GDPRhub - New pages [en] (2024-03-19T06:43:06Z). From GDPRhub.
CJEU - C‑479/2 - OC v Commission (https://gdprhub.eu/index.php?title=CJEU_-_C%E2%80%91479/2_-_OC_v_Commission), 2024-03-18T22:35:26Z
<p>So.h: </p>
<hr />
<div>{{CJEUdecisionBOX<br />
<br />
|Case_Number_Name=C‑479/2 OC v Commission<br />
|ECLI=ECLI:EU:C:2024:215<br />
<br />
|Opinion_Link=<br />
|Judgement_Link=https://curia.europa.eu/juris/document/document.jsf?text=&docid=283526&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=3322609<br />
<br />
|Date_Decided=07.03.2024<br />
|Year=2024<br />
<br />
|GDPR_Article_1=Article 4(1) GDPR<br />
|GDPR_Article_Link_1=Article 4 GDPR#1<br />
|GDPR_Article_2=<br />
|GDPR_Article_Link_2=<br />
|GDPR_Article_3=<br />
|GDPR_Article_Link_3=<br />
<br />
|EU_Law_Name_1=2018/1725<br />
|EU_Law_Link_1=https://eur-lex.europa.eu/eli/reg/2018/1725/oj<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
|EU_Law_Name_3=<br />
|EU_Law_Link_3=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=OC<br />
|Party_Link_1=<br />
|Party_Name_2=European Commission <br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
<br />
|Reference_Body=<br />
|Reference_Case_Number_Name=<br />
<br />
|Initial_Contributor=so.h<br />
|<br />
}}<br />
<br />
The CJEU held that the definition of personal data does not depend on whether an 'average reader' can identify the data subject.<br />
<br />
==English Summary==<br />
<br />
=== Facts ===<br />
This is an appeal of the earlier case [[T‑384/20 - OC v European Commission]]. <br />
<br />
The claimant (OC) appealed the General Court’s decision on three grounds: that the General Court had legally misinterpreted the definition of personal data, and that it had failed to observe proper administrative procedures when making its judgment (the right to a presumption of innocence and the right to good administration under the Charter of Fundamental Rights). <br />
<br />
On the concept of personal data, the claimant argued that the General Court had legally misinterpreted the concept of an ‘identifiable natural person’. They used two points to make this argument: <br />
<br />
1) Identifiability is not tied to whether an “average reader” can identify you. The case law states that identifiability depends on whether an individual holds ‘additional factors...necessary for identification... [these factors] can be available to a person other than the controller’ (see C-582/14 at para 39 and 41). The General Court’s use of an average reader (at para 32) does not analyse the factors that the specific reader in the case holds. Thus, contra the case law, it does not test whether a person has the additional factors needed for identification. The General Court’s novel use of this test is therefore erroneous. <br />
<br />
2) The General Court had erred in arguing that the ‘means reasonably likely’ to be used to identify a data subject (recital 26 GDPR and recital 16 EUDPR) were limited. Rather, the court should have looked at the costs and time required for the identification of the claimant to determine whether the claimant could be identified using ‘reasonable means’. This would be in line with what the recital actually states (at para 33). <br />
<br />
The Commission asked for these two points, and subsequently the crux of the first ground, to be declared inadmissible by the court (at para 34).<br />
<br />
=== Holding ===<br />
The Court held that the General Court had made several errors of law and that the first ground of appeal must be upheld. <br />
<br />
First, the Court noted that the EUDPR (Regulation 2018/1725) and the GDPR share the same definition of personal data. Given that the legislator (at recitals 4 and 5 of 2018/1725) intended to establish an equivalent law to the GDPR, both regimes must be read in the same way (at para 43). <br />
<br />
Second, identifiability is defined by Article 3(1) 2018/1725 [[Article 4 GDPR|(Article 4(1) GDPR)]]. The use of the word ‘indirectly’ in these Articles means that it is not necessary for information alone to be the factor that identifies someone (at para 47). It is not required that all the information enabling the identification be in the hands of one person (at para 48). The fact that additional information is necessary to identify a data subject does not mean that the data cannot be classified as personal (at para 44).<br />
<br />
Third, it is ‘reasonably likely’ that combining OLAF’s press report with additional information would be used as a way to identify the claimant (at para 50). The General Court had been wrong to limit this ‘reasonable means’ test by confusing it with liability. Article 3(1) 2018/1725 states that only acts attributable to an EU Institution can give rise to liability on the part of the European Union; the General Court took this to mean that the identification of the claimant must have resulted from the press release alone (at para 52). On the facts, the German journalist who identified the claimant had specialist information, and so the General Court ruled that these were not ‘reasonable means’ and that the claimant could not be identified (at para 53). The Court made clear that liability and identification are separate (at para 54). The fact that additional information is needed and that it comes from a source other than the controller does not rule out the identifiable nature of the claimant and thus the personal nature of the data (at para 55). This is supported by the fact that recital 16 (recital 26 GDPR) specifies that identification can come from ‘any other person’. <br />
<br />
Fourth, the Court rejected the General Court’s invention of an ‘average reader’. The General Court had invented this test and used it for the first time in [[T‑384/20 - OC v European Commission]]. The fact that the reader of the press release is a journalist cannot lead to the conclusion that data is not personal (at para 58). <br />
<br />
Last, the Court looked at the facts of the case and determined that the fact that the press release contained the claimant’s gender, nationality, father’s occupation, grant amount for a scientific project and the geographical location of the entity hosting that project would together allow the claimant to be identifiable (at para 61). Furthermore, the Court applied the ‘reasonable means’ test and determined that identification could occur without a disproportionate effort in terms of time, cost and labour. There is no obligation on the claimant to prove that they had actually been identified by the time of the case, as no such condition is contained in Article 3(1) 2018/1725 [[Article 4 GDPR|(Article 4(1) GDPR)]]. It follows that the General Court erred in finding that the claimant was not identifiable and that, therefore, the data was not personal.<br />
<br />
The Court also upheld the second ground of appeal (presumption of innocence) and partially upheld the third ground of appeal (right to good administration). The Court sent the case back to the General Court to be decided again. <br />
<br />
== Comment ==<br />
This is a potentially landmark case. The Court has gone the furthest since Breyer in scoping out what identifiability means as well as how the test of ‘reasonable means’ (recital 26 GDPR) relates to it.<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''</div>
So.h
AEPD (Spain) - EXP202202954 (https://gdprhub.eu/index.php?title=AEPD_(Spain)_-_EXP202202954), 2024-03-18T17:51:59Z
<p>Lm: </p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Spain<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoES.jpg<br />
|DPA_Abbrevation=AEPD<br />
|DPA_With_Country=AEPD (Spain)<br />
<br />
|Case_Number_Name=EXP202202954<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Agencia Española de Protección de Datos<br />
|Original_Source_Link_1=https://www.aepd.es/documento/ps-00070-2023.pdf<br />
|Original_Source_Language_1=Spanish<br />
|Original_Source_Language__Code_1=ES<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Started=31.01.2022<br />
|Date_Decided=26.01.2024<br />
|Date_Published=<br />
|Year=2024<br />
|Fine=<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 5(1)(c) GDPR<br />
|GDPR_Article_Link_1=Article 5 GDPR#1c<br />
|GDPR_Article_2=Article 6(1)(c) GDPR<br />
|GDPR_Article_Link_2=Article 6 GDPR#1c<br />
|GDPR_Article_3=Article 9(1) GDPR<br />
|GDPR_Article_Link_3=Article 9 GDPR#1<br />
|GDPR_Article_4=<br />
|GDPR_Article_Link_4=<br />
|GDPR_Article_5=<br />
|GDPR_Article_Link_5=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=Articulo 20(a), Ley Orgánica 3/2007, de 22 de marzo, para la igualdad efectiva de mujeres y hombres<br />
|National_Law_Link_1=https://www.boe.es/buscar/act.php?id=BOE-A-2007-6115<br />
|National_Law_Name_2=Articulo 26, Ley 12/1989, de 9 de mayo, de la Función Estadística Pública<br />
|National_Law_Link_2=https://www.boe.es/buscar/doc.php?id=BOE-A-1989-10767<br />
|National_Law_Name_3=Ley 2/2021, de 7 de junio, de igualdad social y no discriminación por razón de identidad de género, expresión de género y características sexuales<br />
|National_Law_Link_3=https://www.boe.es/buscar/act.php?id=BOE-A-2021-11382<br />
|National_Law_Name_4=<br />
|National_Law_Link_4=<br />
|National_Law_Name_5=<br />
|National_Law_Link_5=<br />
<br />
|Party_Name_1=Consejería de Economía, Conocimiento y Empleo<br />
|Party_Link_1=https://www.gobiernodecanarias.org/ece/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Not appealed<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=lm<br />
|<br />
}}<br />
<br />
The DPA imposed warning fines on a government agency that included ‘nonbinary’ as a response in a form question about sex, finding that the response constituted processing of a special category of data and violated the principle of data minimization.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
On 31 January 2022, a complaint was filed with the Spanish DPA concerning a government webpage that required certain personal data to submit a form for conciliation of labor disputes to the Canary Islands’ Department of Economy, Knowledge and Employment (controller). In particular, the form included a question concerning sex/gender that obliged a response of man, woman, or nonbinary. The complainant argued that the nonbinary response required disclosure of personal data related to sexual orientation and that such data is beyond the scope of the controller’s legal basis and the form’s purpose. <br />
<br />
The controller argued that there was no violation of Article 5(1)(c) or 9(1) GDPR and that it was in fact required to collect such information under Spanish law. In particular, Article 26 of Law 12/89 and Article 20(a) of Law 3/2007 obliges public institutions to collect sex/gender information in all forms for statistical purposes.<br />
<br />
=== Holding ===<br />
The DPA found that the controller exceeded its legal basis for processing under [[Article 6 GDPR#1c|Article 6(1)(c) GDPR]], violated the data minimisation principle under [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]], and improperly processed a special category of information under [[Article 9 GDPR#1|Article 9(1) GDPR]]. <br />
<br />
First, in finding a violation of [[Article 6 GDPR#1c|Article 6(1)(c) GDPR]], the DPA determined that the controller exceeded their legal basis for processing under Spanish legal requirements. A number of Spanish laws including Article 20 of Law 3/2007 and Article 26 of Law 12/1989 require public institutions to collect data about the applicant’s sex for statistical purposes and monitoring of gender equality. Article 26 of Law 12/1989 specifies ‘woman’ and ‘man’ as the responses to inquiries about sex. On the other hand, the DPA noted that no Spanish laws obliging sex to be documented require the nonbinary response to be included. Including it as a response thus exceeded the scope of the legal requirements that formed the basis for processing under [[Article 6 GDPR#1c|Article 6(1)(c) GDPR]]. <br />
<br />
Second, the DPA held that the nonbinary response collected personal data that was not necessary for the purpose of processing in violation of [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]]. It considered that the nonbinary response was not related to the purpose for which data was being collected in the form, which related to labor disputes between employers and employees. <br />
<br />
Finally, the DPA determined that the controller processed special categories of information prohibited under [[Article 9 GDPR#1|Article 9(1) GDPR]]. Though it noted that gender identity and sexual orientation are distinct, the DPA determined that a response other than man or woman (in this case, nonbinary) can still be considered to relate to sexual life, even if the form does not explicitly refer to sexual orientation or sex life. There was no applicable exception to the prohibition on processing of special categories in this case under Article 9(2) GDPR. As a result, the DPA concluded that the nonbinary response violated [[Article 9 GDPR#1|Article 9(1) GDPR]].<br />
<br />
The DPA imposed undisclosed warning sanctions for the controller’s violations of [[Article 5 GDPR#1c|Article 5(1)(c)]] and [[Article 9 GDPR#1|9(1) GDPR]] pursuant to [[Article 83 GDPR#5a|Article 83(5)(a) GDPR]]. It also ordered the controller to bring processing operations into compliance by removing the nonbinary response from inquiries about sex/gender, not only in the form at issue in the case but also more broadly in the processing of forms and documents before its public institutions altogether.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.<br />
<br />
<pre><br />
And in its article 72, it considers for the purposes of prescription, which are: “Infringements<br />
considered very serious:<br />
1. Based on what is established in article 83.5 of Regulation (EU) 2016/679,<br />
considered very serious and will prescribe after three years the infractions that involve<br />
a substantial violation of the articles mentioned therein and, in particular, the<br />
following:<br />
a) The processing of personal data violating the principles and guarantees<br />
established in article 5 of Regulation (EU) 2016/679.<br />
(…)”.<br />
VII<br />
Second unfulfilled obligation: violation of article 9.1 of the GDPR<br />
Article 9 of the GDPR states:<br />
"1. The processing of personal data that reveals ethnic origin is prohibited<br />
or racial, political opinions, religious or philosophical convictions, or affiliation<br />
union, and the processing of genetic data, biometric data aimed at identifying<br />
univocally to a natural person, data relating to health or data relating to<br />
“the sexual life or sexual orientation of a natural person.”<br />
And in section 2:<br />
"2. Section 1 will not apply when one of the circumstances occurs<br />
following:<br />
a) the interested party gave explicit consent for the processing of said data<br />
personal data for one or more of the specified purposes, except when the Right to<br />
the Union or the Member States establishes that the prohibition referred to in<br />
section 1 cannot be lifted by the interested party;”<br />
Also article 9.1 of the LOPDGDD that:<br />
"1. For the purposes of article 9.2.a) of Regulation (EU) 2016/679, in order to avoid<br />
discriminatory situations, the mere consent of the affected person will not be enough to<br />
lift the prohibition on the processing of data whose main purpose is to identify<br />
your ideology, union membership, religion, sexual orientation, beliefs or racial origin or<br />
ethnic."<br />
There is a special category of personal data, collected in the article<br />
9.1 RGPD, which differs from the rest of personal data in that its processing is<br />
is prohibited. However, this prohibition is not applicable in certain cases<br />
when any of the exceptions contemplated in article 9.2 do not apply<br />
of the GDPR.<br />
The Sentence handed down by the T.C. 67/2022, of 06/02/022, appeal for protection 6375-<br />
2019, considers the question raised to be of special constitutional importance because<br />
allows him to establish doctrine on a problem related to a fundamental right that does not<br />
C/ Jorge Juan, 6 www.aepd.es<br />
28001 – Madrid sedeagpd.gob.es<br />
had been sufficiently treated, defining in the presence of what cause of<br />
discrimination we find when analyzing the assumption that is presented for its<br />
analysis, starting from the distinction between the notions of sex and gender, without forgetting<br />
personal conditions such as sexual orientation and identity<br />
gender.<br />
“Sex, which allows people to be identified as female living beings,<br />
masculine or intersex, is given by a complex series of characteristics<br />
morphological, hormonal and genetic, to which certain<br />
physical characteristics and potentialities that define us. Features such as<br />
example and without intending to formulate an exhaustive description, the internal genitalia and<br />
external factors, hormonal structure and chromosome structure (characteristics<br />
primary) or muscle mass, hair distribution and height (characteristics<br />
high schools).<br />
These biological characters, which may not be mutually exclusive in<br />
statistically exceptional situations, such as those that occur in people<br />
intersex, tend to formulate a binary classification, and only exceptionally<br />
tertiary, of the living beings of the human species.”<br />
For its part, although gender is connected to the realities or characteristics<br />
biological, does not fully identify with them, but rather defines the social identity<br />
of a person based on the social, educational and cultural constructions of the<br />
roles, personality traits, attitudes, behaviors and values<br />
that are associated or attributed, differentially, to men and women, and that include<br />
norms, behaviors, roles, external appearance, image and social expectations<br />
associated with one or another gender. While sex is linked to the concurrence of<br />
a series of objectively identifiable or measurable physical characters, the characters<br />
associated with gender are relative and circumstantial and can vary from one society to<br />
another and from one historical time to another.”<br />
And he continues “Sex and gender are not mutually exclusive, but neither are they<br />
synonyms, in such a way that their translation to the legal field requires assuming the difference<br />
existing between the two to evaluate the normative consequences of such a distinction and<br />
ensure adequate respect for legal certainty (art. 9.3 CE). He comes to verify the<br />
distinction between both notions, from the legal point of view, the mention<br />
differentiated to sex and gender, as diverse characteristics of the human being,<br />
contained in art. 4.3 of the Council of Europe Convention on prevention and control<br />
against violence against women and domestic violence (Istanbul Convention,<br />
of 2011), when it establishes that the "application by the parties of the provisions of the<br />
this Convention, in particular measures to protect the rights of<br />
victims, must be ensured without any discrimination, based in particular on the<br />
sex, gender […] sexual orientation, gender identity, […] or any other<br />
situation". Regardless of the normative scope given to the notions of<br />
sex and gender, neither one nor the other can be defined in a strict sense as rights,<br />
but as conditions or states that have an impact on the exercise of rights<br />
fundamental and that make up one of the many identity elements that can<br />
come to define the right to personal self-determination or to develop, with full<br />
respect for human dignity (art. 10 CE), one's own personal identity.”<br />
Also the T.C. in his sentence he refers to the sexual orientation and identity of<br />
gender, pointing out that “Sexual orientation and gender are also personal conditions.”<br />
gender identity, the first referring to the preference for establishing relationships<br />
affective relationships with people of either sex, and the second to the identification of a<br />
person with gender-defining characteristics that may or may not coincide with<br />
the sex attributed to it, by virtue of the predominant biological characteristics that<br />
presented since birth. But in addition to being personal conditions, they are<br />
elements fundamentally linked to the right to develop a<br />
certain private and family life (art. 8 ECHR), as derived from a<br />
consolidated jurisprudence of the European Court of Human Rights that attributes<br />
to the concept of "private life" a broad definition, which encompasses the right to<br />
physical and psychological integrity of a person, including in that notion of integrity<br />
your sexual life and sexual orientation…; some aspects of physical identity and<br />
social of the person…; or the gender identity of trans people… Furthermore, the<br />
art. 8 ECHR protects the right of transgender people to personal development and<br />
physical and moral security.”<br />
It must be remembered that the variable present in the form was “sex/gender”, and<br />
the possible answers or options “man/woman/non-binary”.<br />
The model form with the question raised by the respondent does not comply with the<br />
purpose pursued, supposedly to obtain data for statistical purposes,<br />
issue that has already been explained in the previous foundations and that violates the<br />
principle of minimization because it is considered that the data collected in this way does not<br />
They are necessary and excessive.<br />
On the other hand, the inclusion of the non-binary response/option within the variable<br />
sex/gender is also not related stricto sensu to the sex option, which would be the<br />
included in the standard for statistical purposes in order to effectively guarantee the<br />
integration of the gender perspective in its scope of action in accordance with<br />
Article 20.a) of Organic Law 3/2007, for the effective equality of women and<br />
men and article 11 of law 1/2020, Canary Islands on Equality between Women and<br />
Men, who similarly establish: a) Systematically include the variable<br />
sex in the statistics, surveys and data collection that they carry out”, but rather<br />
would link with a question of gender identity and that is introduced in the<br />
form without any justification.<br />
The inclusion of said response in the “sex” variable alters the meaning of the norms<br />
since in the planned data collection the concept would normally be modified<br />
accepted when moving to the concept of “felt sex”, embedded in the identity of<br />
gender.<br />
The completion of said variable is based on the standards defined by the INE,<br />
which in relation to the statistical variable "sex" indicates the following: "Sex is<br />
refers to the biological sex of the person. According to the WHO, “sex” refers to the<br />
biological and physiological characteristics that define men and women”, while<br />
What “gender” refers to refers to the social and cultural construction that defines<br />
different emotional, affective, intellectual characteristics, as well as the<br />
behaviors that each society assigns as typical and natural of men or<br />
of women, but there may be people who do not identify with these characteristics<br />
of men and women and thus, apart from the masculine and feminine there would be other genders. Of<br />
In this way, there are as many genders as there are identities, and therefore as many identity identities.<br />
gender as people.<br />
While “sexual orientation” is the emotional, romantic, sexual and<br />
psychological that the person feels in a sustained way over time and is described<br />
different from gender identity.<br />
The Universal Declaration of Human Rights, the International Covenant on Rights<br />
Civil and Political Rights and the International Covenant on Economic, Social and<br />
Cultural rights include in their guarantees on non-discrimination, lists of fundamentals<br />
prohibited from discrimination. These lists do not explicitly mention the orientation<br />
sexual or gender identity, but conclude with the expressions “any other<br />
condition” or “any other social condition.” The use of these expressions shows<br />
that the intention was for these lists to be open and illustrative; In other words, the<br />
foundations of discrimination are not closed.<br />
It is clear that sexual orientation and gender identity are different aspects. In<br />
its jurisprudence, general observations and concluding observations, the organs of the<br />
United Nations treaties have uniformly held that<br />
sexual orientation and gender identity are prohibited grounds of<br />
discrimination under international law. Furthermore, it has been a long time since<br />
special procedures of the Human Rights Council have recognized the<br />
discrimination that exists due to sexual orientation and gender identity.<br />
In the same sense, various mechanisms for the protection of Human Rights<br />
international level, such as the Committees, have affirmed that States have the<br />
obligation to protect people from discrimination due to their orientation<br />
sexual. This position is reflected in decisions of the Human Rights Committee<br />
Humans – (Toonen v. Australia case 1994) and in general observations of the<br />
Committee on Economic, Social and Cultural Rights, of the Committee on Human Rights<br />
of the child of the committee against torture, of the committee for the elimination of discrimination<br />
against women. For example, in its general comment, the human rights committee<br />
economic, social and cultural aspects points out that the States parties must ensure<br />
that a person's sexual preferences do not constitute an obstacle to doing<br />
reality the rights recognized by the pact. Gender identity is also<br />
recognized as a prohibited ground of discrimination. The Committee on the Rights of<br />
Niño has interpreted that the right to non-discrimination in article 2 of the<br />
Convention on the Rights of the Child includes sexual orientation and identity of<br />
gender.<br />
Now, the introduction of gender identity, identifying its holder, would have<br />
must be carried out in any case, as long as there is a relationship between what is being asked, with<br />
the purpose for which you want to obtain it so that the data must be processed, without<br />
try to obtain the data for the sake of having it, without any specific purpose and, in this case,<br />
the form “Prior conciliation in labor disputes” and whose purpose is for the<br />
employers and workers involved in labor-related claims achieve<br />
compromise and agreement avoiding judicial proceedings, the inclusion of the<br />
gender issue, nor is this aspect examined or considered, so it lacks<br />
It makes no sense to introduce a response with that scope, without any connection to the object<br />
of the same. In that sense, no need is seen in the treatment of said<br />
response when filling out the form.<br />
In any case, a form is presented in which, although it does not explicitly refer to<br />
sexual orientation or sexual life, it can be deduced that if the<br />
male/female response and the non-binary option is noted, it can be considered<br />
related to sexual life, since basically what is being discussed<br />
Manifesto is a question that could be related to expressing your beliefs<br />
since gender identity is an internal issue for each person, as derived from the<br />
definition made by the Inter-American Committee on Human Rights in<br />
compliance with resolution AG/RES. 2653 (XLI-O/11): Human Rights,<br />
Sexual Orientation and Gender Identity, 04/23/2012 which defines it as: “The<br />
Gender identity is the internal and individual experience of gender as each<br />
person experiences it deeply, which may or may not correspond to sex<br />
signed at the moment of birth, including the personal experience of the body (which<br />
could involve modifying bodily appearance or function through<br />
medical, surgical or other techniques, provided that it is freely<br />
chosen) and other expressions of gender, including clothing, speech<br />
and manners.”<br />
That is, he is questioning his perceived sex, with which he identifies, if<br />
coincides with that assigned at birth: female/male, or non-binary, when their sex is felt,<br />
with which he identifies, does not coincide with the one assigned at birth, which goes beyond the objective and<br />
the purpose of the form within the context of Prior Conciliation, which is not<br />
oriented or established in that sense and people should not be forced to<br />
express or declare about your personal and intimate beliefs. This prohibition,<br />
finds its foundation, as indicated in the transcribed precept, in avoiding<br />
discriminatory situations, such as those that could occur when there is an inventory or<br />
record in which the sexual orientation of the people is recorded or collection of the<br />
gender identity without a specific purpose or legitimate basis or belief.<br />
The same ruling of the TC referred to in section 2, of this same<br />
foundation points out in reference to gender identity that: “As it has been<br />
recognized, as an argumentative presupposition in the previous legal basis, the<br />
Gender identity is a circumstance that has to do with the free development of<br />
personality, closely linked to respect for human dignity (art. 10.1 CE),<br />
and this trait of identity, when it does not fit hetero-normative parameters<br />
classics, that is, where gender identity and sex of the person are not<br />
absolutely coincident, can make the individual a creditor of a position of<br />
historically rooted social disadvantage of those prohibited by art. 14 CE.”<br />
However, the prohibition of article 9.1 is not applicable in certain cases when<br />
any of the exceptions contemplated in article 9.2 of the RGPD apply and,<br />
In that sense, in accordance with the aforementioned, in the present case there is no<br />
exception to article 9.2 of the RGPD that lifts the prohibition contained therein.<br />
Therefore, it is concluded that the defendant has violated article 9.1 of the RGPD which<br />
It is classified in article 83.5.e) of the aforementioned Regulation.<br />
VII<br />
Classification of the violation of article 9.1 RGPD<br />
The infraction attributed to the defendant is classified in article 83.5<br />
a) of the RGPD, which considers that the violation of “the basic principles for the<br />
processing, including the conditions for consent pursuant to articles 5,<br />
6, 7 and 9” is punishable, in accordance with section 5 of the aforementioned article 83 of the<br />
cited Regulation.<br />
The LOPDGDD in its article 71, Infractions, states that: “They constitute infractions<br />
the acts and conduct referred to in sections 4, 5 and 6 of article 83 of the<br />
Regulation (EU) 2016/679, as well as those that are contrary to this law<br />
organic”.<br />
And in its article 72, it considers for the purposes of prescription, which are: “Infringements<br />
considered very serious:<br />
1. Based on what is established in article 83.5 of Regulation (EU) 2016/679,<br />
considered very serious and will prescribe after three years the infractions that involve<br />
a substantial violation of the articles mentioned therein and, in particular, the<br />
following:<br />
(…)<br />
e) The processing of personal data of the categories referred to in the article<br />
9 of Regulation (EU) 2016/679, without any of the circumstances occurring<br />
provided for in said precept and in article 9 of this organic law.<br />
(…)”.<br />
VIII<br />
Regime applicable to Public Administrations<br />
Article 83 “General conditions for the imposition of administrative fines” of the<br />
GDPR in section 7 establishes: “Without prejudice to the corrective powers of the<br />
supervisory authorities under Article 58(2), each Member State<br />
may establish rules on whether, and to what extent, fines may be imposed<br />
administrative to authorities and public organizations established in said State<br />
member."<br />
The LOPDGDD in its article 77, Regime applicable to certain categories of<br />
responsible or in charge of the treatment, establishes the following:<br />
"1. The regime established in this article will apply to the treatments of<br />
who are responsible or in charge:<br />
(…)<br />
c) The General Administration of the State, the Administrations of the communities<br />
autonomous and the entities that make up the Local Administration.<br />
(…)<br />
2. When the persons responsible or in charge listed in section 1 commit<br />
any of the infractions referred to in articles 72 to 74 of this law<br />
organic, the competent data protection authority will dictate<br />
resolution declaring the violation and establishing, where appropriate, the measures that<br />
appropriate to adopt to cease the conduct or correct the effects of the infraction<br />
that had been committed, with the exception of that provided for in article 58.2.i of the<br />
Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27,<br />
2016.<br />
The resolution will be notified to the person responsible or in charge of the treatment, to the body of the<br />
that depends hierarchically, if applicable, and to those affected who have the condition<br />
of interested party, if applicable.<br />
3. Without prejudice to what is established in the previous section, the authority for the protection of<br />
data will also propose the initiation of disciplinary actions when there are<br />
sufficient evidence for this. In this case, the procedure and sanctions to apply<br />
will be those established in the legislation on disciplinary or sanctioning regime that<br />
results of application.<br />
Likewise, when the infractions are attributable to authorities and managers, and are<br />
prove the existence of technical reports or recommendations for the treatment that<br />
had not been duly attended to, in the resolution in which the<br />
sanction will include a reprimand with the name of the responsible position and<br />
will order the publication in the Official State or autonomous Gazette that<br />
correspond.<br />
4. The resolutions that<br />
fall in relation to the measures and actions referred to in the sections<br />
previous.<br />
5. They will be communicated to the Ombudsman or, where appropriate, to similar institutions<br />
of the autonomous communities the actions carried out and the resolutions issued<br />
under this article.<br />
6. When the competent authority is the Spanish Data Protection Agency,<br />
This will publish on its website with due separation the resolutions referring to<br />
the entities of section 1 of this article, with express indication of the identity<br />
of the person responsible or in charge of the treatment who had committed the infraction.<br />
When the jurisdiction corresponds to an autonomous authority for the protection of<br />
data will be, regarding the publicity of these resolutions, to what is provided by its<br />
specific regulations.”<br />
In the case examined, the present sanctioning procedure has its cause in the<br />
presumption that the defendant, as stated in the facts, has violated the<br />
regulations on the protection of personal data in relation to the<br />
principle of minimization and the prohibition of data processing especially<br />
protected or sensitive.<br />
In accordance with the evidence available, said conduct constitutes,<br />
by the person complained of the violation of the provisions of articles 5.1.c) and 9.1 of the<br />
GDPR.<br />
It should be noted that the RGPD, without prejudice to the provisions of its article 83,<br />
Article 77 contemplates the possibility of declaring the infringement and establishing the<br />
appropriate measures to correct the processing of personal data that is not<br />
adapt to its forecasts, when the persons responsible or in charge listed in the<br />
section 1 commit any of the infractions referred to in articles 72<br />
to 74 of this organic law.<br />
Additionally, article 58 of the RGPD contemplates in section 2 d) that each<br />
control authority may “order the person responsible or in charge of the treatment to<br />
processing operations comply with the provisions of this<br />
Regulation, where appropriate, in a certain manner and within a period<br />
specified…".<br />
IX<br />
Corrective measures<br />
Once the violations have been confirmed, it is appropriate to impose on the person responsible the adoption of<br />
appropriate measures to adjust its actions to the regulations mentioned in this<br />
act, in accordance with the provisions of the aforementioned article 58.2 d) of the RGPD, according to the<br />
which each control authority may “d) order the person responsible or in charge of the<br />
treatment that the processing operations comply with the provisions of the<br />
this Regulation, where appropriate, in a certain manner and within a<br />
specified period.” The imposition of this measure is compatible with the sanction<br />
consisting of a warning, as provided in art. 83.2 of the GDPR.<br />
Therefore, it would be considered appropriate to order the defendant so that within the period of<br />
six months from the finality of this resolution to adapt the<br />
treatments that are the subject of this procedure to the applicable regulations and<br />
communicate to this organization. The text of this agreement establishes which<br />
were the events that gave rise to the violation of the regulations for the protection of<br />
data, from which it is clearly inferred what measures to adopt, without prejudice<br />
that the type of procedures, mechanisms or specific instruments to<br />
implementing them corresponds to the sanctioned party, since it is the one who fully knows<br />
your organization and must decide, based on proactive responsibility and focus<br />
of risks, how to comply with the RGPD and the LOPDGDD.<br />
These measures could be specified, in which the requirements of the<br />
regulations on data protection regarding the processing carried out<br />
evading the processing of the forms related to “Prior conciliation in<br />
labor conflicts” of claims and legal demands of a labor nature.<br />
non-binary response/option within the sex/gender variable included in the standard a<br />
statistical effects, as well as in all those procedures, forms,<br />
applications and documents processed before their public bodies, implementing the<br />
relevant measures.<br />
Please note that failure to comply with the order imposed by this body may be<br />
considered as an administrative offense in accordance with the provisions of the RGPD,<br />
classified as an infraction in its articles 83.5 and 83.6, and such conduct may be motivated by<br />
opening of a subsequent administrative sanctioning procedure.<br />
Therefore, in accordance with the applicable legislation and evaluated the criteria of<br />
graduation of sanctions whose existence has been proven,<br />
The Director of the Spanish Data Protection Agency,<br />
RESOLVES:<br />
FIRST: Impose on the DEPARTMENT OF ECONOMY, KNOWLEDGE AND<br />
EMPLOYMENT, with NIF S3511001D,<br />
- For violation of article 5.1.c) of the RGPD, typified in article 85.3.a) of the RGPD,<br />
a warning sanction and.<br />
- For a violation of article 9.1 of the RGPD, typified in article 83.5.e) of the<br />
RGPD, a warning sanction.<br />
SECOND: File the DEPARTMENT OF ECONOMY, KNOWLEDGE AND<br />
EMPLOYMENT, with NIF S3511001D, for the violation of article 6.1 of the RGPD, classified<br />
in article 83.5.a) of the RGPD.<br />
THIRD: ORDER the DEPARTMENT OF ECONOMY, KNOWLEDGE AND<br />
EMPLOYMENT, with NIF S3511001D, which by virtue of article 58.2.d) of the RGPD, in the<br />
within six months from when this resolution is final and enforceable, accredit<br />
having proceeded to comply with what is stated therein, adjusting its actions to<br />
the data protection regulations, in the terms established in the Fundamentals<br />
of Law IX, especially regarding the treatments it carries out, avoiding in the<br />
processing of forms and documents before their public bodies, not<br />
only, as in the case analyzed, those related to “Prior conciliation in labor<br />
conflicts” of claims and legal demands of a labor nature, the<br />
non-binary response/option within the sex/gender variable, implemented and<br />
collected for statistical purposes, implementing and establishing the relevant measures.<br />
FOURTH: NOTIFY this resolution to the DEPARTMENT OF ECONOMY,<br />
KNOWLEDGE AND EMPLOYMENT.<br />
FIFTH: COMMUNICATE this resolution to the Ombudsman, in accordance<br />
with the provisions of article 77.5 of the LOPDGDD.<br />
In accordance with the provisions of article 50 of the LOPDGDD, this<br />
Resolution will be made public once it has been notified to the interested parties.<br />
Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the<br />
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the<br />
Interested parties may optionally file an appeal for reconsideration before the<br />
Director of the Spanish Data Protection Agency within a period of one month to<br />
count from the day following the notification of this resolution or directly<br />
contentious-administrative appeal before the Contentious-administrative Chamber of the<br />
National Court, in accordance with the provisions of article 25 and section 5 of<br />
the fourth additional provision of Law 29/1998, of July 13, regulating the<br />
Contentious-administrative Jurisdiction, within a period of two months from the<br />
day following the notification of this act, as provided for in article 46.1 of the<br />
referred Law.<br />
Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP,<br />
may provisionally suspend the final resolution through administrative channels if the<br />
interested party expresses his intention to file a contentious-administrative appeal.<br />
If this is the case, the interested party must formally communicate this fact through<br />
writing addressed to the Spanish Data Protection Agency, presenting it through<br />
of the Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronica-web/],<br />
or through any of the other registries provided for in art. 16.4 of the<br />
cited Law 39/2015, of October 1. You must also transfer to the Agency the<br />
documentation that proves the effective filing of the contentious appeal<br />
administrative. If the Agency was not aware of the filing of the appeal<br />
contentious-administrative within a period of two months from the day following the<br />
notification of this resolution would terminate the precautionary suspension.<br />
Sea Spain Martí<br />
Director of the Spanish Data Protection Agency<br />
</pre></div>Lmhttps://gdprhub.eu/index.php?title=UODO_(Poland)_-_DKN.5131.42.2022UODO (Poland) - DKN.5131.42.20222024-03-18T17:26:36Z<p>Im: Created page with "{{DPAdecisionBOX |Jurisdiction=Poland |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoPL.png |DPA_Abbrevation=UODO |DPA_With_Country=UODO (Poland) |Case_Number_Name=DKN.5131.42.2022 |ECLI= |Original_Source_Name_1=UODO |Original_Source_Link_1=https://www.uodo.gov.pl/decyzje/DKN.5131.42.2022 |Original_Source_Language_1=Polish |Original_Source_Language__Code_1=PL |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Original_Source_Language..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Poland<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoPL.png<br />
|DPA_Abbrevation=UODO<br />
|DPA_With_Country=UODO (Poland)<br />
<br />
|Case_Number_Name=DKN.5131.42.2022<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=UODO<br />
|Original_Source_Link_1=https://www.uodo.gov.pl/decyzje/DKN.5131.42.2022<br />
|Original_Source_Language_1=Polish<br />
|Original_Source_Language__Code_1=PL<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Started=27.07.2022<br />
|Date_Decided=19.12.2023<br />
|Date_Published=14.03.2024<br />
|Year=2023<br />
|Fine=2,324<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 33 GDPR<br />
|GDPR_Article_Link_1=Article 33 GDPR<br />
|GDPR_Article_2=Article 34(1) GDPR<br />
|GDPR_Article_Link_2=Article 34 GDPR#1<br />
|GDPR_Article_3=Article 34(2) GDPR<br />
|GDPR_Article_Link_3=Article 34 GDPR#2<br />
|GDPR_Article_4=Article 55(3) GDPR<br />
|GDPR_Article_Link_4=Article 55 GDPR#3<br />
|GDPR_Article_5=<br />
|GDPR_Article_Link_5=<br />
|GDPR_Article_6=<br />
|GDPR_Article_Link_6=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=Sąd Okręgowy w Krakowie<br />
|Party_Link_1=https://krakow.so.gov.pl/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=im<br />
|<br />
}}<br />
<br />
The DPA found that the District Court of Kraków failed to notify a personal data breach related to legal proceedings, resulting in a fine of €2,324.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The Polish Minister of Foreign Affairs ('Minister') informed the DPA that the Consulate General of the Republic of Poland ('Consulate') sent, at the request of the District Court of Kraków ('Court'), correspondence through a postal operator to an addressee. The infringement covered various categories of personal data, namely first and last names, ID numbers, addresses of residence, dates of birth, bank account numbers and photographs. Personal data of two children were also breached.<br />
<br />
The addressee informed the Consulate that the delivered parcel was damaged, additionally wrapped and incomplete. <br />
<br />
The DPA identified the Court as a controller of the data affected by the breach. It invited the Court to indicate whether a risk analysis had been done to assess whether a data protection breach required notifying the President of the Data Protection Authority (DPA) and the affected individuals. In its defence, the Court referred to Article 175dd of the Law on the Common Court System, stating that the District Court of Kraków, under the President of the Court of Appeal in Kraków, is responsible for overseeing data processing in court proceedings and legal protection tasks.<br />
<br />
In response, the DPA clarified that it is indeed the competent authority to investigate the infringement in question. However, the Court reiterated its stance, referencing various articles of the Law on the System of Common Courts and a decision by the CJEU from March 24, 2022 (Case C-245/20).<br />
<br />
The Court emphasized that the protection of judicial independence is paramount, stating that judicial functions should be exercised independently without external interference or pressure. It asserted that the administration of justice encompasses all operations related to judicial activities, including informing parties about court proceedings. Additionally, the Court referenced a decision by the DPA (no. ZSOŚS.440.109.2018) regarding the authority's reluctance to interfere with documents collected in court proceedings. <br />
<br />
Consequently, the Court argued that the DPA lacks the authority to control courts in matters related to adjudicatory activities.<br />
<br />
=== Holding ===<br />
In investigating the incident, the DPA assessed whether the reported event constituted a breach of personal data protection and whether the DPA was the competent authority to verify compliance with GDPR by the data controller (the Court) involved in the incident. <br />
<br />
Referencing [[Article 4 GDPR#12|Article 4(12) GDPR]], the DPA found that the event reported by the Minister, involving the delivery of damaged correspondence to the addressee, was considered a breach of personal data protection, as it compromised data confidentiality and availability. The Court did not disprove the occurrence of this event during the proceedings. <br />
<br />
The DPA, as the competent supervisory authority, determined that the delivery of correspondence did not constitute judicial or legal protection by the Court but rather a technical administrative task. Therefore, the DPA was within its rights to assess the infringement. As [[Article 55 GDPR#3|Article 55(3) GDPR]] specifies that supervisory authorities cannot supervise processing operations carried out by courts in the administration of justice, the opposite applies to administrative activities of the court, such as the delivery of correspondence.<br />
<br />
The Court's reference to C-245/20 was deemed unjustified as it pertained to information provision in court proceedings, not administrative activities. The DPA's intervention did not impinge on judicial independence but focused on rectifying data protection irregularities, aligning processing operations with GDPR provisions. These remedial actions did not interfere with pending proceedings or judicial competence but addressed administrative aspects of the court's activities.<br />
<br />
The Court's reference to the decision of the DPA is misapplied. This decision pertained to a case where an individual filed a complaint seeking to be recognized as a party to court proceedings under data protection legislation, not procedural rules. It involved the inclusion of personal data from a law firm's website in a court file by the district court, which the complainant argued was unnecessary as the document was not admitted as evidence. However, the decision by the DPA could not interfere with the Court's decision on evidence admission, as it falls under the court's jurisdiction.<br />
<br />
Furthermore, the Court of Appeal in Kraków cannot be considered the supervisory body over the Court in this case. According to Article 175dd of the Law on the Common Court System, judicial supervisory bodies are not authorized to receive notifications of personal data protection violations or assess high-risk situations resulting from such breaches.<br />
<br />
Consequently, the DPA assessed the incident as a breach of confidentiality and accessibility, regardless of the postal operator's fault. The assessment focused on the failure to report the breach and notify data subjects, which falls within the DPA's jurisdiction without interfering with court decisions.<br />
<br />
The DPA found a breach of [[Article 33 GDPR|Article 33 GDPR]] and Article 34(1) and (2) GDPR resulting in a fine of €2,324.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details.<br />
<br />
<pre><br />
Based on Article. 104 § 1 and art. 105 § 1 of the Act of June 14, 1960, Code of Administrative Procedure (Journal of Laws of 2023, item 775) in connection with Art. 7(1) 1 and 2, art. 60, art. 102 section 1 point 1 and section 3 of the Personal Data Protection Act (Journal of Laws of 2019, item 1781) and Art. 57 section 1 letter a) and letter h), art. 58 section 2 lit. e) and letter i), art. 83 section 1 and 2, art. 83 section 4 lit. a) in connection with Art. 33 section 1, section 3 and section 5 and art. 34 section 1 - 2 and section 4 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation data) (OJ EU L 119 of 4/05/2016, p. 1 and OJ EU L 127 of 23/05/2018, p. 2 and OJ EU L 74 of 4/03/2021, p. 35 ), hereinafter referred to as Regulation 2016/679, after administrative proceedings initiated ex officio regarding violations of the provisions on the protection of personal data by the District Court in Kraków with its registered office in Kraków at ul. Przy Rondo 7, President of the Personal Data Protection Office<br />
<br />
1) finding an infringement by the District Court in Kraków with its registered office in Kraków at ul. At Rondo 7 provisions:<br />
a) Art. 33 section 1 and section 3 of Regulation 2016/679, consisting in failure to report a personal data protection breach to the President of the Personal Data Protection Office without undue delay, no later than 72 hours after discovering the breach,<br />
b) Art. 34 section 1 and section 2 of Regulation 2016/679, consisting in failure to notify data subjects about a breach of personal data protection without undue delay,<br />
2) imposes a penalty on the District Court in Kraków for violating Art. 33 section 1 and section 2 and art. 34 section 1 and section 2 of Regulation 2016/679 an administrative fine in the amount of PLN 10,000 (in words: ten thousand zlotys and 00/100),<br />
3) orders the District Court in Kraków to notify, within 3 days from the date of receipt of this decision, (...) persons, whose data were contained in the documents contained in the damaged postal item (i.e. the plaintiff, the defendant and their two children), about the violation of the protection of their personal data in order to provide them with the information required in accordance with Art. 34 section 2 of Regulation 2016/679, i.e.:<br />
a) description of the nature of the personal data protection breach;<br />
b) name and contact details of the data protection officer or designation of another contact point from which more information can be obtained;<br />
c) description of the possible consequences of the data protection breach personal data, taking into account the categories of persons and the scope of data subject to the breach;<br />
d) a description of the measures applied or proposed by the controller to remedy the breach - including measures to minimize its possible negative effects, taking into account the categories of persons and the scope of data subject to the breach,<br />
4) in other respects discontinues the proceedings.<br />
<br />
Justification<br />
<br />
On July 27, 2022, the Personal Data Protection Office received a notification of a personal data protection breach submitted by the Minister of Foreign Affairs with its registered office in Warsaw at (...) (hereinafter: the Minister), consisting in the delivery to the addressee by the postal operator R. (...) of a damaged and incomplete correspondence containing personal data, sent by the Consulate General of the Republic of Poland in October at the request of the District Court in Krakow with its registered office in Krakow at ul. Przy Rondo 7 (hereinafter: Court or Administrator). As established, the Consulate General of the Republic of Poland in October, in a letter dated (...) July 2022, no. (...), informed the District Court in Kraków about the delivery of a damaged and incomplete shipment to the addressee. The notification of a personal data protection breach made by the Minister was registered under the reference number DKN.5130.8015.2022.<br />
<br />
The President of the Personal Data Protection Office, hereinafter also referred to as the President of the Personal Data Protection Office, as a result of the explanatory proceedings conducted regarding the reported personal data protection breach and the administrative proceedings initiated ex officio regarding the violation of the provisions of Art. 33 and art. 34 section 1-2 of Regulation 2016/679 by the District Court in Kraków, in connection with a breach of personal data protection consisting in "delivery to the addressee by the postal operator R. (...) of damaged and incomplete correspondence containing personal data, sent by the Consulate General of the Republic of Poland in October to request of the District Court in Kraków (...)", established the following factual situation.<br />
<br />
The Minister informed the supervisory authority that the Consulate General of the Republic of Poland in October, July 2022, at the request of the District Court in Kraków, sent correspondence via the postal operator R. (...). The addressee of the correspondence informed on (...) July 2022 the above-mentioned Consulate that he was delivered a damaged shipment and "there may have been a breach of correspondence." The information obtained from the addressee also showed that the correspondence was additionally packed in protective foil to protect the damaged envelope, as well as that it did not contain all documents to be delivered.<br />
<br />
The Consulate General of the Republic of Poland in October informed the Administrator about the event in a letter dated (...) July 2022 (which was delivered on (...) August 2022). Its content shows that the correspondence was delivered to the addressee on (...) July 2022 via the postal operator R. (...). Moreover, this letter also indicated that "the delivered parcel was delivered damaged and incomplete".<br />
<br />
The administrator of the data affected by the breach is the District Court in Kraków as the sender of the shipment.<br />
<br />
In a letter of (...) August 2022, the supervisory authority called on the Court to indicate whether an analysis of the risk of violating the rights and freedoms of natural persons was carried out, necessary to assess whether there was a data protection breach resulting in the need to notify the President of the Personal Data Protection Office and the persons affected by the breach. In a letter of (...) August 2022, the Court indicated that "pursuant to Art. 175dd of the Act on the Organization of Common Courts (...), the body competent to supervise the processing of personal data processed in court proceedings as part of the administration of justice or the implementation of tasks in the field of legal protection, the administrator of which are the courts within the meaning of Art. 174da and 175db is for the District Court in Kraków, President of the Court of Appeal in Kraków (...).”<br />
<br />
In a letter of (...) September 2022, the supervisory authority again turned to the Court, demanding an answer to the question contained in the letter of (...) August 2022, at the same time informing that the President of the Personal Data Protection Office is the supervisory authority in this case and competent to investigate the infringement in question. In response, in a letter of (...) September 2022, the Court maintained its position, again referring to the content of Art. 174 da [no such provision in the Act], Art. 175 db and art. 175 dd of the Act on the Organization of Common Courts[1]. Moreover, the Court referred to the judgment of the Court of Justice of the European Union of 24 March 2022 in case C-245/20, in which the Court noted that "the protection of the independence of the judiciary assumes, in principle, that judicial functions are performed in a completely , independent; "the courts are not subject to any chain of command or subordination to anyone, nor do they receive orders or directions from any source, and are therefore protected from any external interference or pressure that may impair the independence of judgment of their members and influence their decisions." The CJEU came to the conclusion that the activity/process of administering justice cannot and is not limited only to the processing of personal data as part of specific court proceedings, but its broad scope covers all operations carried out as part of judicial activity. This also applies to code procedures for informing parties about ongoing and initiated court proceedings. The above means that the scope of understanding "the administration of justice by the courts" is broad and includes everything that can be related to the independence of the courts. The above was also emphasized by the Advocate General of the CJEU (...) 
in the opinion preceding the mentioned judgment, where he drew attention to the fact that these may also be decisions that at first glance are of an administrative nature, but in fact should be related to the adjudication, e.g. recording hearings , transmitting them or even applying security measures (see: C-245/20 - Opinion of the Advocate General, Court of Justice of the European Union, Article 55(3) of the Regulation). In turn, against the background of Art. 175 section 1 of the Constitution of the Republic of Poland, it is assumed that the administration of justice is the binding resolution of disputes about law by a court. “The essence of the justice system is the resolution of legal disputes (disputes arising from legal relations)” within the framework of special forms of proceedings (provisions of civil and criminal court proceedings) (see: judgment of the Constitutional Tribunal 28/97). The national supervisory authority is therefore not authorized to supervise courts to the extent to which they perform judicial activities, and such activities include adjudicating not only in the main case, but also in all incidental cases (see the judgment of the Supreme Administrative Court of May 26, 2020 r. I OSK 1533/19). (…)” In addition, the Court also referred to the decision of the President of the Office of Personal Data Protection, ref. no. ZSOŚS.440.109.2018, in which the authority found itself incompetent to interfere with the content of documents collected in the files of court proceedings.<br />
<br />
The Court, in a letter dated September 2022, indicated that, in the Court's opinion, the President of the Personal Data Protection Office does not have the authority to consider a case regarding the processing of personal data contained in the exercise of justice by this Court. In the opinion of the Court, the judicial activity of courts, which is a manifestation of the administration of justice, is determined by the provisions contained, among others, in the Act of November 17, 1964, Code of Civil Procedure (hereinafter: Code of Civil Procedure). Activities related to serving the statement of claim together with attachments to the defendant in a civil case are regulated in detail and comprehensively in the Code of Civil Procedure. The court explained that these norms create a detailed legal framework for the court's administration of justice in civil law cases. The court also referred to the judgment of the Court of Justice of March 24, 2022, ref. no. file: C-245/20, pointing out that "(...) processing operations whose supervision by the supervisory authority could directly or indirectly affect the independence of members of these courts or influence their decisions are excluded from the jurisdiction of the supervisory authority (see: judgment of the Court of Justice of March 24, 2022 C-245/20). Therefore, the administration of justice undoubtedly includes activities related to the delivery of procedural documents to the parties, including a copy of the lawsuit to the defendant. A copy of the statement of claim is a court document directly related to the court proceedings, for the transmission of which the applicable national law provides for formalized service (...).” Moreover, the Court indicated that "the above issues are regulated in the provisions of the Code of Civil Procedure, i.e. Title VI, Section I, Chapter II "Delivery" and Section II, Chapter 2a "Organization of proceedings". Pursuant to Art. 
