DSB (Austria) - 2020-0.816.655
From GDPRhub
| DSB - DSB - 2020-0.816.655 | |
|---|---|
 | |
| Authority: | DSB (Austria) |
| Jurisdiction: | Austria |
| Relevant Law: | Article 3 GDPR Article 4(16)(a) GDPR Article 12(1) GDPR Article 14 GDPR Article 15(1) GDPR Article 57(1)(f) GDPR § 24 (6) DSG Article 8 (1) B-VG |
| Type: | Complaint |
| Outcome: | Partly Upheld |
| Started: | |
| Decided: | 07.01.2021 |
| Published: | 15.03.2021 |
| Fine: | None |
| Parties: | Brigitte A. (complainant) N*** & Co Material GmbH (respondent) |
| National Case Number/Name: | DSB - 2020-0.816.655 |
| European Case Law Identifier: | ECLI:AT:DSB:2021:2020.0.816.655 |
| Appeal: | Not appealed |
| Original Language(s): | German |
| Original Source: | Rechtsinformationssystem des Bundes (in DE) |
| Initial Contributor: | Fabian Schuster |
The Court held that a respondent may subsequently remedy the alleged infringement by complying with the complainant's requests until the conclusion of the proceedings before the data protection authority.
Furthermore, the principle of the place of market inherent in the GDPR implies that information and notifications must in principle be translated into the languages of those countries in which the entrepreneur offers the services in question, taking into account the nationality or place of residence of the data subject.
English Summary
Facts
On 17 January 2020, the complainant received a letter (dated 8 January 2020) from the respondent informing her that the windows she had bought in 2019 might have defective hardware and that she should therefore contact a call centre to have them checked. She then contacted the manufacturer and the seller of the windows on 21 January 2020, who sent her a scan of the respondent's request. The letter from the respondent to the seller of the windows was dated 8 August 2019, whereas the letter from the respondent to the complainant was dated 8 January 2020 (received on 17 January 2020). This meant that the respondent had processed her data for about 5 months without informing her. Moreover, the letter did not comply with the provisions of Article 14 of the GDPR. Copies of the letter of 8 January 2020 and the letter of 8 August 2019 (both in Polish) were attached to the submission.
Dispute
Violation of the right to information pursuant to Article 14 GDPR
Holding
A. The above-mentioned information must in principle be provided within a reasonable period of time, but within one month at the latest. If the personal data is to be used for communication with the data subject, at the latest at the time of the first communication (Art. 14(3)(a) and (b) GDPR).
However, Art. 14(1) to (4) GDPR shall not apply if and to the extent that the data subject already has the information (para. 5 leg. cit.).
Pursuant to Section 24(6) DPA, a respondent may subsequently remedy the alleged infringement by complying with the complainant's requests until the conclusion of the proceedings before the data protection authority.
(...)
As can be seen from the findings, the respondent provided information about the purposes of processing, the categories of data processed and the storage period in the ongoing proceedings before the data protection authority. It is also clear who is responsible for the data processing and was sufficiently informed about the rights of the data subjects and the right of appeal to a supervisory authority. With regard to these points, there is therefore a subsequent compliance within the meaning of Section 24 (6) of the Data Protection Act and the complaint in this regard was to be dismissed for lack of complaint.
B. The complainant can be agreed that information in the sense of the transparency requirement must be provided in comprehensible and simple language. However, this provision does not contain an explicit rule on the national language in which this has to be done and must therefore be based on the respective individual case. Due to the principle of the place of market inherent in the GDPR, it can be assumed that information and notifications must in principle be translated into the languages of those countries in which the entrepreneur offers the services in question, taking into account the nationality or place of residence of the data subject (cf. Paal in Paal/Pauly, Datenschutz-Grundverordnung (2017), para. 35). In view of the relatively general wording of Art. 12 leg. cit. and the fact that Art. 14 leg. cit. is an active obligation, it must be assumed that the respective controller has a certain degree of discretion (cf. Bäcker in Kühling/Buchner, Datenschutz-Grundverordnung (2017), para. 16).
