HG Wien - 57 Cg 32/20m

From GDPRhub
Revision as of 15:57, 1 July 2021 by MacRiz (talk | contribs) (Created page with "{{COURTdecisionBOX |Jurisdiction=Austria |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=HG Wien |Court_With_Country=HG Wien (Austria) |Case_Number_Name=HG W...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
HG Wien - HG Wien - 57 Cg 32/20m
Courts logo1.png
Court: HG Wien (Austria)
Jurisdiction: Austria
Relevant Law: Article 4(2) GDPR
Article 5(1)(b) GDPR
Article 5(1)(c) GDPR
Article 5(1)(d) GDPR
Article 5(1)(a) GDPR
Article 6(4) GDPR
Article 13(1)(e) GDPR
Article 13(1)(f) GDPR
[ § 6 Abs 3 KSchG]
[ § 1 DSG]
Decided:
Published: 29.06.2021
Parties: Sky Österreich Fernsehen GmbH
VKI Verbraucherrecht
Sozialministerium
National Case Number/Name: HG Wien - 57 Cg 32/20m
European Case Law Identifier:
Appeal from:
Appeal to:
Original Language(s): German
Original Source: VKI vs. Sky Urteil (in German)
Initial Contributor: Lejla Rizvanovik

The Regional Court for Commercial Matters Vienna (HG Wien) found that there was no legitimate interest in checking customer data and processing it accordingly by transmitting the data to Austrian Post. Because according to the already applicable terms and conditions, consumers are obliged to immediately notify Sky of any changes to the data provided. In addition, messages from Sky to the last known address of the consumer are deemed to have been delivered. According to the HG Wien, the data comparison is therefore not even necessary. It also considered the principle of data accuracy to be violated. The intended provision provides that the customer data available to Sky is compared with that of Austrian Post and, if necessary, replaced without taking into account whether the data of Austriann Post is correct. Since there is no guarantee that consumers will disclose their correct data to Austrian Post, it cannot be ruled out that correct data will be replaced by incorrect data.

English Summary

Facts

In May 2020, Sky customers received a letter informing them that their customer data should be passed on to Austrian Post for verification. Consent for the data comparison was not obtained from the customers. Instead, the customers would have had to actively object to the data being passed on. The Regional Court for Commercial Matters Vienna (HG Wien) judged this to be unlawful. The court also found a clause in Sky’s general terms and conditions on the transfer of data to third parties (“e.g. IPTV providers”) to be inadmissible. Consumers could not understand to which recipient or recipient category the data would be passed on. There is thus a violation of the principle of transparency.

Dispute

Do consumers have to expect their data to be checked by passing them on to third parties when concluding a contract?

Holding

The Regional Court for Commercial Matters Vienna (HG Wien) judged Sky’s underlying contractual condition for the comparison of customer data with the Austrian Post as inadmissible.

Comment

The decision is not yet final.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.



  
      
  


  
  
    
  
    Sky: Comparison of customer data not permitted
  
  


  

    
      
          June 29, 2021

                                    Telecommunication & Media
      

      
    

  



  
    
      In order to check whether existing customer data is still up-to-date, Sky Österreich Fernsehen GmbH wanted to send it to Austrian Post for comparison. Sky Austria therefore sent customers an email to this effect. The VKI sued on behalf of the Ministry of Social Affairs. The HG Vienna found the clause in the emails and data protection clauses in the terms and conditions to be inadmissible.
    
  


  
    In May 2020, Sky Austria informed its customers via email about an imminent comparison of customer data with Austrian Post. If data has changed, it would be updated. The comparison was carried out without consent. Consumers should have actively contradicted the data exchange.

The HG Vienna refused to interrupt the proceedings in advance. The court rejects the objection that the VKI is not legitimate because the Austrian legislator has not implemented Art 80 (2) GDPR. An agreement on the active legitimation of the VKI would be incompatible with Article 7 (2) of the Clause RL (Directive 93/13 / EEC), according to the Vienna Commercial Court. The fact that compliance with the provisions of the Clause RL also corresponds to the will of the EU legislature in the area of application of the GDPR results from recital 42 of the GDPR, which expressly refers to this. The decision 4 Ob 84 / 19k brought into the meeting by the defendant, however, was based on a different situation because it was not a representative action according to § 28 KSchG.