2051 § 1 and 2 of the Code of Civil Procedure the chairman orders the service of the lawsuit on the defendant and calls on him to submit a response to the lawsuit within a set deadline of no less than two weeks. The plaintiff is notified of the order to serve the statement of claim. (…) In the circumstances of the case, a copy of the complaint together with attachments in the case (…) was delivered to the defendant in accordance with the judge's order through the Consulate General of the Republic of Poland in October, by way of legal assistance pursuant to Art. 1130 et seq. of the Code of Civil Procedure and § 37 et seq. of the Regulation of the Minister of Justice of January 28, 2002 on detailed court activities in matters relating to international civil and criminal proceedings in international relations (Journal of Laws of 2014, item 1657). This regulation provides for delivery by Polish consuls. Correspondence sent to diplomatic missions is signed by a judge and the letter is marked with, among others, the official seal (§ 14(1) and (2) of the Regulation). Taking into account the above, there is no doubt that the judge's actions in the case (...) in the scope of processed personal data, related to the delivery of a copy of the lawsuit with attachments to the defendant, took place within the framework of the administration of justice, i.e. to the extent not falling within the competence of the President of the Personal Data Protection Office. The President of the Personal Data Protection Office cannot interfere with the internal organization of the Court's work, and in particular with the rules for the circulation of procedural documentation, since this circulation takes place in connection with the administration of justice by the court. By serving a copy of the complaint with attachments to the defendant, the court acts as part of the administration of justice, because these activities have a measurable impact on the content of the judgment issued by the court in the proceedings. 
Therefore, in the circumstances of the case, it is justified to discontinue the proceedings due to the lack of material jurisdiction of the President of the Personal Data Protection Office in the scope of considering cases regarding the processing of personal data by courts in the course of administering justice. Pursuant to Art. 175 dd § 1 of the Act of 27 July 2001, Law on the Organization of Common Courts, the supervisory authority for the Court as the administrator of personal data processed in court proceedings as part of the administration of justice or the implementation of tasks in the field of legal protection is not the President of the Personal Data Protection Office, but - in relation to the subordinate district court - the president of the court of appeal. (…) The exercise by the President of the Personal Data Protection Office - as the authority competent in data protection matters - of supervision over the processing of data in the scope of court rulings could constitute unacceptable interference in their judicial activities. The President of the Personal Data Protection Office, within the powers granted to him by law, cannot therefore interfere in the course of the proceedings or the manner in which they are conducted by other bodies authorized under separate provisions, including in particular courts. Therefore, the President of the Personal Data Protection Office cannot interfere with the principles of serving the defendant with a copy of the complaint together with attachments (often constituting part of the evidence). (…) Therefore, an examination by the President of the Personal Data Protection Office of whether the controller has allegedly violated the provisions on the protection of personal data or failed to fulfill the obligations arising from Art. 33 and 34 section 1 and 2 of the GDPR remains irrelevant. 
(…) The lack of material jurisdiction of the body - the President of the Office of Personal Data Protection, who is not authorized to issue a substantive decision in the case in question, determines the groundlessness of the administrative proceedings. Regardless of the above, it should be noted that the allegation that the Court may have acted as a data controller in connection with a breach of personal data protection by delivering damaged and incomplete correspondence containing personal data to the addressee remains completely misplaced and groundless. In the case (...), the judge, acting on the basis of applicable legal norms, in a letter of May 11, 2022, asked the Consul General of the Republic of Poland in October, as part of legal assistance, to deliver to the defendant M.O. a copy of the lawsuit together with attachments (listed in detail in the cover letter). The correspondence was set in motion and sent for shipment on (...) June 2022, in accordance with the rules arising from the Regulation of the Minister of Justice of January 28, 2002 on detailed court activities in matters relating to international civil and criminal proceedings in international relations. On (...) July 2022, the Consulate General of the Republic of Poland in October 2022 delivered the parcel to the addressee by registered mail with acknowledgment of receipt. According to the information available in the electronic system of the postal operator R. (...), the parcel was delivered to the addressee on (...) July 2022 (no annotations about any damage during transport - records in postal systems) (...)". The court attached a violation report describing the event to the explanations in question.<br />
<br />
As a result of the above event, there was a breach of both data confidentiality and data availability (point 4E of the notification form sent by the Minister). In the Minister's opinion, it concerned the following scope of data: name and surname, address of residence or stay, and other information related to the court proceedings themselves. In a letter of October 2022, the court explained that the breach covered personal data of (...) persons in the following scope: 1) the plaintiff: her name and surname, PESEL number, address, date of birth, data included in the medical documentation, bank account number, 2) the defendant: his name and surname, PESEL number, residential address, date of birth, image contained in the photograph, 3) personal data of two children: their names and surnames, PESEL numbers, residential address, dates of birth, data included in the psychological opinion, 4) personal data (...) of witnesses: their names and surnames, telephone numbers, residential addresses, e-mail addresses (in the case of (...) witnesses). Moreover, the Court stated that the court proceedings concerned the dissolution of a marriage.<br />
<br />
The case file includes a report from August 2022 sent by the Court regarding a personal data protection breach, which shows, among other things, that the damaged shipment concerned the lawsuit with attachments. The operator did not note any damage during transport; however, the addressee of the correspondence reported to the above-mentioned consulate that it was damaged and incomplete.<br />
<br />
In a letter of January 9, 2023, the Court, responding to the authority's request of January 4, 2023, regarding the indication of actions that allowed the Court to find that the correspondence was neither damaged nor incomplete, explained that "[t]here are also no reasons to conclude that the correspondence was sent incomplete or was not properly secured. All procedures resulting from the provisions of the Code of Civil Procedure were followed." However, the court did not explain how it found the above.<br />
<br />
The case files contain three photos of the parcel in question taken by its addressee. The first photo shows correspondence wrapped in foil with a visibly torn paper envelope inside, the second photo shows the package/correspondence without foil, but with a significantly torn paper envelope enabling removal of all the documents contained therein, and the third photo shows its addressee opening the damaged envelope to show its contents. The photos were sent to the authority by the Minister.<br />
<br />
After considering all the evidence collected in the case, the President of the Office for Personal Data Protection considered the following.<br />
<br />
The subject of these proceedings was the Administrator's violation of the provisions of Art. 33 and art. 34 section 1 and 2 of Regulation 2016/679, resulting from failure to report a personal data protection breach to the supervisory authority and failure to notify the affected persons in connection with the delivery to the addressee by the postal operator of damaged and incomplete correspondence containing personal data, sent by the Consulate General of the Republic of Poland in Warsaw at the request of the District Court in Krakow.<br />
<br />
When assessing the event in question, the President of the Personal Data Protection Office examined whether the event reported by the Minister constituted a breach of personal data protection, as well as whether the President of the Personal Data Protection Office is the competent supervisory authority to verify the correct compliance with the provisions of Regulation 2016/679 by the data controller (Court) covered by the above-mentioned event, i.e. whether in this case the Court exercised justice or legal protection.<br />
<br />
Pursuant to Art. 4 point 12 of Regulation 2016/679, the concept of personal data protection breach should be understood as a security breach leading to accidental or unlawful destruction, loss, modification, unauthorized disclosure or unauthorized access to personal data transmitted, stored or otherwise processed. Due to the fact that the event reported by the Minister consisted in the delivery of a damaged and incomplete parcel by the postal operator to the addressee, in the opinion of the President of the Personal Data Protection Office there was a breach of personal data protection due to the breach of data confidentiality (the correspondence was delivered in a damaged envelope) as well as their availability (the addressee reported the incompleteness of the shipment to the Minister). At no stage of the proceedings did the court demonstrate that the event described by the Minister did not occur.<br />
<br />
Moreover, it should be noted that, in the opinion of the President of the Personal Data Protection Office, he is the supervisory authority competent to assess the above-mentioned violations. The delivery of correspondence does not constitute the administration of justice by the Court or legal protection, but a technical, administrative activity of the Court. Therefore, there is no premise excluding the competences of the President of the Personal Data Protection Office as a supervisory authority. Pursuant to Art. 55 section 3 of Regulation 2016/679, supervisory authorities are not competent to supervise processing operations carried out by courts in the course of their administration of justice. Moreover, according to recital 20 of Regulation 2016/679, the jurisdiction of supervisory authorities should not cover the processing of personal data by courts in the administration of justice - so as to protect the independence of the administration of justice. It should be possible to entrust the supervision of such data processing operations to specific authorities in the justice system of a Member State, and those authorities should, in particular, ensure compliance with the provisions of this Regulation, increase the knowledge of the judiciary of its obligations under this Regulation and deal with complaints related to such data processing operations. Pursuant to Art. 175 dd § 1 of the Act of July 27, 2001, Law on the Organization of Common Courts (Journal of Laws of 2023, item 217), supervision over the processing of personal data whose administrators are the courts, in accordance with Art. 175da and art. 175db, perform within the scope of the court's activities: district court - president of the district court; regional – president of the court of appeal; appeal – National Council of the Judiciary. 
Taking into account this legal status, it should be assumed that the supervisory bodies over common courts, as part of the administration of justice, are those listed in Art. 175 dd § 1 of the Act on the Organization of Common Courts. However, in matters that do not fall within the scope of the concept of "exercising justice", the competent supervisory authority for common courts is the President of the Personal Data Protection Office. In the opinion of the President of the Personal Data Protection Office, the concept of administering justice in the context of the personal data protection framework established by Regulation 2016/679 should be understood narrowly in this case. The Constitutional Tribunal in its judgment of December 1, 2008, ref. no. file: P 54/07, (Journal of Laws of 2008, item 218, no. 1400), pointed out that "[a]ccording to the dominant view of legal doctrine, the administration of justice is the activity of the state consisting in adjudicating, i.e. the binding resolution of disputes about law in which at least one of the parties is an individual or other similar entity [see L. Garlicki, Polish constitutional law. Outline of the lecture, Warsaw 2006, p. 342; Z. Czeszejko-Sochacki, On the administration of justice in the light of the Constitution, international standards and practice, "Państwo i Prawo" z. 9/1999, p. 3; S. Włodyka, The system of legal protection bodies, Warsaw 1968, p. 16]." It should be noted that, apart from the judicial sphere, courts also perform administrative activities, the essence of which is to ensure appropriate technical and organizational conditions for the court to perform the tasks entrusted to it in the field of administration of justice and legal protection. Pursuant to Art. 
8 of the Law on the Organization of Common Courts, the administrative activity of courts consists in: ensuring appropriate technical, organizational and financial conditions for the functioning of the court and the performance by the court of the tasks referred to in Art. 1 § 2 and 3 (point 1); ensuring the proper conduct of the court's internal operations, directly related to the performance of the court's tasks referred to in Art. 1 § 2 and 3 (point 2). Therefore, activities of a strictly technical nature performed by a court official and then a postal operator, such as sending correspondence in accordance with a judge's order or order, do not fall within the sphere of "the administration of justice", but belong to the administrative sphere of the court's activities. At the same time, it should be emphasized here that the Administrator's reference to the judgment of the Court of Justice of the EU of March 24, 2022, ref. no. C-245/20, is unjustified because it does not concern the administrative activities of the court. This judgment refers to the disclosure of information about court proceedings to journalists (the case concerned the Kingdom of the Netherlands). In this ruling, the Tribunal interpreted Art. 55 section 3 of Regulation 2016/679, regarding the "temporary disclosure" by the court of pleadings containing personal data to journalists. In this judgment, the Court found that the "administration of justice" includes the "court's information policy" in order to ensure media coverage of a given case. Therefore, the above judgment cannot be applied to the present case, because in the analyzed case there was a violation of personal data protection in connection with the delivery of a damaged and incomplete parcel to the addressee by the postal operator, i.e. an activity of a technical and administrative nature. 
Moreover, it should be emphasized that the President of the Personal Data Protection Office, when dealing with the case in question, does not interfere with the rules for serving procedural documents or what documents should be served to the addressee. The supervisory authority is only interested in the loss of data confidentiality and its incompleteness as a result of the postal operator's actions, which is within the scope of the court's administrative activities. Therefore, the competences of the President of the Personal Data Protection Office do not violate judicial independence, because they do not concern the judge's competences in the proceedings. Moreover, they are remedial powers which, by their nature, cannot affect ongoing proceedings (e.g. they do not lead to the suspension of ongoing proceedings or to an order to remove part of a witness's testimony) and concern the administrative sphere of the court's activity. Identified irregularities violating the principle of "integrity and confidentiality" expressed in Art. 5 section 1 letter f) of Regulation 2016/679, correspond to the corrective powers of the President of the Personal Data Protection Office, which do not affect the independence of the court, as they only consist in ordering the controller to adapt the processing operations to the provisions of Regulation 2016/679.<br />
<br />
At the same time, the Court's reference to the decision of the President of the Personal Data Protection Office with reference number ZSOŚS.440.109.2018 is also inappropriate. The decision indicated by the Court was issued in a case in which a natural person filed a complaint and sought to shape his or her situation as a party to court proceedings on the basis of the provisions on the protection of personal data rather than through the proper procedure. The complaint concerned the inclusion in the court files kept by the district court of a printout from the website of a law firm, containing the complainant's personal data regarding his image. According to the complainant, in the above-mentioned case it was unnecessary for evidentiary purposes, because the document to which this printout was attached was not admitted by the court as evidence in the case. The President of the Personal Data Protection Office could not take a position in such a case (and order, in accordance with the complainant's request, the removal of the image from the court case files), because whether or not evidence is admitted in the case depends solely on the court's decision (and is an element of the administration of justice). However, the judgment referred to by the Court (judgment of the Supreme Administrative Court of May 26, 2020, file ref. no. I OSK 1533/19) refers to the provisions on the protection of personal data that are no longer in force - the Act of 1997[2]. Moreover, this case also concerned a situation in which the complainant questioned court actions after applying for exemption from court costs. The court asked the complainant to prove her assets by submitting an asset declaration and to complete the application in formal terms. 
In this judgment, the Supreme Administrative Court stated that neither the authority nor the administrative court can make a substantive assessment of summons issued to the parties by a common court (and therefore, again, in the scope of the administration of justice).<br />
<br />
Taking the above into account, it should be noted that both the above-mentioned decision and the above-mentioned judgment of the Supreme Administrative Court concern procedural activities undertaken by the court as part of the administration of justice, and not administrative (technical) activities, as in the case in question.<br />
<br />
Regardless of the above, it should be noted that the President of the Court of Appeal in Kraków, as the body indicated in Art. 175 dd § 1 of the Act on the Organization of Common Courts, in the present case cannot be considered a supervisory body over the Court. Pursuant to the wording of Art. 175dd of the Law on the Organization of Common Courts, judicial supervisory authorities (including the President of the Court of Appeal in Kraków) are not authorized to receive reports of personal data protection breaches (Article 33 of Regulation 2016/679), nor to assess whether, in connection with a personal data protection breach, there was a high risk of violating the rights and freedoms of natural persons, resulting in the need to notify data subjects about the breach (Article 34 of Regulation 2016/679).<br />
<br />
When examining the event in question, the President of the Personal Data Protection Office assessed it as a breach of confidentiality (data security issues - a damaged envelope, the contents of which could have been accessed by unauthorized persons) as well as a breach of availability (some documents were missing). It does not matter that the postal operator was at fault by damaging the shipment, because the subject of these proceedings is the failure to report a data protection breach and the failure to notify data subjects about the breach of the protection of their personal data. Moreover, it should be emphasized that the President of the Personal Data Protection Office, when analyzing the breach of personal data protection reported by the Minister, concerning data of which the District Court in Krakow is the administrator, does not in any way affect the independence of the court, as he does not affect the Court's decision or individual decisions taken by the Court within the framework of ongoing proceedings. It is also worth emphasizing that while the President of the Personal Data Protection Office is not an entity that controls or supervises the application of substantive or procedural law by courts in the course of their administration of justice (which takes place in the course of an instance), nor does he interfere with the rules for serving court documents (e.g. whether by registered letter, ordinary letter or by delivery at a hearing), or what documents should be served on the party to the proceedings by the court, the authority is entitled to control and verify the correct application of the provisions on the protection of personal data, including the security measures applied by the data administrator (including the administrator's response to a data protection breach) and the implementation of obligations arising from Art. 33 and art. 34 of Regulation 2016/679. 
The method of securing personal data by the Court is not subject to judicial review as part of its judicial function and does not relate to the administration of justice by the court. Therefore, it is subject to the control of the President of the Personal Data Protection Office, as is the implementation of the administrator's obligations arising from the above-mentioned provisions of Regulation 2016/679.<br />
<br />
Taking the above into account, it should be noted that if there has been a breach of personal data protection in connection with the administrative part of the court's activities, it should be reported in the manner provided for in Art. 33 section 1 of Regulation 2016/679 to the President of the Personal Data Protection Office, as the competent supervisory authority. The fact is that the competences of the judicial supervisory authorities referred to in Art. 175 dd § 1 of the Act on the Organization of Common Courts do not include accepting reports of personal data protection violations or evaluating them substantively. The scope of competences of these bodies is listed exhaustively in Art. 175 dd § 2 and 3 of the Act on the Organization of Common Courts (and should be treated as a closed catalogue).<br />
<br />
Article 33 of Regulation 2016/679 states that in the event of a breach of personal data protection, the data controller shall report it without undue delay - whenever possible, no later than 72 hours after discovering the breach - to the supervisory authority competent in accordance with Art. 55, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. The notification submitted to the supervisory authority after 72 hours is accompanied by an explanation of the reasons for the delay (section 1). The notification referred to in section 1, must at least: a) describe the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects and the categories and approximate number of personal data entries affected by the breach; b) contain the name and contact details of the data protection officer or the designation of another contact point from which more information can be obtained; c) describe the possible consequences of a personal data breach; d) describe the measures taken or proposed by the controller to address the personal data breach, including, where appropriate, measures to minimize its possible negative effects (paragraph 3).<br />
<br />
Referring to the rights and freedoms of persons affected by the violation, it should be noted that Art. 34 section 1 of Regulation 2016/679 indicates that in a situation where a breach of personal data protection may result in a high risk to the rights and freedoms of natural persons, the controller is obliged to notify the data subject of such a breach without undue delay. Pursuant to Art. 34 section 2 of Regulation 2016/679, a proper notification should: 1) describe the nature of the personal data protection breach in clear and plain language; 2) contain at least the information and measures referred to in Art. 33 section 3 lit. b), c) and d) of Regulation 2016/679, i.e.: name and surname and contact details of the data protection officer or designation of another contact point from which more information can be obtained; a description of the possible consequences of a personal data breach; a description of the measures taken or proposed by the controller to address the personal data breach, including, where appropriate, measures to minimize its possible negative effects.<br />
<br />
Reporting personal data protection breaches by controllers is an effective tool contributing to a real improvement in the security of personal data processing. When reporting a breach to the supervisory authority, controllers inform the President of the Personal Data Protection Office whether, in their opinion, there is a high risk of violating the rights and freedoms of data subjects and - if such a risk occurred - whether they have provided appropriate information to natural persons affected by the breach. In justified cases, they may also provide information that, in their opinion, notification is not necessary due to the fulfillment of the conditions specified in Art. 34 section 3 lit. a) – letter c) Regulation 2016/679. The President of the Personal Data Protection Office verifies the assessment made by the controller and may - if the controller has not notified the data subjects - request such notification from the controller. Reports of personal data protection breaches allow the supervisory authority to respond appropriately to limit the effects of such breaches, as the controller is obliged to take effective actions to ensure the protection of natural persons and their personal data, which will, on the one hand, allow for control of the effectiveness of existing solutions and, on the other hand, the assessment of modifications and improvements to prevent irregularities similar to those covered by the infringement.<br />
<br />
In the case in question, there was a violation of the protection of personal data of (...) persons, and (...) of them were at high risk of violating their rights and freedoms due to the scope of the personal data violated. In the case of the plaintiff, the violation included, among others, her PESEL number and data on her health condition contained in the medical documentation; in the case of the defendant, his PESEL number; and in the case of two children, information on their health condition (contained in the psychological opinion). These data were included in the documentation sent to the party to the divorce proceedings. Moreover, it should be emphasized again that the authority received information about a personal data protection breach from an entity other than the Administrator.<br />
<br />
It should be emphasized at this point that the President of the Personal Data Protection Office, before initiating the administrative proceedings, first asked the Court (twice) whether the Court had knowledge about the infringement in question; however, in its answer, the Court presented the position that the President of the Personal Data Protection Office was not the competent authority to investigate the event in question, without providing answers to the questions asked by the authority (at the same time making it difficult to investigate the event in question, to establish whether there was actually a breach of personal data protection and to assess the level of risk of violating the rights and freedoms of persons whose data was included in the correspondence in question, or the scope of data covered by the breach). This approach of the Court resulted in the initiation of administrative proceedings by the President of the Personal Data Protection Office. According to the case material, the Court checked the information received from the Minister about the incomplete and damaged shipment only in the postal operator's system, concluding that the lack of annotations in this regard proves that no incident occurred (this is evidenced by the Report (...) from (...).08/2022). In the course of the proceedings, the President of the Personal Data Protection Office established that the envelope and documents received by the addressee were significantly damaged (which is confirmed by the photos of the parcel received from the Minister). The damage to the envelope made it possible to become acquainted with its contents, i.e. documents containing personal data in the scope indicated above. 
It is also worth emphasizing that the President of the Personal Data Protection Office, in a letter of January 4, 2023, asked the Court about the actions taken by the Administrator, which allowed him to conclude that the correspondence was not damaged or incomplete, despite the information provided by the Minister. The Administrator, responding in a letter of January 2023, limited himself to stating that he did not find any shortcomings on the part of the Court in the delivery of correspondence. In the opinion of the Court, there are no grounds to assume that the correspondence reached the addressee incomplete or improperly secured. However, the President of the Personal Data Protection Office, based on the photos received from the Minister, made different findings (described above), stating that there was a risk of violation of data confidentiality as well as completeness (violation of availability). The content of the correspondence in question (the plaintiff's medical documentation, psychological opinions regarding the children), their PESEL numbers, but also the descriptions of the marriage itself mean that the handling of an event that includes such data should be considered as requiring special attention and diligence on the part of the data controller. Each category of data, such as the PESEL number or information about health status, represents a high risk of violating the rights and freedoms of data subjects. In this case, the high risk of violating rights and freedoms concerned (...) people. It is also worth emphasizing the ease of identifying these people, based on the above-mentioned data.<br />
<br />
As indicated in Guidelines 9/2022[3], a personal data breach involving high-risk data may potentially cause a number of negative consequences for the natural persons whose data is subject to the breach. The possible effects of a breach include: physical damage, material or non-material damage. Examples of such damages include, but are not limited to: discrimination, identity theft or identity fraud, financial loss, damage to reputation, breach of confidentiality of personal information and significant economic or social damage. In this case, there is no doubt that due to the scope of data covered by the personal data protection breach in question, including the PESEL registration number with name and surname and health data, there is a high probability of the above-mentioned damages occurring.<br />
<br />
It should be noted here that the PESEL number, i.e. an eleven-digit numerical symbol containing the date of birth, serial number, gender designation and control number, uniquely identifies a specific natural person, and is therefore closely related to the private sphere of the natural person and, as such, is also subject, as a national identification number, to exceptional protection under Art. 87 of Regulation 2016/679. Due to the fact that the PESEL number is data of a special nature, its disclosure to unauthorized entities may result in a high risk of violating the rights and freedoms of natural persons (see: https://www.bik.pl/poradnik-bik/wyluczenie-kredytu- this is how scammers work - where a case was described in which: "Only the name, surname and PESEL number were enough for fraudsters to extort several loans worth tens of thousands of zlotys in total. Nothing else was correct: neither the ID number nor the residential address"). It is also impossible to ignore that the analyzed personal data protection breach also concerned data other than the PESEL number, e.g. information about health status. Guidelines 9/2022 emphasize that a collection of various personal data is usually more sensitive than individual data.<br />
<br />
It is worth mentioning here one of the examples listed in the EDPB Guidelines 01/2021 on examples regarding reporting personal data protection breaches, hereinafter Guidelines 01/2021 (case no. 14, p. 31), referring to the situation of "sending by post by mistake highly confidential personal data". In the above-mentioned case from the guidelines, the social security number, which is the equivalent of the PESEL number used in Poland, was disclosed. In this case, the EDPB had no doubt that the disclosed data in the scope of: name and surname, e-mail address, postal address, social security number indicate a high risk of violating the rights and freedoms of natural persons ("involvement of their [victims'] social security number, as well as other, more basic personal data, further increases the risk, which can be described as high"). The EDPB recognizes the importance of national identification numbers (in this case the PESEL number), at the same time emphasizing that this type of personal data protection breach, which includes data such as: name and surname, e-mail address, correspondence address and social security number, requires the implementation of actions, i.e.: notification of the supervisory authority and notification of a breach to data subjects. The EDPB also has no doubt that an individually assigned number uniquely identifying a natural person should be subject to special protection, and its disclosure to unauthorized entities may involve a high risk of violating the rights and freedoms of natural persons.<br />
<br />
The EDPB also points out in other examples provided in Guidelines 01/2021 that data that uniquely identifies a natural person may result in a high risk of violating rights or freedoms. Points 65 and 66 of Guidelines 01/2021 indicate: "(...) The breached data allows for the unambiguous identification of data subjects and contains other information about them (including gender, date and place of birth), and may also be used by the attacker to guess customer passwords or to conduct a spear phishing campaign aimed at bank customers. For these reasons, the data breach has been deemed likely to result in a high risk to the rights and freedoms of all data subjects. Therefore, material (e.g. financial losses) and intangible (e.g. identity theft or fraud) damage may occur.”<br />
<br />
The Provincial Administrative Court in Warsaw likewise had no doubts (that the disclosure of the PESEL number together with other personal data may result in a high risk of violating the rights and freedoms of natural persons); in its judgment of September 22, 2021, ref. no. II SA/Wa 791/21, it stated that "[t]here is no doubt that the examples of damage mentioned in the guidelines may occur in the case of persons whose personal data - in some cases, including the PESEL registration number or the series and number of the ID card – were recorded on shared recordings. Not without significance for such an assessment is the possibility of identifying persons whose data were subject to the breach, based on the disclosed data." Further, the Court in the cited judgment indicated that "The data was made available to unauthorized persons, which means that there was a security breach leading to unauthorized disclosure of personal data, and the scope of this data, including in some cases also the PESEL registration number or the series and number of the ID card, determines that there is a high risk of violating the rights and freedoms of natural persons.” When considering the above issues, it is also necessary to recall the position of the Provincial Administrative Court in Warsaw expressed in the judgment of July 1, 2022 issued in the case with reference number II SA/Wa 4143/21. In the justification of this judgment, the Court stated that: "[i]t should be agreed with the President of the Personal Data Protection Office that the loss of confidentiality of the PESEL number in connection with personal data, such as: name and surname, registered address, bank account numbers and the identification number assigned to the Bank's clients - CIF number, involves a high risk of violating the rights and freedoms of natural persons. 
In the event of a breach of data such as name, surname and PESEL number, identity theft or falsification is possible, resulting in negative consequences for the data subjects. Therefore, in the case in question, the Bank should have acted without undue delay, pursuant to Art. 34 section 1 GDPR, to notify data subjects about a personal data breach, so as to enable them to take the necessary preventive actions." It is also worth mentioning the judgment of August 31, 2022, ref. no. II SA/Wa 2993/21, in which the Provincial Administrative Court in Warsaw emphasized that "(...) the authority correctly assumed that there was a high risk of violating the rights and freedoms of persons affected by the violation in question due to the possibility of easy identification, based on the disclosed data, of persons whose data was subject to the breach. These data include name and surname, correspondence address, telephone number, and PESEL number of persons with Polish citizenship. In this situation, the controller was obliged to notify data subjects about the breach without undue delay." The Provincial Administrative Court in Warsaw expressed a similar opinion in its judgments of November 15, 2022, ref. no. II SA/Wa 546/22, and June 21, 2023, ref. no. II SA/Wa 150/23.<br />
<br />
The latest infoDOK report[4] (which is prepared as part of the social Information Campaign of the RESTRICTED DOCUMENTS System, organized by the Polish Bank Association and some banks, under the patronage of the Ministry of Internal Affairs and Administration and in cooperation with, among others, the Police and the Consumer Federation) shows that in the second quarter of 2023, 2,116 attempts at credit and loan fraud were recorded, amounting to PLN 50.3 million. Over the last twelve months, the total amount of thwarted loan fraud attempts is PLN 191.6 million. Moreover, it should be noted that in the second quarter of 2022, 1,806 attempts at credit and loan fraud were recorded, amounting to PLN 54.4 million[5]. This means a significant increase in credit and loan fraud attempts in the presented period.<br />
<br />
Moreover, as evidenced by case law, judgments in loan fraud cases are not uncommon and have been issued by Polish courts in similar cases for a long time. One example is the judgment of the District Court in Łęczyca of July 27, 2016 (reference number I C 566/15), in which fraudsters taking out a loan using someone else's data used a PESEL number, a fictitious address and an incorrect (invalid) ID number. In the course of the court proceedings, the defendant demonstrated that she had not incurred the above-mentioned obligations, even though someone used her PESEL number. However, this required evidentiary proceedings. There are many more such situations, and they require injured persons (de facto victims of crime) to take action (in court or amicably) to prove that they were not the ones who performed specific actions resulting in, for example, incurring an obligation or theft of other people's funds (in the case of crimes related to e.g. internet fraud).<br />
<br />
To sum up, the personal data protection breach in question creates a high risk of violating the rights and freedoms of natural persons not only because it involves the PESEL numbers of the above-mentioned persons, but also because it involves special categories of their data - information about the plaintiff's health condition and information contained in the psychological opinions of two children. This information, linked to, among others, names and surnames and to the context of the divorce case, may result in loss of control over the data and may give rise not only to the risks associated with disclosure of the PESEL number, but also to discrimination against these people, or even infringement of their personal rights.<br />
<br />
The Administrator did not take all these circumstances into account when analyzing the event, even though that analysis was prompted by a request from the President of the Personal Data Protection Office.<br />
<br />
It should also be borne in mind that the Administrator's performance of his obligation under Art. 33 section 1 and 34 section 1 of Regulation 2016/679 may not be made dependent on the materialization of the risk resulting from the violation of the rights and freedoms of natural persons whose data is affected by a personal data breach. As stated by the Provincial Administrative Court in Warsaw in the judgment of September 22, 2021 issued in case no. II SA/Wa 791/21: "[it] should be emphasized that the possible consequences of the event do not have to materialize. The content of Art. 33 section 1 of Regulation 2016/679 indicates that the very occurrence of a breach of personal data protection, which involves a risk of violating the rights and freedoms of natural persons, implies the obligation to report the breach to the competent supervisory authority, unless the breach is unlikely to result in a risk of violating the rights and freedoms of natural persons” (this Court ruled similarly in the previously cited judgment of July 1, 2022, issued in the case with reference number II SA/Wa 4143/21 and in the judgments of August 31, 2022, reference number II SA/Wa 2993/21, of November 15, 2022, ref. no. II SA/Wa 546/22 and of April 26, 2023, ref. no. II SA/Wa 1272/22).<br />
<br />
When analyzing the above, one should also not forget about the basic principles. When applying the provisions of Regulation 2016/679, it should be borne in mind that the purpose of this regulation (expressed in Article 1(2)) is to protect the fundamental rights and freedoms of natural persons, in particular their right to the protection of personal data, and that the protection of natural persons in connection with the processing of personal data is one of the fundamental rights (first sentence of recital 1 of the preamble). In case of any doubts, e.g. as to the performance of obligations by administrators - including in situations where there has been a breach of personal data protection - these values should be taken into account first.<br />
<br />
It is worth emphasizing in particular that when assessing the risk of violating the rights and freedoms of natural persons, which determines the notification of a personal data protection breach and the notification of the breach to the data subject, the probability factor and the importance of potential negative effects should be taken into account jointly. A high level of any of these factors affects the overall rating, which determines the fulfillment of the obligations specified in Art. 33 section 1 and art. 34 section 1 of Regulation 2016/679. Bearing in mind that due to the scope of personal data disclosed in the analyzed case, there was a possibility of significant negative consequences for data subjects (as shown above), the importance of the potential impact on the rights and freedoms of a natural person should be considered high. At the same time, the probability of a high risk occurring as a result of the breach in question is not small and has not been eliminated. Therefore, it should be stated that in connection with the breach in question, there was a high risk of violating the rights and freedoms of data subjects, which consequently determines the obligation to report the personal data protection breach to the supervisory authority and to notify the persons affected by the personal data protection breach.<br />
<br />
In Guidelines 9/2022, the EDPB, indicating the factors to be taken into account when assessing the risk, refers to recitals 75 and 76 of Regulation 2016/679, which suggest that the administrator should take into account both the probability of occurrence and the seriousness of the threat to the rights or freedoms of the data subject. In the event of a personal data protection breach, the controller should focus on the risk that the breach poses to a natural person. Therefore, when assessing the risk to an individual arising from a personal data breach, the controller should take into account the specific circumstances of the breach, including the severity of the potential impact and the likelihood of its occurrence. Accordingly, when assessing the risk, the EDPB recommends taking into account criteria such as the type of breach, the nature, sensitivity and amount of personal data, as well as ease of identification, as they may affect the level of risk for natural persons. The risk of violating the rights or freedoms of a natural person in accordance with Guidelines 9/2022 will be greater when the consequences of the violation are more serious, as well as when the likelihood of their occurrence increases. The guidelines advise that in case of any doubts, the administrator should report a violation, even if such caution might prove excessive.<br />
<br />
To sum up the above, it should be stated that in the case in question there is a high risk of violating the rights and freedoms of persons affected by the personal data protection breach, which in turn results in the Court's obligation to report the personal data protection breach to the supervisory authority, in accordance with Art. 33 section 1 of Regulation 2016/679, which must include the information specified in Art. 33 section 3 of Regulation 2016/679 and notification of data subjects about the breach, in accordance with Art. 34 section 1 of Regulation 2016/679, which must include the information specified in Art. 34 section 2 of Regulation 2016/679.<br />
<br />
Referring to the Administrator's obligation specified in Art. 34 section 2 of Regulation 2016/679, the President of the Personal Data Protection Office stated that the Administrator (taking into account the nature of the breach and the categories of data that have been breached) should indicate to the data subject the most likely negative consequences of the breach of his or her personal data. Certainly, in the event of a breach of data such as name, surname and PESEL registration number, it is necessary to point out, first of all, possible identity theft or falsification by third parties obtaining, to the detriment of the person whose data was breached, loans from non-bank institutions, or insurance fraud or the fraudulent obtaining of insurance funds, which may result in negative consequences related to an attempt to attribute responsibility to the data subject for committing such fraud. The description of possible consequences should reflect the risk of violating the rights and freedoms of that person, so as to enable him to take the necessary preventive actions. However, in the case of other data subject to a breach of personal data protection and resulting in a high risk of violating the rights and freedoms of natural persons (special categories of data within the meaning of Article 9 of Regulation 2016/679), the Administrator should indicate discrimination, violation of personal rights, slander or other forms of persecution of these people due to the disclosed health data.<br />
<br />
In a situation where, as a result of a breach of personal data protection, there is a high risk of violating the rights and freedoms of natural persons, the administrator is obliged to implement all appropriate technical and organizational measures to immediately establish that a personal data protection breach has occurred and quickly inform the supervisory authority, as well as the data subjects. The administrator should fulfill this obligation as quickly as possible.<br />
<br />
Recital 85 of the preamble to Regulation 2016/679 explains: "[w]ithout an appropriate and rapid response, a breach of personal data protection may result in physical harm, material or non-material damage to natural persons, such as loss of control over their own personal data or limitation of rights, discrimination, identity theft or falsification, financial loss, unauthorized reversal of pseudonymisation, damage to reputation, breach of confidentiality of personal data protected by professional secrecy or any other significant economic or social damage. Therefore, immediately upon becoming aware of a personal data breach, the controller should notify it to the supervisory authority without undue delay, where practicable and no later than 72 hours after becoming aware of it, unless the controller can demonstrate, in accordance with the principle of accountability, that it is unlikely that the violation may result in a risk of violating the rights and freedoms of natural persons. If a report cannot be made within 72 hours, the report should be accompanied by an explanation of the reasons for the delay and the information may be provided gradually, without further undue delay.”<br />
<br />
In turn, recital 86 of the preamble to Regulation 2016/679 states: "The controller should, without undue delay, inform the data subject about a breach of personal data protection if it may result in a high risk to the rights and freedoms of that person, so as to enable that person to take necessary preventive actions. Such information should include a description of the nature of the personal data breach and recommendations for the individual concerned to minimize potential adverse effects. Information should be provided to data subjects as soon as reasonably possible, in close cooperation with the supervisory authority, respecting instructions provided by that authority or other relevant authorities, such as law enforcement authorities. For example, the need to minimize an immediate risk of harm will require immediate information to data subjects, while the implementation of appropriate measures against the same or similar data protection breaches may justify subsequent information.”<br />
<br />
By notifying the data subject without undue delay, the controller enables the person to take the necessary preventive measures to protect the rights and freedoms against the negative effects of the breach. Article 34 section 1 and 2 of Regulation 2016/679 is intended not only to ensure the most effective possible protection of the fundamental rights and freedoms of data subjects, but also to implement the principle of transparency, which results from Art. 5 section 1 lit. a) of Regulation 2016/679 (see W. Chomiczewski [in:] GDPR. General Data Protection Regulation. Commentary. ed. E. Bielak-Jomaa, D. Lubasz, Warsaw 2018). Proper fulfillment of the obligation specified in Art. 34 of Regulation 2016/679 is to provide data subjects with quick and transparent information about a breach of the protection of their personal data, along with a description of the possible consequences of the personal data protection breach and the measures they can take to minimize its possible negative effects. Acting in accordance with the law and demonstrating concern for the interests of data subjects, the controller should have provided data subjects with the best possible protection of personal data without undue delay. To achieve this goal, it is necessary to provide at least the information listed in Art. 34 section 2 of Regulation 2016/679, which the administrator failed to do. Therefore, by deciding not to notify the supervisory authority and the data subjects about the breach, the controller in practice deprived them of reliable information, provided without undue delay, about the personal data protection breach and of the opportunity to counteract potential damage.<br />
<br />
It should also be noted here that the Court's Data Protection Inspector incorrectly assessed the level of risk of violating the rights and freedoms of natural persons in connection with the personal data protection breach in question. He pointed out that due to the fact that the documents were prepared in Polish and sent to Great Britain, this did not result in a high risk in this respect. In the opinion of the President of the Personal Data Protection Office, the fact that documents containing personal data were prepared in Polish and sent to a country where English is the primary language does not reduce the level of this risk. In the era of instruments enabling quick translation of entire documents, as well as due to the fact that in Great Britain a large part of the population speaks Polish, it cannot be assumed that this circumstance reduces the level of risk.<br />
<br />
The President of the Personal Data Protection Office obviously recognizes the fact that delivering the above-mentioned documentation was the responsibility of the postal operator; however, damage to it or loss of some of the documents by the postal operator gives rise to certain obligations on the part of the administrator (the Court) (resulting from the provisions of Regulation 2016/679), and failure to fulfil them results in its liability. The Court, as the sender of this correspondence, has knowledge of its content, including whether the documents contained in the shipment contain personal data and to what extent. As indicated by the Provincial Administrative Court in Warsaw in its judgment of July 1, 2022, ref. no. II SA/Wa 4143/21, "[i]n case of irregularities in the delivery of the shipment, the obligation to protect the interests of the data subject from the point of view of the risk of violating the rights and freedoms of the data subject rests with the sender of the shipment, who, knowing the content of the lost correspondence, is able to assess the risks posed to the data subject. However, the postal operator and courier company may perform the administrator's duties, within the meaning of the provisions of the GDPR, but only in relation to the personal data of the senders and addressees of the parcels." Consequently, the Provincial Administrative Court in Warsaw emphasized that "It is the Bank [here: the District Court in Krakow as the sender of the shipment] that can assess the risk to the rights and freedoms of a natural person resulting from the loss of the shipment and therefore has the opportunity to fulfill the obligation to report a personal data protection breach to the supervisory authority and to notify the data subject of the breach. The courier company does not have such knowledge."<br />
<br />
Consequently, it should be stated that the Administrator did not report a personal data protection breach to the supervisory authority in fulfillment of the obligation under Art. 33 section 1 of Regulation 2016/679 and failed to notify data subjects without undue delay of a breach of data protection, in accordance with Art. 34 section 1 of Regulation 2016/679, which means a violation of these provisions by the Administrator.<br />
<br />
Therefore, the President of the Personal Data Protection Office found it justified to send a decision to the data controller, using his corrective powers, ordering the notification of data subjects about a breach of the protection of their personal data, in order to provide them with the information specified in Art. 34 section 2 of Regulation 2016/679.<br />
<br />
Pursuant to Art. 34 section 4 of Regulation 2016/679, if the controller has not yet notified the data subject about the personal data protection breach, the supervisory authority - taking into account the likelihood that the personal data breach will result in a high risk - may require him to do so or may determine that one of the conditions referred to in section 3 has been met. In turn, Art. 58 section 2 lit. e) of Regulation 2016/679 states that each supervisory authority has the corrective power to order the controller to notify the data subject about a data protection breach.<br />
<br />
Pursuant to Art. 58 section 2 lit. i) of Regulation 2016/679, each supervisory authority has the power to apply, in addition to or instead of other corrective measures provided for in Art. 58 section 2 of Regulation 2016/679, an administrative fine under Art. 83 of Regulation 2016/679, depending on the circumstances of the specific case. The President of the Personal Data Protection Office states that in the case under consideration there are circumstances justifying the imposition of an administrative fine on the Administrator based on Art. 83 section 4 lit. a) of Regulation 2016/679, which states, among others, that violation of the administrator's obligations referred to in Art. 33 and 34 of Regulation 2016/679 is subject to an administrative fine of up to EUR 10,000,000, and in the case of an enterprise - up to 2% of its total annual worldwide turnover from the previous financial year, whichever is higher. However, Art. 102 section 1 of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781) states that the President of the Personal Data Protection Office may impose, by way of a decision, administrative fines of up to PLN 100,000 on: public finance sector units referred to in Art. 9 points 1-12 and 14 of the Act of 27 August 2009 on public finances, a research institute or the National Bank of Poland. Section 3 of this article also states that the administrative fines referred to, among others, in section 1 shall be imposed by the President of the Office on the basis and under the conditions specified in Art. 83 of Regulation 2016/679.<br />
<br />
Pursuant to Art. 83 section 2 of Regulation 2016/679, administrative fines shall be imposed, depending on the circumstances of each individual case, in addition to or instead of the measures referred to in Art. 58 section 2 lit. a)-h) and lit. j) of Regulation 2016/679. When deciding to impose an administrative fine on the Court, the President of the Personal Data Protection Office - pursuant to Art. 83 section 2 lit. a)-k) of Regulation 2016/679 - took into account the following circumstances of the case, which give rise to the need to apply this type of sanction in the present case and have an aggravating effect on the amount of the administrative fine imposed:<br />
<br />
1) The nature, gravity and duration of the breach, taking into account the nature, scope or purpose of the processing in question, the number of affected data subjects and the extent of the damage suffered by them [Art. 83 section 2 lit. a) of Regulation 2016/679]. The violation found in this case is of significant importance and serious nature, because reporting personal data protection breaches by data controllers is an effective tool contributing to a real improvement in the security of personal data processing. First of all, based on the information provided by controllers in reports of personal data protection breaches, the supervisory authority may assess whether the controller has correctly analyzed the impact of the breach on the rights and freedoms of the data subjects covered by the breach and, consequently, whether there is a high risk of violating the rights or freedoms of natural persons and whether it is necessary to notify these persons about a breach of their data. The obligations specified in Art. 33 section 1 and 34 section 1 of Regulation 2016/679, when correctly fulfilled by administrators, also allow for limiting the negative effects of personal data protection breaches and eliminating or at least limiting the risk of such breaches in the future, as controllers are obliged to take actions that will ensure proper protection of personal data by applying appropriate security measures and monitoring their effectiveness. Moreover, reporting a violation to the supervisory authority gives the authority the opportunity to respond appropriately, which would limit the effects of the violation. Failure to notify data subjects about a breach of the protection of their personal data may lead to material or non-material damage, and the probability of its occurrence is high. The President of the Personal Data Protection Office considers the long duration of the infringement to be an aggravating factor. (...) 
