DSB - DSB-D122.844/0006-DSB/2018
Relevant Law: Article 12(5) GDPR
Decided: 21. 5. 2018
National Case Number: DSB-D122.844/0006-DSB/2018
European Case Law Identifier: ECLI:AT:DSB:2018:DSB.D122.844.0006.DSB.2018
Original Source: RIS (in DE)
The DSB found that a fee of €30 for a copy of historic bank transaction data that is no longer available via online banking violates the right of access under Article 15 GDPR. The GDPR also applies to cases that were brought under Directive 95/46 but were still pending before the DPA on 25. 5. 2018.
English Summary
Facts
A citizen requested a copy of historic bank transaction data for the past five years in relation to his house management company. Bank transaction data was only visible for the past two years in the online banking system. The bank (the controller) usually charges a fee of € 30 per year for copies of historic transaction data. The data was, however, held on normal servers and was merely not visible to the data subject. The data subject made an access request under Article 15 GDPR and demanded free access to the historic bank transaction data. The bank argued that this would be a misuse of Article 15 GDPR and that the fees under the contract override the provisions in Article 12(6) GDPR that require free access to data. The case was brought under Directive 95/46, but decided after the coming into force of the GDPR on 25. 5. 2018.
Dispute
Can a controller charge for access to historic account data under Article 15 GDPR?
Is GDPR applicable to a case that was still pending before the DPA on 25. 5. 2018?
Holding
GDPR applies to cases pending before the Austrian DPA given a specific transition provision in § 69 of the Austrian Data Protection Act ("Datenschutzgesetz") that makes GDPR retroactively applicable to pending cases before the Austrian DPA.
The DPA found that GDPR overrides fee provisions in terms or contracts of the bank.
Comment
Especially in industry sectors that historically charged for access to certain information (e.g. banks), Article 15 GDPR can be a way for data subjects to avoid these fees, as long as data is linked to the person and thereby constitutes personal data.
English Machine Translation of the Decision
The decision below is a machine translation of the original. Please refer to the German original for more details.
DSB-D122.844/0006-DSB/2018 dated 21.6.2018

[Note Processor: Names and companies, legal forms and product names, addresses (incl. URLs, IP and e-mail addresses), file numbers (and the like), etc., as well as their initials and abbreviations may be abbreviated and/or changed for pseudonymisation reasons. Obvious spelling, grammar and punctuation errors have been corrected. Sentence revised in accordance with decision of the Federal Administrative Court of 24.5.2019, GZ: W258 2205602-1/8E.]

DECISION

HOLDING

The data protection authority shall decide on the data protection complaint of Mr Alfred A*** (complainant) of 22 January 2018 against N*** Bank AG (respondent) for violation of the right to information as follows:

1. It is established that the respondent infringed the complainant's right to information by not providing him with information about his data, namely transfers to the property management "XXXX" and the property management "XXXX" of the past 5 years, in response to his request of 28 November 2017.

2. The respondent shall be ordered to provide information within a period of two weeks in accordance with Art. 15 DSGVO in the event of any other execution.

Legal basis: §§ 32 ff of the Payment Services Act 2018 - ZaDiG 2018, BGBl. I No. 17; §§ 24 and 69 of the Data Protection Act (DSG), BGBl. I No. 165/1999 as amended; Art. 5 Para. 1 lit. e, Art. 15, Art. 5 of the Data Protection Act (DSG), BGBl. 12(5)(a), Art. 55(1), Art. 56(1), Art. 57(1)(f), Art. 58(2)(c) and Art. 77 of Regulation (EU) 2016/679 (Data Protection Basic Regulation - DSGVO), OJ No. L 119, p. 1. 1.

EXPLANATORY MEMORANDUM

A. Arguments of the parties and course of proceedings

1) By submission of 22 January 2018, the complainant complained that he needed proof of transfer from the respondent for the last five years and could only inspect proof of transfer which dated back no more than one year. As a result, the complainant requested the respondent to submit the evidence for the other years. However, the respondent would have charged EUR 30 per year for the provision of the proof of transfer. The complainant would then have submitted a request for information under data protection law and would not have received any information until the expiry of the time limit.

2) By request for comments dated 29 January 2018, GZ: DSB-D122.844/0001-DSB/2018, the data protection authority called on the respondent to remedy the violation and to provide information directly to the complainant or, if necessary, to take a position. In its submission of 10 February 2018, the respondent stated that duplicate account statements that could not be retrieved electronically via e**banking would be charged with EUR 30 according to the notice.

3) The data protection authority granted the respondent a right to be heard on 23 February 2018, GZ: DSB-D122.844/0002-DSB/2018. In his submission of 14 March 2018, the complainant submitted his position and stated in summary that, in principle, information under data protection law would have to be provided free of charge and that, according to the case-law of the data protection authority, only costs actually incurred could be prescribed as compensation. In the present case, it was not clear how the prescribed costs were incurred and he requested that the costs be determined accordingly and that the respondent be ordered to comply with the request for information.

