HG Wien - 57 Cg 32/20m

From GDPRhub
Revision as of 09:33, 7 July 2021 by RRA (talk | contribs)
HG Wien - 57 Cg 32/20m
Courts logo1.png
Court: HG Wien (Austria)
Jurisdiction: Austria
Relevant Law: Article 4(2) GDPR
Article 5(1)(b) GDPR
Article 5(1)(c) GDPR
Article 5(1)(d) GDPR
Article 5(1)(a) GDPR
Article 6(4) GDPR
Article 13(1)(e) GDPR
Article 13(1)(f) GDPR
§ 6(3) KSchG
§ 28 KSchG
§ 1 DSG
Decided: 26.05.2021
Published: 29.06.2021
Parties: Sky Österreich Fernsehen GmbH
Verein für Konsumenteninformation (VKI)
National Case Number/Name: 57 Cg 32/20m
European Case Law Identifier:
Appeal from:
Appeal to:
Original Language(s): German
Original Source: VKI vs. Sky Urteil (in German)
Initial Contributor: Lejla Rizvanovik

The Commercial Court of Vienna ruled that legal actions by an Austrian consumer protection institution under the Austrian Consumer Protection Act may also be based on violations of the GDPR, despite the lack of implementation of Article 80(2) GDPR in Austria. Further, it held that matching by a controller of customer data with data on the same customers at the Austrian Post was illegal due to, inter alia, a lack of legal basis and violation of the accuracy principle.

English Summary

Facts

The claimant is an Austrian consumer protection institution (Verein für Konsumentinformation). It filed a Verbandsklage pursuant to § 28 of the Austrian Consumer Protection Act (KSchG) against three (general terms and conditions) clauses with the Commercial Court of Vienna (HG Wien) . A Verbandsklage is a form of popular action in which associations are granted standing not to assert the violation of their own rights, but of the rights of the general public.

Clause 1: Pursuant to Sky's terms and conditions, consumers are obliged to immediately notify Sky of any changes to the data provided and notices sent to the last known address of consumers shall be deemed received. However, Sky customers received a letter with the Clause 1 informing them that their customer data should be passed on to Austrian Post for verification. If the data stored at the post office did not match the Sky data, the Sky data should be updated. Consent for the data comparison was not obtained from the customers. Sky rather invoked the legal basis of Article 6(1)(f) GDPR. If data subjects are against the verification, they should explicitly object to it.

Clause 2: The second clause dealt with the transfer of data and with storage periods. Among other things, it was stated here that data may be transferred to third parties who have a contractual relationship with the subscriber (e.g. IPTV providers) and to service providers who provide services on behalf of Sky. It also stated that Sky stores the data within the statutory retention periods (in particular according to the Austrian Company Code (UGB) and the Austrian Federal Tax Code (BAO)).

Clause 3: Finally, Sky's general terms and conditions stipulated that further framework data from the subscription contract may be processed for the purpose of direct advertising.

Holding

The court ruled that all clauses violate the GDPR and are therefore invalid.

Claim Entitlement of the VDI

First, the court found that the VDI itself may assert the infringement. In particular, the fact that Article 80(2) GDPR has not been implemented in Austria does not prevent this. After all, such an understanding would be incompatible with Article 7(2) of the directive on unfair terms in consumer contracts (93/13/EEC). Recital 42 of the GDPR explicitly refers to this directive. In the court's view, this means that the directive must also apply within the scope of the GDPR.

Clause 1: Various Breaches of the GDPR

The court first finds that the processing provided for in the clause cannot be based on a legitimate interest under Article 6(1)(f) GDPR, so that the principle of lawfulness under Article 5(1)(a) GDPR is violated. This is due to the fact that the data comparison is not necessary. This is because Sky's terms and conditions already provide that notifications to the last known address of consumers are deemed to have been received

In addition, there is a violation of the principle of accuracy, Article 5(1)(d) GDPR. The matching process does not check whether the data is "more correct" at the post office or not. There is no guarantee that consumers disclose their correct data to the Austrian Post. Therefore, it cannot be ruled out that correct data is exchanged for incorrect data during the comparison.

Processing for another purpose fails the compatibility test of Article 6(4) GDPR. Consumers could not have expected that their data would be verified by passing it on to a third party when the contract was concluded.

In the fact that it was not determined which data were specifically transferred to the Post Office, the court ultimately saw a violation of the principle of data minimisation according to Article 5(1)(c) GDPR.

Clause 2: Violation of the Transparency Principle under Article 5(1)(a) GDPR

The court ruled that the second clause violated the transparency obligation of Article 5(1)(a) GDPR, in particular because the requirements of Article 13(1)(e) and (f) GDPR were not met. These requirements extend in particular to naming the recipients or categories of recipients and, in the case of an intention to transfer to a third country, to showing whether an adequacy decision or other appropriate safeguards are in place.