The active legitimation of the plaintiff association is given based on these considerations. The court therefore saw no reason to interrupt the proceedings until the final decision of the ECJ in case C-319/20 or the BGH in proceedings on I ZR 186/17 was available.



Clause 1: "For this purpose, we will give your data to Austrian Post for comparison (based on legitimate interest, Art. 6 I f GDPR). If something has changed, your data will be updated.

If you do not agree with this review, you have the option here to object until May 20th, 2020. "

The HG Vienna found this clause inadmissible for several reasons. It violates the principle of legality, good faith, transparency, purpose limitation and data minimization within the meaning of Art 5 Paragraph 1 lit a, b, c GDPR and violates the requirement of correctness within the meaning of Art 5 Paragraph 1 lit d GDPR. The clause is also non-transparent within the meaning of Section 6 (3) KSchG and violates the basic right to data protection within the meaning of Section 1 DSG. In addition, it is an unlawful further processing of data according to Art 6 Para 4 GDPR.

With regard to the verification of the data, Sky relies on a legitimate interest within the meaning of Art 6 Paragraph 1 lit f GDPR. According to the court, however, there is no such thing. According to the terms and conditions, messages to the last known address of consumers are deemed to have been received. It is therefore not necessary to check the data via comparison. The clause is therefore unlawful and violates Art 5 Para 1 lit a GDPR and, subsequently, the fundamental right to data protection in accordance with Section 1 GDPR.

Furthermore, the clause violates the requirement of correctness within the meaning of Art 5 Para 1 lit c GDPR, since when comparing with the Post no consideration is given to whether the data is correct or not. Since there is no guarantee that consumers will disclose their correct data to Swiss Post, it cannot be ruled out that correct data would be corrected for incorrect data as a result of the data comparison.

According to the court, the purpose-changing further processing within the meaning of Art 6 (4) GDPR, which was put forward by the defendant, fails due to the compatibility check. When concluding a contract, consumers could not expect their data to be checked by passing it on to a third party. Furthermore, the clause does not stipulate which data are specifically passed on to Austrian Post, so that there is also a violation of Art 5 Para. 1 lit c GDPR ("data minimization"), according to which the processing of personal data is appropriate and significant for the purpose as well as on the must be limited to the extent necessary for the purposes of processing.

The court also found the clause to be non-transparent within the meaning of Section 6 (3) KSchG. Consumers cannot understand whether they are obliged to check changes to this comparison or whether incorrectly addressed mailings from the defendant are now at their expense.



Clauses from Sky Austria's GTC:



Clause 2: "[5.2] The personal data provided by the subscriber as well as data on the type and frequency of his use of the services provided by Sky are processed by Sky and stored within the statutory retention periods (in particular according to UGB and BAO), insofar as this is necessary for the Fulfillment of the contract, in particular for the implementation of customer service and the settlement of payments, is necessary (Art. 6 Para. 1 lit. b GDPR). Depending on the respective subscription, the data may be transmitted to third parties who have a contractual relationship with the subscriber (e.g. IPTV provider) and to service providers who provide services on behalf of Sky (order processing, Art. 28 GDPR). If a Sky service provider is located in a third country, suitable measures (in particular the use of EU standard contractual clauses) are used to ensure that the subscriber's rights as the data subject are preserved. "

In accordance with Art.13 (1) (e) GDPR, Sky may have to provide information about the recipients or categories of recipients of personal data and, in accordance with lit. Communicate guarantees. Even if it was assumed that the naming of recipient categories is sufficient, the information requirements according to Art 13 GDPR are not complied with, according to the HG Vienna. Since the clause is only exemplary - "e.g. IPTV provider "- there are obviously several recipients of data that were not named. The court also concluded that the naming of “service providers” does not represent a comprehensible recipient category. Furthermore, the clause does not disclose whether an adequacy decision or other suitable guarantees exist for the transfer to third countries. The clause consequently violates the principle of transparency within the meaning of Art 5 Paragraph 1 lit a GDPR. This also applies to the reference in the clause that processed data is stored “within the statutory retention requirements (in particular according to UGB and BAO)”. The average consumer does not know which regulations are specifically referred to or how long these deadlines are. In addition, according to the court, there is a violation of Section 6 (3) KSchG.