4) In a further request for comments dated 18 April 2018, GZ: DSB-D122.844/0003-DSB/2018, the data protection authority stated that reimbursement of costs could only be prescribed for costs actually incurred and that the respondent should explain the composition of the costs claimed.

5) In its submission of 30 April 2018, the respondent stated that it had already provided the complainant with free information under the ZaDiG obligation and that, under this special statutory provision, the complainant was not entitled to any further free information.
In this regard, the data protection authority would also have affirmed the existence of harassment in its case-law in the case where the data could still be viewed electronically via e**Banking. Furthermore, in 6 Ob 25/90, the Supreme Court affirmed a harassment with regard to those data which had already been communicated in account statements before the request for information had been made. In addition, the ZaDiG, which is equivalent to the Data Protection Directive in implementing the Payment Services Directive, provides that fees may be linked to the repeated provision of information. In any event, the fee was reasonable. The respondent also referred to the provisions of Article 12 (5) (a) and (b) of the DSGVO in force after 25 May 2018, according to which a fee may be charged. Nor could it be assumed of the Union legislature that the provisions of Art. 40 et seq. of Directive 2015/2366 would have to remain without scope of application and that this would be the case if the respondent were not allowed to charge an appropriate fee. Furthermore, not all payment transaction data were available without further effort. The information would tie up essential personnel resources and the information would involve monetary expenses where the respondent was dependent on third-party service providers. In the present case, the respondent would have incurred costs of EUR 9.92 for 2013.

6) By decision of 3 May 2018, GZ: DSB-D122.844/0005-DSB/2018, the data protection authority granted the complainant the right to be heard again. The complainant has not received any substantive comments.

B. Subject-matter of the complaint

The subject-matter of the complaint is the question whether the respondent infringed the complainant's right to information by not ruling on the request for information of 28 November 2018, and the question whether duplicate extracts may also be requested with the right to information.

C. Establishing the facts of the case

On 28 November 2017, the complainant submitted a request for information to the respondent and requested information on his own data, in particular on transfers of the years back to 2013. The respondent did not provide any information under data protection law and linked such information to costs of EUR 30.00 per year. For 2013, the respondent will incur costs of EUR 9.92 per year.

Assessment of evidence: Evidence was taken up by the comments of the parties. The substance of the case is undisputed to the extent that the parties unanimously described the facts of the case and the clarification of the question relevant to the facts only lies in the legal assessment.

D. From a legal point of view it follows:

1. General:

In accordance with the legal situation applicable as of 25 May 2018, the proceedings previously conducted under § 31 DSG 2000, Federal Law Gazette I No. 165/1999 as amended by Federal Law Gazette I No. 83/2013, were to be continued as appeal proceedings under § 24 DSG, Federal Law Gazette I No. 165/1999 as amended (cf. in this regard § 69 (4) DSG). With regard to the applicability of the DSG in its current version and the DSGVO, it should be noted that there is no statutory transitional period pursuant to § 69 DSG and therefore the legal situation at the time of the official decision is decisive. In the present case, it does not matter what was legally valid on a specific date or in a specific period, since both the DSG 2000 and the DSG allow a respondent to obtain the information by the end of the official proceedings (cf. the decision of 28 February 2018, No. 1 of the Administrative Court of 28 February 2018, cited in the stRsp of the Administrative Court). Fe 2016/06/0001 mwN). Thus, the complainant's request at the time, which was based on the legal situation of § 26 DSG 2000 applicable at the time, is to be assessed under the now applicable right to information pursuant to Art. 15 DSGVO and compared with the ZaDiG 2018.

2. The justification of the appeal:

The complaint is justified already because the respondent undisputedly failed to respond to the request for information under data protection law in the manner provided for in the DSG or the DSGVO. Even a failure to respond to a request for information constitutes a violation of the right to information (cf. the decision of the Data Protection Commission of 10 April 2013, GZ K121.924/0006-DSK/2013). In addition, the complainant alleges that the respondent infringed his right to information by linking (incomprehensible) costs to the information on certain account statements and led the Data Protection Commission's case-law on GZ: K121.394 to this effect, according to which the right to information was to be granted free of charge and only costs actually incurred could be prescribed. The cited case law of the Data Protection Commission refers to the legal situation prior to the entry into force of the DSGVO and concerns the content of rules which are not reflected in the current legal situation. Apportioned to the current case, it must therefore be explained:

2.1 On the request for information in relation to information duties:

As information under data protection law, the complainant demands the (free) provision of information available to the respondent. The respondent charges a fee for the objective reply to the information, but does not dispute the existence of a request for information under data protection law. The respondent alleges to have fulfilled her obligations under the ZaDiG 2018 and therefore assumes that the conditions of Art. 12 para. 5 lit. a and b DSGVO are fulfilled and that the complainant exercises his right harassingly.