has passed since the Administrator received information about a personal data protection breach ((...) August 2022 - i.e. the date of delivery of the letter from the Consulate General of the Republic of Poland in October, July 2022) to the date of issuance of this decision (...) months during which the risk of violating the rights or freedoms (...) of persons for whom such a high level of risk occurred could have materialized, and which these persons could not have counteracted due to the Administrator's failure to comply with the obligation to notify them of the violation. It is also important that the personal data protection breach in question was related to the delivery of court correspondence to a party to divorce proceedings and in total concerned (...) persons (in the case of (...) persons there was a high risk of violating their rights or freedoms, which determines the obligation to notify them about a personal data protection breach). Therefore, the nature of the information contained in the above-mentioned correspondence indicates the family situation of the persons affected by the breach, and therefore the personal nature of this information. This, in turn, affects the level of risk of violating the rights or freedoms of persons affected by the violation.<br />
<br />
2) Intentional nature of the infringement [Art. 83 section 2 lit. b) of Regulation 2016/679]. According to the Guidelines of the Article 29 Working Party on the application and determination of administrative fines for the purposes of Regulation No. 2016/679 WP253 (adopted on 3 October 2017), willfulness "covers both knowledge and deliberate action, in connection with the characteristics of the prohibited act." The Administrator has made a conscious decision not to notify the President of the Personal Data Protection Office or the data subjects about a personal data breach. Special protection of personal data, including in particular the PESEL number and information about health condition, is required from public trust institutions, which undoubtedly include the Administrator. Being aware of this, the Administrator decided not to report the violation to the President of the Personal Data Protection Office or to notify the data subjects, despite the fact that the President of the Personal Data Protection Office first informed the Administrator about the administrator's obligations in connection with a data protection breach. Finally, the very initiation of these proceedings by the President of the Personal Data Protection Office regarding the obligation to report a personal data protection breach to the supervisory authority and to notify data subjects about the breach should at least have raised doubts for the Administrator as to the validity of the position he has adopted.<br />
<br />
3) Categories of personal data affected by the breach [Art. 83 section 2 lit. g) of Regulation 2016/679]. The personal data protection breach in question covered the personal data of (...) persons (violation of Article 33(1) of Regulation 2016/679), of which in the case of (...) there was a high risk of violation of their rights or freedoms (violation of Article 34(1) of Regulation 2016/679). This violation covered the following data: 1) the plaintiff: her name and surname, PESEL number, residential address, date of birth, data contained in the medical documentation, bank account number, 2) the defendant: his name and surname, PESEL number, residential address, date of birth, image contained in the photograph, 3) personal data of two children: their names and surnames, PESEL numbers, address of residence, dates of birth, data contained in the psychological opinion. Moreover, the Court stated that the court proceedings concerned the dissolution of a marriage. This scope proves that there is a high level of risk of violating the rights and freedoms of these persons, in particular due to the PESEL number and health information, which is data subject to special protection under Art. 9 of Regulation 2016/679.<br />
<br />
When determining the amount of the administrative fine, the President of the Personal Data Protection Office found no grounds to take into account mitigating circumstances that affect the final penalty. All the conditions listed in Art. 83 section 2 lit. a)-j) of Regulation 2016/679, in the opinion of the supervisory authority, constitute either aggravating or only neutral conditions. Also applying the premise specified in Art. 83 section 2 lit. k) of Regulation 2016/679 (ordering to take into account any other aggravating or mitigating factors applicable to the circumstances of the case), no mitigating circumstances were found, only neutral ones (as noted below in point 9).<br />
<br />
Other circumstances indicated below, referred to in Art. 83 section 2 of Regulation 2016/679, after assessing their impact on the violation found in this case, were considered by the President of the Personal Data Protection Office to be neutral in his opinion, i.e. having neither an aggravating nor mitigating effect on the amount of the administrative fine imposed.<br />
<br />
1. Actions taken by the controller to minimize the damage suffered by data subjects [Art. 83 section 2 lit. c) of Regulation 2016/679]. Based on the evidence collected in the case, no such actions were found to have been taken by the Administrator.<br />
<br />
2. The degree of responsibility of the controller, taking into account the technical and organizational measures implemented by him pursuant to Art. 25 and 32 [art. 83 section 2 lit. d) of Regulation 2016/679]. The violation assessed in these proceedings (failure to report a personal data protection breach to the President of the Personal Data Protection Office and failure to notify about a personal data breach of data subjects) is not related to the technical and organizational measures used by the controller.<br />
<br />
3. Relevant previous infringements of the provisions of Regulation 2016/679 on the part of the controller [Art. 83 section 2 lit. e) of Regulation 2016/679]. The President of the Personal Data Protection Office did not find any previous violations of the provisions on the protection of personal data committed by the Administrator, therefore there are no grounds to treat this circumstance as an aggravating one. And since such a state (compliance with the provisions on the protection of personal data) is a natural state resulting from the legal obligations incumbent on the Administrator, it cannot have a mitigating effect on the assessment of the violation made by the President of the Personal Data Protection Office.<br />
<br />
4. The degree of cooperation with the supervisory authority in order to remove the violation and mitigate its possible negative effects [Art. 83 section 2 lit. f) of Regulation 2016/679]. In the course of the explanatory proceedings and in the course of initiated administrative proceedings, the Administrator provided answers to requests from the supervisory authority aimed at explaining all circumstances related to the breach of personal data protection.<br />
<br />
5. How the supervisory authority learned about the infringement [Art. 83 section 2 lit. h) of Regulation 2016/679]. The President of the Personal Data Protection Office was informed by the Minister, not by the Administrator, about the occurrence of a personal data protection breach, i.e. about the postal operator delivering a damaged and incomplete parcel to the addressee. However, the failure to notify the supervisory authority of a breach of personal data protection and to notify data subjects about the breach of personal data protection (and therefore a violation of the provisions of Article 33(1) and Article 34(1) of Regulation 2016/679) is the sole subject of these proceedings, and in the circumstances of the considered facts the supervisory authority assumed that it would not treat this condition as an aggravating circumstance.<br />
<br />
6. Compliance with previously applied measures in the same case, referred to in Art. 58 section 2 of Regulation 2016/679 [Art. 83 section 2 lit. i) of Regulation 2016/679]. Before issuing this decision, the President of the Personal Data Protection Office did not apply any measures listed in Art. 58 section 2 of Regulation 2016/679, therefore the Administrator was not obliged to take any actions related to their application, and these actions, assessed by the President of the Personal Data Protection Office, could have an aggravating or mitigating effect on the assessment of the identified violation.<br />
<br />
7. Application of approved codes of conduct under Art. 40 of Regulation 2016/679 or approved certification mechanisms under Art. 42 of Regulation 2016/679 [Art. 83 section 2 lit. j) of Regulation 2016/679]. The Administrator does not use the instruments referred to in Art. 40 and Art. 42 of Regulation 2016/679. However, their adoption, implementation and application are not - as provided for in the provisions of Regulation 2016/679 - mandatory for controllers and processors, therefore the fact of their non-application cannot be considered to the detriment of the Controller in this case. However, the adoption and use of this type of instruments as measures guaranteeing a higher than standard level of protection of processed personal data could be taken into account to the Administrator's advantage.<br />
<br />
8. Financial benefits or avoided losses obtained directly or indirectly in connection with the infringement [Art. 83 section 2 lit. k) of Regulation 2016/679]. The President of the Personal Data Protection Office did not find that the Administrator obtained any financial benefits or avoided such losses in connection with the violation. Therefore, there are no grounds to treat this circumstance as aggravating the Administrator. The finding of measurable financial benefits resulting from the violation of the provisions of Regulation 2016/679 should be assessed definitely negatively. However, the failure of the Administrator to obtain such benefits, as a natural state, independent of the violation and its effects, is a circumstance which, by its nature, cannot be mitigating for the Administrator. The same wording of the provision of Art. 83 section 2 lit. k) of Regulation 2016/679, which requires the supervisory authority to pay due attention to the benefits "achieved" - obtained on the part of the entity committing the infringement.<br />
<br />
9. Other aggravating or mitigating factors applicable to the circumstances of the case [Art. 83 section 2 lit. k) of Regulation 2016/679]. The President of the Personal Data Protection Office, comprehensively considering the case, did not note any circumstances other than those described above that could affect the assessment of the violation and the amount of the imposed administrative fine.<br />
<br />
In the opinion of the President of the Personal Data Protection Office, the administrative fine imposed, in the established circumstances of this case, meets the functions referred to in Art. 83 section 1 of Regulation 2016/679, i.e. it is effective, proportionate and dissuasive in this individual case.<br />
<br />
It should be emphasized that the penalty will be effective if its imposition leads to the Administrator fulfilling its obligations in the field of personal data protection in the future, in particular in the scope of reporting a personal data protection breach to the President of the Personal Data Protection Office and notifying persons affected by the infringement of a personal data protection breach.<br />
<br />
In the opinion of the President of the Office for Personal Data Protection, the administrative fine will fulfill a repressive function as it will be a response to the Administrator's violation of the provisions of Regulation 2016/679. It will also have a preventive function; in the opinion of the President of the Personal Data Protection Office, it will indicate to both the Administrator and other data controllers the reprehensibility of disregarding the obligations of controllers related to the occurrence of a personal data protection breach, which are intended to prevent its negative and often painful effects for the persons affected by the breach, as well as removing these effects or at least limiting them.<br />
<br />
In connection with the above, it should be noted that an administrative fine in the amount of PLN 10,000 (in words: ten thousand zlotys) meets, in the established circumstances of this case, the conditions referred to in Art. 83 section 1 of Regulation 2016/679, due to the seriousness of the identified violation in the context of the basic objective of Regulation 2016/679 - the protection of fundamental rights and freedoms of natural persons, in particular the right to the protection of personal data. At the same time, the amount of the administrative fine imposed by this decision on the administrator being a unit of the public finance sector (public authorities, including government administration bodies, state control and law enforcement bodies, as well as courts and tribunals - indicated in Article 9, point 1 of the Act of August 27, 2009 on public finances), falls within the scope specified in Art. 102 section 1 of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781), with a limit of PLN 100,000.<br />
<br />
Pursuant to Art. 33 section 5 of Regulation 2016/679, the controller documents all personal data protection breaches, including the circumstances of the personal data protection breach, its effects and the remedial actions taken. This documentation must enable the supervisory authority to verify compliance with this Article.<br />
<br />
Due to the fact that the Administrator submitted a document marked as: "Report (...)" in the course of the proceedings, it should be considered that the Administrator keeps documentation related to personal data protection breaches, including documentation regarding the personal data protection breach in question. It is true that the assessment of the event contained therein, in the opinion of the President of the Personal Data Protection Office, is incorrect (as already demonstrated above), but this cannot constitute an allegation of violation of the above-mentioned provision of Regulation 2016/679. The above means that the proceedings in this respect are groundless and subject to discontinuation.<br />
<br />
Due to the above, pursuant to the provisions of Art. 105 § 1 of the Act of June 14, 1960, Code of Administrative Procedure (Journal of Laws of 2023, item 775), hereinafter referred to as the Code of Administrative Procedure, when the proceedings have become groundless for any reason, the administrative authority issues a decision to discontinue the proceedings. The subject of the proceedings is related to the application of the provisions of substantive administrative law by a public authority. The doctrine indicates that: "the groundlessness of administrative proceedings, as stipulated in Art. 105 § 1 of the Code of Administrative Procedure means that one of the elements of a substantive legal relationship is missing, and therefore a decision cannot be issued to settle the matter by resolving it on its merits. The premise for discontinuing the proceedings may exist even before the initiation of the proceedings, which will be revealed only in the ongoing proceedings, and it may also arise during the proceedings, i.e. in a case already pending before the administrative body" (B. Adamiak, J. Borkowski, Code of Administrative Procedure. Commentary, C.H. Beck, Warszawa 2006, p. 489).<br />
<br />
Determination by a public authority of the existence of the condition referred to in Art. 105 § 1 of the Code of Administrative Procedure, obliges him, as emphasized in the doctrine and case law, to discontinue the proceedings, because if this condition exists, there are no grounds to resolve the case on the merits, and continuing the proceedings in such a case would constitute its defectiveness, which would have a significant impact on the outcome of the case.<br />
<br />
In this factual and legal situation, the President of the Office for Personal Data Protection decided as in the operative part.<br />
<br />
[1] Act on the Organization of Common Courts - Act of 27 July 2001, Law on the Organization of Common Courts (Journal of Laws of 2020, item 2072, as amended).<br />
<br />
[2] Act of 1997 - Act of August 29, 1997 on the protection of personal data (Journal of Laws of 2016, item 922, as amended).<br />
<br />
[3] EDPB Guidelines 9/2022 on reporting personal data protection breaches in accordance with the GDPR;<br />
<br />
[4] https://www.zbp.pl/getmedia/45bb9af8-95a4-4cc2-9767-05c73e5b1eb3/Raport-InfoDOK-II-kwartal-2023;<br />
<br />
[5] https://www.zbp.pl/getmedia/b5257020-2baa-4507-828c-a1b78c769c6d/infodok-2022-04-06-wydanie-50-sklad-220725-gk05;<br />
</pre></div>Imhttps://gdprhub.eu/index.php?title=APD/GBA_(Belgium)_-_32/2024APD/GBA (Belgium) - 32/20242024-03-18T17:10:00Z<p>Nzm: /* Comment */</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Belgium<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoBE.png<br />
|DPA_Abbrevation=APD/GBA<br />
|DPA_With_Country=APD/GBA (Belgium)<br />
<br />
|Case_Number_Name=32/2024<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=GBA<br />
|Original_Source_Link_1=https://www.gegevensbeschermingsautoriteit.be/publications/bevel-nr.-32-2024.pdf<br />
|Original_Source_Language_1=Dutch<br />
|Original_Source_Language__Code_1=NL<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Complaint<br />
|Outcome=Partly Upheld<br />
|Date_Started=26.12.2023<br />
|Date_Decided=13.02.2024<br />
|Date_Published=<br />
|Year=2024<br />
|Fine=<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 15(1) GDPR<br />
|GDPR_Article_Link_1=Article 15 GDPR#1<br />
|GDPR_Article_2=Article 15(3) GDPR<br />
|GDPR_Article_Link_2=Article 15 GDPR#3<br />
|GDPR_Article_3=<br />
|GDPR_Article_Link_3=<br />
|GDPR_Article_4=<br />
|GDPR_Article_Link_4=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=nzm<br />
|<br />
}}<br />
<br />
The DPA held that when files constituted by other entities have been consulted in examining a data subject’s credit application, if the latter makes an access request, the controller must give him access to all the documents consulted during the examination.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
A data subject’s credit application was refused by the controller. Consequently, the data subject exercised his right of access with the controller and filed a complaint with its Financial Services Ombudsman. The controller informed him that 3 files had been consulted in examining his credit application: (i) his own file, (ii) the Central Individual Credit Register file and (iii) a finance company’s file. The controller shared the full content of the data subject’s file and only the identity and contact details of the respective controllers. It also told the data subject to contact the controllers of those files to exercise his right of access regarding said documents. <br />
<br />
The data subject claimed that the information to which he had been given access was incomplete, as the controller also had the “purpose of the credit” as well as an image of his identity card. The data subject asked the controller to confirm that he had been given access to all his personal data. The controller responded that it had other data in its possession, namely the data it received as part of the data subject’s complaint to the Financial Services Ombudsman. <br />
<br />
Following this, the data subject lodged a complaint with the Belgian DPA (“APD”).<br />
<br />
=== Holding ===<br />
Under [[Article 15 GDPR#1|Article 15(1) GDPR]], the data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him are being processed and, if so, to obtain access to such personal data. The APD considered that in the present case, the controller did not respond directly to the data subject’s question asking it to confirm that he had been given access to all his personal data. Thus, the data subject did not obtain a conclusive answer or access as required by [[Article 15 GDPR#1|Article 15(1) GDPR]]. <br />
<br />
Moreover, [[Article 15 GDPR#3|Article 15(3) GDPR]] provides that the controller must provide a copy of the personal data being processed. The APD held that the controller processed an image of the data subject’s identity card and failed to provide a copy in response to the request. Therefore, the controller violated [[Article 15 GDPR#3|Article 15(3) GDPR]].<br />
<br />
Finally, the APD pointed out that the purpose of the right of access is “to be aware of, and verify, the lawfulness of the processing” (Recital 63 GDPR). The right of access therefore supports the right to rectification. Regarding the 2 other files the controller consulted, the APD considered that the controller determines the means and purposes of the processing of the personal data in question. However, without access to these 2 files, the data subject could not determine whether it was necessary to contact the controllers of those files in order to exercise his right to rectification. <br />
<br />
The APD therefore ordered the controller to comply with the data subject’s access request by granting him access to all the personal data concerning him, as well as a copy of the data in question.<br />
<br />
== Comment ==<br />
As this was a prima facie decision, if the controller does not agree with the contents of the decision or believes that it has factual and/or legal arguments that could lead to a different decision, it may submit a request for a hearing to the APD within 30 days of the notification of the decision.<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.<br />
<br />
<pre><br />
Dispute Chamber<br />
<br />
<br />
Decision 32/2024 of February 13, 2024<br />
<br />
<br />
File number: DOS-2024-00078<br />
<br />
<br />
Subject: Complaint due to insufficient response to a request for access<br />
<br />
<br />
<br />
The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke HIJMANS, sole chairman;<br />
<br />
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter “GDPR”;<br />
<br />
Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereinafter “WOG”;<br />
<br />
In view of the internal rules of order, as approved by the House of Representatives on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019;<br />
<br />
<br />
Considering the documents in the file;<br />
<br />
<br />
Has made the following decision regarding:<br />
<br />
<br />
Complainant: X, hereinafter “the complainant”<br />
<br />
<br />
<br />
The defendant: Y, hereinafter “the defendant”<br />
<br />
<br />
I. Facts and procedure<br />
<br />
<br />
1. On December 26, 2023, the complainant submitted a complaint to the Data Protection Authority against the defendant.<br />
<br />
2. The subject of the complaint concerns the exercise of the right of access by the complainant without receiving an adequate response from the controller.<br />
<br />
The complainant had exercised his right of access after his credit application was refused by the defendant. In response, the defendant informed the complainant that three files had been consulted in examining his credit application, namely that of the defendant itself, that of the Central Office for Credit to Private Individuals, and that of a financing company. The defendant sent “a complete content of the data that are in our files” to the complainant. Of the data in the remaining two files, the defendant shared only the identity and contact information of the respective controllers.<br />
<br />
The complainant disputed that the data he was given access to was complete. He stated, namely, that the defendant also had the “purpose of the credit” and an image of his identity card. He once again requested the defendant “to provide the files you as lender [sic] has in your possession, as you inform me, to transfer to me.” The complainant had also filed a complaint with the defendant's financial services ombudsman, and the documents available to the Disputes Chamber show that communication between the defendant and the complainant for a certain period of time otherwise focused mainly on investigating the substantive reasons for the refusal of the credit, which is outside the scope of this decision. After some time, the complainant again contacted the defendant to ask for confirmation that he had been given access to all his personal data. The defendant responded as follows:<br />
<br />
"Dear,<br />
<br />
We have other data in our possession, namely the one we received in the context of your complaint to the financial services ombudsman."<br />
<br />
3. On January 8, 2024, the complaint was declared admissible by the First Line Service on the grounds of Articles 58 and 60 of the WOG, and the complaint was transferred to the Disputes Chamber on the basis of Article 62, § 1 of the WOG.<br />
<br />
4. In accordance with Article 95, § 2, 3° of the WOG as well as Article 47 of the internal rules of order of the GBA, the parties can request a copy of the file. If one of the two parties wishes to make use of the opportunity to consult and copy the file, he or she must contact the secretariat of the Disputes Chamber, preferably via litigationchamber@apd-gba.be.<br />
<br />
<br />
II. Justification<br />
<br />
<br />
5. According to Article 15.1 GDPR, the data subject has the right to obtain from the controller clarity about whether or not personal data concerning him are processed and, if applicable, to obtain access to those personal data and the information referred to in Article 15.1.a) to h), GDPR.<br />
<br />
In accordance with Article 12.1 GDPR, read in conjunction with recital 58 of this Regulation, the controller must take appropriate measures to ensure that the data subject receives the communications referred to in Article 15 GDPR in connection with the processing “in a concise, transparent, understandable and easily accessible form and in clear and simple language”. Article 12.2 GDPR also stipulates that the controller must facilitate the exercise of the data subject's rights.<br />
<br />
6. The Disputes Chamber notes that the complainant submitted his request for access on 6 October 2023.<br />
<br />
7. On October 17, 2023, the defendant informed the complainant that in the investigation of his file, three files were consulted. These files were those of (1) the defendant itself, (2) the Central Office for Credit to Private Individuals, and (3) a financing company. The same email contained, according to the defendant, “a complete content of the data contained in our files”. However, the complainant disputed that this information was complete. In particular, he stated that the defendant would also have the “purpose of the credit”.<br />
<br />
On December 26, 2023, the complainant asked the defendant to confirm that he had received access to all his personal data. The defendant responded that “other data” were also processed, and referred to the data provided by the complainant in the context of his complaint to the defendant's financial services ombudsman. Since the defendant did not directly answer the complainant's question whether he had been given access to all his personal data, the complainant did not obtain any clear information about whether or not certain personal data are processed. Consequently, the complainant has not been provided with sufficient clarity or access as required in Article 15.1 GDPR.<br />
<br />
<br />
8. Furthermore, the complainant states that the defendant processed an image of his identity card and failed to provide a copy of it in response to the request for access. In this context, the Disputes Chamber recalls that Article 15.3 GDPR provides that the controller must provide “a copy of the personal data that are processed” to the data subject. If the defendant indeed processes an image of the complainant's identity card, the defendant must also provide a copy of this image to satisfy the complainant's right of access.<br />
<br />
<br />
9. Regarding the two other files that the defendant consulted, the defendant communicated only the identification details and addresses of the respective controllers. The results of the consultations by the defendant, namely the contents of the files, were not communicated by the defendant to the complainant. The latter was told to contact the administrators of those files to exercise his right of access. To the extent that the defendant determines the purposes and means of the processing of the personal data concerned, however, he is a data controller and is therefore obliged to comply himself with the complainant's right of access in accordance with Article 15.1 GDPR. In this respect it is appropriate to recall that the aim of the right of access is to ensure that the data subject “can inform himself of the processing and check its lawfulness” (recital 63 GDPR). The right of access thus supports the right to the protection of personal data, and facilitates the exercise of other rights included in the GDPR, and in particular the right to rectification. Without access to the data that the defendant did or did not consult in the two files concerned, the complainant is unable to determine whether it is necessary to contact those responsible for those files to assert his right to rectification.<br />
<br />
Furthermore, it should be noted that Article VII.79 of the Code of Economic Law stipulates that the “lender shall immediately and free of charge [communicate] to the consumer the result of the consultation as well as the identity and address of the person responsible for the processing of the files he consulted” (emphasis added).<br />
<br />
<br />
10. The Disputes Chamber is of the opinion that, based on the above analysis, it must be concluded that the defendant may have committed a violation of the provisions of the GDPR, which justifies taking a decision in this case on the basis of Article 95, § 1, 5° of the WOG, more specifically ordering the controller to comply with the exercise by the complainant of his right of access (Article 15.1 GDPR).<br />
<br />
11. This decision is a prima facie decision taken by the Disputes Chamber in accordance with Article 95 of the WOG on the basis of the complaint submitted by the complainant, in the context of the “procedure prior to the decision on the merits” [2], and not a decision on the merits of the Disputes Chamber within the meaning of Article 100 of the WOG.<br />
<br />
The Disputes Chamber has thus decided, on the basis of Article 58.2.c) GDPR and Article 95, § 1, 5° of the WOG, to order the defendant to comply with the request of the data subject to exercise his rights, in particular the right of access as determined in Article 15 GDPR.<br />
<br />
[1] CJEU December 20, 2017, Peter Nowak v. Data Protection Commissioner, C-434/16, ECLI:EU:C:2017:994<br />
[2] Section 3, Subsection 2 of the WOG (Articles 94 to 97).<br />
<br />
<br />
12. The purpose of this decision is to inform the defendant of the fact that this<br />
<br />
may have committed an infringement of the provisions of the GDPR and this in the<br />
<br />
the opportunity to still comply with the aforementioned provisions.<br />
<br />
<br />
13. If the defendant does not agree with the content of the present primafacie<br />
<br />
decision and is of the opinion that it can apply factual and/or legal arguments<br />
<br />
that could lead to a different decision, this can be done via the e-mail address<br />
<br />
litigationchamber@apd-gba.be send a request to hear the merits of the case<br />
<br />
to the Disputes Chamber within 30 days after notification of this<br />
<br />
decision. The implementation of this decision will, if necessary, continue for a period of time<br />
<br />
suspended for the aforementioned period.<br />
<br />
14. In the event of a continuation of the merits of the case, the<br />
<br />
Disputes Chamber will, on the basis of Articles 98, 2° and 3° in conjunction with Article 99 WOG,<br />
<br />
invite the parties to submit their defenses and to add to the case file any documents<br />
<br />
they consider useful. If necessary, the present decision will be permanently suspended.<br />
<br />
15. Finally, for the sake of completeness, the Disputes Chamber points out that a hearing on the merits<br />
<br />
of the case may lead to the imposition of the measures stated in Article 100 of the WOG. 3<br />
<br />
<br />
16. In accordance with Article 57 WOG, and with regard to the language in which the complaint is submitted,<br />
<br />
Dutch is used as the procedural language.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
3 Article 100. § 1. The Disputes Chamber has the authority to:<br />
1° to dismiss a complaint;<br />
2° to order the dismissal of prosecution;<br />
3° order the suspension of the ruling;<br />
4° to propose a settlement;<br />
5° formulate warnings and reprimands;<br />
6° order that the data subject's requests to exercise his rights be complied with;<br />
7° to order that the person concerned is informed of the security problem;<br />
8° order that processing be temporarily or permanently frozen, restricted or prohibited;<br />
9° to order that the processing be brought into compliance;<br />
10° to order the rectification, limitation or deletion of data and its notification to the recipients of the<br />
data;<br />
11° order the withdrawal of the recognition of certification bodies;<br />
12° to impose penalty payments;<br />
13° to impose administrative fines;<br />
14° to order the suspension of cross-border data flows to another State or an international institution;<br />
15° to transfer the file to the public prosecutor's office in Brussels, who will inform it of the<br />
follow-up given to the file;<br />
16° decide on a case-by-case basis to publish its decisions on the website of the<br />
Data Protection Authority.<br />
<br />
<br />
<br />
III. Publication of the decision<br />
<br />
17. Considering the importance of transparency with regard to the decision-making of the<br />
<br />
Disputes Chamber, this decision will be published on the website of the<br />
<br />
Data Protection Authority. However, it is not necessary that the<br />
<br />
identification details of the parties are disclosed directly.<br />
<br />
<br />
<br />
FOR THESE REASONS,<br />
<br />
<br />
the Disputes Chamber of the Data Protection Authority decides, subject to<br />
<br />
the submission of a request by the defendant for a hearing on the merits<br />
<br />
in accordance with Article 98 et seq. of the WOG, to:<br />
<br />
- on the basis of Article 58.2.c) of the GDPR and Article 95, § 1, 5° of the WOG,<br />
<br />
order the defendant to comply with the data subject's request<br />
<br />
to exercise his rights, in particular the right of access (Article 15 GDPR), by<br />
<br />
granting the complainant access to all personal data relating to him<br />
<br />
processed by the defendant, as well as providing a copy of the data<br />
<br />
concerned, and this within a period of 30 days from the<br />
<br />
notification of this decision;<br />
<br />
- order the defendant to inform the Data Protection Authority (Disputes Chamber)<br />
<br />
by e-mail, within the same period, of the follow-up given to<br />
<br />
this decision, via the email address litigationchamber@apd-gba.be;<br />
<br />
and<br />
<br />
<br />
- in the absence of timely implementation of the above by the defendant,<br />
to consider the merits of the case ex officio in accordance with Articles 98 et seq.<br />
<br />
of the WOG.<br />
<br />
<br />
<br />
Pursuant to Article 108, § 1 of the WOG, within a period of thirty days from the<br />
<br />
notice, an appeal against this decision can be filed with the Market Court (court of<br />
<br />
appeal Brussels), with the Data Protection Authority as defendant.<br />
<br />
<br />
Such an appeal can be lodged by means of an inter partes petition, which<br />
<br />
must contain the statements listed in Article 1034ter of the Judicial Code 4. The<br />
<br />
inter partes petition must be submitted to the registry of the Market Court<br />
<br />
in accordance with Article 1034quinquies of the Dutch Civil Code 5, or via the e-Deposit<br />
<br />
IT system of Justice (Article 32ter of the Judicial Code).<br />
<br />
<br />
<br />
(sgd.) Hielke HIJMANS<br />
<br />
Chairman of the Disputes Chamber<br />
<br />
<br />
<br />
4 The petition states, under penalty of nullity:<br />
1° the day, month and year;<br />
2° the surname, first name, place of residence of the applicant and, where applicable, his capacity and his national register or<br />
company number;<br />
3° the surname, first name, place of residence and, where applicable, the capacity of the person to be<br />
summoned;<br />
4° the subject matter and brief summary of the grounds of the claim;<br />
5° the judge before whom the claim is brought;<br />
6° the signature of the applicant or his lawyer.<br />
5 The petition with its attachment will be sent by registered letter, in as many copies as there are parties involved,<br />
to the clerk of the court or deposited at the registry.<br />
</pre></div>Nzmhttps://gdprhub.eu/index.php?title=APD/GBA_(Belgium)_-_38/2024APD/GBA (Belgium) - 38/20242024-03-18T16:12:20Z<p>Nzm: Created page with "{{DPAdecisionBOX |Jurisdiction=Belgium |DPA-BG-Color= |DPAlogo=LogoBE.png |DPA_Abbrevation=APD/GBA |DPA_With_Country=APD/GBA (Belgium) |Case_Number_Name=38/2024 |ECLI= |Original_Source_Name_1=APD |Original_Source_Link_1=https://www.gegevensbeschermingsautoriteit.be/publications/zonder-gevolg-nr.-38-2024.pdf |Original_Source_Language_1=French |Original_Source_Language__Code_1=FR |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Original_So..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Belgium<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoBE.png<br />
|DPA_Abbrevation=APD/GBA<br />
|DPA_With_Country=APD/GBA (Belgium)<br />
<br />
|Case_Number_Name=38/2024<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=APD<br />
|Original_Source_Link_1=https://www.gegevensbeschermingsautoriteit.be/publications/zonder-gevolg-nr.-38-2024.pdf<br />
|Original_Source_Language_1=French<br />
|Original_Source_Language__Code_1=FR<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Complaint<br />
|Outcome=Rejected<br />
|Date_Started=09.08.2022<br />
|Date_Decided=21.02.2024<br />
|Date_Published=<br />
|Year=2024<br />
|Fine=<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 7(3) GDPR<br />
|GDPR_Article_Link_1=Article 7 GDPR#3<br />
|GDPR_Article_2=<br />
|GDPR_Article_Link_2=<br />
|GDPR_Article_3=<br />
|GDPR_Article_Link_3=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=nzm<br />
|<br />
}}<br />
<br />
The DPA dismissed a cookie complaint regarding the absence of a “withdraw consent” option as the controller set one up before the DPA’s investigation.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
A data subject represented by noyb (European Centre for Digital Rights) complained that a website did not provide a “withdraw consent” button or a similar option. noyb therefore considered that the cookie banner infringed both the GDPR and the ePrivacy Directive, as it was not as easy to withdraw consent as it was to give it.<br />
<br />
On 9 August 2022, the data subject lodged a complaint with the Belgian DPA (“APD”).<br />
<br />
=== Holding ===<br />
On 24 August 2022, the APD visited the controller’s website and discovered that the cookie banner included an "Accept all" button, a “Reject all” button and a “Cookie settings” button. The APD therefore considered that the sole infringement invoked by the data subject was no longer founded. These findings were still applicable on 19 February 2024, so the APD decided to close the case.<br />
<br />
Additionally, the APD also found that none of the categories of non-essential cookies were ticked by default.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the French original. Please refer to the French original for more details.<br />
<br />
<pre><br />
Litigation Chamber<br />
<br />
Decision 38/2024 of February 21, 2024<br />
<br />
<br />
File number: DOS-2022-03263<br />
<br />
<br />
Subject: Complaint due to the processing of personal data by means<br />
<br />
of a website, without the valid consent of the person concerned<br />
<br />
<br />
<br />
The Litigation Chamber of the Data Protection Authority, made up of Mr.<br />
<br />
Hielke HIJMANS, president, sitting alone;<br />
<br />
<br />
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to the<br />
<br />
protection of natural persons with regard to the processing of personal data and<br />
<br />
to the free movement of these data, and repealing Directive 95/46/EC (General Data Protection<br />
Regulation), hereinafter “GDPR”;<br />
<br />
<br />
Having regard to the Law of December 3, 2017 establishing the Data Protection Authority, hereinafter<br />
<br />
“LCA”;<br />
<br />
<br />
Having regard to the Law of July 30, 2018 relating to the protection of individuals with regard to<br />
<br />
processing of personal data, hereinafter “LTD”;<br />
<br />
Having regard to the Internal Regulations as approved by the House of Representatives on<br />
<br />
December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019;<br />
<br />
<br />
Considering the documents in the file;<br />
<br />
<br />
Has taken the following decision regarding:<br />
<br />
<br />
<br />
The complainant: X, hereinafter “the complainant”, represented by NOYB - EUROPEAN CENTER FOR<br />
<br />
DIGITAL RIGHTS, Goldschlagstraße 172/4/3/2 – 1140 Vienna (Austria)<br />
<br />
<br />
The defendant: Y, hereinafter “the defendant”<br />
<br />
<br />
<br />
<br />
I. Facts and procedure<br />
<br />
<br />
1. The complaint concerns processing of personal data through the web<br />
<br />
page […], without the valid consent of the person concerned.<br />
<br />
The complainant states that she visited the website on 22-10-2021. This web page presented<br />
<br />
a “banner” of a consent management platform (hereinafter, “Z1”) provided by<br />
<br />
Z2. On 10-06-2022, the complainant signed a mandate of representation with NOYB, in accordance<br />
<br />
with Article 80(1) GDPR.<br />
<br />
The complaint mentions several personal data processing operations,<br />
<br />
in the context of providing the web page, allegedly based on the consent<br />
<br />
of the person concerned. More precisely, the complaint alleges an infringement of the GDPR as well<br />
<br />
as of the ePrivacy Directive (ePD), namely that it would not be as easy to withdraw<br />
<br />
consent as to give it. According to the complaint, the option to accept the processing<br />
<br />
activities concerned appears prominently in the banner, but the complainant was not<br />
<br />
able to easily find the option allowing consent to be withdrawn. In particular, there was<br />
<br />
no clearly visible button entitled “withdraw consent” or similar<br />
<br />
option. The complaint also specifies that despite the possibility that Z2 offers to display on<br />
<br />
all pages a floating and permanently visible icon, allowing data subjects<br />
<br />
to return to their cookie settings in order to withdraw their consent, the<br />
<br />
defendant deliberately chose not to activate this option.<br />
<br />
2. On August 9, 2022, the complainant filed a complaint with the Data Protection Authority.<br />
<br />
<br />
3. On August 9, 2022, the First Line Service of the Data Protection Authority<br />
<br />
declares the complaint admissible on the basis of articles 58 and 60 of the LCA, and transmits it<br />
to the Litigation Chamber in accordance with article 62, § 1 of the LCA.<br />
<br />
<br />
II. Motivation<br />
<br />
<br />
4. Based on the facts described in the complaint file as summarized above, and on the<br />
<br />
basis of the powers assigned to it by the legislator under article 95, § 1<br />
<br />
of the LCA, the Litigation Chamber decides on the follow-up to be given to the file; as it happens,<br />
<br />
the Litigation Chamber decides to proceed with the classification without further action of the complaint,<br />
<br />
in accordance with article 95, § 1, 3° of the LCA, for the reasons set out below.<br />
<br />
<br />
5. In matters of dismissal, the Litigation Chamber is required to provide reasons for its<br />
decision step by step 1 and to:<br />
<br />
<br />
<br />
<br />
<br />
<br />
1 Market Court (Brussels Court of Appeal), September 2, 2020, judgment 2020/AR/329, p. 18.<br />
<br />
<br />
<br />
- pronounce a classification without technical follow-up if the file does not contain any, or not<br />
<br />
sufficient, evidence likely to lead to a sanction or if it includes a<br />
<br />
technical obstacle preventing it from rendering a decision;<br />
<br />
- or pronounce a classification without further opportunity, if despite the presence<br />
<br />
of elements likely to lead to a sanction, the continuation of the examination of the<br />
<br />
file does not seem appropriate given the priorities of the Data<br />
<br />
Protection Authority as specified and illustrated in the policy of<br />
<br />
classification without further action of the Litigation Chamber. 2<br />
<br />
<br />
6. In the event of dismissal based on several reasons for dismissal, the<br />
<br />
latter (respectively, classification without technical follow-up and classification without follow-up<br />
<br />
opportunity) must be treated in order of importance.3<br />
<br />
<br />
7. In this case, the Litigation Chamber decides to proceed with a classification without further action<br />
<br />
of the complaint on grounds of expediency. The decision of the Litigation Chamber is based<br />
<br />
more precisely on a reason for which it considers it inappropriate to pursue<br />
<br />
the follow-up of the file, and therefore decides not to proceed, among other things, with an examination<br />
<br />
of the case as to its merits.<br />
<br />
8. In this case, the Litigation Chamber was able to note, on August 24, 2022, that the<br />
<br />
site concerned by the complaint presented a cookie banner including not only a<br />
<br />
button allowing you to reject all (non-essential) cookies, but also included<br />
<br />
a functional URL address at the bottom of the page, entitled “Cookie Settings”:<br />
<br />
2 In this regard, the Litigation Chamber refers to its policy of classification without further action as developed and published on the<br />
website of the Data Protection Authority: https://www.autoriteprotectiondonnees.be/publications/politique-de-classification-without-suite-of-the-contentious-chamber.pdf.<br />
3 Cf. Title 3 – In what cases is my complaint likely to be dismissed by the Litigation Chamber? of the<br />
policy of dismissal without further action by the Litigation Chamber.<br />
<br />
<br />
<br />
It therefore appears that the only violation invoked by the complaint is no longer founded as of the<br />
<br />
date mentioned. The Litigation Chamber consequently decides to classify without further action<br />
<br />
the complainant's grievance, taking into account the fact that the subject of the complaint has disappeared due to the<br />
<br />
measures taken by the controller before the transfer of the complaint to the Litigation<br />
Chamber by the APD First Line Service 4. The Litigation Chamber<br />
<br />
further emphasizes that the above findings still apply as of 19<br />
<br />
February 2024:<br />
<br />
9. In the alternative, the Litigation Chamber was also able to observe, on the occasion of this<br />
<br />
visit to the site concerned, that none of the categories of non-essential cookies were checked<br />
<br />
by default. The Litigation Chamber recalls in this regard that the European Data<br />
<br />
Protection Board (EDPB) adopted, on January 17, 2023, the report drawn up by the working<br />
group on cookie banners (“Cookie Banner Taskforce”) 5, in which the<br />
<br />
European supervisory authorities have notably adopted a common position on<br />
<br />
the prohibition of using pre-selected preferences authorizing the placement and<br />
<br />
reading of non-essential cookies, as well as the obligation to provide the possibility for<br />
users to easily withdraw their consent at any time. The Litigation<br />
<br />
Chamber notes that the data controller has, in the present case, configured<br />
<br />
the cookie banner in accordance with the requirements listed in the aforementioned<br />
<br />
report.<br />
<br />
<br />
10. Finally, the Litigation Chamber specifies that it is not necessary to rule on<br />
<br />
the complainant's interest in taking action in the specific case, given the reasons for dismissal<br />
<br />
stated above.<br />
<br />
<br />
<br />
4 Cf. criterion B.6 in the Litigation Chamber's policy of dismissal.<br />
<br />
5 EDPB – Report on the work undertaken by the Cookie Banner Taskforce (adopted on 17 January 2023), available at the<br />
following link: https://edpb.europa.eu/system/files/2023-01/edpb_20230118_report_cookie_banner_taskforce_en.pdf.<br />
<br />
<br />
<br />
III. Publication and communication of the decision<br />
<br />
<br />
<br />
11. Considering the importance of transparency regarding the decision-making<br />
<br />
process and the decisions of the Litigation Chamber, this decision will be published on the<br />
<br />
website of the Data Protection Authority. However, it is not necessary for this<br />
<br />
purpose that the identification data of the parties be directly communicated.<br />
<br />
<br />
12. In accordance with its policy of dismissal, the Litigation Chamber<br />
<br />
will communicate the decision to the defendant 6. Indeed, the Litigation Chamber decided to<br />
<br />
communicate the decisions of dismissal to the defendants by default. The<br />
<br />
Litigation Chamber, however, refrains from such communication when the complainant<br />
<br />
requested anonymity vis-à-vis the defendant and when the communication of the decision to the<br />
<br />
defendant, even pseudonymized, nevertheless risks allowing the complainant's reidentification 7. This<br />
<br />
is not the case in the present case.<br />
<br />
<br />
<br />
<br />
FOR THESE REASONS,<br />
<br />
<br />
the Litigation Chamber of the Data Protection Authority decides, after<br />
<br />
deliberation, to classify this complaint without further action in application of article 95, § 1, 3°<br />
<br />
of the LCA.<br />
<br />
<br />
<br />
<br />
In accordance with article 108, § 1 of the LCA, an appeal against this decision may be lodged,<br />
<br />
within thirty days from its notification, with the Market Court (Brussels Court<br />
<br />
of Appeal), with the Data Protection Authority as defendant.<br />
<br />
<br />
Such an appeal may be introduced by means of an interlocutory request which must contain the<br />
<br />
information listed in article 1034ter of the Judicial Code 8. The interlocutory request must be<br />
<br />
filed with the registry of the Market Court in accordance with article 1034quinquies of the C. jud. 9, or<br />
<br />
via the e-Deposit information system of the Ministry of Justice (article 32ter of the C. judic.).<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
6 Cf. Title 5 – Will the classification without further action be published? Will the opposing party be informed? of the policy of classification<br />
without further action of the Litigation Chamber.<br />
7 Ibidem.<br />
<br />
8 The request contains, on pain of nullity:<br />
1° indication of the day, month and year;<br />
2° the surname, first name, domicile of the applicant, as well as, where applicable, his qualifications and his national register number or<br />
company number;<br />
3° the surname, first name, address and, where applicable, the status of the person to be summoned;<br />
4° the object and summary of the grounds of the request;<br />
5° indication of the judge who is seized of the request;<br />
6° the signature of the applicant or his lawyer.<br />
9 The request, accompanied by its annex, is sent, in as many copies as there are parties involved, by registered<br />
letter to the court clerk or filed with the court registry.<br />
<br />
<br />
<br />
<br />
To enable the complainant to consider any other possible course of action, the Litigation Chamber refers<br />
<br />
her to the explanations provided in its policy of dismissal. 10<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
(sgd.) Hielke HIJMANS<br />
<br />
<br />
<br />
President of the Litigation Chamber<br />
<br />
10 Cf. Title 4 – What can I do if my complaint is closed? of the Litigation Chamber's policy of dismissal.<br />
</pre></div>Nzmhttps://gdprhub.eu/index.php?title=VwGH_-_Ro_2020/04/0031-9VwGH - Ro 2020/04/0031-92024-03-18T15:02:23Z<p>Ec: </p>
<hr />
<div>{{COURTdecisionBOX<br />
<br />
|Jurisdiction=Austria<br />
|Court-BG-Color=<br />
|Courtlogo=Courts_logo1.png<br />
|Court_Abbrevation=VwGH<br />
|Court_Original_Name=Verwaltungsgerichtshof<br />
|Court_English_Name=Austrian Administrative Supreme Court<br />
|Court_With_Country=VwGH (Austria)<br />
<br />
|Case_Number_Name=Ro 2020/04/0031-9<br />
|ECLI=ECLI:AT:VWGH:2024:RO2020040031.J00<br />
<br />
|Original_Source_Name_1=RIS<br />
|Original_Source_Link_1=https://www.ris.bka.gv.at/Dokumente/Vwgh/JWT_2020040031_20240201J00/JWT_2020040031_20240201J00.pdf<br />
|Original_Source_Language_1=German<br />
|Original_Source_Language__Code_1=DE<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Date_Decided=01.02.2024<br />
|Date_Published=<br />
|Year=2024<br />
<br />
|GDPR_Article_1=Article 6(1)(f) GDPR<br />
|GDPR_Article_Link_1=Article 6 GDPR#1f<br />
|GDPR_Article_2=Article 17 GDPR<br />
|GDPR_Article_Link_2=Article 17 GDPR<br />
|GDPR_Article_3=<br />
|GDPR_Article_Link_3=<br />
|GDPR_Article_4=<br />
|GDPR_Article_Link_4=<br />
<br />
|EU_Law_Name_1=Article 7 CFR<br />
|EU_Law_Link_1=https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%253A12012P%252FTXT<br />