Clause 3: "[5.7] So that the subscriber can make the best possible use of the Sky offer and purchase (possibly other) Sky products that are of interest to him, Sky uses address data that Sky has received in connection with the subscription contract to provide the subscriber, including via the Contract period to send information on Sky products from the area of pay TV by post (direct mail). "

From the sentence following the clause it emerges: "For this purpose, Sky may process further framework data from the subscription contract". The General Data Protection Regulation within the meaning of Art 4 Z 2 GDPR defines “processing”, among other things, also as “disclosure through transmission”. However, this also leaves the possible recipients of this data processing completely open, as it can be passed on to unspecified third parties using the term "processing". In any case, the clause is not transparent, according to the court.



The judgment is not final (as of June 29, 2021).
HG Vienna May 26th, 2021, 57 Cg 32 / 20m
Legal representative: Dr. Stefan Langer, lawyer in Vienna

To the news.
  

  
  

  
    
      Share this post

      
        
      

      
        
      

      
        
      

      
        
      

    
  
  


    
  
    Sky: Comparison of customer data not permitted
  
  


  

    
      
          June 29, 2021

                                    Telecommunication & Media
      

      
    

  



  
    
      In order to check whether existing customer data is still up-to-date, Sky Österreich Fernsehen GmbH wanted to send it to Austrian Post for comparison. Sky Austria therefore sent customers an email to this effect. The VKI sued on behalf of the Ministry of Social Affairs. The HG Vienna found the clause in the emails and data protection clauses in the terms and conditions to be inadmissible.
    
  


  
    In May 2020, Sky Austria informed its customers via email about an imminent comparison of customer data with Austrian Post. If data has changed, it would be updated. The comparison was carried out without consent. Consumers should have actively contradicted the data exchange.

The HG Vienna refused to interrupt the proceedings in advance. The court rejects the objection that the VKI is not legitimate because the Austrian legislator has not implemented Art 80 (2) GDPR. An agreement on the active legitimation of the VKI would be incompatible with Article 7 (2) of the Clause RL (Directive 93/13 / EEC), according to the Vienna Commercial Court. The fact that compliance with the provisions of the Clause RL also corresponds to the will of the EU legislature in the area of application of the GDPR results from recital 42 of the GDPR, which expressly refers to this. The decision 4 Ob 84 / 19k brought into the meeting by the defendant, however, was based on a different situation because it was not a representative action according to § 28 KSchG.

The active legitimation of the plaintiff association is given based on these considerations. The court therefore saw no reason to interrupt the proceedings until the final decision of the ECJ in case C-319/20 or the BGH in proceedings on I ZR 186/17 was available.



Clause 1: "For this purpose, we will give your data to Austrian Post for comparison (based on legitimate interest, Art. 6 I f GDPR). If something has changed, your data will be updated.

If you do not agree with this review, you have the option here to object until May 20th, 2020. "

The HG Vienna found this clause inadmissible for several reasons. It violates the principle of legality, good faith, transparency, purpose limitation and data minimization within the meaning of Art 5 Paragraph 1 lit a, b, c GDPR and violates the requirement of correctness within the meaning of Art 5 Paragraph 1 lit d GDPR. The clause is also non-transparent within the meaning of Section 6 (3) KSchG and violates the basic right to data protection within the meaning of Section 1 DSG. In addition, it is an unlawful further processing of data according to Art 6 Para 4 GDPR.