In this regard, it should be noted that the complainant lodged the complaint in question directly with the Austrian data protection authority - despite the reference to the one-stop shop procedure and the related possibility to lodge a complaint with the Polish supervisory authority - and that the subsequent procedure was conducted in German. Nor did the complainant at any time claim that she was unable to grasp (linguistically) the information provided to her. Finally, it should be noted that only a submission by the respondent written in German made it possible to review the data protection authority within the meaning of Section 24(6) of the DPA (cf. Art. 8 of the Federal Constitution, according to which the use of the German language is mandatory for Austrian authorities).
From the point of view of the respondent, it was therefore to be assumed that the information was sufficiently comprehensible within the meaning of Art. 12 (1) in conjunction with Art. 14 GDPR and the complaint was to be dismissed in this respect as well.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
Deciding authority
Data protection authority
Decision date
07.01.2021
Business number
2020-0.816.655
Appeal to the Federal Administrative Court/Supreme Administrative Court/Constitutional Court (BVwG/VwGH/VfGH)
This decision is legally binding.
Text
GZ: 2020-0.816.655 of 7 January 2021 (procedure number: DSB-D124.2399)
[Editor's note: Names and companies, legal forms and product names, addresses (incl. URLs, IP and e-mail addresses), file numbers (and the like), etc., as well as their initials and abbreviations may have been abbreviated and/or changed for pseudonymisation reasons. Obvious spelling, grammatical and punctuation errors have been corrected].
DECISION
Saying
The data protection authority decides on the data protection complaint of Brigitte A*** (complainant) of 24 January 2020 (ha. received on 29 January 2020), supplemented on 28 February 2020, against N*** & Co Material GmbH (respondent) for violation of the right to information as follows:
1. the complaint is partially upheld and it is found that the respondent has breached its information obligations by not providing information on the legal basis of the data processing.
The respondent is ordered to provide the complainant with information on the legal basis for the processing of personal data within the meaning of Article 14 (1) (c) of the GDPR within a period of 4 weeks, failing which the complainant is to be executed.
3. For the rest, the appeal is dismissed as unfounded.
Legal basis: Art. 3, Art. 4 line 16, Art. 12 para. 1, Art. 14 para. 1 to para. 5, Art. 15, Art. 51 para. 1, Art. 57 para. 1 lit. f and Art. 77 para. 1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter: GDPR), OJ. No. L 119, 4.5.2016 p. 1; §§ 18 para. 1 as well as 24 para. 1, para. 5 and para. 6 of the Data Protection Act (DSG), Federal Law Gazette I No. 165/1999 as amended; Art. 8 para. 1 of the Federal Constitutional Act (B-VG), Federal Law Gazette No. 1/1930 as amended.
Justification
A. Arguments of the parties and course of the proceedings
By submission of 24 January 2020 (ha. received on 29 January 2020), supplemented by submission of 28 February 2020, the complainant alleged a violation of the right to information and submitted the following in summary:
On 17 January 2020, the complainant received a letter (dated 8 January 2020) from the respondent informing her that the windows she had bought in 2019 might have defective hardware and that she should therefore contact a call centre to have them checked. She then contacted the manufacturer and the seller of the windows on 21 January 2020, who sent her a scan of the respondent's request. The letter from the respondent to the seller of the windows was dated 8 August 2019, whereas the letter from the respondent to the complainant was dated 8 January 2020 (received on 17 January 2020). This meant that the respondent had processed her data for about 5 months without informing her. Moreover, the letter did not comply with the provisions of Article 14 of the GDPR. Copies of the letter of 8 January 2020 and the letter of 8 August 2019 (both in Polish) were attached to the submission.
In the decision of the data protection authority of 18 February 2020, the complainant was informed of the possibility of lodging a complaint with the supervisory authority of her usual place of residence. This was rejected by the complainant in a submission of 28 February 2020.
In its decision of 3 March 2020, the data protection authority invited the respondent to submit comments.
On 24 March 2020, the respondent sent the complainant a letter entitled "Information request pursuant to Article 15 of the GDPR", a copy of which was also sent to the data protection authority.
In its decision of 17 April 2020, the data protection authority again pointed out to the respondent that the subject matter of the complaint procedure was an alleged violation of the right to information, but not of the right to access, and that a subsequent elimination pursuant to Section 24 (6) of the FADP must therefore comply with the requirements of Articles 13 and 14 of the GDPR. However, the respondent did not comment further.