|EU_Law_Name_2=Article 8 CFR<br />
|EU_Law_Link_2=https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%253A12012P%252FTXT<br />
|EU_Law_Name_3=<br />
|EU_Law_Link_3=<br />
|EU_Law_Name_4=<br />
|EU_Law_Link_4=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=Austrian Data Protection Authority<br />
|Party_Link_1=https://www.data-protection-authority.gv.at/<br />
|Party_Name_2=K GmbH<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
<br />
|Appeal_From_Body=BvWG<br />
|Appeal_From_Case_Number_Name=W211 2225136-1/6E<br />
|Appeal_From_Status=<br />
|Appeal_From_Link=https://360.lexisnexis.at/d/entscheidungen-ris/bvwg_w211_2225136_1/u_verwaltung_BVwG_2020_BVWGT_20200728_W_be70d0c11c<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=ec<br />
|<br />
}}<br />
<br />
The Austrian Supreme Administrative Court found that the storing and processing of personal data from the public insolvency register by a credit agency after the date that the data is made unavailable to the public is unlawful.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
In 2010, debt settlement proceedings were issued against the data subject. The data subject settled the payments of the debt in March 2018. <br />
<br />
The controller, a credit agency, processed and stored personal data of the data subject relating to his debt settlement procedure, for the creditworthiness profile of the data subject and that of a company of which the data subject was the sole shareholder.<br />
<br />
In light of this, the appellant requested the erasure of personal data on 4 May 2018, after fulfilling his debt payment plan.<br />
On 24 October 2018, the data subject lodged a complaint at the Austrian DPA against the controller for the infringement of the right to erasure under [[Article 17 GDPR|Article 17 GDPR]]. <br />
<br />
The controller informed the DPA by letter the same day that it would not comply with this request.<br />
<br />
The DPA dismissed the data protection complaint. <br />
<br />
The data subject appealed this decision at the Federal Administrative Court (Bundesverwaltungsgericht).<br />
<br />
The Court dismissed the appeal. The Court found that the controller’s purpose for processing the personal data in question was necessary, as the data is necessary for making a forecast about the future payment behaviour of the data subject. The Court found that the interests of the controller and its third parties outweighed the interests of the data subject. <br />
<br />
The Court concluded that the processing of data on historical insolvencies and payment defaults of the data subject is necessary and lawful and that the objections raised by the data subject could not justify his request for erasure.<br />
<br />
The data subject appealed the decision before the Verwaltungsgerichtshof (Austrian Supreme Administrative Court).<br />
<br />
The Austrian Supreme Administrative Court held off its judgement until the CJEU issued its decision on [[C-26/22 and C-64/22 – Schufa]].<br />
<br />
=== Holding ===<br />
The Supreme Administrative Court ruled on two questions. Firstly, it examined the legality of the storage of data from the insolvency registry by the controller.<br />
<br />
Previous Austrian jurisprudence stated that credit agencies could collect and process personal data from the public insolvency register for up to 5 years after deletion of the data concerned from the register. However, the recent [[CJEU C-26/22 and C-64/22 – Schufa]] case stated that the lawfulness of the processing of personal data on insolvency by the controller must be assessed solely in light of [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]]. Moreover, the CJEU also ruled that credit agencies cannot process data they collected from the insolvency register once that data has expired and been deleted from the register it was collected from (see [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:62022CJ0026 CJEU C-26/22 and C-64/22 – Schufa] para 99). The CJEU explained that the data in the insolvency register is only kept for up to 6 months and therefore considered that, after the expiry of the six-month period, the rights and interests of the data subject take precedence over those of the public to have access to that information.<br />
<br />
The controller argued it had a legitimate interest in the processing of the creditworthiness data of the data subject due to national law. The Federal Administrative Court also ruled that the processing also served to protect the legitimate interests of the controller’s contractual partners.<br />
In light of the [[CJEU C-26/22 and C-64/22 – Schufa]] case, the Supreme Administrative Court found the processing of this data, including the storage, analysis and disclosure of this data to a third party by the controller, constitutes a serious interference with the fundamental rights of the data subject under [[Article 7 CFR]] and [[Article 8 CFR]]. The processing of such data can significantly harm the interests of the data subject because the disclosure is likely to make it considerably more difficult for him to exercise his freedoms, especially when it comes to meeting basic needs. <br />
<br />
The Court stated that the objective of a payment plan is the economic recovery of the data subject. The request for erasure of personal data following fulfilment of the payment plan is intended to prevent the data subject from being impaired in business dealings by the public announcement of earlier insolvency proceedings. Therefore, the data subject’s economic recovery is jeopardised if a credit agency, here the controller, stores data on the data subject’s insolvency proceedings in order to assess the data subject’s creditworthiness, as this data is always used as a negative factor in the assessment. In light of this, the legitimate interests of the controller to process data regarding the insolvency proceedings of the data subject, which ended with the fulfilment of the legally confirmed payment plan, can no longer justify the processing of these personal data, which were previously publicly accessible in the insolvency register.<br />
<br />
The storage of this data by the controller after the decision of the insolvency court to remove the data from the public register can therefore not be based on [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]]. Thus, it is unlawful for the controller to store and process data relating to the insolvency proceedings of the data subject from the public insolvency register once the data is not available anymore in the register, contrary to the decision of the DPA and the administrative court.<br />
<br />
Secondly, the Court examined the request for erasure in accordance with [[Article 17 GDPR|Article 17 GDPR]]. The Court ruled that due to the absence of lawful processing of the data subject’s data from the insolvency proceedings, the controller is obliged to erase the data concerned immediately under [[Article 17 GDPR#1d|Article 17(1)(d) GDPR]].<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the German original. Please refer to the German original for more details.<br />
<br />
<pre><br />
Ro 2020/04/0031-9<br />
February 1, 2024<br />
<br />
<br />
<br />
<br />
<br />
<br />
IN THE NAME OF THE REPUBLIC!<br />
<br />
The Administrative Court has through the presiding Senate President<br />
<br />
Dr. Kleiser, Councilor Dr. Mayr, court councilor Mag. Hainz-Sator and the court councilors<br />
<br />
Dr. Pürgy and Mag. Brandl as judges, with the participation of the secretary<br />
Löffler, LL.M., on the revision of the A G in W, represented by the<br />
<br />
Brand Rechtsanwälte GmbH in 1020 Vienna, Schüttelstraße 55, Carré Rotunde,<br />
against the decision of the Federal Administrative Court of July 28, 2020,<br />
<br />
Zl. W211 2225136-1/6E, concerning a data protection matter<br />
(authority concerned before the administrative court: data protection authority;<br />
<br />
Co-involved party: K GmbH, represented by BLS Rechtsanwälte GmbH<br />
<br />
in 1010 Vienna, Kärntner Straße 10; other party: Federal Minister of Justice),<br />
rightly recognized:<br />
<br />
The contested finding is due to illegality of the content<br />
<br />
lifted.<br />
<br />
The federal government has incurred expenses of €1,346.40 for the appeal applicant<br />
<br />
to be replaced within two weeks if otherwise executed. The additional request<br />
is rejected.<br />
<br />
<br />
Reasons for the decision:<br />
<br />
1 The appellant's assets were reported in 2010<br />
<br />
Debt settlement proceedings before District Court D (Insolvency Court)<br />
opened and the repayment rate set in 2012 in mid-March 2018<br />
<br />
Fulfills. The insolvency court approved this procedure<br />
Resolution of May 4, 2018, the “deletion” requested by the appeal applicant<br />
<br />
the entries from the insolvency file” in accordance with Section 256 Paragraph 3 IO due to the<br />
Proof of fulfillment of the payment plan by the appeal applicant.<br />
<br />
<br />
2 The participating party operates, among other things, the business of<br />
Credit information agency in accordance with Section 152 of the 1994 Trade Code (GewO 1994) and<br />
<br />
stored, among other things, the following excerpts from the data<br />
<br />
Applicant in relation to his debt settlement procedure<br />
in the personal credit profile of the audit applicant, as well as in the<br />
<br />
<br />
<br />
<br />
Administrative Court<br />
Judenplatz 11, 1010 Vienna<br />
www.vwgh.gv.at Ro 2020/04/0031-9<br />
February 1, 2024<br />
<br />
2 of 26<br />
<br />
<br />
<br />
<br />
Credit profile of XY GmbH, whose sole shareholder is<br />
<br />
The applicant for appeal is, under the heading “Insolvency”:<br />
“Current status of the proceedings since 2018-04-01”; “Procedural status: payment plan<br />
<br />
was settled directly by the debtor”, “Liabilities according to the insolvency application<br />
<br />
[EUR] 167,596.54”.<br />
<br />
3 On October 24, 2018, the applicant filed an appeal against the party involved<br />
<br />
data protection complaint filed by the party as the respondent<br />
Violation of the right to deletion in accordance with<br />
<br />
Art. 17 General Data Protection Regulation (GDPR), after writing<br />
of May 23, 2018 the deletion of the entry concerning him about his<br />
<br />
Bankruptcy both in his “personal profile” and in the profile of the<br />
XY GmbH desires the database of the party involved and the<br />
<br />
co-involved party had informed this party in a letter dated the same day<br />
<br />
Not complying with desires.<br />
<br />
4 In a decision dated September 20, 2019, the data protection authority (appealed<br />
<br />
Authority) rejects the data protection complaint as unfounded.<br />
<br />
5 The complaint lodged by the appellant against this rejected this<br />
<br />
Federal Administrative Court (Administrative Court) with the contested<br />
The finding of July 28, 2020 was unfounded and stated that the<br />
<br />
Revision is permissible.<br />
<br />
6 In summary, the administrative court stated that:<br />
<br />
The participating party processes the data in the course of operating the business<br />
Credit information agency in accordance with Section 152 GewO 1994 historical information about<br />
<br />
Payment defaults and insolvency proceedings of the appeal applicant<br />
(potential) creditors in order to determine the risk of any<br />
<br />
to provide payment defaults.<br />
<br />
This is a purpose recognized by the legal system.<br />
<br />
The data on the insolvency proceedings are correct, complete and fundamental<br />
<br />
necessary and suitable to make a forecast about the future<br />
payment behavior of the appeal applicant.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Neither the GDPR nor the regulations on the credit reporting agency business<br />
(§ 152 GewO 1994) contained concrete deadlines “for the permissible storage period<br />
<br />
historical insolvency proceedings and payment defaults”. The permissible one<br />
<br />
Storage duration depends on the individual case.<br />
<br />
Historical payment information is essential for the future<br />
Payment behavior of (potential) debtors<br />
<br />
to be able to predict. However, they would have less informative value<br />
longer they would be in the past and the longer there would be no further delays in payments<br />
<br />
and payment defaults. The age of the claim or the<br />
<br />
The time when the final default of the claim is determined<br />
The timing of any repayments and the “good behavior” since then would be included<br />
<br />
the weighing up is of crucial importance.<br />
<br />
As a guideline, how long payment history data is used to assess creditworthiness<br />
(potential) debtors are suitable, observation or<br />
<br />
Deletion periods in the provisions serving to protect creditors<br />
<br />
are used that meet the requirements of a suitable one<br />
Creditworthiness assessment should be specified in more detail, such as the provisions of the<br />
<br />
Regulation (EU) No 575/2013 of the European Parliament and of the Council<br />
of June 26, 2013 on supervisory requirements for credit institutions and<br />
<br />
Investment firms and amending Regulation (EU) No 646/2012<br />
(Capital Adequacy Ordinance). These obliged credit institutions under<br />
<br />
among other things, for customer assessment and risk assessment of their claims. For<br />
credit or retail claims against natural persons<br />
<br />
Credit institutions that calculate their risk-weighted position amounts based on a<br />
based on internal assessments<br />
<br />
(Art. 143 Para. 1), in accordance with Art. 151 Para. 6 in conjunction with Art. 180 Para. 2 lit. a<br />
and e Capital Adequacy Ordinance the probability of default<br />
<br />
Requirement based, among other things, on the long-term averages of the annual<br />
<br />
Estimate the failure rate. This is a historical observation period for<br />
at least one data source, which could also be external, from at least<br />
<br />
to be taken as a basis for five years. Also the estimate to be carried out<br />
The loss rate in the event of a default is in accordance with Article 151 paragraph 7<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
In conjunction with Article 181 Paragraph 2 Letter c of the Capital Adequacy Ordinance, it is generally based on one<br />
for a period of at least five years.<br />
<br />
<br />
The EU regulator therefore assumes that for the assessment of the<br />
Creditworthiness of (potential) debtors and the risk<br />
<br />
a claim data on any payment defaults over a period of<br />
be relevant for at least five years.<br />
<br />
<br />
If credit institutions are potential business partners of the party involved<br />
are legally obliged to report their claims based on default rates<br />
<br />
at least for the last five years, and the credit rating database<br />
The party involved should also serve to provide data to credit institutions,<br />
<br />
that they would need for their mandatory assessment violates the<br />
Processing the insolvency data of the appeal applicant does not violate the principle<br />
<br />
data minimization or storage limitation if the payment plan for<br />
The time of the deletion request on May 23, 2018 was less than<br />
<br />
three months, or at the time of the administrative court's decision<br />
<br />
was fulfilled a little over two years ago. This also applies to<br />
Receivables that were already defaulted more than five years ago<br />
<br />
only, as in the present case, a little more than two years ago through the fulfillment of the<br />
The payment plan was finally paid off because only with the successful payment<br />
<br />
The specific amount of the default can be determined when the payment plan is fulfilled<br />
could.<br />
<br />
<br />
As part of the balancing of interests in accordance with Article 6 Paragraph 1 Letter f of the GDPR<br />
on the one hand, the interests of the person responsible and of third parties (possible<br />
<br />
business partners of the party involved) and, on the other hand, the interests,<br />
The rights and expectations of the data subject must be taken into account.<br />
<br />
The party involved and their customers would have a comprehensible one<br />
<br />
Interested in assessing credit risk. The processing of data<br />
<br />
about insolvencies and payment defaults to protect potential successes<br />
Contractual partner of the data subject, the third party within the meaning of Art. 6<br />
<br />
Paragraph 1 lit. f GDPR. This data processing also serves<br />
Support of credit institutions, the regulations of the<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
to comply with the capital adequacy regulation. For assessing credit risk<br />
by the party involved is the observation of the historical<br />
<br />
Payment behavior of potential debtors is essential and the<br />
<br />
Processing data about a little over two years ago<br />
Fulfillment of a payment plan finally concluded insolvency proceedings<br />
<br />
necessary.<br />
<br />
This interest of the party involved and their business partners outweighs this<br />
the interest of the appeal applicant, not from economic disadvantages<br />
<br />
Data processing to be affected because the amount of liabilities of the<br />
<br />
Insolvency proceedings amounted to approximately €215,000. Furthermore, the person involved<br />
Only one party has this payment experience data of the appeal applicant<br />
<br />
limited public who has an interest to be taken into account<br />
Credit check is available.<br />
<br />
In contrast to the credit rating database of the party involved, the<br />
<br />
data protection law admissibility of maintaining the insolvency file<br />
<br />
§ 256 Insolvency Code (IO), a legal obligation within the meaning of Art. 6<br />
Paragraph 1 lit. c GDPR. It cannot be deduced from Section 256 IO that<br />
<br />
Insolvency data (at all) also based on other permitted circumstances<br />
Art. 6 GDPR may no longer be processed if they come from the<br />
<br />
Insolvency file had been deleted. Such a restriction would<br />
at least with regard to the present relevant permit<br />
<br />
Art. 6 Para. 1 lit. f GDPR contradicts EU secondary law.<br />
<br />
As far as the appeal applicant in his letter of request dated<br />
<br />
May 29, 2018 to object to the use of your data<br />
21 GDPR, he did not explain to what extent the<br />
<br />
Data processing based on Article 6 Paragraph 1 Letter f of the GDPR<br />
is nevertheless not permissible in a special situation. The contradiction is<br />
<br />
therefore inadmissible.<br />
<br />
By claiming that the stored data is old and incomplete because<br />
<br />
the appeal applicant has been successfully active again in business since 2016 and<br />
This data is only suitable for his economic advancement<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
The appeal applicant is doing something to hinder and cause damage<br />
<br />
Violation of the general processing principles of the<br />
Data minimization and data economy according to Art. 5 GDPR and one<br />
<br />
inadequate balancing of interests within the framework of Article 6 GDPR, but none<br />
<br />
reasons arising from a special situation affecting him<br />
would result.<br />
<br />
<br />
The “processing of data on historical bankruptcies and<br />
“Payment defaults” by the appeal applicant by the co-involved party are therefore<br />
<br />
necessary and lawful. The objection raised by the appeal applicant<br />
could not justify his request for deletion.<br />
<br />
<br />
7 The administrative court based its decision on admissibility on the grounds that it was missing<br />
Jurisprudence of the Administrative Court on the question of which principles<br />
<br />
a balancing of interests in accordance with Article 6 Paragraph 1 Letter f of the GDPR must be sufficient;<br />
in particular, whether and under what conditions the regulations of the<br />
<br />
Capital Adequacy Ordinance as a guideline for determining the permissible<br />
<br />
Storage period of creditworthiness data can be used.<br />
<br />
8 The present ordinary revision is directed against this with the application<br />
<br />
Repeal of the contested finding against reimbursement of expenses.<br />
<br />
9 The authority concerned requested this in its response to the appeal<br />
<br />
Dismissal of the appeal against reimbursement of expenses. The participating party<br />
did not submit an appeal response.<br />
<br />
10 By resolution of December 23, 2021, 6 K 441/21.WI, and resolution of<br />
<br />
January 31, 2022, 6 K 1052/21.WI, was ruled by the Wiesbaden Administrative Court<br />
<br />
(Germany) asked, among other things, the following questions to the ECJ (there<br />
pending C-26/22 and C-64/22) for a preliminary ruling:<br />
<br />
“...<br />
<br />
2. Is data storage at a private credit reporting agency<br />
personal data from a public register, such as the 'national<br />
Databases' within the meaning of Article 79 Paragraphs 4 and 5 of the<br />
<br />
Regulation (EU) 2015/848 [Regulation of the European Parliament and the<br />
Council of May 20, 2015 on insolvency proceedings], without any specific reason<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
stored in order to provide information in the event of an inquiry<br />
can, with Articles 7 and 8 of the Charter of Fundamental Rights of the European Union<br />
compatible?<br />
<br />
3. a) Are private parallel databases (especially databases of a<br />
Credit agencies) that are set up alongside the state databases and<br />
in which the data from the state databases (here<br />
Insolvency notices) are stored longer than in the narrow one<br />
<br />
Framework of Regulation 2015/848 in conjunction with the national one<br />
Regulated by law, generally permissible?<br />
<br />
b) If question 3 a) is answered in the affirmative, this results in the right to be forgotten<br />
in accordance with Art. 17 Paragraph 1 Letter d) GDPR, this data must be deleted,<br />
if the processing time envisaged for the public register<br />
has expired?<br />
<br />
4. Insofar as Article 6 Paragraph 1 Subparagraph 1 letter f) GDPR as the sole one<br />
Legal basis for data storage for private individuals<br />
Credit reporting agencies also appear in public registers<br />
Stored data comes into consideration is a legitimate interest<br />
<br />
Credit reporting agency is to be affirmed if this credit reporting agency has the data<br />
from the public directory without any specific reason<br />
Is this data then available when a request is made?<br />
<br />
..."<br />
<br />
11 By resolution of June 10, 2023, Ro 2020/04/0031, the<br />
Administrative Court continues the appeal process until the<br />
<br />
Decision of the ECJ in the above two<br />
<br />
Request for a preliminary ruling from the Wiesbaden Administrative Court is pending<br />
Proceedings suspended because answering these questions is also for the<br />
<br />
treatment of the present revision is important.<br />
<br />
12 With judgment of December 7, 2023, C-26/22 and C-64/22, SCHUFA Holding<br />
<br />
(discharge of residual debt), the ECJ has decided on the request for a preliminary ruling from<br />
Wiesbaden Administrative Court decided.<br />
<br />
The Administrative Court considered:<br />
<br />
<br />
admissibility<br />
<br />
13 The appeal turns out to be in line with the separate admissibility submissions made by the<br />
<br />
Revision clarified the legal question as to whether EU regulations, such as the one in this case<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Capital Adequacy Ordinance applicable to credit institutions and investment firms<br />
are addressed and contain regulations for internal credit checks, as<br />
<br />
Guideline for determining the permissible storage period of not for<br />
<br />
internal use of certain creditworthiness data by credit reporting agencies<br />
can be used as permissible. She is also entitled.<br />
<br />
Relevant legal situation<br />
<br />
<br />
Union law<br />
<br />
14 The relevant recitals and provisions of the<br />
<br />
Regulation (EU) 2016/679 of the European Parliament and of the Council of<br />
April 27, 2016 on the protection of natural persons during processing<br />
<br />
personal data, the free movement of data and the abolition of the<br />
Directive 95/46/EC (General Data Protection Regulation; GDPR), OJ L 119<br />
<br />
dated May 4, 2016, excerpts read:<br />
<br />
“Article 6<br />
Lawfulness of processing<br />
<br />
(1) Processing is only lawful if at least one of the<br />
the following conditions are met:<br />
<br />
...<br />
<br />
f) the processing is to protect the legitimate interests of the<br />
responsible person or a third party, unless the<br />
interests or fundamental rights and freedoms of the person concerned,<br />
which require the protection of personal data, predominate<br />
especially if the person concerned is a child<br />
<br />
acts.<br />
Subparagraph 1(f) does not apply to those carried out by public authorities<br />
processing carried out in their tasks.<br />
<br />
...<br />
<br />
Article 17<br />
Right to deletion (“right to be forgotten”)<br />
<br />
(1) The data subject has the right to obtain information from the person responsible<br />
request that personal data concerning you be deleted immediately<br />
<br />
and the person responsible is obliged to provide personal data<br />
deleted immediately if one of the following reasons applies:<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
a) The personal data are for the purposes for which they were collected<br />
or processed in any other way is no longer necessary.<br />
...<br />
<br />
c) The data subject objects in accordance with Article 21(1).<br />
processing and there are no overriding legitimate reasons<br />
for processing, or the data subject submits in accordance with Article 21<br />
<br />
Paragraph 2 objection to the processing.<br />
d) The personal data was processed unlawfully.<br />
<br />
..."<br />
<br />
15 The relevant recitals and provisions of the<br />
<br />
Directive 2008/48/EC of the European Parliament and of the Council of<br />
April 23, 2008 on consumer credit agreements and the cancellation of the<br />
<br />
Council Directive 87/102/EEC, OJ L 133 of 22.5.2008<br />
excerpts:<br />
<br />
“(26) ... Particularly in the expanding credit market, it is important that<br />
Lenders do not act irresponsibly in granting loans or<br />
<br />
Granting loans without prior assessment of creditworthiness, and the<br />
Member States should carry out the necessary checks to prevent such<br />
Behaviors should be stopped and they should be the necessary ones<br />
Determine sanctions for those lenders who behave in this way.<br />
Without prejudice to the provisions of Directive 2006/48/EC of the European<br />
Parliament and of the Council of 14 June 2006 on the inclusion and<br />
<br />
The activities of credit institutions should be controlled by credit risk<br />
Lenders are responsible for evaluating the loan in each individual case<br />
Check the consumer's creditworthiness. ...<br />
<br />
...<br />
(28) To assess the consumer's credit situation, the creditor should:<br />
<br />
also consult the relevant databases; due to legal and<br />
Factual circumstances may require such<br />
Consultations vary in scope. So that the competition between<br />
Lenders should not be distorted, lenders should choose from others<br />
Member States access to private or public databases<br />
concerning consumers in a Member State in which they are not established<br />
<br />
are granted under non-discriminatory conditions<br />
the creditors of that Member State.<br />
<br />
...<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Article 8<br />
Obligation to assess the consumer's creditworthiness<br />
<br />
(1) Member States shall ensure that before the credit agreement is concluded<br />
the lender assesses the consumer's creditworthiness based on sufficient creditworthiness<br />
evaluates information that he may collect from the consumer and<br />
if necessary, based on information from the relevant company<br />
<br />
Database. Those Member States that require lenders to do so by law<br />
oblige to check your creditworthiness based on a corresponding query<br />
database can maintain this requirement.”<br />
<br />
16 The relevant recitals and provisions of the<br />
<br />
Directive 2014/17/EU of the European Parliament and of the Council of<br />
February 4, 2014 on residential real estate credit agreements for consumers and for<br />
<br />
Amendments to Directives 2008/48/EC and 2013/36/EU and the<br />
Regulation (EU) No. 1093/2010, OJ L 60 of February 28, 2014<br />
<br />
excerpts:<br />
<br />
“(55) Before concluding a credit agreement, it is essential to have the ability and<br />
Evaluate and evaluate the consumer's propensity to repay the loan<br />
check. During this credit check, everyone should<br />
necessary and relevant factors are taken into account that determine the capability<br />
of a consumer to repayments due over the term of the loan<br />
<br />
could achieve, influence. ...<br />
...<br />
<br />
(59) Querying a credit database is a useful element in the<br />
Credit check. ...<br />
<br />
...<br />
<br />
Article 18<br />
Obligation to check the consumer's creditworthiness<br />
<br />
1. Member States shall ensure that the creditor before concluding a<br />
Credit agreement requires a thorough check of the consumer's creditworthiness<br />
carries out. When checking your creditworthiness, the factors that determine the...<br />
<br />
Examination of the prospects that are relevant to the consumer<br />
fulfills obligations under the loan agreement in an appropriate manner<br />
taken into account.<br />
<br />
...<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Article 21<br />
Access to databases<br />
<br />
(1) Each Member State shall ensure that all creditors from all<br />
Member States have access to the assessment within their territory<br />
the consumer's creditworthiness databases used<br />
Use should only be monitored to what extent consumers<br />
<br />
fulfill their loan obligations during the term of a loan agreement.<br />
Access must be granted without discrimination.<br />
<br />
(2) Paragraph 1 applies to both private credit bureaus and credit reporting agencies<br />
operated databases as well as for public registers.<br />
..."<br />
<br />
17 The relevant recitals and provisions of the<br />
<br />
Regulation (EU) No 575/2013 of the European Parliament and of the Council<br />
<br />
of June 26, 2013 on supervisory requirements for credit institutions and<br />
Investment firms and amending Regulation (EU) No 646/2012<br />
<br />
(Capital Adequacy Regulation), OJ L 176 of June 27, 2013<br />
excerpts:<br />
<br />
“(42) It is essential to take into account the diversity of institutions in the Union<br />
is, should be used when calculating the own funds requirements for the<br />
There are different approaches to credit risk with varying degrees of severity<br />
<br />
Risk sensitivity and sophistication should be provided. Through the<br />
Use of external credit assessments and those from the institutions themselves<br />
The estimates made of individual credit risk parameters win<br />
Credit risk provisions significantly increase risk sensitivity and<br />
regulatory soundness. Institutes should switch to approaches<br />
<br />
with higher risk sensitivity. If institutes are to<br />
Apply the investigation approaches provided for in this Regulation<br />
They should provide the estimates needed to assess credit risk if they submit their procedures<br />
for credit risk measurement and credit risk management, so that for the<br />
Determination of regulatory capital requirements methods for<br />
are available that match the type, scope and complexity of the<br />
<br />
take into account the procedures of the individual institutes. In this regard, the<br />
Data processing in connection with procurement and administration<br />
of loans to customers also the development and validation of systems<br />
for credit risk management and credit risk measurement. This<br />
not only serves the legitimate interests of institutions, but also the goal<br />
<br />
this regulation, better methods for risk measurement and management<br />
apply and these methods also with regard to the prescribed ones<br />
to use own resources. Regardless, higher-level approaches require<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Risk sensitivity significant expertise and resources as well as qualitative<br />
high-quality and sufficient data. ...<br />
...<br />
<br />
Article 135<br />
<br />
Use of ECAI credit ratings<br />
<br />
(1) An external credit assessment may only be used to determine the<br />
risk weight of a claim according to this chapter can be used,<br />
if it comes from an ECAI or from an ECAI in accordance with the<br />
Regulation (EC) No. 1060/2009 was confirmed.<br />
<br />
...<br />
Article 171<br />
<br />
Assignment to rating levels or risk pools<br />
<br />
...<br />
<br />
(2) When assigning debtors and facilities to a rating level<br />
or a risk pool, an institution carries all relevant information<br />
Invoice. The information is up-to-date and enables the institute to<br />
Forecast of the future development of the risk position. The less<br />
The more information an institution has available, the more conservative it is<br />
The procedure for assigning risk positions to debtor<br />
<br />
or facility rating levels or risk pools. Does an institute support the<br />
Determination of an internal assessment mainly to an external one<br />
Credit rating, it ensures that other relevant ones are also relevant<br />
information is taken into account.<br />
<br />
...<br />
<br />
Article 180<br />
Special requirements for PD estimates<br />
<br />
(1) When quantifying the risk parameters for certain creditworthiness levels<br />
or pools are used by the institutions when estimating PD for receivables<br />
Companies, institutions, central governments and central banks as well as for<br />
Investment positions for which they apply the PD/LGD approach in accordance with Article 155<br />
<br />
Apply paragraph 3, the following specific requirements:<br />
...<br />
<br />
f) to the extent that an institution compares its internal creditworthiness levels with the creditworthiness scale of a<br />
ECAI or comparable institutions linked or one of such<br />
scale and then the external creditworthiness levels<br />
<br />
assigns default rates recorded by the organization to its internal levels,<br />
This assignment is made based on a comparison between the internal ones<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Assessment criteria and the criteria of the external organization and<br />
a comparison between internal and external assessments of any<br />
joint debtor. Distortions or inconsistencies in<br />
Assignment procedures or the underlying data are included<br />
<br />
avoided. The criteria of the external organization that is responsible for the<br />
The data used for quantification are based<br />
exclusively focused on the risk of default and do not reflect any<br />
transaction characteristics. ..."<br />
<br />
National law<br />
<br />
<br />
18 Section 7 Paragraph 1 of the Consumer Credit Act (VKrG), Federal Law Gazette I No. 28/2010 as amended<br />
Federal Law Gazette I No. 135/2015 reads:<br />
<br />
“Checking the consumer’s creditworthiness<br />
<br />
§ 7. (1) Before concluding the loan agreement, the lender has the<br />
The consumer's creditworthiness based on sufficient information<br />
check that he - if necessary - requests from the consumer;<br />
If necessary, he also has information from one available<br />
<br />
database.”<br />
<br />
19 § 9 Mortgage and Real Estate Loan Act - HIKrG, Federal Law Gazette I No. 135/2015, reads in part:<br />
<br />
“Checking the consumer’s creditworthiness<br />
<br />
§ 9. (1) Before concluding a credit agreement, the lender has to carry out a thorough check of the consumer's creditworthiness. In the creditworthiness check, the factors that are relevant for checking the prospects that the consumer will fulfill his obligations under the credit agreement must be taken into account in an appropriate manner.<br />
(2) The creditworthiness check is to be carried out on the basis of necessary, sufficient and appropriate information on the income, expenses and other financial and economic circumstances of the consumer. The lender has to obtain the information from relevant internal or external sources, including the consumer.<br />
..."<br />
<br />
20 § 256 Insolvency Code (IO), Federal Law Gazette No. 337/1914 as amended by Federal Law Gazette I No. 122/2017, reads in part:<br />
<br />
“Insolvency file<br />
§ 256. (1) The data that must be made public according to this federal law must be included in the edict file (insolvency file).<br />
(2) Access to the insolvency file is no longer permitted if a year has passed since<br />
...<br />
4. expiry of the payment period provided for in the payment plan or<br />
...<br />
(3) At the debtor's request, inspection of the insolvency file will already no longer be granted if the legally confirmed restructuring plan or payment plan has been fulfilled. The debtor has to document fulfillment. The court can engage an expert to examine compliance, the costs of which are to be borne by the debtor. The court decides on the inspection by a decision that cannot be postponed.<br />
..."<br />
<br />
Legality of storing data from the insolvency file by credit reporting agencies<br />
<br />
21 In the present case, the appeal applicant is requesting the deletion of an entry regarding his insolvency proceedings in the database of the co-involved credit reporting agency, after the insolvency court, in his debt settlement procedure, approved the “deletion of entries from the insolvency file” in accordance with Section 256 Paragraph 3 IO. It is therefore necessary to examine the permissibility of the storage of this data by the co-involved party also in the period after the insolvency court's decision approving that access to the insolvency file is no longer granted in accordance with Section 256 Paragraph 3 IO.<br />
<br />
22 The ECJ, in its judgment of December 7, 2023, C-26/22 and C-64/22, SCHUFA Holding (discharge of residual debt), answered the questions essential here from the request for a preliminary ruling of the Wiesbaden Administrative Court to the effect that Art. 5 Para. 1 lit. a GDPR in conjunction with Art. 6 Para. 1 lit. f GDPR is to be interpreted as precluding a practice of “private credit reporting agencies” which consists in storing, in their own databases, information from a public register about the granting of a discharge of residual debt in favor of natural persons, for the purpose of providing information about the creditworthiness of these persons, for a period that goes beyond the duration of the data storage in the public register. It essentially justified this as follows:<br />
<br />
“...<br />
<br />
74 In the present case, it is clear that the lawfulness of the processing of personal data at issue in the main proceedings is to be assessed solely in the light of Article 6 paragraph 1 subparagraph 1 letter f GDPR. According to this provision, the processing of personal data is only lawful if the processing is necessary to protect legitimate interests of the controller or a third party, unless the interests or fundamental rights and freedoms of the data subject which require the protection of personal data prevail, in particular if the data subject is a child.<br />
<br />
75 The processing of personal data is therefore lawful under this provision under three cumulative conditions: first, a legitimate interest must be pursued by the controller or a third party; secondly, the processing of personal data must be necessary to achieve this legitimate interest; and thirdly, the interests or fundamental rights and freedoms of the person whose data is to be protected must not prevail (judgment of July 4, 2023, Meta Platforms et al. [General conditions of use of a social network], C-252/21, EU:C:2023:537, paragraph 106 and the case law cited there).<br />
<br />
76 Firstly, as regards the requirement of pursuing a 'legitimate interest', in the absence of a definition of this term by the GDPR it should be highlighted, as the Advocate General stated in point 61 of his Opinion, that a wide range of interests can in principle be considered legitimate.<br />
<br />
77 Secondly, as regards the requirement that the processing of personal data be necessary to realize the legitimate interest pursued, this requires the referring court to check whether the legitimate interest in processing the data cannot reasonably be achieved just as effectively by other means which interfere less with the fundamental rights and freedoms of the data subjects, in particular the rights to respect for private life and protection of personal data guaranteed by Articles 7 and 8 of the Charter (judgment of July 4, 2023, Meta Platforms et al. [General terms of use of a social network], C-252/21, EU:C:2023:537, paragraph 108 and the case law cited there).<br />
<br />
78 In this context it should also be noted that the requirement of the necessity of data processing must be examined together with the so-called principle of 'data minimization', which is anchored in Article 5 Paragraph 1 letter c GDPR and requires that personal data be 'adequate and relevant to the purpose and limited to the extent necessary for the purposes of the processing' (judgment of July 4, 2023, Meta Platforms et al. [General terms and conditions of use of a social network], C-252/21, EU:C:2023:537, paragraph 109 and the case law cited there).<br />
<br />
79 Thirdly, as regards the requirement that the interests or fundamental freedoms and rights of the person whose data is to be protected do not prevail over the legitimate interest of the controller or a third party, the Court has already decided that this requirement calls for a balancing of the respective conflicting rights and interests, which fundamentally depends on the specific circumstances of the individual case, and that it is therefore a matter for the referring court to carry out this balancing taking these specific circumstances into account (judgment of July 4, 2023, Meta Platforms et al. [General conditions of use of a social network], C-252/21, EU:C:2023:537, paragraph 110 and the case law cited there).<br />
<br />
80 Furthermore, as can be seen from recital 47 of the GDPR, the interests and fundamental rights of the data subject can prevail over the interest of the controller in particular when personal data is processed in situations where a data subject cannot reasonably expect such processing (judgment of July 4, 2023, Meta Platforms et al. [General terms and conditions of use of a social network], C-252/21, EU:C:2023:537, paragraph 112).<br />
<br />
81 Ultimately, it is for the referring court to decide whether, with regard to the processing of personal data at issue in the main proceedings, the three requirements referred to in paragraph 75 of this judgment are met; the Court may, however, in deciding on the national court's request for a preliminary ruling, provide relevant information for this examination (see in this sense judgment of October 20, 2022, Digi, C-77/21, EU:C:2022:805, paragraph 39 and the case law cited there).<br />
<br />
82 In the present case, SCHUFA asserts, with regard to the pursuit of a legitimate interest, that credit reporting agencies process data that are necessary to assess the creditworthiness of people or companies in order to be able to provide this information to their contractual partners. This activity not only protects the economic interests of the companies that want to enter into credit-related contracts; the determination of creditworthiness and the provision of credit reports also form a foundation of the credit system and the functionality of the economy. The activities of credit reporting agencies also help to realize the business wishes of those interested in credit-relevant transactions, as the information makes a quick and unbureaucratic check of these transactions possible.<br />
<br />
83 In this respect, the processing of personal data at issue in the main proceedings does indeed serve the economic interests of SCHUFA, but this processing also serves to protect the legitimate interest of SCHUFA's contractual partners, who want to conclude credit-relevant contracts with people, in assessing the creditworthiness of those people, and thus the socio-economic interests of the credit sector.<br />
<br />
84 With regard to consumer credit agreements, Article 8 of Directive 2008/48, in the light of its 28th recital, shows that the lender is obliged, before the loan agreement is concluded, to evaluate the creditworthiness of the consumer based on sufficient information, if necessary also based on information from public and private databases.<br />
<br />
85 Furthermore, in relation to consumer residential property credit agreements, Article 18(1) and Article 21(1) of Directive 2014/17 in conjunction with recitals 55 and 59 of this Directive indicate that the lender has to carry out a thorough check of the consumer's creditworthiness and has access to credit databases, whereby the query of such databases is a useful element in this examination.<br />
<br />
86 It should be added that the obligation to evaluate the creditworthiness of consumers, as provided for in Directives 2008/48 and 2014/17, is intended not only to protect the loan applicant, but also, as highlighted in recital 26 of Directive 2008/48, to ensure the smooth functioning of the entire credit system.<br />
<br />
87 However, data processing must also be necessary to achieve the legitimate interests of the controller or a third party, and the interests or fundamental rights and freedoms of the data subject must not outweigh this interest. In the appropriate balancing of the respective conflicting rights and interests, i.e. those of the controller and the third parties involved on the one hand and of the data subject on the other hand, as stated in paragraph 80 of the present judgment, in particular the reasonable expectations of the data subject and the scope of the processing in question and its effects on this person must be taken into account (cf. judgment of July 4, 2023, Meta Platforms et al. [General terms and conditions of use of a social network], C-252/21, EU:C:2023:537, paragraph 116).<br />
<br />
88 Regarding Article 6 Paragraph 1 Subparagraph 1 letter f of the GDPR, the Court of Justice has decided that this provision should be interpreted as meaning that processing can only be considered necessary to protect the legitimate interests of the controller or a third party within the meaning of this provision if this processing takes place within the limits of what is absolutely necessary to realize this legitimate interest, and if a balancing of the conflicting interests, taking into account all relevant circumstances, shows that the interests or fundamental rights and freedoms of the persons affected by this processing do not prevail over the legitimate interest of the controller or a third party (cf. in this sense judgments of May 4, 2017, Rīgas satiksme, C-13/16, EU:C:2017:336, paragraph 30, and of July 4, 2023, Meta Platforms et al. [General terms and conditions of use of a social network], C-252/21, EU:C:2023:537, paragraph 126).<br />
<br />
89 In this context, the referring court points to two aspects of the processing of personal data at issue in the main proceedings. Firstly, this processing implies a multiple storage of data, i.e. not just in a public register but also in the databases of the credit reporting agencies, whereby these companies do not carry out this storage for a specific reason, but in the event that their contractual partners request information from them. Secondly, these companies store this data for three years on the basis of rules of conduct within the meaning of Art. 40 GDPR, while the national legislation provides for a storage period of just six months for the public register.<br />
...<br />
<br />
92 With regard to the duration of data storage, it can be assumed that the examination of the second and third requirements mentioned in paragraph 75 of the present judgment overlaps, in that the assessment of the question whether, in the present case, the legitimate interests pursued by the processing of personal data at issue in the main proceedings cannot reasonably be achieved just as well by a shorter duration of data storage requires a balancing of the conflicting rights and interests.<br />
<br />
93 When weighing up the legitimate interests pursued, it should be noted that the analysis of a credit reporting agency, insofar as it enables an objective and reliable assessment of the creditworthiness of potential customers of the contractual partners of the credit reporting agency, can compensate for information differences and thus reduce fraud risks and other uncertainties.<br />
<br />
94 However, as far as the rights and interests of the data subject are concerned, the processing of data regarding the granting of a discharge of residual debt, such as storing, analyzing and sharing this data with a third party, by a credit reporting agency represents a serious interference with the fundamental rights of the data subject enshrined in Articles 7 and 8 of the Charter. Such data serves as a negative factor when assessing the creditworthiness of the data subject and is therefore sensitive information about his or her private life (cf. in this sense judgment of 13 May 2014, Google Spain and Google, C-131/12, EU:C:2014:317, paragraph 98). Its processing may significantly harm the interests of the data subject, as this disclosure is likely to make the exercise of his or her freedoms significantly more difficult, especially when it comes to covering basic needs.<br />
<br />
95 Furthermore, as the Commission has pointed out, the consequences for the interests and private life of the data subject are the greater, and the requirements regarding the lawfulness of storing this information the higher, the longer the data in question is stored by credit reporting agencies.<br />
<br />
96 It should also be noted that the aim of a public insolvency register, as can be seen from recital 76 of Regulation 2015/848, is to provide better information to the affected creditors and courts. In this context, Article 79 (5) of this regulation simply provides that Member States inform data subjects for what period of time their personal data stored in insolvency registers are accessible, without specifying a storage period for this data. On the other hand, it follows from Article 79(4) of this Regulation that Member States are responsible, in accordance with this Article, for collecting data and storing it in national databases. The period for storing this data must therefore be established in compliance with this regulation.<br />
<br />
97 In the present case, the German legislature provides that information about the granting of a discharge of residual debt is only stored in the insolvency register for six months. It therefore assumes that after a period of six months has elapsed, the rights and interests of the data subject prevail over those of the public in having this information.<br />
<br />
98 Furthermore, as the Advocate General stated in point 75 of his Opinion, the granted discharge of residual debt enables the beneficiary to participate in economic life again, and therefore generally has existential significance for this person. The realization of this goal would, however, be at risk if credit reporting agencies, in order to assess the economic situation of a person, could store data about a discharge of residual debt and use such data after it has been deleted from the public insolvency register, because this data is always used as a negative factor when assessing the creditworthiness of such a person.<br />
<br />
99 Under these circumstances, the interests of the credit sector in having information about a discharge of residual debt cannot justify a processing of personal data such as that at issue in the main proceedings after the expiry of the storage period for the data in the public insolvency register, so that the storage of this data by a credit reporting agency, in relation to the period after the deletion of this data from a public insolvency register, cannot be based on Article 6 paragraph 1 subparagraph 1 letter f GDPR.<br />
...<br />
<br />
106 Finally, the referring court essentially asks which obligations a credit reporting agency has in accordance with Art. 17 GDPR.<br />
<br />
...<br />
<br />
108 Should the referring court, after its assessment of the lawfulness of the processing of personal data at issue in the main proceedings, come to the conclusion that this processing is not lawful, then according to the clear wording of this provision the controller, in this case SCHUFA, is obliged to delete the relevant data immediately. This would be the case, as found in paragraph 99 of this judgment, for a processing of the personal data in question that takes place after the expiry of the six-month period for the storage of the data in the public insolvency register.<br />
<br />
..."<br />
<br />