With regard to the verification of the data, Sky relies on a legitimate interest within the meaning of Art 6 Paragraph 1 lit f GDPR. According to the court, however, there is no such thing. According to the terms and conditions, messages to the last known address of consumers are deemed to have been received. It is therefore not necessary to check the data via comparison. The clause is therefore unlawful and violates Art 5 Para 1 lit a GDPR and, subsequently, the fundamental right to data protection in accordance with Section 1 GDPR.

Furthermore, the clause violates the requirement of correctness within the meaning of Art 5 Para 1 lit c GDPR, since when comparing with the Post no consideration is given to whether the data is correct or not. Since there is no guarantee that consumers will disclose their correct data to Swiss Post, it cannot be ruled out that correct data would be corrected for incorrect data as a result of the data comparison.

According to the court, the purpose-changing further processing within the meaning of Art 6 (4) GDPR, which was put forward by the defendant, fails due to the compatibility check. When concluding a contract, consumers could not expect their data to be checked by passing it on to a third party. Furthermore, the clause does not stipulate which data are specifically passed on to Austrian Post, so that there is also a violation of Art 5 Para. 1 lit c GDPR ("data minimization"), according to which the processing of personal data is appropriate and significant for the purpose as well as on the must be limited to the extent necessary for the purposes of processing.

The court also found the clause to be non-transparent within the meaning of Section 6 (3) KSchG. Consumers cannot understand whether they are obliged to check changes to this comparison or whether incorrectly addressed mailings from the defendant are now at their expense.



Clauses from Sky Austria's GTC:



Clause 2: "[5.2] The personal data provided by the subscriber as well as data on the type and frequency of his use of the services provided by Sky are processed by Sky and stored within the statutory retention periods (in particular according to UGB and BAO), insofar as this is necessary for the Fulfillment of the contract, in particular for the implementation of customer service and the settlement of payments, is necessary (Art. 6 Para. 1 lit. b GDPR). Depending on the respective subscription, the data may be transmitted to third parties who have a contractual relationship with the subscriber (e.g. IPTV provider) and to service providers who provide services on behalf of Sky (order processing, Art. 28 GDPR). If a Sky service provider is located in a third country, suitable measures (in particular the use of EU standard contractual clauses) are used to ensure that the subscriber's rights as the data subject are preserved. "

In accordance with Art.13 (1) (e) GDPR, Sky may have to provide information about the recipients or categories of recipients of personal data and, in accordance with lit. Communicate guarantees. Even if it was assumed that the naming of recipient categories is sufficient, the information requirements according to Art 13 GDPR are not complied with, according to the HG Vienna. Since the clause is only exemplary - "e.g. IPTV provider "- there are obviously several recipients of data that were not named. The court also concluded that the naming of “service providers” does not represent a comprehensible recipient category. Furthermore, the clause does not disclose whether an adequacy decision or other suitable guarantees exist for the transfer to third countries. The clause consequently violates the principle of transparency within the meaning of Art 5 Paragraph 1 lit a GDPR. This also applies to the reference in the clause that processed data is stored “within the statutory retention requirements (in particular according to UGB and BAO)”. The average consumer does not know which regulations are specifically referred to or how long these deadlines are. In addition, according to the court, there is a violation of Section 6 (3) KSchG.



Clause 3: "[5.7] So that the subscriber can make the best possible use of the Sky offer and purchase (possibly other) Sky products that are of interest to him, Sky uses address data that Sky has received in connection with the subscription contract to provide the subscriber, including via the Contract period to send information on Sky products from the area of pay TV by post (direct mail). "

From the sentence following the clause it emerges: "For this purpose, Sky may process further framework data from the subscription contract". The General Data Protection Regulation within the meaning of Art 4 Z 2 GDPR defines “processing”, among other things, also as “disclosure through transmission”. However, this also leaves the possible recipients of this data processing completely open, as it can be passed on to unspecified third parties using the term "processing". In any case, the clause is not transparent, according to the court.



The judgment is not final (as of June 29, 2021).
HG Vienna May 26th, 2021, 57 Cg 32 / 20m
Legal representative: Dr. Stefan Langer, lawyer in Vienna

To the news.