The court stated that the wording "e.g. IPTV provider" made it clear that there were obviously other recipients. However, these were not named. Furthermore, "service provider" is not a comprehensible category of recipient. In addition, the clause does not show whether there is an adequacy decision or other suitable guarantees.

Finally, the storage "within the statutory retention periods (in particular according to UGB and BAO)" was also non-transparent. The consumer is not aware of the specific regulations. The duration of the storage period is also not clear from the clause.

Clause 3: Violation of the Transparency Principle under Article 5(1)(a) GDPR

The third clause is also invalid because of the unspecified use of the term "processing". The court stated that Article 4(2) GDPR defines "processing" as, among other things, "disclosure by transmission". Although a transfer to unspecified third parties is potentially covered, possible recipients are not named. Therefore, the clause is also intransparent.

Comment

The decision is not yet final.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.



  
      
  


  
  
    
  
    Sky: Comparison of customer data not permitted
  
  


  

    
      
          June 29, 2021

                                    Telecommunication & Media
      

      
    

  



  
    
      In order to check whether existing customer data is still up-to-date, Sky Österreich Fernsehen GmbH wanted to send it to Austrian Post for comparison. Sky Austria therefore sent customers an email to this effect. The VKI sued on behalf of the Ministry of Social Affairs. The HG Vienna found the clause in the emails and data protection clauses in the terms and conditions to be inadmissible.
    
  


  
    In May 2020, Sky Austria informed its customers via email about an imminent comparison of customer data with Austrian Post. If data has changed, it would be updated. The comparison was carried out without consent. Consumers should have actively contradicted the data exchange.

The HG Vienna refused to interrupt the proceedings in advance. The court rejects the objection that the VKI is not legitimate because the Austrian legislator has not implemented Art 80 (2) GDPR. An agreement on the active legitimation of the VKI would be incompatible with Article 7 (2) of the Clause RL (Directive 93/13 / EEC), according to the Vienna Commercial Court. The fact that compliance with the provisions of the Clause RL also corresponds to the will of the EU legislature in the area of application of the GDPR results from recital 42 of the GDPR, which expressly refers to this. The decision 4 Ob 84 / 19k brought into the meeting by the defendant, however, was based on a different situation because it was not a representative action according to § 28 KSchG.

The active legitimation of the plaintiff association is given based on these considerations. The court therefore saw no reason to interrupt the proceedings until the final decision of the ECJ in case C-319/20 or the BGH in proceedings on I ZR 186/17 was available.



Clause 1: "For this purpose, we will give your data to Austrian Post for comparison (based on legitimate interest, Art. 6 I f GDPR). If something has changed, your data will be updated.

If you do not agree with this review, you have the option here to object until May 20th, 2020. "

The HG Vienna found this clause inadmissible for several reasons. It violates the principle of legality, good faith, transparency, purpose limitation and data minimization within the meaning of Art 5 Paragraph 1 lit a, b, c GDPR and violates the requirement of correctness within the meaning of Art 5 Paragraph 1 lit d GDPR. The clause is also non-transparent within the meaning of Section 6 (3) KSchG and violates the basic right to data protection within the meaning of Section 1 DSG. In addition, it is an unlawful further processing of data according to Art 6 Para 4 GDPR.

With regard to the verification of the data, Sky relies on a legitimate interest within the meaning of Art 6 Paragraph 1 lit f GDPR. According to the court, however, there is no such thing. According to the terms and conditions, messages to the last known address of consumers are deemed to have been received. It is therefore not necessary to check the data via comparison. The clause is therefore unlawful and violates Art 5 Para 1 lit a GDPR and, subsequently, the fundamental right to data protection in accordance with Section 1 GDPR.

Furthermore, the clause violates the requirement of correctness within the meaning of Art 5 Para 1 lit c GDPR, since when comparing with the Post no consideration is given to whether the data is correct or not. Since there is no guarantee that consumers will disclose their correct data to Swiss Post, it cannot be ruled out that correct data would be corrected for incorrect data as a result of the data comparison.

According to the court, the purpose-changing further processing within the meaning of Art 6 (4) GDPR, which was put forward by the defendant, fails due to the compatibility check. When concluding a contract, consumers could not expect their data to be checked by passing it on to a third party. Furthermore, the clause does not stipulate which data are specifically passed on to Austrian Post, so that there is also a violation of Art 5 Para. 1 lit c GDPR ("data minimization"), according to which the processing of personal data is appropriate and significant for the purpose as well as on the must be limited to the extent necessary for the purposes of processing.