23 Based on this case law of the ECJ, the lawfulness of the processing of personal data from the insolvency file by the co-involved party is to be judged solely in the light of Article 6 Paragraph 1 Letter f GDPR. According to this provision, the processing of personal data is lawful under three cumulative conditions: firstly, a legitimate interest must be pursued by the controller or a third party; secondly, the processing of personal data must be necessary to achieve the legitimate interest; and thirdly, the interests and fundamental rights and fundamental freedoms of the person whose data is to be protected must not prevail (ECJ December 7, 2023, C-26/22 and C-64/22, SCHUFA Holding [Discharge of residual debt], paragraphs 74 and 75, with further references; see also VwGH October 31, 2023, Ro 2020/04/0024, 0025, para. 22, with further references).<br />
<br />
<br />
24 In this case, the party involved asserts, with regard to the pursuit of a legitimate interest, that, on the basis of the exercise of the trade of a credit reporting agency in accordance with Section 152 GewO 1994, it has a legitimate interest in the processing of the creditworthiness data of the appeal applicant, in particular information about his past insolvency, for the purpose of assessing his creditworthiness. This data processing therefore serves the economic interests of the party involved. In this context, however, the administrative court also pointed out that the processing of data about insolvencies and payment defaults achieves the protection of potential contractual partners of the appeal applicant. The processing of the insolvency data of the appeal applicant therefore also serves to safeguard the legitimate interests of the contractual partners of the party involved who want to conclude credit-relevant contracts with the appeal applicant and to estimate the associated credit risk.<br />
<br />
25 The ECJ (C-26/22 and C-64/22, paras. 83 to 86) also assumes in this connection the existence of a socio-economic interest of the credit sector in the processing of creditworthiness data, especially of insolvency data. On the one hand, it refers to Article 8 of Directive 2008/48/EC, from which, in the light of recital 28 of this Directive, with regard to consumer credit agreements, the lender's obligation emerges to evaluate the consumer's creditworthiness before concluding the credit agreement on the basis of sufficient information, if necessary also on the basis of information from public and private databases (this corresponds domestically to Section 7 Paragraph 1 of the Consumer Credit Act (VKrG), by which Article 8 of Directive 2008/48/EC on consumer credit agreements was implemented). On the other hand, with regard to residential real estate loan agreements for consumers, the lender has, in accordance with Article 18, paragraph 1 and Article 21(1) of Directive 2014/17 in conjunction with recitals 55 and 59 of this Directive, to carry out a thorough check of the creditworthiness of the consumer, whereby the query of credit databases to which the lender has access is a useful element in this check (this corresponds domestically to Section 9 Paragraphs 1 and 2 of the Mortgage and Real Estate Loan Act - HIKrG, by which Article 18 Paragraph 1 of Directive 2014/17/EU was implemented). Furthermore, the obligation to assess consumers' creditworthiness, as provided for in Directives 2008/48/EC and 2014/17/EU, is intended not only to protect the loan applicant but also, as recital 26 of Directive 2008/48/EC emphasizes, to guarantee the smooth functioning of the entire credit system.<br />
<br />
<br />
26 The administrative court refers (specifically on the question of storage duration) in particular to Regulation (EU) No. 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms and amending Regulation (EU) No. 646/2012 (Capital Adequacy Regulation). This regulation provides, in Art. 135 Para. 1, Art. 171 Para. 2 and Art. 180 Para. 1 lit. f in conjunction with recital 42, for the use of external credit assessments, for example for the assignment to rating levels and risk pools or for estimating the probability of default (“PD estimate”), thus for credit risk assessment. It therefore also follows from the Capital Adequacy Regulation that there is a socio-economic interest of the credit sector in the processing of insolvency data of (potential) borrowers for evaluating creditworthiness, on the part of the contractual partners of the party involved who want to conclude credit-relevant contracts with the appeal applicant.<br />
<br />
<br />
27 Finally, the analysis of a credit reporting agency, such as the party involved, insofar as it enables an objective and reliable assessment of the creditworthiness of potential customers of its contractual partners, can compensate for information differences and thus reduce fraud risks and other uncertainties (cf. ECJ C-26/22 and C-64/22, para. 93).<br />
<br />
28 In this respect, there is a legitimate interest within the meaning of Art. 6 Para. 1 lit. f GDPR in the processing of the appeal applicant's data relating to the debt settlement procedure.<br />
<br />
<br />
29 In contrast, the processing of this data, in particular with regard to the fulfillment of the legally confirmed payment plan, such as the storage, analysis and transfer of this data to a third party by the party involved, constitutes a serious interference with the fundamental rights of the appeal applicant enshrined in Articles 7 and 8 GRC. Since such data serves as a negative factor in assessing the creditworthiness of the appeal applicant, it constitutes sensitive information about his private life. Its processing may considerably harm the interests of the appeal applicant, because the disclosure is likely to make the exercise of his freedoms considerably more difficult, especially when it comes to covering basic needs. The consequences for the interests and private life of the appeal applicant are the greater, and the requirements for the lawfulness of storing this information therefore the higher, the longer this data is stored by the party involved (see ECJ C-26/22 and C-64/22, paras. 94, 95).<br />
<br />
30 The aim of a public insolvency register, such as the insolvency file under § 256 IO, is to ensure better information for the affected creditors and courts (cf. ECJ C-26/22 and C-64/22, para. 96, as well as, domestically, the explanations for the Insolvency Law Amendment Act 1997 - IRÄG 1997 in RV 734 BlgNR 20. GP, 34, 63).<br />
<br />
<br />
31 According to Section 256 Paragraph 2 Item 4 IO, inspection of the insolvency file is no longer to be granted if one year has passed since the expiry of the payment period provided for in the payment plan. At the request of the debtor, inspection of the insolvency file can already no longer be granted when the legally confirmed payment plan has been fulfilled (Section 256 Para. 3 IO). The latter option serves to avoid disadvantages for the debtor in business transactions (see the explanations for the Insolvency Law Amendment Act 2010 - IRÄG 2010 RV 612 BlgNR 24. GP 3, 35).<br />
<br />
32 The legislature therefore assumes that with the fulfillment of the legally confirmed payment plan, but at the latest upon expiry of a period of one year since the expiry of the payment period provided for in the payment plan, the rights and interests of the data subject, as in this case the appeal applicant, prevail over those of the public in having access to this information (cf. RV 734 BlgNR 20. GP, 63). After all, the goal of the payment plan is the economic recovery of the debtor (cf. OGH August 18, 2010, 8 Ob 146/09t). In this sense, a “deletion” from the insolvency file as a result of fulfilling the payment plan is intended to avoid the debtor being impaired in business transactions through public announcement of previous insolvency proceedings (see explanations in RV 612 BlgNR 24. GP, 3, 35).<br />
<br />
<br />
33 However, the realization of this goal would be jeopardized if the party involved, as a credit reporting agency, could store the appeal applicant's data about his insolvency proceedings in order to assess his economic situation and use such data after inspection of the insolvency file can no longer be granted under § 256 paragraph 2 and paragraph 3 IO, because this data is always used as a negative factor in the assessment of the creditworthiness of the appeal applicant. Under these circumstances, the legitimate interests of the credit sector in having information regarding the insolvency proceedings of the appeal applicant ended by the fulfillment of the legally confirmed payment plan can no longer justify the processing of this personal data, which was previously publicly viewable in the insolvency file. The storage of this data by the party involved, in relation to the period after the decision of the insolvency court on the “deletion of the entries from the insolvency file” in accordance with Section 256 Paragraph 3 IO, cannot therefore be based on Art. 6 Paragraph 1 lit. f GDPR. The storage of the data from the insolvency file relating to the debt settlement procedure of the appeal applicant by the party involved beyond the time at which the decision of the insolvency court in accordance with Section 256 (3) IO became legally binding therefore proves to be unlawful, contrary to the legal opinion of the authority concerned and the administrative court (cf. again ECJ C-26/22 and C-64/22, paragraphs 98 and 99).<br />
<br />
Request for deletion according to Art. 17 GDPR<br />
<br />
<br />
34 Due to the lack of lawfulness of the processing from the insolvency file<br />
deleted data of the appeal applicant regarding his insolvency proceedings<br />
<br />
The party involved is obliged to provide the relevant data immediately<br />
<br />
to be deleted in accordance with Art. 17 Para. 1 lit. d GDPR (cf. again ECJ C-26/22<br />
and C-64/22, paragraph 108).<br />
<br />
35 In contrast to this, in the VwGH decision May 9, 2023, Ro 2020/04/0037,<br />
<br />
that asserted by the appeal applicant against a credit institution<br />
<br />
Right to deletion in accordance with Art. 17 GDPR in relation to you<br />
relevant entry of payment experience data in a jointly with<br />
<br />
database operated by other credit institutions (bank warning list).<br />
This entry did not concern the processing of personal data<br />
<br />
Applicant from the insolvency file. Rather, they were in the<br />
<br />
Payment history data of the audit applicant stored on the bank warning list<br />
by the credit institution in connection with the existing one<br />
<br />
Current account details of the appeal applicant are collected<br />
(see VwGH Ro 2020/04/0037, paragraph 57, last sentence). So much for this one<br />
<br />
Knowledge taking into account the Capital Adequacy Ordinance<br />
Storage period of at least five years in relation to the storage of<br />
<br />
Payment experience data in the bank warning list is generally considered legitimate<br />
<br />
was considered, it should be noted that the Capital Adequacy Ordinance<br />
in accordance with Article 1, the general supervisory requirements for<br />
<br />
Credit institutions regulate specific areas and are therefore not applicable<br />
Credit reporting agencies, such as the party involved in this case, apply.<br />
<br />
<br />
Result<br />
<br />
36 In this respect, the administrative court is of the legality of storing the data<br />
<br />
Insolvency data relating to the appeal applicant is provided by the co-participant<br />
<br />
<br />
<br />
<br />
<br />
<br />
Credit reporting agency in accordance with Article 6 Paragraph 1 Letter f of the GDPR and that from<br />
<br />
If the right to deletion asserted by the appeal applicant is denied, it has that<br />
contested finding is burdened with illegality of the content. The<br />
<br />
The contested finding therefore had to be repealed in accordance with Section 42 Paragraph 2 Z 1 VwGG.<br />
<br />
37 From the conduct of the requested hearing before<br />
<br />
The Administrative Court was able to distance itself in accordance with Section 39 Para. 2 Z 6 VwGG<br />
<br />
be taken because the present case does not involve questions of<br />
assessment of evidence or disputed findings of fact, but in the<br />
<br />
Revision legal questions were raised that were not complex in nature<br />
have, especially since the central legal question already refers to the case law of the ECJ<br />
<br />
could be referred (see VwGH August 3, 2023, Ro 2020/04/0035,<br />
Rn. 35, mwN), and to solve them in the sense of the judicature of the ECHR<br />
<br />
an oral hearing is not required (cf. VwGH May 9, 2023,<br />
<br />
Ro 2020/04/0037, Rn. 81, mwN).<br />
<br />
38 The decision on reimbursement of expenses is based on Sections 47 ff VwGG<br />
<br />
in particular Section 1 Paragraph 1 Letter a VwGH Expense Reimbursement Ordinance, according to which<br />
the flat rate amount for the filing costs for the submission of the<br />
<br />
Revision contrary to the recorded flat rate of € 2,180.-- only<br />
€ 1,106.40. Sales tax is not separate according to Section 47 Paragraph 1 VwGG<br />
<br />
to be awarded because this is already included in the flat-rate written expenses<br />
<br />
is included (see on the latter VwGH April 10, 2020, Ra 2018/04/0154 to 0155,<br />
34).<br />
<br />
Vienna, February 1, 2024<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
</pre></div>Echttps://gdprhub.eu/index.php?title=CJEU_-_C-46/23_-_Budapest_F%C5%91v%C3%A1ros_IV._Ker%C3%BClet_%C3%9Ajpest_%C3%96nkorm%C3%A1nyzat_Polg%C3%A1rmesteri_Hivatala_v._Nemzeti_Adatv%C3%A9delmi_%C3%A9s_Inform%C3%A1ci%C3%B3szabads%C3%A1g_Hat%C3%B3s%C3%A1gCJEU - C-46/23 - Budapest Főváros IV. Kerület Újpest Önkormányzat Polgármesteri Hivatala v. Nemzeti Adatvédelmi és Információszabadság Hatóság2024-03-18T14:02:32Z<p>Lm: altered title to shorten</p>
<hr />
<div>{{CJEUdecisionBOX<br />
<br />
|Case_Number_Name=C-46/23 Budapest Főváros IV. Kerület Újpest Önkormányzat Polgármesteri Hivatala v. Nemzeti Adatvédelmi és Információszabadság Hatóság<br />
|ECLI=ECLI:EU:C:2024:239<br />
<br />
|Opinion_Link=<br />
|Judgement_Link=https://curia.europa.eu/juris/document/document.jsf?text=2016%252F679&docid=283833&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=2140435#ctx1<br />
<br />
|Date_Decided=14.03.2024<br />
|Year=2024<br />
<br />
|GDPR_Article_1=Article 17 GDPR<br />
|GDPR_Article_Link_1=Article 17 GDPR<br />
|GDPR_Article_2=Article 58(2)(d) GDPR<br />
|GDPR_Article_Link_2=Article 58 GDPR#2d<br />
|GDPR_Article_3=Article 58(2)(g) GDPR<br />
|GDPR_Article_Link_3=Article 58 GDPR#2g<br />
|GDPR_Article_4=<br />
|GDPR_Article_Link_4=<br />
|GDPR_Article_5=<br />
|GDPR_Article_Link_5=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=Budapest Főváros IV. Kerület Újpest Önkormányzat Polgármesteri Hivatala<br />
|Party_Link_1=https://ujpest.hu/<br />
|Party_Name_2=Nemzeti Adatvédelmi és Információszabadság Hatóság<br />
|Party_Link_2=https://www.naih.hu/<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
<br />
|Reference_Body=Alkotmánybíróság (Hungary Constitutional Court)<br />
|Reference_Case_Number_Name=<br />
<br />
|Initial_Contributor=lm<br />
|<br />
}}<br />
<br />
The CJEU held that DPAs can exercise corrective powers under Article 58(2)(d) and (g) GDPR to order erasure of personal data of their own motion, regardless of where the data originated or whether the data subject requested its erasure.<br />
<br />
==English Summary==<br />
<br />
=== Facts ===<br />
In February 2020, the Újpest administration (the controller) obtained personal data about Hungarian residents from the Hungarian Treasury and Budapest district office. The intent was to determine eligibility for a program seeking to provide financial support to residents made vulnerable by the COVID-19 pandemic.<br />
<br />
The Hungarian DPA initiated an investigation after a report alerted it to the processing. The DPA determined that the controller failed to inform data subjects in a timely manner of the categories of personal data processed, the purposes of processing, or how they could exercise their rights in relation to the processing. On 22 April 2021, it found that the controller violated Articles 5, 14, and 12(1) GDPR.<br />
<br />
Pursuant to Article 58(2)(d), the DPA ordered the controller to erase the personal data of data subjects who were entitled to the right to erasure but had not requested it. <br />
<br />
The controller challenged the DPA’s order before the Fővárosi Törvényszék (Budapest High Court), arguing that [[Article 58 GDPR#2d|Article 58(2)(d) GDPR]] does not empower the DPA to order the erasure of personal data in the absence of an [[Article 17 GDPR]] request from the data subject.<br />
<br />
On appeal, the Alkotmánybíróság (Hungarian Constitutional Court) held that the DPA is empowered to order erasure of unlawfully processed personal data of its own motion, regardless of whether a request has been made by the data subject. In doing so, it set aside a prior judgment by the Kúria (Hungary Supreme Court).<br />
<br />
Seeking clarification on the interpretation of Articles 17 and 58(2) GDPR, the Constitutional Court referred two questions to the CJEU:<br />
<br />
# Can a DPA order a controller or processor to erase unlawfully processed personal data despite the absence of a request from the data subject?<br />
# If the DPA can exercise such corrective power, is that so whether or not the personal data were obtained from the data subject?<br />
<br />
=== Holding ===<br />
In deciding the first question, the Court held that some corrective powers under [[Article 58 GDPR#2|Article 58(2) GDPR]], namely [[Article 58 GDPR#2d|58(2)(d)]] and [[Article 58 GDPR#2g|(g) GDPR]], may be exercised by the DPA on its own motion. [[Article 58 GDPR#2c|Article 58(2)(c) GDPR]], on the other hand, does require a prior data subject request. <br />
<br />
The Court noted that the plain language of [[Article 58 GDPR#2d|Article 58(2)(d)]] and [[Article 58 GDPR#2g|(g) GDPR]] does not require a data subject request to authorize the DPA’s corrective power. [[Article 58 GDPR]] uses different wording to distinguish between corrective measures that may only be adopted following a data subject request, such as [[Article 58 GDPR#2c|Article 58(2)(c) GDPR]], and corrective measures that may be ordered by an authority of its own motion, such as [[Article 58 GDPR#2d|Article 58(2)(d)]] and [[Article 58 GDPR#2g|(g) GDPR]]. In addition, the Court found that [[Article 17 GDPR#1|Article 17(1) GDPR]] distinguishes between the right of the data subject to obtain erasure of their data and the obligation of the controller to erase such personal data without undue delay. The controller’s obligation thus attaches regardless of whether the data subject requests erasure. <br />
<br />
With regard to the second question, the Court concluded that the DPA’s power to order erasure of unlawfully processed data applies both to data collected from the data subject and to data originating from another source. It noted that the text of the provisions does not suggest that a DPA's corrective powers are contingent on the origin of the data.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''</div>Lmhttps://gdprhub.eu/index.php?title=VwGH_-_VwGH_Ro_2021/04/0010-11VwGH - VwGH Ro 2021/04/0010-112024-03-18T08:43:16Z<p>Ec: </p>
<hr />
<div>{{DISPLAYTITLE:VwGH - Ro 2021/04/0010-11}}<br />
{{COURTdecisionBOX<br />
<br />
|Jurisdiction=Austria<br />
|Court-BG-Color=<br />
|Courtlogo=Courts_logo1.png<br />
|Court_Abbrevation=VwGH<br />
|Court_Original_Name=Verwaltungsgerichtshof<br />
|Court_English_Name=Austrian Administrative Supreme Court<br />
|Court_With_Country=VwGH (Austria)<br />
<br />
|Case_Number_Name=Ro 2021/04/0010-11<br />
|ECLI=ECLI:AT:VWGH:2023:RO2021040010.J09<br />
<br />
|Original_Source_Name_1=VwGH<br />
|Original_Source_Link_1=https://www.vwgh.gv.at/medien/mitteilungen/Ro_2021040010.pdf?9g4sif<br />
|Original_Source_Language_1=German<br />
|Original_Source_Language__Code_1=DE<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Date_Decided=21.12.2023<br />
|Date_Published=20.02.2024<br />
|Year=2023<br />
<br />
|GDPR_Article_1=Article 4(4) GDPR<br />
|GDPR_Article_Link_1=Article 4 GDPR#4<br />
|GDPR_Article_2=Article 9(2)(g) GDPR<br />
|GDPR_Article_Link_2=Article 9 GDPR#2g<br />
|GDPR_Article_3=Article 22 GDPR<br />
|GDPR_Article_Link_3=Article 22 GDPR<br />
|GDPR_Article_4=<br />
|GDPR_Article_Link_4=<br />
|GDPR_Article_5=<br />
|GDPR_Article_Link_5=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=Article 1 §2 DSG<br />
|National_Law_Link_1=https://www.ris.bka.gv.at/eli/bgbl/i/1999/165/A1P2/NOR40139563<br />
|National_Law_Name_2=§25(1) AMSG<br />
|National_Law_Link_2=https://www.ris.bka.gv.at/NormDokument.wxe?Abfrage=Bundesnormen&Gesetzesnummer=10008905&Artikel=&Paragraf=25&Anlage=&Uebergangsrecht=<br />
|National_Law_Name_3=§38(c) AMSG<br />
|National_Law_Link_3=https://www.ris.bka.gv.at/NormDokument.wxe?Abfrage=Bundesnormen&Gesetzesnummer=10008905&FassungVom=2017-05-16&Artikel=&Paragraf=38c&Anlage=&Uebergangsrecht=<br />
|National_Law_Name_4=<br />
|National_Law_Link_4=<br />
|National_Law_Name_5=<br />
|National_Law_Link_5=<br />
<br />
|Party_Name_1=Austrian Data Protection Authority<br />
|Party_Link_1=https://www.data-protection-authority.gv.at/<br />
|Party_Name_2=Public Employment Service Austria<br />
|Party_Link_2=https://www.ams.at/organisation/public-employment-service-austria<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
<br />
|Appeal_From_Body=BVwG<br />
|Appeal_From_Case_Number_Name=W256 2235360-1<br />
|Appeal_From_Status=<br />
|Appeal_From_Link=https://www.ris.bka.gv.at/JudikaturEntscheidung.wxe?Abfrage=Bvwg&Dokumentnummer=BVWGT_20201218_W256_2235360_1_00<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=ec<br />
|<br />
}}<br />
<br />
The Austrian Supreme Administrative Court held that an algorithm in itself is an automated decision even if the final decision is made by a human who was provided instructions and training to question the algorithm’s decision-making.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The Austrian Data Protection Authority (DSB) issued a ban against the processing of data by the Public Employment Service in Austria.<br />
The controller, the Public Employment Service in Austria, supports workers in (re)integrating into the labour market by offering various services, including a counsellor who discusses labour market opportunities with the jobseeker.<br />
<br />
In order to assess the jobseeker’s labour market opportunities, the controller used an algorithm to calculate the degree of probability for jobseekers to be employed for a certain number of days, based on: (1) age group, (2) gender, (3) country group, (4) education, (5) health impairment, (6) care responsibilities, (7) occupational group, (8) career history and (9) the regional labour market situation and the duration of cases at the controller.<br />
<br />
It did not include motivation, self-help potential of the jobseeker, addiction, debt or housing situation.<br />
Based on this, the algorithm divided jobseekers into the following three groups:<br />
(1) Service jobseekers with high labour market opportunities<br />
(2) Care jobseekers with low labour market opportunities<br />
(3) Consultancy jobseekers with medium labour market opportunities<br />
<br />
The result was used as a starting point for counsellors to work with jobseekers to assess their potential and any obstacles in the labour market integration. The algorithm itself was not used for a job placement, but only for targeted support and assistance, meaning, choosing the right support strategy based on which group the jobseeker was divided into. <br />
<br />
The controller claimed it had a legal basis under Austrian national law (the Arbeitsmarktservicegesetz, AMSG) to process data with the help of an algorithm. According to [[Article 4 GDPR#4|Article 4(4) GDPR]], this processing of data is considered profiling. However, the DPA found that a legal authorisation for this processing was lacking in the AMSG, which is necessary under Austrian data protection law (see&nbsp;[https://www.ris.bka.gv.at/eli/bgbl/i/1999/165/A1P1/NOR40139563 Article&nbsp;1&nbsp;§2&nbsp;DSG]).<br />
<br />
The DPA also found there was a case of automated individual decision-making under [[Article 22 GDPR|Article 22 GDPR]]. Although the results of the algorithm are not binding as the final decision lies with the counsellor, the DPA contended that it cannot be ruled out that in individual cases, the decision will be based exclusively on profiling.<br />
<br />
Therefore, the DPA issued a ban due to lack of a sufficient legal basis for the processing.<br />
<br />
The controller appealed this decision at the Bundesverwaltungsgericht (the Federal Administrative Court).<br />
<br />
The Federal Administrative Court upheld the controller’s appeal against the decision of the DPA. In its reasoning, the Court stated that the controller should ensure there is a support plan between the counsellor and jobseeker. Moreover, the controller should provide counsellors with instructions and training to ensure they do not accept the result of the algorithm unquestioningly. <br />
<br />
The Court held that the controller is allowed to carry out an assessment of personal data in accordance with national law (see [https://www.ris.bka.gv.at/NormDokument.wxe?Abfrage=Bundesnormen&Gesetzesnummer=10008905&Artikel=&Paragraf=25&Anlage=&Uebergangsrecht= &nbsp;§25(1)&nbsp;AMSG&nbsp;]). Moreover, it cannot be assumed that the mere use of automated processing already results in “informational added value”. Moreover, [[Article 22 GDPR|Article 22 GDPR]] does not apply, as the final decision lies with the counsellors and therefore the decision-making is not based solely on automated processing. The Court concluded that the DPA decision should be annulled due to the lack of violation of the principle of lawful data processing under [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]].<br />
<br />
The DPA appealed the decision before the Verwaltungsgerichtshof (Supreme Administrative Court).<br />
<br />
=== Holding ===<br />
The Supreme Administrative Court found that the lawfulness of the data processing at issue in the proceeding must be examined, because under Austrian national law (see [https://www.ris.bka.gv.at/NormDokument.wxe?Abfrage=Bundesnormen&Gesetzesnummer=10008905&FassungVom=2017-05-16&Artikel=&Paragraf=38c&Anlage=&Uebergangsrecht= §38c AMSG]) the data processing in question is a private-sector activity and not a public service task. <br />
<br />
The DPA argued that the Federal Administrative Court did not take into account the character of profiling as a special processing procedure and challenged the lawfulness of the processing under [[Article 22 GDPR|Article 22 GDPR]]. <br />
<br />
The Court found that the controller’s algorithm in itself is an automated decision under [[Article 22 GDPR#1|Article 22(1) GDPR]] based on the recent CJEU decision [[CJEU - C‑634/21 - SCHUFA|C-634/21 - Schufa]]. The Court explained that the algorithm decides which group a jobseeker is allocated to and thus has a legal effect on the jobseekers concerned or similarly significantly affects them. The fact that the final decision on the jobseeker’s group assignment lies with the counsellor does not prevent the algorithm from being classified as an automated decision under [[Article 22 GDPR#1|Article 22(1) GDPR]]. The CJEU decision is also based on the fact that the controller makes the final decision. The Supreme Administrative Court found that the instructions and training that were provided to ensure counsellors would not accept the algorithm’s results unquestioningly could not exclude the possibility that the algorithm is ultimately decisive for the allocation.<br />
<br />
The Court further held that the algorithm did not fall under the exceptions of [[Article 22 GDPR#2|Article 22(2) GDPR]]. Therefore, the Court concluded that the appeal had to be upheld and that the decision of the Federal Administrative Court needed to be set aside.<br />
<br />
== Comment ==<br />
In paragraphs 15 and 20 of the decision, the Supreme Administrative Court refers to [[Article 9 GDPR#2d|Article 9(2)(d) GDPR]], which is incorrect. It should be [[Article 9 GDPR#2g|Article 9(2)(g) GDPR]], which is about the substantial public interest.<br />
<br />
Moreover, it seems that the Supreme Administrative Court interprets [[Article 22 GDPR#1|Article 22(1) GDPR]] very broadly. The Court does not substantiate how the algorithm produces legal effects for the data subject or similarly significantly affects the data subject. It merely states it does in paragraph 79 of the decision. This is interesting, because it does state that the algorithm cannot be used for a job placement itself, but only for choosing the right support strategy for the jobseeker. Moreover, according to paragraph 7 of the decision, the jobseeker can have a different assessment of the labour market opportunities than the counsellor, which will then be documented in the support agreement that is made between the counsellor and jobseeker.<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the German original. Please refer to the German original for more details.<br />
<br />
<pre><br />
Ro 2021/04/0010-11<br />
December 21, 2023<br />
<br />
<br />
<br />
<br />
<br />
<br />
I M N A M E N D E R R E P U B L I K!<br />
<br />
The Administrative Court has through the presiding Senate President<br />
<br />
Dr. Kleiser, Councilor Dr. Mayr, court councilor Mag. Hainz-Sator and the court councilors<br />
<br />
Dr. Pürgy and Mag. Brandl as judges, with the participation of the secretary<br />
Mag. Vonier, about the data protection authority's appeal against the finding<br />
<br />
of the Federal Administrative Court of December 18, 2020,<br />
Zl. W256 2235360-1/5E, concerning a data protection matter<br />
<br />
(Participating party: Employment Service, represented by Brauneis Klauser<br />
Prändl Rechtsanwälte GmbH in 1010 Vienna, Bauernmarkt 2;<br />
<br />
other party: Federal Minister of Justice), rightly recognized:<br />
<br />
The contested finding is due to illegality of the content<br />
<br />
lifted.<br />
<br />
Reasons for the decision:<br />
<br />
<br />
1 1. The contested finding is based on the following undisputed facts<br />
remove:<br />
<br />
2 The co-participating party (hereinafter: mP), in the proceedings before the<br />
<br />
Administrative Court regularly referred to as the “Austrian Labor Market Service”<br />
<br />
referred to, is responsible according to Section 1 Paragraph 1 of the Employment Services Act (AMSG).<br />
Implementation of the federal labor market policy” and it is referred to as “a<br />
<br />
Service companies under public law with their own<br />
Legal personality” is defined.<br />
<br />
<br />
3 To help workers (re)integrate into the labor market<br />
To support this, the mP offers various services. The<br />
<br />
The detailed procedure of the consultants employed for this purpose can be found in the<br />
“Federal Guideline” of the Labor Market Service “Core Process Workers<br />
<br />
support”. This states that consultants in the process<br />
a consultation with job seekers<br />
<br />
Wishes/expectations, their previous life course and the reasons for their<br />
<br />
have to explain unemployment. The labor market opportunities of<br />
Job seekers should be addressed and discussed.<br />
<br />
<br />
<br />
<br />
Administrative Court<br />
Judenplatz 11, 1010 Vienna<br />
www.vwgh.gv.at Ro 2021/04/0010-11<br />
December 21, 2023<br />
<br />
2 of 53<br />
<br />
<br />
<br />
<br />
4 To help the consultants assess the labor market opportunities of the<br />
<br />
The mP has been developing a concept to support job seekers since 2016<br />
for calculating labor market opportunities<br />
<br />
Labor Market Opportunities Assistance System (AMAS). This model should be from<br />
<br />
mP consultants will be mandatory from January 1, 2021.<br />
<br />
5 This statistical model uses an algorithm to determine the degree of<br />
<br />
Probability for job seekers automatically calculated,<br />
a certain number within a certain period of time in the future<br />
<br />
to be busy for days. Specifically, this is based on the following<br />
Data an “IC” is calculated:<br />
<br />
age group,<br />
<br />
Gender,<br />
<br />
group of states,<br />
<br />
Education,<br />
health impairment,<br />
<br />
care obligations,<br />
<br />
professional group,<br />
<br />
pre-career,<br />
regional labor market events as well<br />
<br />
Duration of the business case at mP.<br />
<br />
6 Based on the “IC”, job seekers are divided into the following<br />
<br />
three groups:<br />
<br />
Service customers with job market opportunities are high<br />
Care customers with labor market prospects low<br />
<br />
Advice clients with medium labor market prospects.<br />
<br />
7 The results of the AMAS should be used in the consultation process and for<br />
<br />
The consultants can be a starting point to work together with the customers<br />
Assessment of the respective potential and, if necessary, the obstacles<br />
<br />
of labor market integration. Based on these<br />
<br />
The aim is to define the optimal care strategy. Has he<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Job seekers expressly have a different assessment of the<br />
<br />
Labor market opportunities than the consultants, this is in the<br />
Document care agreement.<br />
<br />
<br />
8 AMAS does not take into account criteria such as motivation, self-help potential<br />
Customers, addiction, debts, housing situation, etc.<br />
<br />
<br />
9 2. After the initiation of an ex officio examination procedure in accordance with<br />
Art. 57 Para. 1 lit. h in conjunction with Art. 58 Para. 1 lit. b and Para. 2 lit. a GDPR in conjunction with<br />
<br />
Section 22 Paragraph 1 DSG was notified to the mP by the appeal applicant<br />
<br />
from August 16, 2020 data processing in connection with<br />
Determination of labor market opportunities for job seekers<br />
<br />
With the help of the Labor Market Opportunities Assistance System (AMAS).<br />
Effective January 1, 2021, “unless there are any by this point in time.”<br />
<br />
there is a suitable legal basis for data processing.”<br />
<br />
10 In summary, the appellant gave reasons in her decision<br />
<br />
that data processing takes place with the help of AMAS<br />
Within the framework of the exercise of the rights transferred to the mP in accordance with Section 1 Paragraph 1 AMSG<br />
<br />
public tasks. For an authority it is in accordance with Section 1 Paragraph 2 DSG<br />
<br />
it is necessary that their data processing is sufficient<br />
determined legal authorization. The § 29 mentioned by the mP<br />
<br />
and Section 31 Paragraph 5 AMSG would only generally describe the goal and the<br />
Specify the fulfillment of tasks by the mP, but not for data processing<br />
<br />
authorize. The data processing in question is the issue<br />
This is a profiling within the meaning of Art. 4 Z 4 GDPR, through which a<br />
<br />
“informational added value” comes about, which is stated in the law<br />
<br />
must be expressly referred to. The present<br />
Data processing cannot be based on a suitable legal basis<br />
<br />
support. In addition, there is a case of Art. 22 GDPR, namely an automated one<br />
individual decision. It should be admitted that the final decision<br />
<br />
due to internal guidelines lies with the mP consultants. This<br />
<br />
However, internal instructions for action would not bind the mP<br />
unfold and are therefore not subject to any verification controls. In addition<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
It cannot be ruled out that in individual cases the decision will be made exclusively<br />
<br />
based on profiling.<br />
<br />
11 3. The Federal Administrative Court issued the contested finding<br />
<br />
(BVwG) of the mP's complaint against the appeal applicant's decision<br />
<br />
Followed and repealed the contested decision without replacement. The audit explained it<br />
below one for permissible.<br />
<br />
<br />
12 In addition to the findings already presented at the beginning, the BVwG made in<br />
his reasons also include the findings that only after the<br />
<br />
Discussing the optimal support strategy with customers<br />
<br />
would be defined by the consultants based on a supervision agreement.<br />
To ensure that the consultants do not have the result of the algorithm<br />
<br />
would take over without question, have the mP in addition to those shown<br />
Guidelines also provide appropriate instructions for action<br />
<br />
Training conducted.<br />
<br />
13 In its legal assessment, the BVwG stated in an ex officio manner<br />
<br />
The appellant is responsible for the examination proceedings initiated<br />
<br />
Supervisory authority in the event of a violation of the GDPR being detected<br />
the power to order various remedial measures. Matter<br />
<br />
The complaint procedure before the BVwG can only be examined<br />
Legality of the specific order made in connection with<br />
<br />
the violation on which the supervisory authority is based. In the<br />
<br />
In the present case, it can be assumed that the appellant is<br />
Prohibition issued by official notice solely because of the lack of one<br />
<br />
sufficient legal basis for official action.<br />
A legality assessed in the contested decision<br />
<br />
The BVwG is prohibited from further checking data processing.<br />
<br />
14 Art. 9 Paragraph 2 Letter h GDPR refers, according to its wording, to one<br />
<br />
Data processing for health-related purposes. In the present case be<br />
<br />
this provision cannot therefore be relied upon without further ado.<br />
<br />
15 It follows from Art. 6 Para. 1 lit. e GDPR and Art. 9 Para. 2 lit. d GDPR that<br />
<br />
the processing of personal data can be lawful if<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
the processing was necessary for a task in the sovereign or other public interest or, in the case of the processing of special categories of personal data, for reasons of substantial public interest. In this context, under the provisions of the GDPR it is irrelevant whether the controller is an authority or a private body and in which form - sovereign or private-law - the controller acts. What matters instead is whether there is a task in the public or substantial public interest and whether the data processing carried out is regulated by law. Art. 6 Paragraph 3 GDPR specifies content requirements for an appropriate legal basis, which, in light of recital 41 of the GDPR, should be clear and precise and foreseeable for those subject to the law. In this connection, Art. 9 Para. 2 lit. g GDPR additionally stipulates that the corresponding legal basis should provide for appropriate and specific measures to safeguard the fundamental rights and interests of the data subjects. § 1 Para. 2 DSG, Federal Law Gazette I No. 165/1999 as amended by Federal Law Gazette I No. 14/2019, provides nothing different, insofar as the data processing is carried out by state authorities. The Union law provisions - Art. 6 and Art. 9 GDPR - generally require a task in the substantial public interest and - accordingly not limited to sovereign activities - a sufficiently specific legal basis for the data processing. It can therefore remain open in the present case whether the mP carries out the data processing at issue in the proceedings in sovereign or in private-law form. Rather, because the data processing at issue in the proceedings also includes health data and thus special categories of data within the meaning of Art. 9 Para. 1 GDPR, what matters is whether the data processing at issue rests on an appropriate legal basis and is necessary for a task of the mP in the substantial public interest.<br />
<br />
16 The mP is a service company under public law with its own legal personality, which is responsible for implementing the labor market policy of the federal government. According to Section 29 Paragraph 1 AMSG, the mP has to work towards bringing together labor supply and labor demand as completely, economically sensibly and sustainably as possible, in order to supply the economy with workers and to secure the employment of all people available on the labor market as best as possible. In accordance with Section 29 Paragraph 2 AMSG, the mP is required to provide for the efficient placement of suitable workers in jobs that, as far as possible, offer job seekers employment corresponding to their placement wishes, and to help overcome the effects of circumstances that stand in the way of direct placement in this sense. The principles of thrift, economic efficiency and expediency must be taken into account, and care must also be taken that appropriate support services are offered to groups of people who are particularly threatened by unemployment.<br />
<br />
<br />
17 Section 25 Paragraph 2 AMSG expressly authorizes the mP to process the personal data of those involved in the proceedings, provided this is an essential prerequisite for fulfilling its statutory tasks. The task assigned to the mP by law in Section 29 AMSG of ensuring an orderly and well-functioning labor market is undoubtedly a substantial public interest within the meaning of Art. 9 Para. 2 lit. g GDPR.<br />
<br />
18 In addition, it is undisputed that it is also necessary to take into account personal characteristics of job seekers in combination with general labor market developments and the resulting prospects of job seekers on the labor market, in order to be able to fulfill the task of optimally supplying the economy with workers and securing employment for job seekers in the best possible way. The relevance of the personal data included in the data processing at issue in the proceedings cannot be disputed. There are therefore no concerns that the mP may use the personal data at issue in the proceedings to “secure a proper labor market policy”. Against the background of the requirements of the GDPR and the DSG, § 25 Para. 10 AMSG lays down comprehensive appropriate technical and organizational measures to ensure compliance with the principles of the GDPR and processing in accordance with the DSG. Beyond the measures mentioned in recital 78, Section 25 (10) AMSG provides for additional specific requirements to ensure data security.<br />
<br />
<br />
19 The appellant does not call into question the fundamental right of the mP to draw on certain personal data to evaluate job seekers' labor market opportunities. The “informational added value” assumed by the appellant for an assessment of labor market opportunities based on the same personal data cannot - whether the assessment is non-automated or based on profiling - be recognized from a data protection point of view, because every evaluation is also based on a weighting by the evaluator.<br />
<br />
<br />
20 In addition, a different assessment of the lawfulness of data processing cannot be derived from Article 6 Paragraph 1 Letter e or Article 9 Paragraph 2 lit. d GDPR, because these provisions do not distinguish between automated and non-automated processing but only refer to the concept of processing in general. Art. 4 Z 1 GDPR in turn defines, by way of an illustrative list, the operations mentioned there in connection with personal data as processing, regardless of whether they are carried out with or without the help of automated procedures. The fact that Art. 4 Z 4 GDPR separately designates exclusively automated processing as profiling highlights this significant use case and makes clear that this form of processing falls within the scope of application of the GDPR and must meet the general criteria there.<br />
<br />
21 Art. 22 GDPR in turn states that a data subject has the right not to be subjected to a decision evaluating aspects concerning them that is based exclusively on automated processing and that produces legal effects for the data subject or significantly affects them in a similar way. Art. 22 GDPR therefore only targets decisions that are taken without any human intervention. However, this provision does not restrict the legal admissibility of profiling as such as part of decision support. As stated, the algorithm used in the proceedings and the labor market opportunities calculated from it are to be used merely as a source of information for a decision by the mP consultants. The final decision about the job seekers' labor market opportunities is to remain with the consultants. In this regard, the mP has internal guidelines and instructions for action in place, and training courses are carried out. The guidelines issued under § 4 Paragraph 2 Z 2 AMSG are binding on all bodies and institutions of the mP for the fulfillment of its tasks. The federal guideline “Supporting the workforce as a core process” specifies the exact process for assessing labor market opportunities and explicitly stipulates that the mP consultants must discuss the calculated labor market opportunities with the person concerned during a consultation, document any contrary view of the person concerned and ultimately decide on it. Given these clear guidelines, there are no grounds for assuming a fully automated decision within the meaning of Art. 22 GDPR. The appellant's argument that, because of the shortened consultation times, it could not be ruled out that a fully automated decision would ultimately be made because the mP consultants would routinely adopt the value calculated by AMAS overlooks the fact that the assessment of whether data processing is lawful in accordance with Art. 5 Para. 1 lit. a GDPR must be distinguished from the assessment of whether the controller ensures the lawfulness of such data processing. The assessment of the lawfulness of data processing is to be based on the actual processing operation, and possible violations by third parties are not to be addressed. Whether the mP ultimately adequately fulfills its obligation under Article 5 Paragraph 1 lit. f GDPR and excludes unauthorized use of the data processing in question is not the subject of the complaint procedure at issue. Finally, it should be noted in this context that the appellant itself assumes in the contested decision that the mP has taken appropriate “internal organizational” measures to protect job seekers and has thus appropriately excluded misuse of the data processing by its employees.<br />
<br />
22 In summary, it should be noted that the mP is fundamentally entitled under Section 25 Paragraph 1 AMSG to carry out an evaluation of personal data. It cannot be assumed that the mere use of automated processing results in an “informational added value”. The case disapproved of in Article 22 GDPR, a decision based solely on automated data processing, is not present here because - as shown - the final decision lies with the consultants. Whether the mP has sufficiently complied with its obligation under the GDPR to exclude unauthorized use by taking appropriate measures is not the subject of the present proceedings, which are limited to the assessment of lawfulness. Since the present data processing can therefore rightly be based on Section 25 Paragraph 1 AMSG, the contested decision is to be annulled for lack of a violation of the principle of lawful data processing laid down in Article 5 Paragraph 1 lit. a GDPR.<br />
<br />
<br />
23 The appeal is admissible because (among other things) there is no highest-court case law on Articles 6, 9 and 22 GDPR in connection with profiling.<br />
<br />
24 4. The ordinary appeal of the defendant authority before the administrative court is directed against this decision.<br />
<br />
25 The mP filed a response to the revision in the preliminary proceedings before the BVwG.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
5. The Administrative Court considered:<br />
<br />
<br />
26 The revision refers to the statements of the BVwG regarding the admissibility of the appeal and submits that highest-court case law on the requirement of certainty of legal provisions against the background of the GDPR and on the interpretation of the criterion of a “similarly significant impairment” within the meaning of Article 22 GDPR is missing.<br />
<br />
27 For these reasons, the appeal is admissible and ultimately justified.<br />
<br />
<br />
28 5.1. The legal basis:<br />
<br />
29 5.1.1. The recitals and provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data, on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation - GDPR), OJ L 119 dated May 4, 2016, p. 1, that are relevant to the case read as follows:<br />
<br />
“(10) In order to ensure a consistent and high level of protection of natural persons and to remove the obstacles to flows of personal data within the Union, the level of protection of the rights and freedoms of natural persons with regard to the processing of such data should be equivalent in all Member States. Consistent and homogeneous application of the rules for the protection of the fundamental rights and freedoms of natural persons with regard to the processing of personal data should be ensured throughout the Union. Regarding the processing of personal data for compliance with a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, Member States should be allowed to maintain or introduce national provisions to further specify the application of the rules of this Regulation. In conjunction with the general and horizontal law on data protection implementing Directive 95/46/EC, Member States have several sector-specific laws in areas that need more specific provisions. This Regulation also provides a margin of maneuver for Member States to specify its rules, including for the processing of special categories of personal data (“sensitive data”). To that extent, this Regulation does not exclude Member State law that sets out the circumstances for specific processing situations, including determining more precisely the conditions under which the processing of personal data is lawful.<br />
(...)<br />
<br />
(40) In order for processing to be lawful, personal data should be processed on the basis of the consent of the data subject concerned or some other legitimate basis, laid down by law, either in this Regulation or in other Union or Member State law as referred to in this Regulation, including the necessity for compliance with the legal obligation to which the controller is subject or the necessity for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.<br />
(41) Where this Regulation refers to a legal basis or a legislative measure, this does not necessarily require a legislative act adopted by a parliament, without prejudice to requirements pursuant to the constitutional order of the Member State concerned. However, such a legal basis or legislative measure should be clear and precise and its application should be foreseeable to persons subject to it, in accordance with the case law of the Court of Justice of the European Union (hereinafter ‘Court of Justice’) and the European Court of Human Rights.<br />
(...)<br />
<br />
(45) Where processing is carried out in accordance with a legal obligation to which the controller is subject or where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority, the processing should have a basis in Union or Member State law. This Regulation does not require a specific law for each individual processing. A law as a basis for several processing operations based on a legal obligation to which the controller is subject or where processing is necessary for the performance of a task carried out in the public interest or in the exercise of an official authority may be sufficient. It should also be for Union or Member State law to determine the purpose of processing. Furthermore, that law could specify the general conditions of this Regulation governing the lawfulness of personal data processing, establish specifications for determining the controller, the type of personal data which are subject to the processing, the data subjects concerned, the entities to which the personal data may be disclosed, the purpose limitations, the storage period and other measures to ensure lawful and fair processing. It should also be for Union or Member State law to determine whether the controller performing a task carried out in the public interest or in the exercise of official authority should be a public authority or another natural or legal person governed by public law, or, where it is in the public interest to do so, including for health purposes such as public health and social protection and the management of health care services, by private law, such as a professional association.<br />
(...)<br />
<br />
(71) The data subject should have the right not to be subject to a decision, which may include a measure, evaluating personal aspects relating to him or her which is based solely on automated processing and which produces legal effects concerning him or her or similarly significantly affects him or her, such as automatic refusal of an online credit application or e-recruiting practices without any human intervention. Such processing includes 'profiling' that consists of any form of automated processing of personal data evaluating the personal aspects relating to a natural person, in particular to analyze or predict aspects concerning the data subject's performance at work, economic situation, health, personal preferences or interests, reliability or behavior, location or movements, where it produces legal effects concerning him or her or similarly significantly affects him or her. However, decision-making based on such processing, including profiling, should be allowed where expressly authorized by Union or Member State law to which the controller is subject, including for fraud and tax-evasion monitoring and prevention purposes conducted in accordance with the regulations, standards and recommendations of [European] Union institutions or national oversight bodies and to ensure the security and reliability of a service provided by the controller, or necessary for the entering or performance of a contract between the data subject and a controller, or when the data subject has given his or her explicit consent. In any case, such processing should be subject to suitable safeguards, which should include specific information to the data subject and the right to obtain human intervention, to express his or her point of view, to obtain an explanation of the decision reached after such assessment and to challenge the decision. Such measure should not concern a child. In order to ensure fair and transparent processing in respect of the data subject, taking into account the specific circumstances and context in which the personal data are processed, the controller should use appropriate mathematical or statistical procedures for the profiling, implement technical and organizational measures appropriate to ensure, in particular, that factors which result in inaccuracies in personal data are corrected and the risk of errors is minimized, secure personal data in a manner that takes account of the potential risks involved for the interests and rights of the data subject, and prevent, inter alia, discriminatory effects on natural persons on the basis of racial or ethnic origin, political opinion, religion or beliefs, trade union membership, genetic or health status or sexual orientation, or processing that results in measures having such an effect. Automated decision-making and profiling based on special categories of personal data should be allowed only under specific conditions.<br />