By decisions of 23 October 2020 and 1 December 2020, the data protection authority granted the complainant an opportunity to be heard.
In its submission of 7 December 2020, the complainant argued that all of the respondent's paper letters had been written in Polish, but that the information of 24 March 2020 had (incorrectly) been written in German.
B. Subject matter of the appeal
The subject matter of the complaint is the question of whether the respondent violated the complainant's right under Art. 14 GDPR by not sufficiently fulfilling the duty to inform when collecting the personal data and by not remedying this deficiency during the proceedings before the data protection authority.
C. Findings of fact
The respondent is a company registered under FN 3***45n with its registered office in *020 M***, Z***gasse 5, whose business purpose includes the manufacture of window fittings.
Evaluation of evidence: The findings made are based on an official search of the commercial register (FN 3***45n) and the website of the respondent at https:www.material*.eu, both searched on 4 January 2021.
On 17 January 2020, the complainant received a postal letter from the respondent, dated 8 January 2020.
The content of the letter was essentially information that the windows previously purchased by the complainant from the company "E***" might have defective fittings. The letter was written in Polish.
The contact details of the complainant required for the enquiry (name and residential address) were provided to the respondent by the company "E***" on the basis of an enquiry made in this regard on 8 August 2019. Apart from this, there was no contractual relationship between the complainant and the respondent at any time.
By submission of 24 January 2020 (received by the data protection authority on 29 January 2020), the complainant lodged the complaint in question. On 23 March 2020, the respondent sent the following letter to the complainant in the ongoing complaint procedure, a copy of which was also sent to the data protection authority (formatting not reproduced 1:1):
23 March 2020
Provision of information pursuant to Art. 15 of the GDPR
Mrs A***,
we will respond to your request for information about the data stored about you within the time limit set by the data protection authority from the date we receive the request as follows:
We received your request for information pursuant to Article 15 of the GDPR and your data protection complaint to the data protection authority on 19 March 2020. We assume that you have sufficiently proven your identity to the data protection authority.
Within the two-week period set by the data protection authority, we hereby comply with your request.
In order to protect the rights of third parties, we have laid down the following rules for responding to your request, which form the basis of the information provided:
- In order to protect the rights of third parties, confidentiality in the context of ongoing investigations in criminal or civil law proceedings as well as the protection of trade and business secrets, any documentation, drawings, software code, notes, reports, memos, protocols, expert opinions or general data records relating to the person requesting information, which are used to identify, record or trace facts and which contain data of the person requesting information, will not be disclosed, will not be made available in machine-readable form and will not be copied. The information shall not be disclosed or passed on in machine-readable form, nor shall a copy of the data be provided.
- As a general rule, if a document or data record names other natural persons in addition to the person requesting information whose personal rights are to be protected within the meaning of the GDPR, these persons will not be provided with information, will not be passed on in machine-readable form and will not be provided with a copy of the data.
- Temporary data and log files that are generated by the system, overwritten again or are only required for administrative purposes and for reasons of reliability and operational safety of the IT systems and directly or indirectly (IP addresses) process data with personal reference are processed by specific IT applications. Please understand that we cannot provide information on temporary data or log files due to the excessive nature of the request.
Taking into account the protection of the rights of third parties, we provide the following information about you:
We process personal data about you under the following categories of data subjects:
Categories of persons concerned Description
- Customers (B2C) Consumer (end user)
We carry out the following processing activities for the data subjects listed above:
Processing activities
Purpose of the processing
Categories of affected
People
Complaints processing
End customer
Organise and provide a process to handle customer-related complaints.
to be able
Customers (B2C)
The following categories of personal data are processed in the listed processing activities:
Page 1/2
Report: GDPR - Request for information under Art. 15 (letter); Catalogue: CURRENTPrinted 23.03.2020
CONFIDENTIAL***
Categories of personal data
Processing activities
Customer data for complaints Name, address, title, e-mail
Complaints processing
Address, telephone number
End customer
In the context of the activities we carry out, we transmit personal data concerning you to the following recipients or categories of recipients:
Types of data
Receiver
Purpose of the transmission
Complaint data
Service provider for
Troubleshooting
Execution of service for the fulfilment of claims arising from product liability, warranty or guarantee.