The court also found the clause to be non-transparent within the meaning of Section 6 (3) KSchG. Consumers cannot understand whether they are obliged to check changes to this comparison or whether incorrectly addressed mailings from the defendant are now at their expense.



Clauses from Sky Austria's GTC:



Clause 2: "[5.2] The personal data provided by the subscriber as well as data on the type and frequency of his use of the services provided by Sky are processed by Sky and stored within the statutory retention periods (in particular according to UGB and BAO), insofar as this is necessary for the Fulfillment of the contract, in particular for the implementation of customer service and the settlement of payments, is necessary (Art. 6 Para. 1 lit. b GDPR). Depending on the respective subscription, the data may be transmitted to third parties who have a contractual relationship with the subscriber (e.g. IPTV provider) and to service providers who provide services on behalf of Sky (order processing, Art. 28 GDPR). If a Sky service provider is located in a third country, suitable measures (in particular the use of EU standard contractual clauses) are used to ensure that the subscriber's rights as the data subject are preserved. "

In accordance with Art.13 (1) (e) GDPR, Sky may have to provide information about the recipients or categories of recipients of personal data and, in accordance with lit. Communicate guarantees. Even if it was assumed that the naming of recipient categories is sufficient, the information requirements according to Art 13 GDPR are not complied with, according to the HG Vienna. Since the clause is only exemplary - "e.g. IPTV provider "- there are obviously several recipients of data that were not named. The court also concluded that the naming of “service providers” does not represent a comprehensible recipient category. Furthermore, the clause does not disclose whether an adequacy decision or other suitable guarantees exist for the transfer to third countries. The clause consequently violates the principle of transparency within the meaning of Art 5 Paragraph 1 lit a GDPR. This also applies to the reference in the clause that processed data is stored “within the statutory retention requirements (in particular according to UGB and BAO)”. The average consumer does not know which regulations are specifically referred to or how long these deadlines are. In addition, according to the court, there is a violation of Section 6 (3) KSchG.



Clause 3: "[5.7] So that the subscriber can make the best possible use of the Sky offer and purchase (possibly other) Sky products that are of interest to him, Sky uses address data that Sky has received in connection with the subscription contract to provide the subscriber, including via the Contract period to send information on Sky products from the area of pay TV by post (direct mail). "

From the sentence following the clause it emerges: "For this purpose, Sky may process further framework data from the subscription contract". The General Data Protection Regulation within the meaning of Art 4 Z 2 GDPR defines “processing”, among other things, also as “disclosure through transmission”. However, this also leaves the possible recipients of this data processing completely open, as it can be passed on to unspecified third parties using the term "processing". In any case, the clause is not transparent, according to the court.



The judgment is not final (as of June 29, 2021).
HG Vienna May 26th, 2021, 57 Cg 32 / 20m
Legal representative: Dr. Stefan Langer, lawyer in Vienna

To the news.
  

  
  

  
    
      Share this post

      
        
      

      
        
      

      
        
      

      
        
      

    
  
  


    
  
    Sky: Comparison of customer data not permitted
  
  


  

    
      
          June 29, 2021

                                    Telecommunication & Media
      

      
    

  



  
    
      In order to check whether existing customer data is still up-to-date, Sky Österreich Fernsehen GmbH wanted to send it to Austrian Post for comparison. Sky Austria therefore sent customers an email to this effect. The VKI sued on behalf of the Ministry of Social Affairs. The HG Vienna found the clause in the emails and data protection clauses in the terms and conditions to be inadmissible.
    
  


  
    In May 2020, Sky Austria informed its customers via email about an imminent comparison of customer data with Austrian Post. If data has changed, it would be updated. The comparison was carried out without consent. Consumers should have actively contradicted the data exchange.

The HG Vienna refused to interrupt the proceedings in advance. The court rejects the objection that the VKI is not legitimate because the Austrian legislator has not implemented Art 80 (2) GDPR. An agreement on the active legitimation of the VKI would be incompatible with Article 7 (2) of the Clause RL (Directive 93/13 / EEC), according to the Vienna Commercial Court. The fact that compliance with the provisions of the Clause RL also corresponds to the will of the EU legislature in the area of application of the GDPR results from recital 42 of the GDPR, which expressly refers to this. The decision 4 Ob 84 / 19k brought into the meeting by the defendant, however, was based on a different situation because it was not a representative action according to § 28 KSchG.

The active legitimation of the plaintiff association is given based on these considerations. The court therefore saw no reason to interrupt the proceedings until the final decision of the ECJ in case C-319/20 or the BGH in proceedings on I ZR 186/17 was available.



Clause 1: "For this purpose, we will give your data to Austrian Post for comparison (based on legitimate interest, Art. 6 I f GDPR). If something has changed, your data will be updated.