(...)<br />
<br />
Article 4<br />
<br />
Definitions<br />
(1) For the purposes of this Regulation, the term means:<br />
<br />
(...)<br />
<br />
4. 'Profiling' means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements;<br />
<br />
(...)<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Article 5<br />
Principles for processing personal data<br />
<br />
(1) Personal data must be<br />
<br />
a) processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”);<br />
<br />
(...)<br />
c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ('data minimization');<br />
(...)<br />
<br />
Article 6<br />
<br />
Lawfulness of processing<br />
(1) Processing is only lawful if at least one of the following conditions is met:<br />
(...)<br />
<br />
c) the processing is necessary for compliance with a legal obligation to which the controller is subject;<br />
<br />
(...)<br />
e) the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;<br />
<br />
(...)<br />
(2) Member States may maintain or introduce more specific provisions to adapt the application of the rules of this Regulation with regard to processing for compliance with paragraph 1 letters c and e by determining more precisely specific requirements for the processing and other measures to ensure lawful and fair processing, including for other specific processing situations as provided for in Chapter IX.<br />
<br />
(3) The legal basis for the processing pursuant to paragraph 1 letters c and e is laid down by<br />
<br />
a) Union law or<br />
<br />
b) the law of the Member States to which the controller is subject.<br />
The purpose of the processing must be determined in this legal basis or, with regard to the processing referred to in paragraph 1 letter e, be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. This legal basis may contain specific provisions to adapt the application of the rules of this Regulation, among others provisions on the general conditions governing the lawfulness of processing by the controller, the types of data which are subject to the processing, the data subjects concerned, the entities to which and the purposes for which the personal data may be disclosed, the purpose limitation to which they are subject, how long they may be stored, and which processing operations and procedures may be applied, including measures to ensure lawful and fair processing, such as those for other specific processing situations as provided for in Chapter IX. Union law or the law of the Member States must meet an objective of public interest and be proportionate to the legitimate aim pursued.<br />
<br />
(4) Where the processing for a purpose other than that for which the personal data were collected is not based on the data subject's consent or on a law of the Union or the Member States which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23(1), the controller shall - in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal data were originally collected - take into account, among other things,<br />
a) any link between the purposes for which the personal data were collected and the purposes of the intended further processing,<br />
b) the context in which the personal data were collected, in particular regarding the relationship between the data subjects and the controller,<br />
c) the nature of the personal data, in particular whether special categories of personal data are processed in accordance with Article 9 or whether personal data about criminal convictions and offenses are processed in accordance with Article 10,<br />
<br />
d) the possible consequences of the intended further processing for the data subjects,<br />
e) the existence of appropriate safeguards, which may include encryption or pseudonymization.<br />
(...)<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Article 9<br />
Processing of special categories of personal data<br />
<br />
(1) The processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, health data or data concerning a natural person's sex life or sexual orientation is prohibited.<br />
<br />
(2) Paragraph 1 does not apply in the following cases:<br />
(...)<br />
<br />
g) the processing is necessary for reasons of substantial public interest, on the basis of Union law or the law of a Member State which is proportionate to the aim pursued, respects the essence of the right to data protection and provides for appropriate and specific measures to safeguard the fundamental rights and interests of the data subject,<br />
<br />
h) the processing is necessary for the purposes of preventive or occupational medicine, for assessing the employee's ability to work, for medical diagnosis, care or treatment in the health or social sector, or for the management of health or social care systems and services, on the basis of Union law or the law of a Member State or pursuant to a contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3,<br />
<br />
(...)<br />
<br />
(3) The personal data referred to in paragraph 1 may be processed for the purposes referred to in paragraph 2 letter h if these data are processed by or under the responsibility of professional staff who are subject to professional secrecy under Union law or the law of a Member State or the rules of national competent bodies, or if the processing is carried out by another person who is also subject to an obligation of confidentiality under Union law or the law of a Member State or the rules of national competent bodies.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
(4) Member States may introduce or maintain additional conditions, including restrictions, insofar as the processing of genetic, biometric or health data is concerned.<br />
<br />
(...)<br />
Article 22<br />
<br />
Automated decisions in individual cases, including profiling<br />
<br />
(1) The data subject has the right not to be subject to a decision based solely on automated processing - including profiling - which produces legal effects concerning them or significantly affects them in a similar way.<br />
<br />
(2) Paragraph 1 does not apply if the decision<br />
<br />
a) is necessary for the conclusion or performance of a contract between the data subject and the controller,<br />
<br />
b) is permissible under Union or Member State law to which the controller is subject and this law contains appropriate measures to safeguard the rights and freedoms and the legitimate interests of the data subject, or<br />
<br />
c) takes place with the express consent of the data subject.<br />
<br />
(3) In the cases mentioned in paragraph 2 letters a and c, the controller takes appropriate measures to safeguard the rights and freedoms as well as the legitimate interests of the data subject, which include at least the right to obtain human intervention on the part of the controller, to present their own point of view and to contest the decision.<br />
(4) Decisions under paragraph 2 may not be based on special categories of personal data pursuant to Article 9 paragraph 1, unless Article 9(2)(a) or (g) applies and appropriate measures to protect the rights and freedoms as well as the legitimate interests of the data subject have been taken.”<br />
<br />
30 5.1.2. § 1 of the Federal Act on the Protection of Natural Persons with regard to the<br />
Processing of Personal Data (Data Protection Act - DSG),<br />
Federal Law Gazette I No. 165/1999 as amended by Federal Law Gazette I No. 51/2012, reads in part:<br />
<br />
“Article 1 (constitutional provision)<br />
<br />
Basic right to data protection<br />
<br />
§ 1. (1) Everyone has, especially with regard to respect for their<br />
private and family life, the right to secrecy of the personal data concerning<br />
them, to the extent that there is an interest worthy of protection in this.<br />
The existence of such an interest is excluded if data are not accessible to a<br />
claim of secrecy because of their general availability or because they cannot<br />
be traced back to the person concerned.<br />
<br />
(2) To the extent that the use of personal data is not in the<br />
vital interest of the person concerned or made with their consent,<br />
restrictions on the right to secrecy are permissible only to protect the<br />
overriding legitimate interests of another, and in the case of<br />
interference by a state authority only on the basis of laws that are necessary<br />
for the reasons mentioned in Article 8 paragraph 2 of the European Convention<br />
for the Protection of Human Rights and Fundamental Freedoms (ECHR),<br />
Federal Law Gazette No. 210/1958. Such laws may provide for the use<br />
of data that are particularly worthy of protection by their nature only to safeguard<br />
important public interests, and must at the same time lay down<br />
appropriate guarantees to protect the confidentiality interests of<br />
those affected. Even in the case of permissible restrictions, the<br />
interference with the fundamental right may only be carried out in the least<br />
intrusive way that achieves the objective.<br />
<br />
(...)"<br />
<br />
31 5.1.3. The relevant provisions of the Federal Act on the<br />
Labor Market Service (Labor Market Service Act - AMSG),<br />
Federal Law Gazette No. 313/1994, namely § 1, § 25 and § 27 as amended by Federal Law Gazette I No. 32/2018,<br />
§ 29 as amended by Federal Law Gazette I No. 3/2013, § 31 as amended by Federal Law Gazette I No. 90/2009, § 32 as amended by<br />
Federal Law Gazette I No. 71/2005 and § 38c as amended by Federal Law Gazette I No. 77/2004, read in extracts:<br />
<br />
“Labor market service<br />
<br />
§ 1. (1) The implementation of the federal labor market policy is the responsibility of the<br />
'Labor Market Service'. The Labor Market Service is a<br />
service enterprise under public law with its own<br />
legal personality.<br />
(...)<br />
<br />
Data processing<br />
<br />
§ 25. (1) The employment service, the Federal Administrative Court and the<br />
Federal Ministry of Labor, Social Affairs, Health and Consumer Protection<br />
are authorized to process personal data within the meaning of the<br />
Data Protection Act, Federal Law Gazette I No. 165/1999, insofar as these data are<br />
an essential prerequisite for the fulfillment of their legal tasks. The<br />
types of data in question are:<br />
<br />
(...)<br />
<br />
(2) Data pursuant to paragraph 1 processed by the labor market service or the<br />
Federal Ministry of Labor, Social Affairs, Health and Consumer Protection,<br />
with the exception of health data in accordance with paragraph 1 item 4, may be<br />
disclosed to other authorities, courts, social security institutions and the<br />
Federal Statistical Institute Austria by means of automation-supported<br />
data processing to the extent that the relevant data form an essential<br />
prerequisite for the execution of the respective legally assigned tasks.<br />
Other authorities, courts and the social security institutions may disclose<br />
data they process in accordance with paragraph 1, with the exception of health<br />
data in accordance with paragraph 1 item 4, to the employment service<br />
and the Federal Ministry of Labor, Social Affairs, Health and<br />
Consumer Protection by means of automation-supported data processing<br />
to the extent that these data form an essential prerequisite for the execution of the<br />
tasks assigned by law to the employment service and the Federal Ministry of<br />
Labor, Social Affairs, Health and Consumer Protection. Data in accordance with<br />
paragraph 1 item 9 transmitted by the social security institutions may be<br />
processed in personal form by the employment service and by the<br />
Federal Ministry of Labor, Social Affairs, Health and Consumer Protection<br />
for the purposes of the sustainable labor market integration of this<br />
group of people.<br />
<br />
(...)<br />
(4) The data processed by the employment service in accordance with paragraph 1 may be<br />
transmitted to the Bundesrechenzentrum GmbH and to institutions to which tasks of the<br />
Labor Market Service have been transferred (§ 30 para. 3 and § 32 para. 3), within the<br />
framework of the services to be provided by them, by way of<br />
automated data processing.<br />
<br />
(5) The Labor Market Service and the Federal Ministry of Labor, Social Affairs,<br />
Health and Consumer Protection may transmit the data they process<br />
in accordance with paragraph 1, with the exception of health data in accordance with<br />
paragraph 1 item 4, to commissioned legal entities by means of automation-supported<br />
data processing to the extent that the relevant data are an<br />
indispensable prerequisite for the fulfillment of a research contract that serves<br />
the assessment of services, aid and other financial benefits<br />
of the Labor Market Service. For scientific and statistical studies that are in<br />
the public interest, the Federal Ministry of Labor, Social Affairs, Health and<br />
Consumer Protection and the employment service may transmit the necessary<br />
data in accordance with paragraph 1 (except item 1 lit. a and e to h), linked to the<br />
encrypted bPK AS, to the Austrian Federal Statistical Institute for the purpose of<br />
merging them with indirectly personal data from other<br />
authorities or social security institutions or with data on the working<br />
population held by the Federal Institute. For this purpose,<br />
other authorities or social insurance institutions may also transmit to the<br />
Federal Institute the data they lawfully process in the execution of their own<br />
area of activity, linked to the encrypted bPK AS.<br />
A return transfer of merged data, or enabling the<br />
restoration of a direct personal reference, is not permitted. The<br />
Federal Institute prepares the scientific or statistical evaluations<br />
after being commissioned by the Federal Minister of Labor, Social Affairs, Health<br />
and Consumer Protection. The Federal Institute provides its services under<br />
this federal law against reimbursement of costs in accordance with Section 32 Paragraph 4 item 2 of the<br />
Federal Statistics Act 2000. The merged data must be deleted as soon as they<br />
are no longer needed for the purpose of the study, at the latest after<br />
three years.<br />
<br />
(6) The Austrian Federal Statistical Institute may disclose master data of<br />
employers that it processes in accordance with paragraph 1 item 6 and data on training in<br />
accordance with paragraph 1 item 2 lit. b and item 7 lit. b to the employment service and the<br />
Federal Ministry of Labor, Social Affairs, Health and Consumer Protection by means of<br />
automation-supported data processing, insofar as these data are an essential<br />
prerequisite for scientific or labor market statistical studies that fall<br />
within their legal area of responsibility and that do not aim at<br />
personal results (§ 7 DSG).<br />
<br />
(7) Insofar as this is necessary for the fulfillment of legal tasks,<br />
health data (paragraph 1 item 4) may be disclosed by the employment service to the<br />
responsible social security institutions, the Ministry of Social Affairs,<br />
the responsible social assistance providers and institutions to which tasks<br />
of the employment service have been transferred (§ 30 para. 3 and § 32 para. 3), and<br />
may be disclosed by them to the employment service.<br />
<br />
(8) Only data in accordance with paragraph 1 that are needed<br />
for the establishment of an employment relationship and the assessment of<br />
the professional suitability of the job seekers may be disclosed to employers.<br />
Health data may not be disclosed to employers.<br />
<br />
(9) The data according to paragraph 1 must be retained for seven years after the end of the<br />
respective business case. The retention period is extended by<br />
periods in which the data are still needed for the assertion, exercise or<br />
defense of legal claims, or for which other<br />
legal regulations provide for longer periods. For economic and technical<br />
reasons, the deletion of data is to be concentrated on one or two dates<br />
per year. Until then, there is no entitlement to early<br />
deletion.<br />
<br />
(10) The employment service must, taking into account economic<br />
justifiability and the state of the art, take adequate precautions for<br />
ensuring data security within the meaning of Articles 24, 25 and 32 of<br />
Regulation (EU) No. 2016/679 on the protection of natural persons with regard to the<br />
processing of personal data, on the free movement of such data and<br />
repealing Directive 95/46/EC (General Data Protection Regulation),<br />
OJ No. L 119 of May 4, 2016 p. 1, (hereinafter: GDPR) and Section 6 DSG.<br />
In particular, personal data may be recorded or changed<br />
only by the responsible organizational units<br />
(employees). When personal data are transmitted<br />
to third parties, technical or organizational<br />
measures must ensure that only the intended<br />
recipients gain access to the data. Access and reading rights are to be<br />
designed according to the tasks (roles) of the respective organizational units and<br />
employees. Access to personal data as well as any<br />
transmission of health data must be logged. Log data<br />
may not be used in relation to individuals unless this is necessary for the<br />
enforcement or defense of legally asserted claims, for<br />
ensuring the lawful use of the data processing or<br />
for technical reasons.<br />
<br />
(11) The data processing to be carried out on the basis of paragraphs 1 to 10,<br />
Section 69 AlVG and Sections 27 and 27a AuslBG meets the<br />
requirements of Art. 35 Para. 10 GDPR for the omission of the<br />
data protection impact assessment.<br />
(...)<br />
<br />
Obligation of confidentiality<br />
<br />
§ 27. (1) The bodies of the employment service are, unless otherwise provided by law,<br />
obliged to maintain confidentiality about all facts that have become known to them<br />
from their official activity and whose secrecy is required in the<br />
interest of maintaining public peace, order and<br />
security, comprehensive national defense, foreign<br />
relations, in the economic interest of the employment service, for the<br />
preparation of a decision or in the overriding interests of the parties.<br />
The responsible supervisor must release them from this obligation<br />
at the request of a court or an administrative authority if<br />
this is in the interests of justice or in other public<br />
interests.<br />
<br />
(2) The obligation of confidentiality in accordance with paragraph 1 also applies after<br />
leaving the position and after termination of the employment relationship.<br />
The obligation of confidentiality in accordance with paragraph 1 also applies to persons<br />
who are members of a committee of the board of directors, the state directorate or the<br />
regional advisory board.<br />
<br />
(...)<br />
<br />
Goal and task fulfillment<br />
§ 29. (1) The aim of the employment service is, within the framework of<br />
the federal government's full employment policy for the prevention and elimination<br />
of unemployment, while maintaining social and economic principles<br />
in the sense of an active labor market policy, to work towards the most complete,<br />
economically sensible and sustainable matching of<br />
labor supply and demand, and thereby to secure in the best possible way the supply of<br />
the economy with workers and the employment of all people who<br />
are available to the Austrian labor market.<br />
This includes securing economic existence during<br />
unemployment within the framework of the legal provisions.<br />
<br />
(2) In order to achieve this goal, the labor market service has to provide, within the<br />
framework of the legal provisions, services aimed at:<br />
<br />
1. bringing about, in an efficient manner, the placement of suitable workers<br />
in jobs that, as far as possible, offer<br />
employment corresponding to the job seeker's placement<br />
wishes,<br />
<br />
2. helping to overcome the effects of circumstances that hinder direct<br />
placement within the meaning of item 1,<br />
<br />
3. counteracting the lack of transparency of the labor market,<br />
4. reducing quantitative or qualitative imbalances between<br />
labor supply and demand,<br />
<br />
5. enabling the preservation of jobs if this makes sense within the meaning of<br />
paragraph 1, and<br />
<br />
6. to secure the economic existence of the unemployed.<br />
<br />
(3) The tasks of the employment service include in particular also<br />
ensuring vocational training opportunities for young people<br />
through placement in suitable apprenticeships and additional measures such as<br />
the commissioning of training institutions for inter-company<br />
apprenticeship training in accordance with Section 30b of the Vocational Training Act (BAG),<br />
Federal Law Gazette No. 142/1969, or of training institutions in accordance with Section 2 Paragraph 4 of the<br />
Agricultural and Forestry Vocational Training Act,<br />
Federal Law Gazette I No. 298/1990.<br />
<br />
(4) The tasks of the employment service also include<br />
promoting the re-employment of people with health impairments<br />
through placement in suitable jobs and supplementary<br />
or preparatory measures. In doing so, particular attention is to be paid to individual<br />
performance capacity, the development and expansion of qualifications<br />
usable on the labor market and the securing of economic<br />
existence.<br />
<br />
(...)<br />
Principles in the performance of tasks<br />
<br />
§ 31. (1) The services of the employment service that are not provided in official<br />
proceedings can be used by anyone at all branches and<br />
facilities of the employment service that offer these<br />
services, unless the principles stated in paragraph 5<br />
conflict with this.<br />
<br />
(2) Insofar as there is no legal entitlement to services of the employment service,<br />
the choice, type and, if necessary, combination of the<br />
services used must be made according to the requirements of the individual case<br />
from the point of view that they correspond as well as possible to the aim stated<br />
in § 29. When fulfilling its tasks, the employment service has to<br />
ensure an appropriate balance between the interests of employers and<br />
employees.<br />
<br />
(3) For people who, either because of their personal circumstances or<br />
their belonging to a group that is disadvantaged in the labor market, have<br />
particular difficulties in obtaining or maintaining a job,<br />
the services of the employment service within the meaning of paragraph 2 are to be<br />
designed and, if necessary, used more intensively in such a way that the<br />
greatest possible equality of opportunity with other workers is<br />
achieved. In particular, appropriate use of the services is to counteract the<br />
gender-specific division of the labor market and the discrimination<br />
of women in the labor market.<br />
<br />
(4) The activity of the employment service is to be carried out decentrally, as far as<br />
<br />
- ensuring compliance with and implementation of the labor market policy of<br />
the federal government,<br />
<br />
- the equal treatment of similar matters,<br />
<br />
- the necessary uniformity of approach and<br />
- achieving the highest possible effectiveness and practicality of<br />
service provision<br />
<br />
allow. The services of the employment service<br />
are, unless expressly stated otherwise, to be provided by the<br />
regional organizations.<br />
<br />
(5) In all activities, the public employment service must take into account the principles of<br />
thrift, economic efficiency and practicality from the point of view of<br />
the best possible achievement of the goal stated in § 29.<br />
To assess the effectiveness of the activities of the labor market service,<br />
internal controlling is to be set up.<br />
<br />
(6) In particular for projects to ensure vocational training opportunities for<br />
young people in accordance with Section 29 Paragraph 3, the employment service must<br />
take into account the different needs of the individual<br />
federal states and strive for the participation and appropriate financial<br />
contribution of the respective federal state that is required for the best possible<br />
fulfillment of the tasks.<br />
<br />
(7) When planning measures, the employment service must ensure<br />
that appropriate support services are offered for groups of people who are<br />
particularly at risk of unemployment.<br />
<br />
(8) The measures are intended in particular to promote the maintenance and expansion<br />
of marketable skills among employees. The<br />
labor market service can participate in measures taken by other legal entities<br />
to improve the framework conditions for the longer-term maintenance<br />
of health.<br />
(...)<br />
<br />
Services<br />
<br />
§ 32. (1) The employment service has to provide its services in the form of<br />
services whose purpose is the placement of<br />
job seekers in vacancies, job security and the<br />
securing of existence within the meaning of Section 29.<br />
<br />
(2) Services to prepare, enable or facilitate<br />
such placement or job security are in particular<br />
<br />
1. Information about the labor market and the professional world,<br />
<br />
2. Advice on choosing a career,<br />
<br />
3. Assistance in establishing or maintaining the<br />
placeability of workers,<br />
<br />
4. Supporting the qualification of workers,<br />
<br />
5. Supporting companies in finding and selecting suitable<br />
workers and in designing internal company<br />
workforce planning,<br />
<br />
6. Assisting job seekers in searching for and choosing a<br />
job and<br />
<br />
7. Supporting businesses and workers in the creation and<br />
preservation of jobs.<br />
<br />
(3) To the extent that the employment service cannot itself provide services within the<br />
meaning of paragraph 2, or their provision would be inappropriate or<br />
uneconomical, it must ensure that such services are provided<br />
in another way on the basis of contractual agreements, e.g. through transfer to suitable<br />
institutions. In doing so,<br />
third party interests worthy of protection within the meaning of Section 1 Paragraph 1 of the<br />
Data Protection Act must not be violated.<br />
<br />
(4) Services are generally free of charge. For special<br />
services such as testing and pre-selection of applicants or special<br />
advertising measures and personnel consulting measures for companies,<br />
the board of directors may set an appropriate remuneration, which accrues<br />
to the labor market service. Services for employees, unemployed people<br />
and jobseekers must in any case be provided free of charge.<br />
<br />
(5) If services of the employment service are covered by the provisions<br />
of Section 2 of the Labor Market Promotion Act (AMFG), Federal Law Gazette No. 31/1969,<br />
the provisions of Sections 3 to 7 AMFG apply to them.<br />
<br />
(...)<br />
Care plan<br />
<br />
§ 38c. The regional office has to create a care plan for every unemployed person<br />
which, based on the expected<br />
care needs, contains in particular the type of care and the<br />
measures envisaged as well as a justification for<br />
the intended procedure. In the care plan, particular account is to be taken of<br />
the aspects relevant in accordance with Section 9 Paragraphs 1 to 3 AlVG.<br />
In placement and in measures to improve<br />
placement opportunities, the qualifications of the unemployed person that are<br />
usable on the labor market (knowledge and skills of a professional and technical<br />
nature) are to be taken as the starting point, and these are, if possible, to be<br />
maintained or, if necessary, expanded. If circumstances significant for<br />
integration into the labor market change, the care plan is to be<br />
adjusted accordingly. The regional office has to seek agreement<br />
with the unemployed person on the care plan. If<br />
agreement cannot be reached, the care plan is to be determined unilaterally by the<br />
regional office with the greatest possible consideration of the interests of the<br />
unemployed person. The care plan is to be<br />
brought to the attention of the unemployed person. There is no legal claim to a specific<br />
care plan or to measures envisaged in the care plan.<br />
The board of directors has to issue a<br />
guideline to ensure a consistent approach to the<br />
creation and adjustment of care plans.<br />
(...)"<br />
<br />
32 5.2. On the assessment of the relevant action of the AMS as sovereign or<br />
private-sector action, and on the question of the applicability of Section 1 Paragraph 2 DSG<br />
to the present facts<br />
<br />
33 5.2.1. The appeal argues that the data processing in question by<br />
the mP takes place within the framework of sovereign administration. In its view, there are no<br />
comprehensible reasons for attributing the processing to the area of<br />
private sector administration, especially since Section 29 AMSG lays down the placement<br />
of suitable workers in jobs as the goal and task of the mP.<br />
The task of job placement is, however, inseparably<br />
connected with the Unemployment Insurance Act<br />
(AlVG). AMAS cannot be considered separately from official activities under the<br />
AlVG, because this data processing ultimately serves as a<br />
basis for decision-making for job placement and thus<br />
in connection with unemployment insurance claims.<br />
Since the data processing in question is carried out within the framework of sovereign<br />
administration, Section 1 Paragraph 2 DSG requires the respective legislator to enact<br />
matter-specific regulations in the sense that the cases of permissible<br />
interference with the fundamental right to data protection are specified and<br />
limited.<br />
<br />
34 The response to the appeal counters that the AMSG essentially regulates<br />
the “services” of the employment service (AMS) and<br />
thus the private sector tasks of the mP, in particular its<br />
job placement activities including the organization and<br />
carrying out of training and the awarding of aid. The<br />
processing at issue in the proceedings - AMAS - is used for activities of the<br />
mP in the private sector. These tasks of the mP provided for in<br />
Sections 29 ff AMSG are carried out using the means of private law,<br />
the basis for the procedure essentially being the<br />
supervision agreement in accordance with Section 38c AMSG. There is no legal<br />
entitlement to any services. In this sense, Section 32 AMSG<br />
provides that the mP has to provide its services in the form of services described in<br />
more detail, to which there is expressly no<br />
legal claim. This also applies to the awarding of aid. The<br />
appellant itself assumes that the data processing at issue in the proceedings<br />
is used for the purposes of job placement in accordance with<br />
§§ 29 ff AMSG. It should be noted that AMAS is not used for<br />
the job placement itself, but only for targeted<br />
care and support. The program<br />
serves to choose the right care strategy. Job placement itself<br />
takes place regardless of the calculated opportunities on the labor market. From all<br />
this it follows that the requirement of Section 1 Paragraph 2 DSG, according to which an<br />
interference with the fundamental right to data protection by a state authority may only<br />
be made on a qualified legal basis, does not<br />
apply.<br />
<br />
35 5.2.2. The balancing of interests stipulated in Section 1 Paragraph 2 DSG requires, for the<br />
admissibility of interference by authorities with data protection secrecy,<br />
an (express) legal regulation that is necessary for the reasons set out in<br />
Article 8 Para. 2 ECHR. The explanatory notes on this provision<br />
understand authorities as state bodies acting sovereignly; what is meant is thus<br />
sovereign action by administrative authorities (cf. Pürgy/Zavadil,<br />
The state authority within the meaning of Section 1 Paragraph 2 DSG 2000 in Bauer/Reimer,<br />
Handbook on data protection law [2009], 141 ff [147], with reference to<br />
ErlRV on the StF of § 1 DSG 2000, 1613 BlgNR 20. GP 34 f; Eberhard in<br />
<br />
Korinek/Holoubek, B-VG, 12th Lfg [2016], § 1 DSG, Rn. 58, mwN).<br />
<br />
36 5.2.3. Sovereign administration exists when the administrative bodies act with<br />
“imperium”, i.e. using specifically state powers of command and<br />
coercion. They act in those legal forms that<br />
public law provides for the exercise of official powers<br />
(cf. VfGH March 3, 2001, KI-2/99).<br />
<br />
37 The finding that an administrative body performs an act of<br />
services of general interest, thus a public administrative task,<br />
does not exclude the qualification of such an activity as<br />
private sector administration. For the delimitation of the area of<br />
private sector administration from that of sovereign administration, it does not depend on the<br />
motives and the purpose of the activity; what is decisive is rather<br />
what legal-technical means the legislation provides for<br />
fulfilling the tasks. If the legislature has not endowed the administrative body<br />
with coercive powers, there is no sovereign administration,<br />
but rather private sector administration (see VfGH October 18, 1957, KI-1/57;<br />
see also the comments in Raschauer, General Administrative Law,<br />
6th ed. 2021, paragraph 694 ff).<br />
<br />
38 According to the statements in the - still authoritative -<br />
“leading case” VfSlg. 3262/1957, it is irrelevant for the qualification of official<br />
action as sovereign administration whether the authority in question<br />
performs a “public task”, because not everything “public” is carried out in<br />
sovereign form. Furthermore, it is not decisive that a<br />
regulation in the field of public law is concerned. Nor is every<br />
act of a body endowed with official powers an act of sovereignty.<br />
The fact that the relevant authority works with public funds in connection with the<br />
fulfillment of the task does not decide<br />
the question of sovereign action either, because the state also handles public<br />
funds within the framework of private sector administration.<br />
The only decisive factor is what legal means the legislature<br />
has provided, i.e. whether a legal authorization for sovereign<br />
action is given and whether such action is used in the specific case<br />
<br />
is made (cf. on all the Raschauer, ibid).<br />
<br />
39 The term “simple sovereign administration” covers administrative action which is not of a private economic nature, but rather belongs to the area of sovereign administration, even if no sovereign act is set in the specific case. In simple sovereign administration, the administrative bodies do not act in the forms of action of the decision, of direct administrative command and coercive power, or of the regulation, although their power to order and enforce is present in the background. In this sense, simple sovereign administration is a potentially sovereign administration that can pass into current sovereign administration through the use of imperium; it is therefore a matter of a “different intensity” of an administrative activity that overall belongs to the area of sovereign administration (cf. VwGH April 15, 2016, Ra 2016/02/0028). There may be administrative acts that do not have independent normativity, but undoubtedly take place - in a preparatory, accompanying or implementing manner - within the framework of the sovereign administration. In some cases it is even expressly provided that the refusal of such an (actual) performance must be made by means of a notice, which is probably the clearest indication that the positive approval or fulfillment can also be qualified as sovereign action. Simple sovereign administration can no longer be determined solely on the basis of the limited number of typified forms of sovereign acts. What is crucial is that certain actions are taken that can be found both in the area of sovereign administration and in the area of private sector administration. What makes these actions sovereign is the context in which they are placed (cf. again Raschauer, ibid).<br />
<br />
40 5.2.4. It is undisputed that the mP has to fulfill both private sector and sovereign tasks (see Section 31 Paragraph 1 AMSG), because it confronts job seekers both as a (contractual) partner and as a bearer of state sovereignty.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
41 5.2.4.1. The mP acts in the area of sovereign administration insofar as it decides on benefits to which there is a legal claim, for example under the AlVG. However, the care activity in question, including the creation of a care plan/a care agreement planned in this context, takes place without the law granting the mP coercive powers or giving the job seeker a legal right to the supporting measures envisaged there as expedient. Rather, the mP has to provide its fulfillment of tasks in the service of “the federal government’s full employment policy for preventing and eliminating unemployment while preserving social and economic principles” (see Section 29 Paragraph 1 AMSG) in the form of services which anyone can take advantage of (Section 31 Paragraph 1 AMSG). The activity of the mP relevant to the case is therefore not to be considered a sovereign activity in the narrower sense.<br />
<br />
<br />
42 5.2.4.2. What remains to be examined is the possibility of simple sovereign action because, as the appeal argues, employment placement stands in an “inseparable connection with the AlVG”.<br />
<br />
43 According to the undisputed findings, the results of the AMAS are to be used in the consultation process and be a starting point for the consultants in order to make, together with the job seeker, an assessment of the potentials and, if necessary, obstacles to labor market integration. On the basis of this discussion, the optimal care strategy - funding and care services - is to be defined. The final decision about assignment to one of the customer groups is made by the consultant. If the job seeker has a decidedly different assessment of the labor market opportunities than the consultant, this is to be documented in the supervision agreement.<br />
<br />
<br />
44 Based on this, the following should be considered:<br />
<br />
45 Against the background of the AMSG, the task of the mP is the prevention and elimination of unemployment while preserving social and economic principles in the sense of an active labor market policy (Section 29 Paragraph 1 AMSG). According to the materials on the AMSG (RV 1468 BlgNR 18. GP, 32; AB 1555 BlgNR 18. GP), the sole purpose of the law is the reform of the labor market administration and the associated re-achievement of full employment and the participation of job seekers in working life. The central aim of the provisions of the AMSG is to achieve the highest possible level of employment, which should be achieved through the organization of the mP, for whose services the rapid placement in productive and individually satisfying employment is the top priority. According to Section 29 AMSG, economic existence should be guaranteed during the period of the job search; securing a living in the form of recurring benefits to job seekers is therefore part of labor market policy. The basic idea of active labor market policy is to achieve full employment and economic growth through specific measures tailored to the individual case and taking into account the greatest possible compatibility. It follows from this objective of the AMSG that the AMS should, on the one hand, enable the job seeker to gain an overview of the domestic labor market and an orientation towards it and, on the other hand, through targeted advice and assistance, identify a position that is appropriate to the individual's abilities (see OGH January 30, 2001, 1 Ob 257/00a).<br />
<br />
<br />
46 The entitlement to unemployment benefit (§ 47 para. 1 AlVG) is of a sovereign nature; sovereign tasks are fulfilled when deciding whether there is an entitlement to unemployment benefit. However, as can be seen from Section 31 Paragraph 1 AMSG, the placement of job seekers is in any case not sovereign (see OGH November 24, 2015, 1 Ob 208/15t, with further references).<br />
<br />
47 The advice that is relevant according to the findings, within the framework of which the data processing in question is carried out, is - regardless of the close connection in subject matter - intentionally not aimed at preparing the award of claims from unemployment insurance, but rather serves the purpose of bringing together supply and demand in the labor market. The advisory process, which is designed by law as a service and which, in accordance with Section 31 Paragraph 1 AMSG, is also open to job seekers who are not recipients of unemployment benefits, is neither carried out by sovereign means nor does it end - given the lack of reciprocal rights and obligations - in a sovereign act. The purely objective connection between unemployment and possible support under the AlVG does not, in the event of an unsuccessful job search, make the advice on reintegration into the labor market itself a preparatory act for official activities in the granting of support; in the absence of a sufficient normative connection, this does not apply even if the advice is given to people who are already in receipt of benefits under the AlVG.<br />
<br />
<br />
48 This also applies to the “care plan”: according to Section 38c AMSG, inserted by the Labor Market Reform Act 2004, BGBl. I No. 77, the AMS has to create a care plan for every unemployed person which is to contain, “based on the expected need for care, in particular the type and manner of care and the measures envisaged as well as a justification for the intended course of action”. The explanations of the legislature, ErlRV 464 BlgNR 22. GP 9, read in excerpts:<br />
<br />
“The principles of the care plan, which have already been used in the employment service with good experiences, should now be expressly anchored in law. The care plan is not to be attributed to the sovereign administration, but should only define the framework conditions for the placement and placement-supporting activities of the employment service, which belong to the private sector administration. The care plan should ensure a consistent, meaningful, predictable procedure in the care and placement of the unemployed that is in accordance with the principle of trust. Depending on the conditions for successful (re)integration into the labor market, which in part differ greatly, different requirements arise for the care of the unemployed. This results in tiered requirements for the care plan. The discussions to clarify the situation and the care process will usually (have to) take into account whether the unemployment is only temporary and appears likely to be remediable in the foreseeable future without special measures, or whether special efforts are required, for example with regard to age, lack of qualifications, health restrictions, care obligations or structural problems in the labor market. (...) The agreement on the care plan takes place within the framework of the existing discretion. If the ideas of the unemployed person are not in compliance with the applicable regulations, clarification in this regard should be provided. If an agreement still cannot be achieved, the care plan is to be established unilaterally by the regional office. The care plan is in any case to be brought to the knowledge of the unemployed person in an appropriate manner, for example by handing it over or sending it. The care plan should define the framework within which placement efforts and qualification measures or other measures necessary to improve employment opportunities on the labor market should be taken. The planned personal activities of the unemployed should also be recorded in the agreements. The care plan applies to the actions of the labor market service as well as of the unemployed as long as it has not been changed, usually after a new consultation. (...) The care plan is intended to guarantee, on the one hand, a higher degree of orientation of personal action for the unemployed as well as predictability of the actions of the employment service and, on the other hand, overall an approach of the employment service that is even more planned, easier to understand and, if necessary, changeable in a targeted manner. The tried and tested 'agreement culture' should be continued and expanded. (...)"<br />
<br />
49 According to the declared will of the legislature, the mP is given the task of creating the care plan/care agreement within the framework of the private sector administration. This corresponds to the explicit exclusion of a legal right to a specific care plan or to measures that are envisaged in the care plan (see also Julcher in AlV-Komm § 9 AlVG Rz 79). Furthermore, it is decisive for the classification of the mP's advisory activity relevant to the case as a private sector activity that the reasonableness criteria in accordance with Section 9 paragraphs 1 to 3 AlVG must be taken into account when creating the care plan; however, the law does not provide for a binding determination of the limits of the reasonableness of employment in the sense of § 9 AlVG that can be derived directly from the care plan/care agreement, or even just for a binding definition of the individual case-related criteria for the assessment of these limits, so that the care plan, against this background, can neither expand nor restrict the limits of the reasonableness of employment - especially in connection with possible sanctions according to § 10 AlVG. Nor can a sanction according to § 10 AlVG directly follow from the care plan.<br />
Section 9 (8) AlVG also changes this consequence<br />
<br />
nothing, because the provision there does reduce the justification effort of the mP for<br />
<br />
Reintegration measures for the job seeker - under<br />
certain requirements - in connection with an existing one<br />
<br />
Care plan modified, but which itself does not develop any bond and the<br />
Authority is also not relieved of its obligation to present one<br />
<br />
comprehensible - and in this sense independent - justification<br />
<br />
which is subject to verification (cf. in this direction<br />
pointing VwGH March 28, 2012, 2010/08/0250).<br />
<br />
50 From what has been said above it follows that neither the advice as part of the job placement itself nor the creation of the care plan (a care agreement) within the meaning of Section 38c AMSG is to be attributed to the (even if simply) sovereign area of activity of the mP. Rather, this is part of the private sector actions of the mP, which, against the background of the functional concept of authority in Section 1 Paragraph 2 DSG, are not subject to the standard determined there in terms of data protection law for encroachments on the fundamental right to confidentiality of personal data in accordance with Section 1 Paragraph 1 DSG.<br />
<br />
<br />
51 For this reason alone, the controversial legality of the data processing that is the subject of the procedure is to be examined using the relevant provisions of the GDPR, without the standard of Section 1 Paragraph 2 DSG having to be taken into account.<br />
<br />
<br />
52 5.3. On the question of the existence of sufficient justification reasons under Articles 6 and 9 GDPR<br />
<br />
<br />
53 5.3.1. The BVwG based its argument regarding the legality of the processing in question on the conclusion that, in accordance with Article 6 Paragraph 1 lit. e GDPR and Art. 9 para. 2 lit. g GDPR, the processing of personal data or of special categories of personal data can be lawful if this processing is required, on the basis of the law of the Member State of the person responsible, for a task in the public interest or, with regard to the processing of special categories of personal data, on the basis of a significant public interest. The legal basis corresponding to Art. 6 Para. 3 GDPR must, according to Recital 41 of the GDPR, be clear and precise and predictable for those subject to the law. Art. 9 paragraph 2 lit. g GDPR additionally requires appropriate and specific measures to safeguard the fundamental rights and interests of the persons concerned. In summary, the BVwG takes the view that the mP has to fulfill the tasks assigned to it in accordance with Section 29 Paragraph 1 AMSG under the principles of thrift, economy and expediency required in accordance with Section 31 Paragraph 5 AMSG. Section 25 Paragraph 2 AMSG grants the mP an authorization to process personal data insofar as these are an essential prerequisite for fulfilling legal tasks. The task assigned to the mP in accordance with Section 29 AMSG is undoubtedly one of significant public interest. In order to secure in the best possible way the set goal of optimally supplying the economy with workers and of employing everyone, it is undeniably necessary to take into account the personal characteristics of the job seekers in combination with labor market events. That the personal data of job seekers used can be relevant for the assessment of labor market opportunities has also not been disputed by the appellant. In this case there are no concerns that the mP may use the personal data in accordance with Section 25 Paragraph 1 AMSG to ensure a “proper labor market policy”. No indications are recognizable that such data processing is not sufficiently clearly expressed in § 25 AMSG. Section 25 Paragraph 10 AMSG takes precautions to ensure processing in accordance with the principles of the GDPR and to guarantee data security.<br />
<br />
54 5.3.2. In order to answer the appeal's submissions, the question of whether the requirements of Articles 6 and 9 of the GDPR are met must first be addressed, and it must be said in advance that the question of the legality of the processing against the background of these provisions is a legal question to be separated from the question of the ban on automated decisions in accordance with Art. 22 GDPR.<br />
<br />
<br />
55 5.3.2.1. The processing of personal data is, in accordance with Art. 6 Para. 1 lit. e GDPR, lawful - among other things - if the processing is necessary for the performance of a task that is in the public interest or is carried out in the exercise of official authority that was transferred to the person responsible.<br />
<br />
<br />
56 Art. 6 Para. 1 lit. e GDPR is closely related to Art. 6 Paragraphs 2 and 3, which contain more detailed requirements for the legal basis. The legal basis for the processing in accordance with Article 6 Paragraph 1 Letter e of the GDPR is, in accordance with Art. 6 para. 3 leg. cit., determined by Union law or the law of the Member States to which the controller is subject. The purpose of the processing does not - unlike for processing according to Art. 6 Para. 1 lit. c GDPR - necessarily have to be expressly provided for in a legal basis. According to Art. 6 Para. 3 Sentence 2 GDPR, it is sufficient if the purpose of the processing is necessary to fulfill a task which is in the public interest or is carried out in the exercise of official authority.<br />
<br />
<br />
57 Recital 41 of the GDPR in turn provides that the corresponding legal basis or legislative measure should be clear and precise and its application should be predictable for those subject to the law. However, Recital 45 of the GDPR expressly does not require a specific law for each individual processing. Rather, a law can be sufficient as a basis for multiple processing operations when the processing is necessary to carry out a task in the public interest.<br />
<br />
<br />