We store your personal data as long as this is required by law, is necessary for the purpose or the use in accordance with the legitimate interest of the company requires this. The deletion period listed below follows this storage period. The origin of the respective data is also indicated.
Categories of personal data retention period
Deletion period
Origin of the data
Customer data for complaints 10 years
1 year
Self-disclosure of the customer or by data transmission of the supplier to the
End customers (e.g. dealers, property developers, window manufacturers).
In the following processing operations, we use procedures for the automated processing of data for operational reasons.
decision-making/profiling based on the data collection logic described below.
Processing activities Profiling logic
At this point, we confirm that we do not process any personal data of yours beyond the data provided in compliance with the intellectual property rights of third parties.
In the previous section, we have explained to you which types of data or categories of data we process for which processing activities and for which purposes and legal bases for the groups of data subjects concerning you. In order to also provide you with a copy of the data processed for you, if requested, we ask you to specify the data in question, which you request in the form of a data extract.
In principle, you have the rights to rectification, deletion, restriction of processing, revocation and objection. To do so, please contact us. If you believe that the processing of your data violates data protection law or that your data protection rights have been violated in any other way, you have the right to lodge a complaint with the competent data protection authority.
Kind regards,
The Material* Legal Department
Evaluation of evidence: The findings made are primarily based on the credible submission of the complainant in that this was not disputed by the respondent in terms of content at any time despite (several) requests to comment.
D. In legal terms, it follows that:
D.1 General and relevant legislation
At the outset, it is noted that jurisdiction arises on the basis of the main establishment of the respondent (Art. 4(16)(a) GDPR) in Austria, whereby the complaint in question was lodged directly with the Austrian Data Protection Authority and was therefore to be dealt with by the latter (without applying the one-stop shop procedure under Art. 56 in conjunction with Art. 60 GDPR).
Pursuant to Article 12(1) of the GDPR, the controller shall take appropriate measures to provide the data subject with all information pursuant to Articles 13 and 14 relating to the processing in a precise, transparent, intelligible and easily accessible form and in plain and simple language.
If personal data are not collected from the data subject himself, the duty to provide information arises from Art. 14 GDPR, according to which, pursuant to para. 1 leg. cit. the following information must be provided:
a) the name and contact details of the person responsible;
(b) contact details of the data protection officer;
(c) the purposes of the processing and the legal basis for the processing;
(d) the categories of data processed;
(e) where applicable, the recipients or categories of recipients;
(f) where applicable, the controller's intention to transfer the personal data to a recipient in a third country or an international organisation.
In addition, the controller shall provide the data subject with the following information pursuant to para. 2 leg. cit., the controller shall provide the data subject with the following information necessary to ensure fair and transparent processing vis-à-vis the data subject:
(a) the storage period or, if that is not possible, the criteria for determining that period;
(b) where applicable, the legitimate interests pursued by the controller;
(c) the existence of the right of access, rectification, erasure, restriction of processing, data portability and the right to object to processing;
(d) the existence of a right to withdraw consent at any time without affecting the lawfulness of the processing carried out on the basis of consent until withdrawal;
e) the existence of a right of appeal to a supervisory authority;
(f) the source of the data and, if applicable, whether it is from publicly available sources;
(g) where applicable, the existence of automated decision-making, including profiling.
The above-mentioned information must in principle be provided within a reasonable period of time, but within one month at the latest. If the personal data is to be used for communication with the data subject, at the latest at the time of the first communication (Art. 14(3)(a) and (b) GDPR).
However, Art. 14(1) to (4) GDPR shall not apply if and to the extent that the data subject already has the information (para. 5 leg. cit.).
Pursuant to Section 24(6) DPA, a respondent may subsequently remedy the alleged infringement by complying with the complainant's requests until the conclusion of the proceedings before the data protection authority.
D.2. on the merits
The data protection authority has already dealt with the question of whether the "information obligations" pursuant to Art. 13 and Art. 14 GDPR can conversely also be asserted as subjective data subject rights and, according to case law, assumes that a data subject can rely on Art. 13 and Art. 14 GDPR irrespective of the application (cf. the decision of the data protection authority of 31 October 2018, GZ DSB-D123.076/0003-DSB/2018).