In this regard, it should be noted that Art. 15 DSGVO does not contain any provision identical to Art. 26 (6) DSG 2000 according to which the request for information under data protection law can only be exercised in a subsidiary manner to other rights of inspection. Rather, the fundamental right to information pursuant to Art. 15 DSGVO exists insofar as there is no permissible restriction pursuant to Art. 23 DSGVO. If, on the other hand, a more specific substantive provision applies under Union law, it takes precedence over the principle of lex specialis derogat legis generalis. The DSGVO cannot be interpreted as conclusively regulating the rights of the persons concerned. Rather, the DSGVO, in accordance with its scope of application, regulates the rights of data subjects in a general manner, whereby it is not ruled out that other legal acts of the Union may contain more specific provisions on data subjects' rights (cf. e.g. Art. 12 et seq. of Directive (EU) 2016/680; Art. 41 of Regulation (EC) No. 1987/2006 or Art. 37 of Regulation (EC) No. 767/2008).

Since in the present case the ZaDiG 2018 (which was enacted in implementation of the Directive (EU) 2015/2366) does not standardise a special right of access, this cannot be restricted to the right of general data protection information about one's own data. In the opposite direction, the aforementioned Directive refers to Directive 95/46/EC (Data Protection Directive), which is decisive for the processing of personal data (ErwGr. 89, Art. 95 of Directive (EU) 2015/2366). Pursuant to Art. 94 Para. 2 DSGVO, references to the Data Protection Directive are deemed to be references to the DSGVO.
2.2 The scope of the data protection information:

In his request for information, the complainant demands the provision of "account statements" for the period from 2013 to 2018:

"A data subject should have a right of access to the personal data concerning him that have been collected and should be able to exercise this right easily and at reasonable intervals in order to be aware of the processing and to be able to verify its lawfulness [...]" (Recital 63 DSGVO)

The complainant is entitled to receive a free copy of the personal data to be checked, whereby the right to receive a copy must not infringe the rights and freedoms of other persons (Art. 15 para. 3 and 4 DSGVO). The complainant may exercise the right of access in order to verify the processing of his personal data. Since payment documents usually contain far more than personal data of the data subject, in this case the complainant, the right of access under data protection law can also only go so far as to correspond to the purpose of the review of the lawfulness of the data processing (see the judgment of the ECJ of 17 July 2014 in Joined Cases C-141/12 and C-372/12). The respondent must therefore disclose personal data relating to the complainant in accordance with the request for information, taking into account the limitation of Article 15 (4) DSGVO.

Nor can the contingent argument that the complainant was acting in a harassing manner and that the respondent was making legitimate use of its right under Article 12 (5) (a) DSGVO to prescribe costs in the case of excessive requests for information be accepted. In its opinion, the respondent refers to a general prohibition of harassment and states that the Supreme Court affirmed such a prohibition and that Art. 12 (5) (a) and (b) DSGVO is also intended to counter harassment in the exercise of rights.

First of all, it must be stated that Austrian jurisprudence denies the existence of a "general prohibition of harassment" and only prohibits the exercise of a right which contravenes the morality of § 1295 (2) ABGB (cf. 2 Ob 576/55, 3 Ob 520/51 uaN, but see also OGH in the decision of 10 July 1986, 6 Ob 12/85 = SZ 59/123 = RdW 1986, 306 = JBl 1986, 643). However, with regard to a special claim of the respondent (the person responsible) under Art. 12 para. 5 lit. a and b DSGVO, which has to be assessed differently, it is conceded that in the case of the manifestly unfounded or excessive exercise of a right, the respondent would have a claim to the prescription of costs or a "right of refusal". The legislator is going to argue this point. The legislator assumes "particularly in the case of frequent repetition" that there must be a certain intensity which would make it unreasonable for the person responsible to have to accept the subjective right of control against him, which is basically without cause (Leiter in Gantschacher/Jelinek/Schmidl/Spanberger, Kommentar zur Datenschutz-Grundverordnung1 2017, zu Art. 12; see also the decision of the DSK of 14.9.2012, GZ K121.830/0008-DSK/2012).

The complainant exercises the right to information against the respondent for the first time and requests very specific data. This also takes into account the fact that the complainant only requests information about data which he himself can no longer access via e**Banking and therefore the cooperation of the respondent is necessary. Thus, in exercising his right to information, the complainant did not engage in conduct that would make it unreasonable for the respondent to act without prescribing costs or to refuse to provide the information.

It was therefore to be decided in accordance with the ruling of the court.
Decision on DSB document (BVwG)

By decision of 24.5.2019, GZ: W258 2205602-1/8E, the Federal Administrative Court (BVwG) dismissed the appeal lodged against this decision, but rewrote the content of the first sentence. The ordinary appeal to the Administrative Court (VwGH) has been declared admissible.