse and against any unauthorized access to this data and any unauthorized use. The requirement of such guarantees is all the more important if the personal data are processed automatically and there is a considerable risk of unauthorized access to them (see ECJ of October 6, 2015, C-362-14, margin no. 91 with further references).
These guarantees are all the more important when data is processed with the help of automated systems and when it involves sensitive data (see ECJ of October 6, 2020, verb. Rs C-511/18, C-512/18 and C-520/18, 132).
The data to be processed on the basis of Section 5 (3) EpiG in conjunction with the Vienna Contact Tracing Ordinance are - as detailed above - health data in accordance with Art. 4 No. 15 GDPR.
The constant jurisprudence of the Constitutional Court on the quality of an encroachment norm within the meaning of Section 1 (2) DSG indicates that it has to meet certain requirements (see most recently the findings of December 11, 2019, G 72/2019 et al of December 12, 2019, G 164/2019 etc.).
However, the data protection authority makes it explicitly clear that it is neither their task - nor is it covered by their competence - to finally determine whether the procedural provisions contradict Section 1 (2) DSG or Article 8 EU-GRC.
However, the data protection authority is obliged to refrain from applying national regulations that are in obvious contradiction to EU law in the event of a conflict.
The principle of the primacy of Union law over national law (priority of application) applies. This is of particular importance where directly applicable Union law - such as the GDPR - meets conflicting national law. The priority of application means that in the event of a conflict, the rule of (directly applicable) Union law must be followed, not that of Austrian law (cf. VfSlg. 15.448 / 1999, 19.661 / 2012 with further references; Mayer / Kucsko-Stadlmayer / Stöger, Bundesverfassungsrecht11 [2015]) 246/9).
This principle must be observed by all Austrian authorities, so they have to leave national law inapplicable in such cases. The rank of Austrian law is irrelevant, Union law also takes precedence over national constitutional law in the event of a conflict (cf. VfSlg. 15.427 / 1999; 17.347 / 2003; Mayer / Kucsko-Stadlmayer / Stöger, Bundesverfassungsrecht11 [2015] margin no. 246/9).
The scope of an intervention must clearly emerge from the text of the standard itself. However, if subtle knowledge of data protection law, qualified legal qualifications and experience and downright archival diligence - above all through intensive study of legal materials and other aids - are required to determine the meaning (cf. analogous VfSlg. 12.420 / 1990), it cannot be said that make the effects of legally stipulated data processing easy to understand.
The (simple) traceability is, in turn, a prerequisite for those affected to be aware of the scope of an interference and to be able to claim their rights. This is already stipulated in Art. 5 (1) (a) GDPR (principle of legality, processing in good faith, transparency).
According to the case law of the European Court of Justice, it is not sufficient if data processing can be based on one of the legality facts finally mentioned in Art. 6 GDPR - or as here: Art. 9 Para. 2; In addition, all principles for the processing of personal data according to Art. 5 GDPR must be complied with (see also the judgment of December 11, 2019, C-708/18, margin no.36 on the legal situation under Directive 95/46 / EC).
ii) Applied to the present case, this means the following:
The data processing standardized in Section 5 (3) of the EpiG in conjunction with Section 1 (2) (e) of the Vienna Contact Tracing Ordinance for owners of business premises in the catering trade contains - as can be seen from the above - neither clear nor precise rules for the scope and Application of this measure. In particular, for those affected are the circumstances when there is an interference with the constitutional or primary law guaranteed right to data protection in § 1 DSG or Art. 8 EU-GRC and whether this data must be disclosed (see the above Versions), not clearly visible.
In the light of the case law of the ECJ, which - especially when it comes to the processing of sensitive data - to regulations that intervene in the rights according to Art. 7 (respect for private and family life) or Art. 8 (protection of personal data) EU-GRC , standardized clear and precise requirements for the scope and application of this measure, the provisions of Section 5 (3) EpiG in conjunction with the Vienna Contact Tracing Ordinance have to remain unapplied due to the primacy of Union law, so that there is an obligation to process personal data cannot be relied on.
The complaint therefore proves to be justified from this perspective as well.
d) Violation of the principle of "good faith"
i) However, the complaint also proves to be justified based on the following considerations:
The Respondent alleges that the Complainant provided his data voluntarily. As can be seen in the findings in its data protection declaration, however, it links the collection of its customers' data with access to its business premises or states that a customer who refuses to provide their data can be denied access . In its data protection declaration, it also refers to Article 6 (1) (c) GDPR in conjunction with Section 1 (2) (e) of the Vienna Contact Tracing Regulation with regard to the legal basis for processing.
ii) As already stated, it is not sufficient that data processing can be based on a permit, but must also be carried out in accordance with all the principles of Art. 5 GDPR. According to Article 5 (1) (a) GDPR, data must be processed in good faith in a manner that is understandable for the person concerned.
As a result, the complainant's practice of invoking an - inadequate - legal obligation to process the data, but at the same time making the collection dependent on the voluntary information provided by your customers, proves to be misleading. In this way, the affected person gets the impression that they can exercise control over the processing.
In this respect, the respondent has violated the principle of Art. 5 (1) (a) GDPR ("good faith") and thereby violated the complainant's right to secrecy in accordance with Section 1 of the GDPR (see above; October 31, 2018, GZ: DSB-D123.076 / 0003-DSB / 2018).
4. Result
The complaint therefore proves to be justified if a breach of the right to secrecy is alleged because the respondent has determined the first and last name and telephone number of the complainant without a legal basis, which is why the decision had to be made in accordance with the ruling.
Re point 2:
If the complaint is directed against the processing of data of the complainant other than those listed in the information, it turns out to be unfounded in the absence of actual processing.
It was therefore to be decided according to the ruling.
European Case Law Identifier
ECLI: AT: DSB: 2020: 2020.0.743.659