58 In light of the wording of these relevant provisions, it cannot be assumed that, in order to fulfill the justification of Article 6 Paragraph 1 Letter e GDPR with regard to a certain data processing, the national legislature is in any case required to determine the data processing itself in the law. Rather, the justification is fulfilled if the task to be performed is adequately described in the legal basis and the relevant data processing serves the purpose of fulfilling this task. However, this assumes that such a task is described sufficiently clearly and definitely by the law. The legal basis in question may contain more specific regulations, but this is not mandatory (arg.: “can” in Art. 6 Para. 3 third sentence GDPR). Finally, Art. 6 Para. 3 fourth sentence GDPR also provides for processing under Art. 6 Para. 1 lit. e leg. cit. that the legislation must pursue a goal that is in the public interest and must be in an appropriate proportion to the legitimate purpose pursued (see also, supporting this view, Kastelitz/Hötzendorfer/Tschohl in Knyrim, the DatKomm, 2020, Art. 6 para. 47; see also Buchner/Petri in Kühling/Buchner, DS-GVO, BDSG, 3rd edition, 2020, Art. 6 GDPR, paragraph 120 f).<br />
<br />
<br />
59 5.3.2.2. The purpose of the provisions of Article 9 Paragraph 1 GDPR is to ensure increased protection against such data processing which, due to the particular sensitivity of this data, can constitute a particularly serious interference with the fundamental rights to respect for private life and to protection of personal data guaranteed by Articles 7 and 8 of the Charter (cf. the comments of the ECJ on the purpose of protection in the judgment of September 24, 2019, C-136/17, GC and others, paragraph 44).<br />
<br />
60 The core of the legality requirement of Article 9 Para. 2 lit. g GDPR, which is modelled on Art. 6 Paragraph 1 Letter e GDPR, is that the processing must be required for reasons of significant public interest. While, accordingly, a public interest is generally sufficient for the processing of personal data (Art. 6 Para. 1 lit. e GDPR), the processing of sensitive data within the meaning of Article 9 Para. 1 GDPR requires - according to its wording - such a considerable interest. This means that, in the specific case, a special legitimation is required for the use of such data (cf. on the interpretation of the corresponding legal situation in Germany the explanations in Kühling/Buchner, DS-GVO, BDSG, 3rd edition, Art. 9 Rz. 91; cf. on Art. 9 Para. 2 lit. g GDPR also already ECJ September 24, 2019, C-136/17, GC et al. [Delisting of sensitive data], paragraph 61).<br />
<br />
<br />
61 The requirements for the legal basis are not specified in more detail in Art. 9 GDPR. Art. 9 Para. 2 lit. g GDPR, like Art. 6 Paragraph 1 lit. e leg. cit., refers as a justification to the requirement of processing for reasons of - in connection with Art. 9 Para. 2 lit. g considerable - public interest. With regard to what these two justification facts have in common structurally and the respective reference to Union law or the law of a Member State, as well as in the absence of an order to the contrary, it must also be assumed for the justification of the processing of special categories of personal data within the meaning of Art. 9 Para. 2 lit. g GDPR that - just like with the justification under Article 6 Paragraph 1 Letter e - the sufficiently clear definition of the task to be performed with the processing, which must have a special quality in relation to this data (arg.: “significant public interest”), is necessary but also sufficient (cf. the statements by Schörghofer/Warter, The legal basis of a Data processing in FS Pfeil, 2022, 721ff [734]). This view corresponds to the opinion of the ECJ in C-136/17, according to which Art. 9 Para. 2 lit. g GDPR permits processing of the special categories of data referred to in Article 9 if it is necessary for reasons of significant public interest, on the basis of Union law or the law of a Member State that is proportionate to the objective pursued, preserves the essence of the right to data protection and provides for appropriate and specific measures to safeguard the fundamental rights and interests of the data subject, whereby the ECJ sees in the right to free information protected by Article 11 of the Charter a possible justifying legal basis for the data processing in dispute there (cf. ECJ ibid., 61, 66 and 68). In this examination, the ECJ in no way relies on whether the justifying legal basis designates the disputed data processing itself.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
62 5.3.2.3. In the present case, the following arises against the background of this legal situation:<br />
<br />
First of all, it should be noted that the question of the existence of a public interest in the tasks transferred to the mP by Sections 29 ff AMSG - including those of the audit department - is not disputed.<br />
<br />
63 Section 29 Paragraph 1 AMSG defines the task of the mP; Section 29 Paragraph 2 AMSG names the goals of the activity of the mP that are to be achieved in connection with the fulfillment of this task. Section 30 Paragraph 2 AMSG also explicitly lays down the obligation of the mP to take care of labor market monitoring and statistics. By detailing the principles that must be taken as a basis for the fulfillment of tasks, Section 31 AMSG also states which demands must be met when fulfilling tasks. Section 25 Paragraph 1 AMSG limits the authorization for processing to the statutory task and to such processing that is an essential prerequisite for the fulfillment of the task. By listing the data and through the direct connection between the data and the permitted processing purpose, it is thus regulated, in a manner predictable for the data subject, which data may be processed and for what purpose. There is no doubt that §§ 29 to 31 AMSG describe sufficiently clearly and precisely the task in connection with which the mP is authorized to process the data listed in Section 25 Paragraph 1 AMSG, and thus the framework for the permitted purpose of data processing. That the assessment of the labor market opportunities of a person looking for work is a relevant parameter for efficient employment placement is obvious. It can therefore be assumed that, in view of the task given to the mP and the services to be provided - in particular the care plan to be drawn up in accordance with Section 38c AMSG - it is sufficiently clear to a person subject to the law that the processing of the data listed in Section 25 Paragraph 1 AMSG also serves to assess the positioning of the relevant job seeker on the labor market and that the data can thus be used for this purpose, which is necessary for the fulfillment of the public task.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
64 Furthermore, with regard to the health data affected in this case, which must be counted among the special categories of personal data within the meaning of Art. 9 Para. 1 GDPR, it should be noted that, in accordance with the requirements of the case law of the ECJ cited above, there can be no doubt that the legislative objective of the best possible integration of job seekers into the national labor market pursues a significant public interest within the meaning of Article 9 Paragraph 2 Letter g GDPR, since this objective is connected with the efficient use of state support resources and the optimization of the social satisfaction of job seekers on the one hand and the best possible supply of the labor market on the other hand. That the data processing in this case is in an appropriate relationship to the goals pursued with the task assigned by law is not in dispute, and nothing to the contrary is apparent. This is particularly because, according to the findings in the contested decision, only those health data are processed which restrict the exercise of activities in the labor market and are therefore directly related to the employment placement.<br />
<br />
65 The provisions regarding the duty of confidentiality of the bodies of the mP in § 27 AMSG and the detailed provisions on disclosure and storage of the data in Section 25 Paragraphs 2 to 11 AMSG leave no room for doubt that they fulfill the measures required by Art. 9 Para. 2 lit. g GDPR to preserve the essence of the fundamental right to protection of personal data enshrined in Article 8 GRC (on the concept of the essential content guarantee see ECJ April 8, 2014, Digital Rights Ireland et al., C‑293/12 and C‑594/12, para. 40; see also Bäcker in Kühling/Buchner, DS-GVO, BDSG, comment, 3rd edition, 2020, Art. 23 Rn. 57) as well as the fundamental rights and interests of the affected persons. The appeal does not bring forward anything concrete which calls this view into question.<br />
<br />
66 Insofar as the appeal repeatedly points out that the BVwG did not observe the character of profiling as a special processing procedure in connection with the requirements of Articles 6 and 9 GDPR, it is not clear from the statements to what extent the mentioned provisions should provide for other requirements for a justifying legal basis for this form of processing, especially since neither Article 6 nor Art. 9 GDPR refer to Art. 4 Z 4 GDPR. That the appeal may be agreed with in that profiling is a special form of processing does not change this view per se. Rather, the peculiarity of profiling is taken into account in Art. 22 GDPR, whereby the dangerous nature of this form of processing is reflected in the prohibition formulated there or in the reasons for justification there.<br />
<br />
Insofar as the appeal - including in this context - refers to the requirements of Section 1 Paragraph 2 DSG, the case law of the Constitutional Court on the legality principle of Article 18 B-VG and the insufficient legal basis of the federal directive because of its insufficient binding effect, reference is made to the comments on point 5.2.<br />
<br />
67 If the appeal points out that, in order to exercise data subject rights, it is necessary that “the data collection is carried out in a manner that is [...] foreseeable for those affected by it and in a form that is, where applicable, contestable and duly verifiable”, it should be noted that the data collection itself is not even at issue in this case. The subject of the appeal proceedings is rather the prohibition, issued by the appellant, of the processing of data at issue in the appeal. Moreover, the data to be collected are themselves listed in detail in Section 25 Paragraph 1 AMSG, so that there is no doubt as to the predictability of the type of data to be collected.<br />
<br />
68 If the appeal further argues that it follows from Recital 41 second sentence GDPR that it must be clear and predictable from the legal basis itself which data processing will be carried out, this cannot be reconciled with the wording of the recital. The recital states that “the corresponding legal basis or legislative measure [...] should be clear and precise and its application [...] [should] be predictable for those subject to the law in accordance with the case law of the Court of Justice of the European Union and the European Court of Human Rights.” To what extent this recital should determine in more detail the content of the provision of Article 6 Paragraph 1 Letter e GDPR, according to which the purpose of the processing may be necessary for the performance of a public task, is not clear. Art. 6 Para. 3 GDPR, on the other hand, expressly speaks of the need for a legal basis from which the purpose of the processing, or the relevant task in the public interest to which the data processing must be attributed, must be derivable. Insofar as the appeal repeatedly refers in this context to the second sentence of Section 1 (2) of the DSG, reference is again made to the statements under point 5.2., according to which this legal provision does not apply in the present case.<br />
<br />
69 The judgment of the ECJ of October 6, 2020, C-511/18, C-512/18 and C-520/18, which the appeal invokes as a yardstick for the sufficient specification of a legal basis, was issued on the interpretation of Article 15(1) of Directive 2002/58/EC of the European Parliament and of the Council of July 12, 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications, OJ 2002, L 201, p. 37). The judgment of the ECJ thus brought into play is not relevant because it deals with the principle of data minimization in accordance with Art. 5 lit. c GDPR. The appellant's decision was not based on this principle.<br />
<br />
<br />
70 The appeal must be agreed with in that, when processing special categories of personal data within the meaning of Article 9 Paragraph 1 GDPR, the special grounds for interference of Art. 9 Para. 2 GDPR are relevant. In this context, it criticizes the reasoning of the BVwG, according to which a review of Section 25 Paragraph 10 AMSG for compliance with the necessary data security measures did not have to be carried out because this had not been the subject of the review by the appellant.<br />
<br />
71 However, even if this view of the BVwG were not correct, the appeal does not show to what extent the guarantees for data security in the present case - contrary to the assessment set out under 5.3.2.1. - would be inadequate. Thus the appellant has put forward nothing that would lead to the assumption that the confidentiality obligations of the bodies, and in particular the prohibition of disclosing health data to employers in accordance with Section 25 Paragraph 8 AMSG, and the statutory precautions regarding storage and ensuring data security do not, in the present case, ensure sufficient data protection within the meaning of the requirements of the GDPR.<br />
<br />
5.4. On the question of the existence of an automated decision within the meaning of Art. 22 Para. 1 GDPR<br />
<br />
72 The appeal repeatedly points out that the BVwG did not take into account the character of profiling as a special processing operation. According to the appeal, it follows from Recital 41, second sentence, of the GDPR that it must be clearly and predictably apparent from the legal basis itself which data processing is carried out. Job seekers also ran the risk that AMAS' assumptions could be taken over without further processing.<br />
<br />
73 With this argument, the appeal concerns the legality of the processing that is the subject of the proceedings against the background of Art. 22 GDPR.<br />
<br />
<br />
74 5.4.1. In its recent judgment of December 7, 2023, C-634/21, SCHUFA Holding [Scoring] - which is to be considered for the present appeal decision - the ECJ stated as follows on the question regarding the interpretation of Article 22 Para. 1 GDPR that was referred by the Wiesbaden Administrative Court (Germany), by decision of October 1, 2021, in a request for a preliminary ruling under Art. 267 TFEU:<br />
<br />
“40 With its first question, the referring court essentially wants to know whether Article 22 Para. 1 GDPR is to be interpreted as meaning that an 'automated decision in individual cases' within the meaning of this provision exists if a probability value, based on personal data about a person, relating to that person's ability to fulfill future payment obligations is created automatically by a credit reporting agency, provided that this probability value significantly determines whether a third party to whom this probability value is transmitted establishes, executes or terminates a contractual relationship with this person.<br />
<br />
41 To answer this question, it should first be noted that the interpretation of a provision of Union law must take into account not only its wording, but also the context in which it stands, as well as the purposes and objectives pursued by the legal act of which it is a part (judgment of June 22, 2023, Pankki S, C‑579/21, EU:C:2023:501, paragraph 38 and the case law cited therein).<br />
<br />
42 As far as the wording of Article 22 Para. 1 GDPR is concerned, this provision stipulates that a data subject has the right not to be subjected to a decision based solely on automated processing - including profiling - which has legal effect on him or her or similarly significantly affects him or her.<br />
<br />
43 The applicability of this provision therefore depends on three cumulative prerequisites, namely that, firstly, a 'decision' must exist, secondly, this decision must be 'based exclusively on automated processing, including profiling', and thirdly, it must have 'legal effect vis-à-vis [the person concerned]' or affect that person 'in a similarly significant way'.<br />
<br />
44 As regards, first, the requirement for the existence of a decision, it should be noted that the term 'decision' within the meaning of Article 22 Paragraph 1 GDPR is not defined in this regulation. However, the wording of this provision already shows that this term refers not only to actions that have legal effect on the person concerned, but also to actions that affect this person in a similarly significant way.<br />
<br />
45 The broad meaning of the term 'decision' is confirmed by Recital 71 of the GDPR, according to which a decision on the assessment of personal aspects that affect a person '[may] include a measure' which either has 'legal effect for the person concerned' or 'significantly affects him in a similar way', whereby the data subject should have the right not to be subject to such a decision. According to this recital, the term 'decision' covers, for example, the automatic rejection of an online loan application or online hiring processes without any human intervention.<br />
<br />
46 Since the term 'decision' within the meaning of Article 22 Paragraph 1 GDPR can, as the Advocate General pointed out in point 38 of his Opinion, encompass several actions that can affect the person concerned in many ways, this term is broad enough to include the result of the calculation of a person's ability to fulfill future payment obligations in the form of a probability value.<br />
<br />
47 Secondly, as regards the requirement that the decision within the meaning of Art. 22 Para. 1 GDPR '[must be based] exclusively on automated processing - including profiling', the Advocate General stated in point 33 of his Opinion that an activity like that of SCHUFA corresponds to the definition of 'profiling' in Art. 4 No. 4 GDPR and that this requirement is therefore fulfilled in the present case; furthermore, the wording of the first question expressly refers to the automated creation of a probability value, based on personal data about a person, regarding that person's ability to service a loan in the future.<br />
<br />
48 Thirdly, as regards the requirement that the decision must have 'legal effect' vis-à-vis the data subject or must 'significantly affect' him or her 'in a similar way', it follows from the content of the first question that the actions of the third party to whom the probability value is transmitted are 'significantly' guided by this value. According to the facts established by the referring court, where a consumer applies to a bank for a loan, an insufficient probability value leads in almost all cases to the bank refusing to grant the requested loan.<br />
<br />
49 Consequently, it can be assumed that the third requirement on which the application of Art. 22 Para. 1 GDPR depends is fulfilled, because a probability value like that at issue in the main proceedings at least significantly affects the person concerned.<br />
<br />
50 Therefore, in circumstances such as those in the main proceedings, in which the probability value determined by a credit reporting agency and reported to a bank plays a significant role in the granting of a loan, the determination of this value is as such to be classified as a decision which, within the meaning of Article 22 Paragraph 1 GDPR, 'has legal effect vis-à-vis a data subject or significantly affects him or her in a similar way'.<br />
<br />
51 This interpretation is supported by the context in which Article 22 Paragraph 1 GDPR stands, as well as by the purposes and objectives pursued by this regulation.<br />
<br />
52 In this regard, it should be noted that, as the Advocate General stated in point 31 of his Opinion, Art. 22 Para. 1 GDPR gives the data subject the 'right' not to be subjected to a decision based solely on automated processing - including profiling. This provision lays down a fundamental prohibition, the violation of which does not need to be asserted individually by such a person.<br />
<br />
53 As can be seen from Article 22 Para. 2 GDPR in conjunction with recital 71 of this regulation, the adoption of a decision based exclusively on automated processing is only permissible in the cases mentioned in Article 22 paragraph 2, i.e., if it is necessary for the conclusion or performance of a contract between the data subject and the controller (letter a), if it is permissible under Union or Member State law to which the controller is subject (letter b), or if it is made with the express consent of the data subject (letter c).<br />
<br />
54 Furthermore, Article 22 Paragraph 2 Letter b and Paragraph 3 GDPR provide that appropriate measures to safeguard the rights and freedoms as well as the legitimate interests of the data subject must be provided for. In the cases referred to in Article 22(2)(a) and (c) of this Regulation, the controller grants the data subject at least the right to obtain the intervention of a person, to present his or her own position and to challenge the decision.<br />
55 Furthermore, according to Art. 22 Para. 4 GDPR, automated decisions in individual cases within the meaning of this Article 22 may be based on special categories of personal data in accordance with Article 9 Paragraph 1 of this Regulation only in certain special cases.<br />
56 In addition, in the case of automated decision-making such as that within the meaning of Art. 22 Para. 1 GDPR, on the one hand, the controller has additional information obligations in accordance with Article 13 Paragraph 2(f) and Article 14(2)(g) of this Regulation. On the other hand, in accordance with Article 15 Paragraph 1 Letter h GDPR, the data subject has a right to information vis-à-vis the controller which concerns in particular 'meaningful information about the logic involved as well as the scope and intended effects of such processing for the data subject'.<br />
57 These higher requirements for the legality of automated decision-making, the additional information obligations of the controller and the associated additional information rights of the data subject are explained by the purpose pursued by Article 22 of the GDPR, which consists in protecting people from the particular risks to their rights and freedoms associated with the automated processing of personal data - including profiling.<br />
<br />
58 As follows from Recital 71 of the GDPR, this processing requires the assessment of personal aspects in relation to the natural person affected by this processing, especially for analyzing or predicting aspects related to that person's work performance, economic situation, health, preferences or interests, reliability or behavior, location or change of location.<br />
<br />
59 According to this recital, these particular risks are capable of impairing the interests and rights of the data subject, in particular with regard to any discriminatory effects against natural persons based on race, ethnic origin, political opinion, religion or belief, trade union membership, genetic dispositions or health status as well as sexual orientation. Therefore, according to this recital, fair and transparent processing should be guaranteed to the data subject, in particular by the use of suitable mathematical or statistical methods for profiling and through technical and organizational measures which appropriately ensure that the risk of errors is minimized.<br />
60 The interpretation set out in paragraphs 42 to 50 of this judgment, and in particular the broad meaning of the term 'decision' within the meaning of Art. 22 Para. 1 GDPR, strengthens the effective protection at which this provision aims.<br />
<br />
61 However, in circumstances such as those in the main proceedings, which involve three actors, there would be a risk of circumvention of Art. 22 GDPR and consequently a gap in legal protection if preference were given to a narrow interpretation of this provision according to which the determination of the probability value is to be regarded only as a preparatory action and only the action taken by the third party can, if applicable, be classified as a 'decision' within the meaning of Article 22 Paragraph 1 of this Regulation.<br />
62 In this case, the determination of a probability value such as that at issue in the main proceedings would not be subject to the special requirements of Article 22 Paragraphs 2 to 4 GDPR, although this procedure is based on automated processing and has effects that significantly affect the person concerned, since the actions of the third party to whom this probability value is transmitted are largely guided by it.<br />
<br />
63 Furthermore, as the Advocate General stated in point 48 of his Opinion, the data subject could, on the one hand, not assert against the credit reporting agency which determines the probability value concerning him or her the right to the specific information mentioned in Article 15 Paragraph 1 Letter h GDPR if there were no automated decision-making by this company. On the other hand, the third party - assuming that the action taken by it fell under Art. 22 Para. 1 GDPR because it met the requirements for the application of this provision - would be unable to provide this specific information because it generally does not have it.<br />
<br />
64 The fact that the determination of a probability value like that at issue in the main proceedings is covered by Article 22 (1) GDPR has the effect, as stated in paragraphs 53 to 55 of this judgment, that it is prohibited unless one of the exceptions mentioned in Art. 22 Para. 2 GDPR is applicable and the special requirements of Article 22 Paragraphs 3 and 4 GDPR are fulfilled.<br />
65 As regards in particular Article 22 Paragraph 2 Letter b GDPR, to which the referring court refers, it is clear from the wording of that provision that national legislation authorizing the adoption of an automated decision in individual cases must contain measures to safeguard the rights and freedoms as well as the legitimate interests of the person concerned.<br />
<br />
66 In the light of recital 71 of the GDPR, such measures include in particular the obligation of the controller to use appropriate mathematical or statistical methods, to take technical and organizational measures which appropriately ensure that the risk of errors is minimized and errors are corrected, and to secure personal data in a way that takes into account the potential threats to the interests and rights of the data subject and in particular prevents discriminatory effects on him or her. These measures also include at least the right of the data subject to obtain the intervention of a person on the part of the controller, to present his or her own point of view and to challenge the decision issued against him or her.<br />
67 It should also be noted that, according to the settled case law of the Court of Justice, any processing of personal data must be consistent with the principles for the processing of personal data stipulated in Art. 5 GDPR and, in view of the principle of lawfulness of processing provided for in Article 5 Paragraph 1 letter a, must satisfy one of the conditions for the lawfulness of the processing listed in Article 6 of this Regulation (judgment of October 20, 2022, Digi, C‑77/21, EU:C:2022:805, paragraph 49 and the case law cited there). The controller must be able to demonstrate compliance with these principles in accordance with the principle of accountability laid down in Article 5 Para. 2 GDPR (cf. in this sense judgment of October 20, 2022, Digi, C‑77/21, EU:C:2022:805, paragraph 24).<br />
68 If the legislation of a Member State permits, in accordance with Article 22 Paragraph 2 letter b GDPR, the adoption of a decision based exclusively on automated processing, this processing must therefore satisfy not only the requirements in the last-mentioned provision and in Article 22 Paragraph 4 GDPR, but also the requirements in Articles 5 and 6 of this Regulation. Consequently, Member States may not enact legislation under Article 22 Paragraph 2 letter b GDPR according to which profiling is permissible in disregard of the requirements of these Articles 5 and 6 as interpreted by the case law of the Court of Justice.<br />
69 As regards in particular the conditions for lawfulness provided for in Article 6 Paragraph 1 Letters a, b and f GDPR, which may apply in a case like that in the main proceedings, the Member States are not authorized to lay down additional rules for the application of these conditions, since such a power is limited under Article 6 Paragraph 3 GDPR to the grounds mentioned in Article 6 Paragraph 1 Letters c and e of this Regulation.<br />
<br />
70 Furthermore, as regards Article 6 Paragraph 1 Letter f GDPR specifically, the Member States may not, under Article 22 Paragraph 2 Letter b of the GDPR, deviate from the requirements resulting from the case law of the Court of Justice following the judgment of December 7, 2023, SCHUFA Holding (Residual debt discharge) (C‑26/22 and C‑64/22, EU:C:2023:XXX), in particular not by conclusively prescribing the result of the weighing of the conflicting rights and interests (cf. to this effect, judgment of October 19, 2016, Breyer, C‑582/14, EU:C:2016:779, paragraph 62).<br />
<br />
71 In the present case, the referring court points out that only § 31 BDSG could represent a national legal basis within the meaning of Article 22 Paragraph 2 Letter b GDPR. However, this court has profound concerns regarding the compatibility of this § 31 BDSG with Union law. Should this provision be regarded as incompatible with Union law, SCHUFA would not only be acting without a legal basis, but would ipso iure violate the provisions of Article 22 Paragraph 1 of the GDPR.<br />
<br />
72 In this respect, it is for the referring court to examine whether Section 31 BDSG qualifies as a legal basis within the meaning of Article 22 Paragraph 2 Letter b GDPR according to which it would be permissible to adopt a decision based exclusively on automated processing. Should the referring court come to the conclusion that Section 31 is such a legal basis, it would still have to examine whether the requirements provided for in Article 22 Paragraph 2 letter b and paragraph 4 GDPR and in Articles 5 and 6 GDPR are met in this case.<br />
<br />
73 In view of the foregoing, the answer to the first question is that Article 22 Paragraph 1 of the GDPR must be interpreted as meaning that an 'automated decision in individual cases' within the meaning of this provision exists if a probability value, based on personal data about a person, regarding that person's ability to meet future payment obligations is created automatically by a credit reporting agency, provided that it depends significantly on this probability value whether a third party to whom this probability value is transmitted establishes, carries out or terminates a contractual relationship with this person.”<br />
<br />
<br />
75 5.4.2. From the reasons for the judgment of the ECJ reproduced above it can be concluded that the application of automated processing - such as AMAS - can as such already constitute a decision within the meaning of Art. 22 Para. 1 GDPR which, without a justifying legal basis within the meaning of Article 22 Paragraph 2 Letter b GDPR - the justifications of the necessity of the automated decision for the conclusion of a contract within the meaning of Article 22 Paragraph 2 lit. a GDPR or of the existence of consent within the meaning of Article 22 Paragraph 2 Letter c GDPR are not at issue in the present case - is subject to the prohibition of Article 22 Paragraph 1 GDPR. If there is such an automated decision, the relevant national legislation must permit the adoption of the automated decision in individual cases and also contain appropriate measures to safeguard the rights and freedoms as well as the legitimate interests of the data subject (cf. the statements by the ECJ in C-634/21, paragraph 65).<br />
<br />
<br />
76 According to the statements in the ECJ judgment cited, automated data processing - such as profiling - itself constitutes an “automated decision in individual cases” within the meaning of Article 22 Paragraph 1 GDPR if the result of this automated processing is decisive for a certain - further - decision insofar as the action of the third party is “significantly guided” by the profiling in question and thus significantly affects the person concerned (cf. the statements of the ECJ in C-634/21, paragraphs 48 and 73).<br />
<br />
77 5.4.3. In the present case, this results in the following:<br />
<br />
<br />
78 5.4.3.1. First of all, it should be noted that, in accordance with the case law of the ECJ in C-634/21, the classification of the automated processing of personal data of the affected job seekers applied by the mP (in AMAS), which is based on a mathematical-statistical program, as “profiling” within the meaning of Art. 4 Z 4 GDPR cannot be doubted.<br />
<br />
79 According to the ECJ, this automated processing - here the determination of the IC value, which indicates the probability of integration into the labor market - is itself (already) to be regarded as an “automated decision” within the meaning of Article 22 Paragraph 1 GDPR, provided that this probability value determines the allocation to the intended customer groups and thus has legal effect vis-à-vis the affected job seekers or significantly affects them in a similar way.<br />
<br />
80 The fact that the final decision on the customer group allocation lies with the consultants of the mP does not prevent the qualification of AMAS as an automated decision within the meaning of Art. 22 Para. 1 GDPR; the judgment of the ECJ, too, is based on facts in which the potential lender ultimately decides on the conclusion of the credit agreement in question there. The - possibly purely - formal separation of the decision, decisively influenced by the automated data processing, from the automated data processing itself does not prevent the latter from being classified, against the background of Art. 22 GDPR, as a decision that is in principle prohibited (cf. again ECJ C-634/21, paragraph 73). The finding of the BVwG that instructions and training ensured that the consultants of the mP would not adopt the result of the algorithm unquestioningly may justify the assumption that the classification into the respective customer group is not exclusively due to AMAS. However, this finding does not rule out that AMAS - as an automated decision - is ultimately decisive for this classification.<br />
<br />
81 Since the BVwG, on the basis of its legal opinion - which is to be regarded as incorrect against the background of the judgment of the ECJ - did not make any findings on the precise use of AMAS - in particular no specific findings on the question of which other parameters are to be taken into account and to what extent, or what procedure is provided for the use of AMAS - even the question of automated processing cannot be conclusively assessed in legal terms in the present case.<br />
<br />
82 5.4.3.2. Should the use of AMAS fall within the scope of Article 22<br />
<br />
Paragraph 1 of the GDPR would result in it being prohibited unless<br />
one of the exceptions mentioned in Article 22 Paragraph 2 GDPR is applicable and<br />
<br />
the special requirements of Article 22 Paragraphs 3 and 4 GDPR are met.<br />
<br />
83 Art. 22 Paragraph 2 Letter b GDPR contains an opening clause that allows the Union<br />
<br />
and the Member States open up legislation for automated<br />
<br />
to create decisions. The relevant - justifying - national ones<br />
However, legislation would need to allow for the adoption of the automated<br />
<br />
Allow decisions to be made in individual cases and also take appropriate measures<br />
Safeguarding the rights and freedoms as well as the legitimate interests of the<br />
<br />
the person concerned (cf. the ECJ's comments in C-634/21,<br />
<br />
65). Furthermore, these would have to comply with the requirements of Articles 5 and 6 of the GDPR<br />
the interpretation of which is sufficed by the case law of the Court of Justice<br />
<br />
(cf. again ECJ C-634/21, para. 68).<br />
<br />
84 The AMSG now obviously does not contain any provision with regard to the<br />
<br />
case-related processing - the AMAS - the justification of the<br />
Article 22 Paragraph 2 Letter b GDPR would be fulfilled.<br />
<br />
<br />
85 The GDPR understands “legal basis” - and therefore also under<br />
“Legal provision” in Article 22 Paragraph 2 Letter b GDPR - Recital 41<br />
<br />
not necessarily one “adopted by a parliament”.<br />
<br />
legislative act”. However, whether this is the case for the application of AMAS<br />
<br />
profiling, the claims of recital 41<br />
legal requirements sufficient in terms of clarity, precision and predictability<br />
<br />
A basis exists that meets the ECJ's requirements for the opening clause<br />
<br />
(cf. again C-634/21, paras. 65 and 68), was by<br />
BVwG - based on the legal opinion that AMAS does not constitute an automated system<br />
<br />
Decision within the meaning of Article 22 Paragraph 1 GDPR - not examined.<br />
<br />
86 5.5. According to the above, the appeal was ultimately upheld<br />
<br />
and the contested finding as a result of the existence of the provisions under point 5.4.<br />
secondary deficiencies in the findings due to the illegality of the<br />
<br />
content in accordance with Section 42 Paragraph 2 Z 1 VwGG.<br />
<br />
<br />
87 The BVwG will continue the proceedings as part of an oral hearing<br />
Negotiation against the background of point 5.4. shown<br />
<br />
Legal situation to discuss the legal situation with the parties and take this opportunity<br />
to provide a statement or additional facts.<br />
<br />
<br />
Vienna, December 21, 2023<br />
</pre><br />
{{DEFAULTSORT:VwGH_-_Ro_2021/04/0010-11}}</div>Echttps://gdprhub.eu/index.php?title=Kammarr%C3%A4tten_i_Stockholm_-_6027-23Kammarrätten i Stockholm - 6027-232024-03-15T17:03:59Z<p>Johan90: </p>
<hr />
<div>{{COURTdecisionBOX<br />
<br />
|Jurisdiction=Sweden<br />
|Court-BG-Color=<br />
|Courtlogo=Courts_logo1.png<br />
|Court_Abbrevation=Kammarrätten i Stockholm<br />
|Court_Original_Name=Kammarrätten i Stockholm<br />
|Court_English_Name=Stockholm Administrative Court of Appeal<br />
|Court_With_Country=Kammarrätten i Stockholm (Sweden)<br />
<br />
|Case_Number_Name=6027-23<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Allmanhandling.se <br />
|Original_Source_Link_1=https://allmanhandling.se/wp-content/uploads/2024/03/KR_Stockholm_6027_23.pdf<br />
|Original_Source_Language_1=Swedish<br />
|Original_Source_Language__Code_1=SV<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Date_Decided=13.03.2024<br />
|Date_Published=<br />
|Year=2024<br />
<br />
|GDPR_Article_1=Article 10 GDPR<br />
|GDPR_Article_Link_1=Article 10 GDPR<br />
|GDPR_Article_2=Article 85(1) GDPR<br />
|GDPR_Article_Link_2=Article 85 GDPR#1<br />
|GDPR_Article_3=Article 85(2) GDPR<br />
|GDPR_Article_Link_3=Article 85 GDPR#2<br />
|GDPR_Article_4=<br />
|GDPR_Article_Link_4=<br />
|GDPR_Article_5=<br />
|GDPR_Article_Link_5=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=1 kap. 20 § Fundamental Law on Freedom of Expression<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=1 kap. 4 § Fundamental Law on Freedom of Expression<br />
|National_Law_Link_2=<br />
|National_Law_Name_3=21 kap. 7 § Public Access to Information and Secrecy Act<br />
|National_Law_Link_3=<br />
|National_Law_Name_4=<br />
|National_Law_Link_4=<br />
|National_Law_Name_5=<br />
|National_Law_Link_5=<br />
<br />
|Party_Name_1=Prolegia Research AB<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
<br />
|Appeal_From_Body=Swedish Prosecution Authority<br />
|Appeal_From_Case_Number_Name=ÅM2023-1596<br />
|Appeal_From_Status=<br />
|Appeal_From_Link=<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Johan90<br />
|<br />
}}<br />
<br />
The case concerns the limits of the Swedish system under which a media license gives a database constitutional protection (freedom of expression), and the boundary between the right to take part in public documents and the use of those documents in one's corporate activities. Regarding the company's obtaining of the documents for background checks, the Court of Appeal finds that the primacy of EU law means that the Swedish regulation should not be applied, and therefore the Public Prosecutor's Office cannot interpret it.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
A company, Prolegia Research AB, requested to take part in records in a criminal case under the constitutional right to access public records in Sweden. The company is a service provider in areas such as background checks and consultancy in recruitment. During the process of seeking access, the company applied for a voluntary certificate of publication, which gives the entity the same constitutional protection as newspapers and TV. <br />
<br />
The company claimed that, by virtue of the voluntary certificate of publication, it is using the data in the records for journalistic purposes and is therefore not obliged to apply the GDPR. The questions in the case are whether EU law, in the form of the GDPR, is to be applied ahead of the Swedish constitution, and whether the company's processing of the records is for journalistic purposes or rather for business purposes.<br />
<br />
=== Holding ===<br />
In a memorandum, IMYRS 2022:2, the DPA stated the following as a summary. <br />
<br />
According to Article 85 of the Data Protection Regulation, Member States are obliged to reconcile in national legislation the right to protection of personal integrity and the right to freedom of expression and information. In Sweden, this has taken place through the regulation in ch. 1. Section 7 of the law (2018:218) with provisions adapting to the EU's data protection regulation (data protection act). The first paragraph of the section states that personal data processing that is covered by the constitutional protection in the Freedom of the Press Act (TF) and the Fundamental Law on Freedom of Expression (YGL) is exempted from the requirements of the data protection regulation if the application of the regulation would come into conflict with the constitutions. In ch. 1 Section 7, second paragraph, exceptions are made with regard to freedom of expression and information. The exception covers processing that takes place for journalistic purposes or for academic, artistic or literary creation. If the exception is applicable, most provisions of the data protection regulation do not apply.<br />
<br />
The legal position deals with questions concerning the concept of "journalistic purposes", based on, among other things, case law from the European Court of Justice and Swedish courts. The position statement also contains a number of examples as guidance for application.<br />
<br />
== Comment ==<br />
This is a question many lawyers in Sweden have seen as a problem, the question being whether the Swedish system is compliant with EU law. The judgment is the first, but the Supreme Administrative Court of Appeal has granted dispensation for review in a case on the same fundamental question (case 4588-23), and Attunda District Court also requested, in March, a preliminary ruling from the Court of Justice in the same area (district court's no. T 3743-23).<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.<br />
<br />
<pre><br />
BACKGROUND<br />
The Swedish Prosecution Authority decided on 13 July 2023 to reject Prolegia Research AB's request to take part in records in criminal cases AM-73270-17 and AM-98355-09. As the basis for the decision, it was stated that it could be assumed that the requested data in the records would be processed after disclosure in violation of the EU's data protection regulation 2016/679 (the data protection regulation) and law (2018:218) with supplementary provisions to the EU's data protection regulation (the data protection law) and that confidentiality according to ch. 21 Section 7 of the Public Access to Information and Secrecy Act (2009:400), OSL, therefore prevented disclosure.<br />
<br />
Prolegia appealed to the Court of Appeal in Stockholm, which on 19 September 2023 (case no. 4653-23) remanded the case as the company had brought forward that the company would conduct journalistic activities and the Public Prosecutor's Office had not taken a position on whether this meant that the company's processing of the personal data contained in the requested documents were exempt from the data protection regulation.<br />
<br />
In the now appealed decision, the Swedish Prosecution Authority, after taking into account the submitted voluntary release certificate, again rejected Prolegia's request to take part in records in criminal cases AM-73270-17 and AM-98355-09. The Swedish Prosecution Authority stated in the decision that the journalistic purpose must be the main purpose of the processing of personal data in order for the exception for journalistic activities to be applicable when assessing whether the data after disclosure can be assumed to be processed in violation of the EU's data protection regulation or the data protection act. Since it had not emerged that Prolegia, which mainly engages in background checks and consultancy in recruitment, had started any journalistic activities, the requested information was covered according to the Prosecutor's Office by confidentiality according to ch. 21. Section 7 OSL.<br />
<br />
CLAIMS, ETC.<br />
Prolegia stands by its request and puts forward, among other things, the following. The company has, through a granted publication certificate, a constitutionally protected right to publish its database. The EU's data protection regulation with supplementary Swedish regulations shall not be applied to this part of the company's operations. For the same reason, the data cannot be covered by confidentiality according to ch. 21. Section 7 OSL. The company intends to carry out journalistic activities. It is not a question of maintaining a legal database with search services that contains personal data about individuals. It is not the task of the Swedish Prosecution Authority to assess whether the company's operations are sufficiently journalistic. It is also neither appropriate nor in accordance with current law to give an authority the opportunity to preview and accept, or reject, the explanation provided regarding the relevance of the requested information to the public debate, investigative journalism or broader journalistic purposes. The actions of the Swedish Prosecution Authority involve a circumvention of the rights that follow from a certificate of issuance. The public prosecutor's office has also investigated who requested some of the documents in question and therefore did not carry out the exercise of authority in an objective and impartial manner.<br />
<br />
REASONS FOR THE COURT OF APPEAL'S DECISION<br />
<br />
Swedish Prosecution Authority procedure<br />
The Court of Appeal does not supervise the Swedish Prosecution Authority. What Prolegia has brought forward about the authority's procedure in the case therefore does not entail any action on the part of the Court of Appeal.<br />
<br />
Right to take part in public records<br />
<br />
The issue in the case<br />
<br />
Like the Swedish Prosecution Authority, the Court of Appeal considers that the requested documents are public records. The question in the case therefore becomes whether there is any provision in OSL, primarily ch. 21. Section 7, which means that the records must not be disclosed to Prolegia anyway. As it has emerged in the case that Prolegia has been granted a so-called voluntary certificate of publication and is therefore covered by the same constitutional protection as the traditional mass media, the question arises of the relationship between the data protection regulation and the constitutional protection of freedom of expression in the form of publication of information about prosecution on websites. There are no guiding rulings on the issue.<br />
<br />
Legal starting points<br />
<br />
EU law<br />
<br />
Article 10 of the data protection regulation states, among other things, that the processing of personal data relating to convictions in criminal cases and offenses involving crimes may only be carried out under the control of an authority or when processing is permitted under Union law or the national law of the Member States, where appropriate protective measures for the rights and freedoms of the data subjects are established.<br />
<br />
According to Article 85(1) point one of the data protection regulation, the member states must by law combine the right to privacy in accordance with the regulation with the freedom of expression and information, including processing that takes place for e.g. journalistic purposes. From the second point of the article, it appears that the member states, when processing for journalistic purposes, must determine exceptions or deviations from some of the regulation's provisions, if these are necessary to combine the right to privacy with freedom of expression and information. In Article 86, the possibility of exceptions to the publicity of documents is given in order to balance this right with the right to protection of personal data.<br />
<br />
In a ruling on 22 June 2021 (Latvijas Republikas Saeima, C-439/19, EU:C:2021:504), the European Court of Justice has found that the provisions of the Data Protection Regulation may constitute an obstacle to certain national legislation which means that an authority transfers information about offences, covered by Article 10, to economic operators for further exploitation. The Court recalled that the purpose of Article 10 is to ensure enhanced protection against such processing which, by reason of the particular sensitivity of the data, may constitute a particularly serious interference with the fundamental right to respect for private life and protection of personal data in accordance with Articles 7 and 8 of the EU Charter of Rights. The Court also stated that Union law takes precedence over national provisions, including the Constitution (paragraphs 74, 126 and 135).<br />
<br />
The Swedish constitutional protection and the relationship to the data protection regulation<br />
<br />
When introducing the Data Protection Act, the legislator considered that the EU data protection regulations continued to provide scope for the provisions on freedom of press and expression in the Swedish constitutions. A disclosure provision was therefore introduced through ch. 1. Section 7 first paragraph of the Data Protection Act, which makes it clear that the Freedom of the Press Act, TF, and the Fundamental Law on Freedom of Expression, YGL, take precedence over the provisions of the Data Protection Regulation and the Act. From the provision's second paragraph, which has its basis in Article 85(2) of the data protection regulation, it appears that i.a. Article 10 of the Data Protection Regulation shall not be applied to the processing of personal data for journalistic purposes or for academic, artistic or literary creation.<br />
<br />
The so-called database rule in ch. 1 § 4 YGL regulates the conditions under which provision of information from a database over the internet is covered by YGL. An actor can, upon application, be granted a certificate of issuance and thereby be covered by constitutional protection. This means according to ch. 1 § 7 first paragraph of the Data Protection Act that the Data Protection Regulation with supplementary Swedish regulations shall not be applied to the constitutionally protected part of the operator's activities, to the extent that it would conflict with TF or YGL.<br />
<br />
In the preparatory work for the regulations on certificates of issue, it was established that free access to information as rich as possible and to varying opinions is a prerequisite for the citizens themselves to be able to take a stand on various issues that concern them. Among the civil liberties and rights, freedom of expression therefore occupies a central position which, together with freedom of information, has received specific protection in Swedish law through TF and YGL. When introducing the so-called voluntary issuance certificates, the legislator noted that a risk with having to apply for and be granted such a certificate is that the person who wants constitutional protection must turn to an authority. It was stated that it could not be ruled out that there is a risk that the authority in a tense social situation applies the application rules in such a way that constitutional protection is denied with regard to the expected content of the database. The risk was eliminated by stating the conditions for constitutional protection directly in the constitution, current chapter 1. § 5 YGL (government bill prop. 2001/02:74 pp. 36 and 49).<br />
<br />
On January 1, 2019, the possibility was introduced to limit constitutional protection by law regarding certain search services that contain data of a particularly privacy-sensitive nature, e.g. information about sexual orientation and health, with the support of ch. 1 Section 20 YGL. Proposals for corresponding provisions regarding legal violations have been presented on two occasions but not adopted by the Riksdag (Committee terms of reference Dir. 2023:145, pp. 6–7). The Swedish legislation thus lacks the possibility to limit the constitutional protection according to YGL with regard to information about violations of the law through domestic law.<br />
<br />
The Court of Appeal's assessment<br />
<br />
Prolegia has requested access to certain documents in two criminal cases and stated that they are to be used in journalistic activities and that it is not a question of maintaining a legal database with search services that contain personal data about individuals. Since the processing of the requested documents involves the processing of personal data, including information about violations of the law that include crimes, the processing falls under Article 10 of the Data Protection Regulation.<br />