If you do not agree with this review, you have the option here to object until May 20th, 2020. "

The HG Vienna found this clause inadmissible for several reasons. It violates the principle of legality, good faith, transparency, purpose limitation and data minimization within the meaning of Art 5 Paragraph 1 lit a, b, c GDPR and violates the requirement of correctness within the meaning of Art 5 Paragraph 1 lit d GDPR. The clause is also non-transparent within the meaning of Section 6 (3) KSchG and violates the basic right to data protection within the meaning of Section 1 DSG. In addition, it is an unlawful further processing of data according to Art 6 Para 4 GDPR.

With regard to the verification of the data, Sky relies on a legitimate interest within the meaning of Art 6 Paragraph 1 lit f GDPR. According to the court, however, there is no such thing. According to the terms and conditions, messages to the last known address of consumers are deemed to have been received. It is therefore not necessary to check the data via comparison. The clause is therefore unlawful and violates Art 5 Para 1 lit a GDPR and, subsequently, the fundamental right to data protection in accordance with Section 1 GDPR.

Furthermore, the clause violates the requirement of correctness within the meaning of Art 5 Para 1 lit c GDPR, since when comparing with the Post no consideration is given to whether the data is correct or not. Since there is no guarantee that consumers will disclose their correct data to Swiss Post, it cannot be ruled out that correct data would be corrected for incorrect data as a result of the data comparison.

According to the court, the purpose-changing further processing within the meaning of Art 6 (4) GDPR, which was put forward by the defendant, fails due to the compatibility check. When concluding a contract, consumers could not expect their data to be checked by passing it on to a third party. Furthermore, the clause does not stipulate which data are specifically passed on to Austrian Post, so that there is also a violation of Art 5 Para. 1 lit c GDPR ("data minimization"), according to which the processing of personal data is appropriate and significant for the purpose as well as on the must be limited to the extent necessary for the purposes of processing.

The court also found the clause to be non-transparent within the meaning of Section 6 (3) KSchG. Consumers cannot understand whether they are obliged to check changes to this comparison or whether incorrectly addressed mailings from the defendant are now at their expense.



Clauses from Sky Austria's GTC:



Clause 2: "[5.2] The personal data provided by the subscriber as well as data on the type and frequency of his use of the services provided by Sky are processed by Sky and stored within the statutory retention periods (in particular according to UGB and BAO), insofar as this is necessary for the Fulfillment of the contract, in particular for the implementation of customer service and the settlement of payments, is necessary (Art. 6 Para. 1 lit. b GDPR). Depending on the respective subscription, the data may be transmitted to third parties who have a contractual relationship with the subscriber (e.g. IPTV provider) and to service providers who provide services on behalf of Sky (order processing, Art. 28 GDPR). If a Sky service provider is located in a third country, suitable measures (in particular the use of EU standard contractual clauses) are used to ensure that the subscriber's rights as the data subject are preserved. "

In accordance with Art.13 (1) (e) GDPR, Sky may have to provide information about the recipients or categories of recipients of personal data and, in accordance with lit. Communicate guarantees. Even if it was assumed that the naming of recipient categories is sufficient, the information requirements according to Art 13 GDPR are not complied with, according to the HG Vienna. Since the clause is only exemplary - "e.g. IPTV provider "- there are obviously several recipients of data that were not named. The court also concluded that the naming of “service providers” does not represent a comprehensible recipient category. Furthermore, the clause does not disclose whether an adequacy decision or other suitable guarantees exist for the transfer to third countries. The clause consequently violates the principle of transparency within the meaning of Art 5 Paragraph 1 lit a GDPR. This also applies to the reference in the clause that processed data is stored “within the statutory retention requirements (in particular according to UGB and BAO)”. The average consumer does not know which regulations are specifically referred to or how long these deadlines are. In addition, according to the court, there is a violation of Section 6 (3) KSchG.



Clause 3: "[5.7] So that the subscriber can make the best possible use of the Sky offer and purchase (possibly other) Sky products that are of interest to him, Sky uses address data that Sky has received in connection with the subscription contract to provide the subscriber, including via the Contract period to send information on Sky products from the area of pay TV by post (direct mail). "

From the sentence following the clause it emerges: "For this purpose, Sky may process further framework data from the subscription contract". The General Data Protection Regulation within the meaning of Art 4 Z 2 GDPR defines “processing”, among other things, also as “disclosure through transmission”. However, this also leaves the possible recipients of this data processing completely open, as it can be passed on to unspecified third parties using the term "processing". In any case, the clause is not transparent, according to the court.



The judgment is not final (as of June 29, 2021).
HG Vienna May 26th, 2021, 57 Cg 32 / 20m
Legal representative: Dr. Stefan Langer, lawyer in Vienna

To the news.