The prerequisite for the application of Art. 14 GDPR is that the controller did not collect the personal data from the data subject (no "direct collection"). As can be seen from the findings, personal data of the complainant (at least name and residential address) were undoubtedly requested by the respondent for the purpose of contacting a third party and thus "collected" within the meaning of the cited provision.
The information mentioned would have had to be provided at the latest at the time of the first notification - i.e. on the occasion of the letter of 8 January 2020 (cf. Art. 14(3)(b) leg. cit.).
However, according to the established practice of the data protection authority, there is no right to determine that certain information may not have been provided at the time of the cases standardised in Art. 14(3) of the GDPR (cf. on the analogous application of Section 24(6) of the Data Protection Act with regard to the information obligations of Art. 13f of the GDPR, the decision of the DPA of 22 August 2020, reference number: DPA-D130.206/0006-DPA/2019).
Against this background, it was therefore necessary to go into more detail on the subsequent equivalence within the meaning of Section 24 (6) of the FADP:
The data protection authority does not overlook the fact that a violation of the right to information pursuant to Article 14 - and not the right to information pursuant to Article 15 of the GDPR as alleged by the respondent - was alleged. However, Article 14 (1) to (4) of the GDPR do not apply if the complainant already has the relevant information. Moreover, it should be noted that the success of a complaint under Art. 77(1) in conjunction with Art. 24(1) DPA is in any case conditional on the existence of a concrete complaint (cf. on the lack of a subjective violation of the law VwSlg. 11.568 A/1984 mwN).
As a result, this means that the information obligations could also be fulfilled by providing information within the meaning of Art. 15 GDPR.
As can be seen from the findings, the respondent provided information about the purposes of processing, the categories of data processed and the storage period in the ongoing proceedings before the data protection authority. It is also clear who is responsible for the data processing and was sufficiently informed about the rights of the data subjects and the right of appeal to a supervisory authority. With regard to these points, there is therefore a subsequent compliance within the meaning of Section 24 (6) of the Data Protection Act and the complaint in this regard was to be dismissed for lack of complaint.
However, Art. 14(1)(c) of the GDPR explicitly provides that the information obligations include the legal basis of the processing in addition to the purposes of the processing. The complaint was therefore to be upheld on this point and a corresponding performance order issued.
During the final hearing, the complainant argued that the information provided to her had not been translated into her national language (Polish).
The complainant can be agreed that information in the sense of the transparency requirement must be provided in comprehensible and simple language. However, this provision does not contain an explicit rule on the national language in which this has to be done and must therefore be based on the respective individual case. Due to the principle of the place of market inherent in the GDPR, it can be assumed that information and notifications must in principle be translated into the languages of those countries in which the entrepreneur offers the services in question, taking into account the nationality or place of residence of the data subject (cf. Paal in Paal/Pauly, Datenschutz-Grundverordnung (2017), para. 35). In view of the relatively general wording of Art. 12 leg. cit. and the fact that Art. 14 leg. cit. is an active obligation, it must be assumed that the respective controller has a certain degree of discretion (cf. Bäcker in Kühling/Buchner, Datenschutz-Grundverordnung (2017), para. 16).
In this regard, it should be noted that the complainant lodged the complaint in question directly with the Austrian data protection authority - despite the reference to the one-stop shop procedure and the related possibility to lodge a complaint with the Polish supervisory authority - and that the subsequent procedure was conducted in German. Nor did the complainant at any time claim that she was unable to grasp (linguistically) the information provided to her. Finally, it should be noted that only a submission by the respondent written in German made it possible to review the data protection authority within the meaning of Section 24(6) of the DPA (cf. Art. 8 of the Federal Constitution, according to which the use of the German language is mandatory for Austrian authorities).
From the point of view of the respondent, it was therefore to be assumed that the information was sufficiently comprehensible within the meaning of Art. 12 (1) in conjunction with Art. 14 GDPR and the complaint was to be dismissed in this respect as well.
Therefore, the decision had to be in accordance with the ruling.
European Case Law Identifier
ECLI:AT:DSB:2021:2020.0.816.655