<br />
Such a strict approach as follows from ch. 1. Section 7 first paragraph of the Swedish Data Protection Act, i.e. that the Swedish constitutional protection must always take precedence over the data protection regulation for the holder of a voluntary issuance certificate, is not compatible with the principle of the primacy of Union law. This is especially true in light of the fact that the constitutionally protected part of the business is, according to Swedish law, completely exempt from the provisions of the data protection regulation and that no proportionality assessment is made between, on the one hand, the right to protection of personal data and, on the other hand, the right to protection of freedom of expression and information (Latvijas Republikas Saeima, p. 105). Taking into account the principle of the primacy of Union law and the practice of the European Court of Justice, the Court of Appeal considers that a balance must be made in each individual case between the privacy protection interest that is expressed by the data protection regulation and the constitutionally protected rights that apply to holders of voluntary issuance certificates and that are found in TF and YGL.<br />
<br />
In this context, it can be stated that the examination carried out when issuing voluntary certificates of issue is of a formal nature. There is also no requirement that any actual journalistic activity, regardless of content, must have begun. In addition, it can be noted that Prolegia already operates an established business in recruitment and that information has previously been requested from the Public Prosecutor's Office in order to carry out background checks in recruitment procedures. It was only after Prolegia had been denied access to certain documents that the company came in with a release certificate and stated that it wished to access the information for journalistic purposes. It has not emerged that Prolegia has started any journalistic activities.<br />
<br />
Denying an actor who has been granted a release certificate access to documents on the grounds that constitutional protection must give way in favor of the Data Protection Regulation must be done with great care. At the same time, the data protection regulation places clear requirements on the member states to establish appropriate safeguards for the rights and freedoms of the data subjects when it comes to personal data relating to convictions in criminal cases and offenses involving crimes, when the processing of such data is carried out by someone other than an authority. When it comes to the proportionality balance between different interests that must be made, the European Court of Justice has stated that data falling under Article 10 of the Data Protection Regulation relates to behavior that society disapproves of, and that granting access to such data may therefore stigmatize the person concerned and constitute a serious interference in his or her private or professional life (Latvijas Republikas Saeima p. 75).<br />
<br />
Against this background, automatically completely exempting Prolegia from the provisions of the data protection regulation is not compatible with the proportionality assessment that must be made between freedom of expression, public actions and the protection of personal data. The Data Protection Regulation must therefore be applied when assessing whether Prolegia has the right to access requested documents, despite what is prescribed in the Data Protection Act regarding the primacy of constitutional protection.<br />
<br />
The Data Protection Regulation allows certain exceptions to the protection of personal data for activities that have journalistic purposes. The concept of journalistic purposes must be given a broad interpretation, including activities aimed at disseminating information, opinions or ideas to the public, and is applied to all persons engaged in journalistic activities (Satakunnan Markkinapörssi and Satamedia, C-73/07, EU:C:2008:727 pp. 56, 58 and 61).<br />
<br />
In a balance between the data subjects' interest in the protection of their personal data and Prolegia's interest in accessing the current data with the intention of being able to carry out journalistic activities in the future, the data subjects' rights weigh more heavily. In making this assessment, the Court of Appeal has taken into account in particular that the information relates to violations of the law and that disclosure could constitute a serious interference in the individual's private or professional life. Prolegia also has, with regard to its already established recruitment activities, an interest in obtaining the data, which currently appears to be the actual purpose of the processing of the requested personal data.<br />
<br />
Against this background, it can be assumed that the information in the requested documents will, after disclosure, be processed in violation of the data protection regulation. The information is therefore covered by confidentiality according to ch. 21 Section 7 OSL. The appeal must therefore be dismissed.<br />
</pre></div>Johan90https://gdprhub.eu/index.php?title=NAIH_(Hungary)_-_7286-1/2023NAIH (Hungary) - 7286-1/20232024-03-15T13:37:36Z<p>Im: </p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Hungary<br />
|DPA-BG-Color=background-color:#7f0037;<br />
|DPAlogo=LogoHU.jpg<br />
|DPA_Abbrevation=NAIH<br />
|DPA_With_Country=NAIH (Hungary)<br />
<br />
|Case_Number_Name=7286-1/2023<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=NAIH homepage<br />
|Original_Source_Link_1=https://gdprhub.eu/images/5/56/NAIH-7286-2023-hatarozat.pdf<br />
|Original_Source_Language_1=Hungarian<br />
|Original_Source_Language__Code_1=HU<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Complaint<br />
|Outcome=Partly Upheld<br />
|Date_Started=15.06.2022<br />
|Date_Decided=02.08.2023<br />
|Date_Published=07.03.2024<br />
|Year=2023<br />
|Fine=<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 4(7) GDPR<br />
|GDPR_Article_Link_1=Article 4 GDPR#7<br />
|GDPR_Article_2=Article 15 GDPR<br />
|GDPR_Article_Link_2=Article 15 GDPR<br />
|GDPR_Article_3=Article 15(1) GDPR<br />
|GDPR_Article_Link_3=Article 15 GDPR#1<br />
|GDPR_Article_4=<br />
|GDPR_Article_Link_4=<br />
|GDPR_Article_5=<br />
|GDPR_Article_Link_5=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=im<br />
|<br />
}}<br />
<br />
The DPA issued a reprimand to a controller for responding to an access request after the deadline and to a misspelled e-mail address, in violation of [[Article 15 GDPR|Article 15 GDPR]].<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
On 07 April 2022, the data subject received an e-mail from a recruiter, the controller, mentioning the data subject’s standout resume among job seekers’ profiles. It was unclear to the data subject how the controller obtained access to his contact information as he never disclosed it on the jobseekers’ website, which is generally used by recruiters to directly contact candidates. Therefore, the data subject asked the controller for an explanation based on [[Article 15 GDPR|Article 15 GDPR]]. Despite reminders, no response was received. <br />
<br />
The data subject requested the DPA to investigate the controller’s conduct and compel them to respond. Additionally, the data subject requested to investigate the relationship between the website operator and the recruiter and whether a joint liability could be established.<br />
<br />
The data controller declared to the DPA that he is registered on the jobseekers’ website as an independent data controller to carry out recruitment activities. Additionally, the data subject provided his consent to be contacted for recruitment purposes. The controller, therefore, had access to his e-mail address as a subscriber to the website. <br />
<br />
The controller attributed the lack of response to the data subject's request to an administrative error, specifically, the misspelling of their email address in the response sent on 17 May 2022. This oversight came to light subsequent to the order from the Data Protection Authority to address the allegations.<br />
<br />
=== Holding ===<br />
The DPA held that the controller’s argument does not relieve them of their liability as a controller as per [[Article 4 GDPR#7|Article 4(7) GDPR]]. Despite the fact that the controller intended to comply with the data subject’s access request under [[Article 15 GDPR|Article 15 GDPR]], the DPA observed two things. First, the controller sent the reply on 12 May 2022, which exceeded the one-month deadline (7 May 2022) under [[Article 12 GDPR#3|Article 12(3) GDPR]]. <br />
<br />
Second, the DPA highlighted that the most important characteristic of a controller is that they have substantive decision-making power and responsibility for compliance with all the obligations of the processing laid down in the GDPR.<br />
<br />
Lastly, the DPA rejected an argument that the website owner qualifies as a controller in this case where the recruiter organised the process and created the conditions for the data processing. <br />
<br />
For the reasons set out above, the DPA found that the controller has infringed [[Article 15 GDPR#1|Article 15(1) GDPR]] and ordered them to comply with the data subject’s access request.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.<br />
<br />
<pre><br />
Case number: NAIH-7286-1/2023.<br />
<br />
History: NAIH-5460/2022. Subject: decision partially granting the request<br />
<br />
<br />
DECISION<br />
<br />
<br />
<br />
The National Data Protection and Freedom of Information Authority (hereinafter: Authority), on the basis of<br />
the application submitted on 06.15.2022 by [...] applicant (hereinafter: Applicant) regarding the<br />
non-fulfillment of the request, in the official data protection proceedings against [...] represented by a lawyer<br />
(hereinafter: Lawyer) (hereinafter: Respondent 1) and [...] (hereinafter: Respondent 2) (hereinafter<br />
together: Respondents), makes the following decisions:<br />
<br />
I.1. In its decision, the Authority<br />
<br />
partially grants<br />
<br />
the Applicant's request and<br />
<br />
I.2. finds that Respondent 2 has violated Article 15 (1) of Regulation (EU) 2016/679 on the protection of<br />
natural persons with regard to the processing of personal data and on the free movement of such data,<br />
and repealing Directive 95/46/EC (hereinafter: GDPR or general data protection regulation),<br />
as it did not fulfill the request submitted based on the right of access, furthermore<br />
<br />
II. obligates Respondent 2 to provide the Applicant, within 15 days of the decision becoming final,<br />
with information regarding the fulfillment of the request submitted under Article 15 of the GDPR.<br />
<br />
III. In its decision, the Authority<br />
<br />
rejects<br />
<br />
the Applicant's request regarding Respondent 1.<br />
<br />
Respondent 2 must certify the fulfillment of the obligation under point II to the Authority in writing<br />
within 15 days of taking the measure, together with the supporting evidence, i.e. a copy of the letter<br />
written to the Applicant and the document certifying its dispatch.<br />
In case of non-fulfilment of the obligation, the Authority orders the execution of the decision.<br />
<br />
During the official procedure, no procedural costs were incurred, so the Authority made no provision<br />
on bearing them.<br />
<br />
* * *<br />
<br />
<br />
There is no place for administrative appeal against this decision, but it can be challenged within 30 days<br />
of its announcement with a claim addressed to the Capital Tribunal in an administrative lawsuit.<br />
The statement of claim must be submitted electronically to the Authority, which forwards it to the court<br />
together with the documents of the case. The request to hold a hearing must be indicated in the statement of claim.<br />
For those who do not benefit from the full personal tax exemption, the administrative court fee is<br />
HUF 30,000; the lawsuit is subject to the right to record the levy. In the proceedings before the Metropolitan Court, legal<br />
representation is mandatory.<br />
<br />
1 The NAIH_KO1 form is used to initiate an administrative lawsuit: NAIH KO1 form (16.09.2019). The<br />
form can be filled out using the general form filling program (ÁNYK program).<br />
<br />
<br />
JUSTIFICATION<br />
<br />
I. Procedure of the procedure<br />
<br />
<br />
(1) At the request of the Applicant, on the basis of Section 60 (1) of Act CXII of 2011 on the right to<br />
informational self-determination and freedom of information (hereinafter: Infotv.) - after the Applicant<br />
fulfilled the obligation to remedy deficiencies - an official data protection procedure was initiated<br />
on June 15, 2022.<br />
<br />
(2) In order to clarify the facts, the Authority invited the Respondents in its order to make a statement,<br />
with reference to § 63 of Act CL of 2016 (hereinafter: Ákr.), to which the Respondents' answers<br />
arrived at the Authority within the deadline.<br />
<br />
(3) The Authority notified the Applicant and the Respondents that the evidence procedure<br />
has been completed and has drawn their attention to the fact that they may make a statement or comment.<br />
Respondent 2 exercised his right to inspect documents. Neither the Applicant nor the Respondents<br />
exercised their right to make a statement.<br />
<br />
<br />
II. Clarification of facts<br />
<br />
II.1. Request of the Applicant (NAIH-5460-1/2022.)<br />
<br />
<br />
(4) In his application submitted to the Authority on May 21, 2022, the Applicant submitted that he<br />
received a letter from [...] e-mail address on April 7, 2022, in which […] wrote that "while<br />
browsing the profiles of job seekers, your profile stood out to me.” The letter was signed by […]<br />
as the head of the office of Respondent 2, and the signature also includes<br />
the information that Respondent 2 is a member of Respondent 1's network.<br />
<br />
(5) Since the Applicant never gave his contact information to the letter writer ([…] and<br />
Respondent 2), and since he did not know what data sheet was being referred to, in the<br />
reply message sent to [...] that day he asked to be informed how they had obtained the<br />
Applicant's address and what other data had been given to them. Because he did not get an answer,<br />
the Applicant wrote to Respondent 2 again on May 11, 2022, mentioning<br />
that if he did not receive an answer, he would file a report with the Authority. According to what was submitted<br />
in his application of May 21, 2022, the Applicant did not receive an answer to this letter either.<br />
<br />
(6) The Authority called on the Applicant to remedy the deficiencies, in response to which the Applicant<br />
submitted his definite request regarding the procedure with his statement received on June 14, 2022.<br />
<br />
(7) In remedying the deficiencies, the Applicant requested the following from the Authority (NAIH-5460-3/2022.):<br />
<br />
- examine the relationship between Respondent 1 and Respondent 2 and who is<br />
responsible for the management of his data, whether there has been a violation due to the failure to respond and,<br />
if so, determine that the application submitted based on his right of access<br />
was not properly fulfilled,<br />
- in the event of a legal violation, oblige the data controller to respond.<br />
<br />
II.2. Statement of Respondent 1 (NAIH-5460-6/2022.)<br />
<br />
(8) Respondent 1 operates the national real estate brokerage franchise network. In [...], the<br />
franchise partner businesses - which are in a franchise relationship with Respondent 1 - operate under the<br />
trademark, but they carry out their economic activities independently. Respondent 1, as the operator of […],<br />
can enter into framework contracts with some businesses for the benefit of franchise partner customers.<br />
For this reason, Respondent 1 has a framework contract with<br />
[...] Kft. Respondent 1 sent a copy of the referenced contract to the Authority.<br />
<br />
(9) Based on the referenced framework agreement, the database of jobseekers registered on the [...] website<br />
is accessed by the franchise partner who uses this service of […]. Respondent 2, indicated in the order,<br />
uses the […] service as the franchise partner of Respondent 1.<br />
The individual franchise partners receive access to the online database directly from […] Kft.<br />
Each franchise partner business performs its recruiting<br />
activities independently, thus as an independent data controller.<br />
<br />
(10) To the knowledge of Respondent 1, if the franchise partners have access to the database,<br />
they can contact the data subject. According to Respondent 1's assumption,<br />
Respondent 2 could have come into contact with the Applicant by using this service.<br />
<br />
(11) The Applicant's data is not managed by Respondent 1. Respondent 1 is also unable<br />
to state whether Respondent 2 or the franchise partner office manager [….] received a<br />
request from the Applicant and whether he has responded to it.<br />
<br />
<br />
II.3. Statement of Respondent 2 (NAIH-5460-7/2022.)<br />
<br />
(12) Respondent 2 uses the service provided by [….] Kft. to the partners of […]<br />
based on the framework agreement between [...] Kft. and Respondent 1, which operates […].<br />
<br />
(13) As a customer of the service, Respondent 2 has access to the database of the […] website,<br />
in which the jobseekers - with their consent -<br />
can be contacted for recruitment purposes. The legal basis for data management is the voluntary consent<br />
of the data subject on the […] website to being contacted by those offering him a job - in this case<br />
Respondent 2.<br />
<br />
(14) Due to an administrative error, no substantive response was given to the Applicant's data subject request.<br />
According to the statement of Respondent 2, this omission was detected after receipt of the order<br />
of the Authority.<br />
<br />
(15) By using the [...] database service, Respondent 2 became the controller of the Applicant's data,<br />
which Respondent 2 could access on the basis of the voluntary consent given by the Applicant<br />
on the […] website. Respondent 2 used the Applicant's name and e-mail<br />
address when making the inquiry; it does not process his other data. The referenced inquiry<br />
was sent by the manager of the real estate office operated by Respondent 2 for recruitment purposes.<br />
<br />
(16) Respondent 2 sent the Authority a copy of the electronic letter sent to the Applicant<br />
at [...], regarding which it declared, as explained in paragraph (14),<br />
that after receiving the order of the Authority, it noticed that<br />
an administrative error occurred. In the letter, it can be seen that under the name of the sender, […],<br />
the date 12.05.2022 is included, and the e-mail address was misspelled, as it was sent not to […]<br />
but to […] email address.<br />
<br />
<br />
The text of the letter is as follows:<br />
<br />
"Dear […]!<br />
<br />
Our company is a subscriber to the [...] job search portal, whose database contains your<br />
e-mail address as a current job seeker. If you are not currently looking for a job, please permanently delete<br />
your profile on […], which can be found in the settings menu after logging in.<br />
<br />
We only received your e-mail address; we do not store any other data about you and<br />
we don't have any other information.<br />
<br />
At the same time, we declare that we have deleted it from our address list!<br />
<br />
Best regards:<br />
<br />
<br />
[...]"<br />
<br />
<br />
III. Applicable legal provisions<br />
<br />
(17) The GDPR must be applied to personal data in a partially or fully automated manner<br />
processing, as well as those personal data in a non-automated manner<br />
<br />
which are part of a registration system or which<br />
they want to make it part of a registration system. Subject to the GDPR<br />
for data management by Infotv. According to Section 2 (2), the GDPR is indicated there<br />
must be applied with supplements.<br />
<br />
(18) Based on points 1, 2, 7 of Article 4 of the GDPR:<br />
1. "personal data": for an identified or identifiable natural person ("data subject")<br />
<br />
any information relating to; the natural person who is directly you can be identified<br />
indirectly, in particular an identifier such as name, number, location data,<br />
online identifier or physical, physiological, genetic, mental, economic,<br />
based on one or more factors related to your cultural or social identity<br />
identifiable;<br />
2. "data management": automated or not on personal data or data files<br />
any operation or set of operations performed in an automated manner, such as collection,<br />
<br />
recording, organizing, categorizing, storing, transforming or changing, querying,<br />
viewing, use, communication, transmission, distribution or otherwise<br />
by making it available, coordinating or connecting, limiting, deleting, or<br />
destruction;<br />
7. "data controller": the natural or legal person, public authority, agency or<br />
any other body that independently manages the purposes and means of personal data<br />
or determines with others; if the purposes and means of data management are defined by the EU or<br />
<br />
determined by the law of the Member State, concerning the data controller or the designation of the data controller<br />
special aspects may also be determined by EU or member state law;<br />
<br />
(19) Based on paragraphs (1)-(6) of Article 12 of the GDPR:<br />
<br />
(1) The data controller shall take appropriate measures in order to ensure that the data subject a<br />
all those referred to in Articles 13 and 14 relating to the management of personal data<br />
<br />
information and 15-22. and each piece of information according to Article 34 is concise, transparent,<br />
in an understandable and easily accessible form, clearly and intelligibly formulated<br />
provide, especially for any information directed at children. The information<br />
must be given in writing or in another way - including, where applicable, the electronic way. The<br />
at the request of the data subject, oral information can also be provided, provided that the data subject has confirmed otherwise<br />
identity.<br />
(2) The data controller facilitates the relevant 15-22. the exercise of his rights according to art. Article 11<br />
<br />
In the cases referred to in paragraph (2), the data controller is the data subject concerned in Articles 15-22. your rights under Art<br />
may not refuse to fulfill your request for exercise, unless you prove that<br />
that the person concerned cannot be identified.<br />
(3) The data controller without undue delay, but in any case the request<br />
within one month of its receipt, informs the person concerned of the 15-22 according to article<br />
on measures taken following a request. If necessary, taking into account the request<br />
complexity and the number of applications, this deadline can be extended by another two months. Regarding the extension of the deadline, the data controller explains the reasons for the delay<br />
indicating within one month from the receipt of the request<br />
<br />
concerned. If the person concerned submitted the request electronically, the information is possible<br />
must be provided electronically, unless the data subject requests otherwise.<br />
<br />
(20) Pursuant to Article 15 (1) of the GDPR:<br />
(1) The data subject is entitled to receive feedback from the data controller regarding<br />
whether your personal data is being processed and if such data is being processed<br />
is entitled to access to personal data and the following information<br />
<br />
get:<br />
a) the purposes of data management;<br />
b) categories of personal data concerned;<br />
c) recipients or categories of recipients with whom or with which the personal<br />
data has been disclosed or will be disclosed, including in particular third-country recipients,<br />
and international organizations;<br />
d) where appropriate, the planned period of storage of personal data, or if this is not the case<br />
<br />
possible aspects of determining this period;<br />
e) the right of the data subject to request from the data controller the personal data relating to him<br />
rectification, deletion or restriction of processing of data, and may object to such<br />
against the processing of personal data;<br />
f) the right to submit a complaint addressed to a supervisory authority;<br />
g) if the data were not collected from the data subject, everything about their source is available<br />
information;<br />
<br />
h) the fact of automated decision-making referred to in paragraphs (1) and (4) of Article 22, including<br />
also profiling, and at least in these cases to the applied logic and that<br />
comprehensible information about the significance of such data management and that<br />
what are the expected consequences for the person concerned.<br />
<br />
(21) Pursuant to points b) and d) of Article 58 (2) of the GDPR, the supervisory authority<br />
acting within its competence:<br />
<br />
b) condemns the data manager or the data processor if its data management activities<br />
violated the provisions of this regulation.<br />
d) instructs the data manager or the data processor that its data management operations - given<br />
in a specified manner and within a specified period of time - harmonized by this decree<br />
with its provisions.<br />
<br />
<br />
(22) Pursuant to Article 77 (1) of the GDPR, other administrative or judicial remedies<br />
without prejudice, all data subjects are entitled to lodge a complaint with a supervisory authority<br />
- in particular your usual place of residence, place of work or the place of the alleged infringement<br />
in the Member State of origin - if, according to the judgment of the data subject, the personal data relating to him<br />
handling violates this regulation.<br />
<br />
<br />
(23) Infotv. § 60 (1): In order to assert the right to the protection of personal data,<br />
the Authority initiates official data protection proceedings at the request of the data subject and<br />
may initiate official data protection proceedings ex officio.<br />
<br />
(24) Based on Infotv. § 71, paragraph (1), during the Authority's procedure - to the extent and for the duration<br />
necessary for its conduct - it can manage all personal data, as well as<br />
data classified as secrets protected by law and secrets bound to the exercise of a profession, which<br />
are related to the procedure, and the management of which is necessary for the successful completion<br />
of the procedure.<br />
<br />
(25) Pursuant to Section 46 (1) of the Ákr, the authority shall reject the application if<br />
a) the legally defined condition for the initiation of the procedure is missing, and this law<br />
does not attach any other legal consequences to it.<br />
<br />
(26) Pursuant to § 47, subsection (1) of the Ákr, the authority terminates the procedure if<br />
a) the request should have been rejected, but the reason for that came to the attention of the authority<br />
after the initiation of the procedure.<br />
<br />
<br />
IV. Decision:<br />
<br />
<br />
IV.1. Personal data of the Applicant, quality of data management<br />
<br />
<br />
(27) According to Article 4, Point 1 of the General Data Protection Regulation, the contact details of the Applicant -<br />
surname, first name, e-mail address - are the personal data of the Applicant,<br />
and the storage of this data is considered data management in accordance with Article 4, Point 2<br />
of the General Data Protection Regulation.<br />
<br />
(28) The Respondents declared to the Authority that Respondent 2 determines the purpose and means<br />
of data management independently, therefore it is an independent data controller, since it has<br />
independent decision-making authority over the management of the personal data of job seekers<br />
taken over from […], including the Applicant's personal data.<br />
<br />
(29) Due to the above, Respondent 2, as a data controller, was obliged to fulfill the Applicant's data subject request<br />
and provide information to him in connection with the data subject's request.<br />
<br />
(30) The subject of the present proceedings was only the examination of whether the Applicant's<br />
data subject request was properly fulfilled in accordance with the general data protection regulation,<br />
i.e. the Authority did not examine the handling of the Applicant's personal data or<br />
the data management conditions of their receipt from […].<br />
<br />
IV.2. Completing an access request and the related obligation to provide information<br />
<br />
<br />
(31) The data subject's right of access is regulated by Article 15 of the GDPR. Based on this, the data subject is entitled<br />
to receive feedback from the data controller on whether his personal<br />
data is being processed, and if such data processing is underway, he is entitled<br />
to receive information about the purpose of data management, the categories of personal data concerned,<br />
the recipients to whom his personal data was (will be) disclosed,<br />
the duration of their storage, the source of the data, the exercise of the data subject's rights, and<br />
the right to appeal to the authorities.<br />
<br />
(32) On April 7, 2022, the Applicant turned to Respondent 2 with his access request.<br />
As detailed in paragraph (14), Respondent 2 noticed only after receiving the order of the Authority<br />
that, due to an administrative error, no response had been given.<br />
<br />
(33) Pursuant to Article 12 (3) of the GDPR, Respondent 2 should have informed the Applicant<br />
regarding his access request within one month of the receipt of the request.<br />
Based on this, the one-month deadline for responding to the access request sent to Respondent 2<br />
by the Applicant expired on May 7, 2022,<br />
so Respondent 2 should have informed the Applicant by this deadline.<br />
However, Respondent 2 failed to inform the Applicant within this deadline;<br />
according to its statement sent to the Authority, the reason for this was an administrative error. According to its statement<br />
and the attached e-mail copy, the Applicant's e-mail address was mistyped,<br />
which was the reason why he did not receive Respondent 2's reply letter. According to the attached<br />
copy, the response of Respondent 2 would have been sent on May 12, 2022, i.e. after the Applicant's reminder e-mail<br />
(in which he again requested access and stated that he would turn to the Authority if the request<br />
was not complied with), thus exceeding the one-month deadline according to Article 12 (3)<br />
of the GDPR.<br />
<br />
(34) Respondent 2 claimed that, due to an administrative error, it did not answer the<br />
Applicant's data subject request. According to this, it was unintentional behavior that caused<br />
Respondent 2 not to fulfill the data subject request at all. According to the position of the Authority,<br />
this argument does not exempt Respondent 2 from data controller responsibility, given<br />
that, pursuant to Article 4, point 7 of the GDPR, Respondent 2 is considered a data controller.<br />
Respondent 2 is the one who organizes the data management process and shapes its<br />
circumstances. The most important feature of the data controller is that it has substantive decision-making<br />
authority and is responsible for fulfilling all data management obligations stipulated in the general<br />
data protection regulation. Because of the above, the Authority<br />
found that Respondent 2 violated Article 15 (1) of the GDPR.<br />
<br />
<br />
(35) According to Guidelines 07/2020 of the European Data Protection Board on the concepts of data processor<br />
and data controller in the GDPR (hereinafter: Guidelines),<br />
"Sometimes companies and public bodies appoint a specific person to carry out<br />
a data management activity. Even if a specific natural<br />
person is appointed to ensure compliance with data protection rules,<br />
this person will not be the data controller, but acts on behalf of the legal entity (company or<br />
public law body) which, as the data controller, is ultimately responsible in case of<br />
violation of the rules. In the same way, even if a specific department or<br />
organizational unit has operational responsibility for ensuring compliance<br />
with regard to certain data management activities, this does not mean that this<br />
department or unit (rather than the organization as a whole) will be the data controller.” In addition,<br />
the summary of the Guidelines notes in this regard that "As a general rule, there is no<br />
restriction on the type of organization that can fulfill the role of data controller;<br />
however, in practice it is usually the organization itself, rather than a person within the organization<br />
(such as a CEO, employee, or board member), that<br />
acts as a data controller."<br />
<br />
(36) Based on all of this, the violation related to the case also falls under the responsibility<br />
of Respondent 2 as a data controller. Article 25 of the GDPR requires the data controller to<br />
implement appropriate technical and organizational measures throughout its entire data management process<br />
to ensure that data subject requests are fulfilled in a timely manner.<br />
<br />
IV.3. Request related to obliging Respondent 2 to fulfill the stakeholder request<br />
<br />
(37) Considering that, as established in paragraph (34) of this decision, Respondent 2<br />
did not comply with the Applicant's access request, the Authority granted the<br />
Applicant's request and obliged Respondent 2 to comply with it.<br />
<br />
<br />
IV.4. Request related to obliging Respondent 1 to fulfill the stakeholder request<br />
<br />
(38) Since Respondent 1 did not qualify as a data controller for the data management complained about in the application,<br />
because of what was written in point IV.1 of the decision - namely that, in connection with the examined<br />
data management, Respondent 2 qualifies as the data controller - the Authority rejected the Applicant's<br />
request regarding Respondent 1.<br />
<br />
<br />
IV.5. Legal consequences<br />
<br />
(39) The Authority condemns Respondent 2 on the basis of GDPR Article 58 (2) point b),<br />
because it violated Article 15 (1) of the GDPR.<br />
<br />
(40) In accordance with Article 58 (2) point d) of the GDPR, the Authority ordered that<br />
Respondent 2 fulfill the Applicant's access request.<br />
<br />
(41) The Authority exceeded the administrative deadline according to Infotv. § 60/A. (1), therefore<br />
HUF 10,000, i.e. ten thousand forints, is due to the Applicant - according to his choice - by transfer to a bank account<br />
or by postal money order, based on point b) of paragraph (1) of § 51.<br />
<br />
V. Other questions:<br />
<br />
(42) The competence of the Authority is defined by paragraphs (2) and (2a) of § 38 of Infotv., and its jurisdiction<br />
covers the entire territory of the country.<br />
<br />
(43) The decision is based on §§ 80-81 of the Ákr. and paragraph (1) of § 61 of Infotv. Based on<br />
§ 82, paragraph (1) of the Ákr., the decision becomes final upon its communication. Based on § 112, § 116<br />
(1) and § 114, paragraph (1) of the Ákr., there is room for legal redress against the decision<br />
through an administrative lawsuit.<br />
<br />
* * *<br />
(44) The rules of administrative proceedings are laid down in Act I of 2017 on Administrative Procedures<br />
(hereinafter: Kp.). Based on § 12, paragraph (1) of the Kp., the administrative lawsuit against the decision<br />
of the Authority falls within the jurisdiction of the court; based on Section 13 (3)<br />
subparagraph a) point aa) of the Kp., the Metropolitan Court is exclusively competent for the lawsuit.<br />
Pursuant to § 27, paragraph (1) point b) of the Kp., legal representation is mandatory in a lawsuit<br />
within the jurisdiction of the court. According to paragraph (6) of § 39 of the Kp., the submission of the statement of claim<br />
does not have the effect of postponing the entry into force of an administrative act.<br />
<br />
(45) According to Section 9 (1) point b) of Act CCXXII of 2015 on the general rules of electronic<br />
administration and trust services (hereinafter: E-Administration Act), applicable pursuant to<br />
paragraph (1) of § 29 of the Kp. and, in view of this, § 604 of the Pp.,<br />
the client's legal representative is obliged to maintain electronic contact.<br />
<br />
(46) The time and place of filing the statement of claim is defined by § 39, paragraph (1) of the Kp.<br />
The information on the possibility of a request to hold a hearing is based on Section 77 (1)-(2)<br />
of the Kp. The amount of the administrative lawsuit fee is defined by Section 45/A (1) of<br />
Act XCIII of 1990 on Fees (hereinafter: Itv.). Paragraph (1) of § 59 and<br />
point h) of § 62 (1) of the Itv. exempt the party initiating the procedure from paying<br />
the fee in advance.<br />
<br />
(47) If Respondent 2 does not adequately certify the fulfillment of the prescribed obligation,<br />
the Authority considers that the obligation was not fulfilled within the deadline. According to § 132 of the Ákr.,<br />
if the obligated party has not complied with the obligation contained in the final decision of the authority,<br />
it is enforceable. According to § 82, paragraph (1) of the Ákr., the Authority's decision becomes final<br />
with its communication. Pursuant to § 133 of the Ákr., enforcement - unless a law or<br />
government decree provides otherwise - is ordered by the decision-making authority. Pursuant to § 134<br />
of the Ákr., the execution - unless a law, government decree or, in a municipal authority matter,<br />
a decree of the local government provides otherwise - is undertaken by the state tax authority.<br />
<br />
(48) During the procedure, the Authority exceeded the one-hundred-and-fifty-day administrative deadline<br />
according to paragraph (1) of § 60/A of Infotv., therefore, based on point b) of § 51 of the Ákr.,<br />
it pays ten thousand forints to the Applicant.<br />
<br />
<br />
dated: Budapest, according to the electronic signature<br />
<br />
Dr. Habil. Attila Péterfalvi<br />
president<br />
c. professor<br />
</pre></div>
Im
https://gdprhub.eu/index.php?title=APD/GBA_(Belgium)_-_40/2024
APD/GBA (Belgium) - 40/2024
2024-03-14T07:32:08Z
<p>Nzm: </p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Belgium<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoBE.png<br />
|DPA_Abbrevation=APD/GBA<br />
|DPA_With_Country=APD/GBA (Belgium)<br />
<br />
|Case_Number_Name=40/2024<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=GBA<br />
|Original_Source_Link_1=https://www.gegevensbeschermingsautoriteit.be/publications/bevel-nr.-40-2024.pdf<br />
|Original_Source_Language_1=Dutch<br />
|Original_Source_Language__Code_1=NL<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Complaint<br />
|Outcome=Other Outcome<br />
|Date_Started=24.01.2024<br />
|Date_Decided=23.02.2024<br />
|Date_Published=<br />
|Year=2024<br />
|Fine=<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 12(3) GDPR<br />
|GDPR_Article_Link_1=Article 12 GDPR#3<br />
|GDPR_Article_2=Article 12(4) GDPR<br />
|GDPR_Article_Link_2=Article 12 GDPR#4<br />
|GDPR_Article_3=Article 17(1) GDPR<br />
|GDPR_Article_Link_3=Article 17 GDPR#1<br />
|GDPR_Article_4=<br />
|GDPR_Article_Link_4=<br />
|GDPR_Article_5=<br />
|GDPR_Article_Link_5=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=nzm<br />
|<br />
}}<br />
<br />
The DPA ordered a controller who sent unsolicited letters to a data subject to erase their data after the latter had made an erasure request, to which the controller failed to respond.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The data subject received unsolicited letters from the controller on a regular basis. On 27 July 2023, the data subject asked the controller to delete his data and to stop the communications. The data subject alleged that the influx of letters increased after this request. The data subject lodged a complaint with the Belgian DPA (“APD”), asking it to force the controller to delete his data.<br />
<br />
=== Holding ===<br />
[[Article 17 GDPR#1|Article 17(1) GDPR]] establishes that under certain conditions, a data subject may obtain the erasure of personal data without undue delay. [[Article 12 GDPR#3|Article 12(3) GDPR]] specifies this period by indicating that the controller provides information on action taken under a request regarding the data subject’s rights, without undue delay and in any event within one month of receipt of the request. This period may be extended by two months if necessary. [[Article 12 GDPR#4|Article 12(4) GDPR]] adds that if the controller does not take action, it must inform the data subject without delay and at the latest within one month of receiving the request of the reasons for not taking action and on the possibility of lodging a complaint with the DPA.<br />
<br />
In the present case, the APD found that the controller did not respond to the erasure request. Therefore, the DPA concluded that there was a breach of [[Article 12 GDPR#3|Articles 12(3)]], [[Article 12 GDPR#4|12(4)]] and [[Article 17 GDPR#1|17(1) GDPR]] and ordered the controller to proceed with the deletion of the data subject’s data.<br />
<br />
== Comment ==<br />
As this was a prima facie decision, if the controller does not agree with the contents of the decision or believes that it has factual and/or legal arguments that could lead to a different decision, it may submit a request for a hearing to the APD within 30 days of the notification of the decision.<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.<br />
<br />
<pre><br />
<br />
<br />
<br />
Dispute Chamber<br />
<br />
<br />
Decision 40/2024 of February 23, 2024<br />
<br />
<br />
File number: DOS-2024-00171<br />
<br />
<br />
Subject: complaint for failure to respond to a request for data erasure<br />
<br />
<br />
<br />
The Disputes Chamber of the Data Protection Authority, composed of Mr<br />
<br />
Hielke HIJMANS, sole chairman;<br />
<br />
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016<br />
on the protection of natural persons with regard to the processing of personal data and on the<br />
free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation),<br />
hereinafter “GDPR”;<br />
<br />
<br />
Having regard to the law of 3 December 2017 establishing the Data Protection Authority,<br />
<br />
hereinafter “WOG”;<br />
<br />
In view of the internal rules of order, as approved by the House of Representatives<br />
on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019;<br />
<br />
<br />
Considering the documents in the file;<br />
<br />
<br />
Has made the following decision regarding:<br />
<br />
<br />
Complainant: Mr and Mrs X, hereinafter “the complainant”<br />
<br />
<br />
<br />
The defendant: Y, hereinafter “the defendant”<br />
<br />
<br />
<br />
I. Facts and procedure<br />
<br />
1. The subject of the complaint concerns the failure to respond to the complainant's request<br />
to delete data so that he no longer receives written communication from the<br />
defendant, a non-profit organization.<br />
<br />
<br />
2. On January 11, 2024, the complainant submits a complaint to the Data Protection Authority<br />
<br />
against the defendant.<br />
<br />
In the complaint, the complainant states that he receives unsolicited letters from the defendant<br />
on a very regular basis. On July 27, 2023, the complainant wrote to the chairman of the<br />
defendant asking him to delete his data in order to stop these communications.<br />
The complainant states that the influx of letters increased after this communication,<br />
which is also demonstrated by copies of communications from the defendant dated<br />
August 11, 2023, September 4, 2023, October 18, 2023, November 9, 2023, December 4, 2023<br />
and December 12, 2023. The complainant asks the GBA to intervene<br />
to force the defendant to erase his data.<br />
<br />
3. On January 24, 2024, the complaint is declared admissible by the First Line Service<br />
on the basis of articles 58 and 60 of the WOG, and the complaint is transferred to the<br />
Disputes Chamber on the basis of article 62, § 1 of the WOG. 2<br />
<br />
4. In accordance with Article 95, § 2, 3° of the WOG as well as Article 47 of the internal rules<br />
of order of the GBA, the parties can request a copy of the file. If one of the<br />
parties wishes to make use of the opportunity to consult and<br />
copy the file, he or she must contact the secretariat of the<br />
Disputes Chamber, preferably via litigationchamber@apd-gba.be.<br />
<br />
<br />
<br />
II. Justification<br />
<br />
<br />
5. Article 17.1 GDPR provides that the data subject can obtain from the controller<br />
the deletion of personal data relating to him without unreasonable delay. The<br />
controller is obliged to erase personal data without unreasonable<br />
delay when the personal data is no longer necessary for the<br />
purposes for which they were collected or otherwise processed.<br />
<br />
<br />
6. In accordance with Article 12.3 GDPR, the controller shall provide the<br />
person concerned, without delay and in any case within one month of receipt of the request<br />
pursuant to Articles 15 to 22 GDPR, with information on the action taken on the request.<br />
Depending on the complexity of the requests and the number of requests,<br />
that period may be extended by a further two months if necessary. The<br />
controller shall inform the data subject of such extension within one month of receipt<br />
of the request.<br />
<br />
1 In accordance with Article 61 of the WOG, the Disputes Chamber hereby informs the parties that the complaint has been<br />
declared admissible.<br />
2 In accordance with Article 95, § 2 of the WOG, the Disputes Chamber hereby informs the parties that the file has been<br />
transferred to it as a result of this complaint.<br />
<br />
<br />
7. On the basis of the documents supporting the complaint, the Disputes Chamber determines that the<br />
complainant exercised the right to erasure of data on July 27, 2023. However, the Disputes Chamber<br />
cannot determine on the basis of the complaint that the complainant has received an answer. The<br />
communications from the defendant attached to the documents, dated August 11, 2023,<br />
September 4, 2023, October 18, 2023, November 9, 2023, December 4, 2023 and December 12, 2023,<br />
however, lead the Disputes Chamber to suspect that there has been an infringement of<br />
Articles 12.3 and 12.4 GDPR, as well as Article 17.1 GDPR. 4<br />
<br />
<br />
8. Based on the above analysis, it could be concluded that the defendant<br />
has committed an infringement of the provisions of the GDPR, which justifies taking<br />
a decision in this case on the basis of Article 95, § 1, 5° of the<br />
WOG, in particular to order the defendant to comply with the exercise by<br />
the complainant of his right to erasure (Article 17.1 GDPR), and this in particular in view<br />
of the documents that the complainant has provided showing that the complainant<br />
has requested the defendant to delete his data.<br />
<br />
<br />
9. This decision is a prima facie decision taken by the Disputes Chamber<br />
<br />
in accordance with Article 95 of the WOG on the basis of the complaint submitted by the complainant,<br />
<br />
<br />
<br />
<br />
3 Article 12 GDPR<br />
[…]<br />
3. The controller shall provide the data subject, without undue delay and in any case within one month of receipt of<br />
the request pursuant to Articles 15 to 22, with information on the action taken on the request. Depending on<br />
the complexity of the requests and the number of requests, this period may be extended by another two months if<br />
necessary. The controller shall notify the data subject of such extension within one month of receiving the request.<br />
When the data subject submits his request electronically, the information shall be provided electronically<br />
where possible, unless the data subject requests otherwise.<br />
4. When the controller does not act on the data subject's request, he shall inform the latter without delay and at the<br />
latest within one month of receipt of the request why the request was not acted upon, and shall inform him of the<br />
possibility to file a complaint with a supervisory authority and to appeal to the courts. […]<br />
4 Article 17 GDPR<br />
1. The data subject has the right to obtain from the controller, without undue delay, the erasure of personal data<br />
concerning him or her, and the controller is obliged to erase personal data without<br />
unreasonable delay where one of the following applies:<br />
a) the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;<br />
b) the data subject withdraws the consent on which the processing is based in accordance with Article 6(1)(a) or<br />
Article 9(2)(a), and there is no other legal basis for the processing;<br />
c) the data subject objects to the processing in accordance with Article 21(1), and there are no mandatory<br />
legitimate grounds for the processing, or the data subject objects to the processing in accordance with Article<br />
21(2);<br />
d) the personal data have been processed unlawfully;<br />
e) the personal data must be erased in order to comply with a legal obligation laid down in Union or Member State law<br />
that is incumbent on the controller;<br />
f) the personal data have been collected in connection with an offer of information society services as referred to<br />
in Article 8(1).<br />
<br />
<br />
in the context of the “procedure prior to the decision on the merits” 5 and is not a<br />
decision on the merits of the Disputes Chamber within the meaning of Article 100 of the WOG.<br />
<br />
<br />
The Disputes Chamber has thus decided, on the basis of Article 58.2.c) GDPR and<br />
<br />
Article 95, § 1, 5° of the WOG, to order the defendant to comply with the request<br />
<br />
of the data subject to exercise his rights, in particular the right to<br />
<br />
erasure (“right to be forgotten”) as provided for in Article 17 GDPR.<br />
<br />
<br />
10. The purpose of this decision is to inform the defendant of the fact that it<br />
has committed an infringement of the provisions of the GDPR and to give it the opportunity<br />
to still comply with the aforementioned provisions.<br />
<br />
<br />
11. If the defendant does not agree with the content of the present prima facie<br />
decision and is of the opinion that it can put forward factual and/or legal arguments<br />
that could lead to a different decision, it can send a request for a hearing on the merits<br />
of the case to the Disputes Chamber via the e-mail address litigationchamber@apd-gba.be<br />
within 30 days after notification of this decision. The implementation of this decision<br />
will, if necessary, be suspended for the aforementioned period.<br />
<br />
<br />
12. In the event that the case continues on the merits, the Disputes Chamber will invite<br />
the parties, on the basis of Articles 98, 2° and 3° in conjunction with Article 99 WOG,<br />
to submit their defenses and to add to the file any documents they consider useful.<br />
If necessary, the present decision will be permanently suspended.<br />
<br />
13. Finally, for the sake of completeness, the Disputes Chamber points out that a hearing on the merits<br />
of the case may lead to the imposition of the measures stated in Article 100 of the WOG. 6<br />
<br />
<br />
<br />
<br />
<br />
<br />
5Section 3, Subsection 2 of the WOG (Articles 94 to 97).<br />
<br />
6Article 100. § 1. The Disputes Chamber has the authority to:<br />
1° to dismiss a complaint;<br />
2° to order the dismissal of prosecution;<br />
3° order the suspension of the ruling;<br />
4° to propose a settlement;<br />
5° formulate warnings and reprimands;<br />
6° order that the data subject's requests to exercise his rights be complied with;<br />
<br />
7° to order that the person concerned is informed of the security problem;<br />
8° order that processing be temporarily or permanently frozen, restricted or prohibited;<br />
9° to order that the processing be brought into compliance;<br />
10° order the rectification, limitation or deletion of data and its notification to the recipients of the<br />
data;<br />
11° order the withdrawal of the recognition of certification bodies;<br />
12° to impose penalty payments;<br />
13° to impose administrative fines;<br />
14° order the suspension of cross-border data flows to another State or an international<br />
institution;<br />
<br />
15° to transfer the file to the public prosecutor's office in Brussels, who will inform it of the<br />
follow-up given to the file;<br />
16° decide on a case-by-case basis to publish its decisions on the website of the<br />
Data Protection Authority.<br />
<br />
<br />
an objection petition must be submitted to the registry of the Market Court<br />
in accordance with Article 1034quinquies of the Dutch Civil Code 8, or via the e-Deposit<br />
IT system of Justice (Article 32ter of the Judicial Code).<br />
<br />
(signed) Hielke HIJMANS<br />
<br />
<br />
Chairman of the Disputes Chamber<br />
<br />
8 The petition with its attachment shall be sent by registered letter to the clerk of the court, or<br />
deposited at the registry, in as many copies as there are parties involved.<br />
</pre></div>Nzm