VwGH - 2021/04/0030-4: Difference between revisions

VwGH - 2021/04/0030-4
Court:	VwGH (Austria)
Jurisdiction:	Austria
Relevant Law:	Article 5 GDPR Article 14 GDPR Article 15(1)(d) GDPR Article 77 GDPR
Decided:	06.03.2024
Published:
Parties:
National Case Number/Name:	2021/04/0030-4
European Case Law Identifier:
Appeal from:	BVerwG (Germany) W211 2222613-2/11E
Appeal to:
Original Language(s):	German
Original Source:	noyb (in German)
Initial Contributor:	ec

The supreme administrative court held that the controller does not fulfil its information obligation under Article 14 GDPR by stating the recipients of the personal data in a privacy policy on its website without active, explicit notification to data subjects.

English Summary

Facts

A data subject, an entrepreneur, requested access to their personal data at a credit ranking agency (“controller”). The controller provided certain information, including that a specifically named company had carried out a query regarding the identity and creditworthiness of the data subject.

The data subject lodged a complaint with the Austrian DPA (“Datenschutzbehörde”) against the controller for violating their right of access under Article 15 GDPR and for violating the principles of data minimisation (Article 5(1)(c) GDPR), confidentiality (Article 5(1)(f) GDPR) and the controller’s information obligation under Article 14 GDPR regarding the transfer of the data subject’s data to a third party. The data subject argued that the information that the controller provided was inadequate as it did not provide the origin of the data, storage period, processing purposes and a copy was missing.

The DPA dismissed the complaint, stating that the controller provided sufficient information. The DPA held that the controller fulfilled the information obligations as the information was publicly accessible on a website.

The data subject appealed this decision to the Federal Administrative Court (“Bundesverwaltungsgericht”).

The Federal Administrative Court partially upheld the complaint against the controller, stating that the controller violated the data subject’s right of access by providing insufficient information on the storage period within the meaning of Article 15(1)(d) GDPR. At the same time, the court dismissed the data subject’s arguments concerning the information on the origin of the data and the processing purposes. Concerning transparency obligations, the court further held that the controller did not fulfil its duty to provide information on the recipients of data and thereby violated Article 14(1)(e) GDPR. Finally, the court rejected the complaint on the alleged violations of data minimisation and right to confidentiality.

Both the DPA and the controller appealed this decision to the Supreme Administrative Court (“Verwaltungsgerichtshof”).

Regarding the storage period, the controller argued that it processes data for the purpose of operating as a credit ranking agency and must therefore process the data for as long as the data subject is able to conclude contracts or participate in economic life. The data subject argued that this would mean processing for his entire lifetime, which would violate the principle of storage limitation under Article 5(1)(e) GDPR.

The controller also argued that data subjects do not have an enforceable right to compliance with the principles under Article 5 GDPR. The data subject argued that Article 77 GDPR contains an independent right to lodge a complaint and covers all violations of the GDPR provisions.

Regarding the violation of Article 14 GDPR, the controller argued that the publication of a privacy policy on the internet should be considered sufficient. Actively informing each data subject about each processing of personal data would be impracticable due to the large number of creditworthiness enquiries, especially as the controller only processed postal and not electronic contact data.

Holding

On the information about the planned storage period, the Court stated that the data subject has, under Article 15(1)(d) GDPR, a right of access to information about – if possible – the planned duration for which the personal data will be stored or, if this is not possible, about the criteria for determining this duration.

The Court disregarded the data subject’s argument that the storage period would mean the data subject’s entire lifetime and would violate the principle of storage limitation. The Court explained that the issue at hand is not whether the processing of personal data complies with the principle of storage limitation under Article 5(1)(e) GDPR, but whether the information regarding the storage period complies with the requirements of Article 15(1)(d) GDPR.

The Court found that the storage period is as long as the data subject participates in economic life and wants to conclude a contract with the customers of the controller. Once the data subject is erased from the commercial or trade register, the controller will stop processing this data. Therefore, the Court concluded that the data subject can estimate the time at which it will end its business activities and thus estimate the storage period. Thus, the controller's information regarding the storage period complies with the requirements of Article 15(1)(d) GDPR. The Court therefore rejected the Federal Administrative Court's part of the ruling, which stated that the controller provided insufficient information regarding the duration of the storage period.

On the violations of the principles of Article 5 GDPR, the Court rejected the controller’s argument that data subjects do not have an enforceable right to compliance with these principles. Although Article 77(1) GDPR is not based on a violation of rights, but on a violation of data processing against the GDPR, the Court held that this does not mean that the principles in Article 5 GDPR cannot be included in a complaint under Article 77 GDPR if it concerns the processing of the data subject’s personal data. The CJEU in case C-579/21 also stated that the “review of lawfulness with regard to compliance with the requirements of Art. 5 and 6 GDPR (as a result of the provision of information) on the part of the data subject requires that any (alleged) unlawfulness can be asserted by way of a complaint under Art. 77 GDPR.” Both the CJEU Schrems cases were also based on a complaint by a data subject to a DPA in which no violation of rights under the Data Protection Directive was asserted, but rather a violation of the fundamental provision of Article 25 of the Data Protection Directive. Therefore, the Court concluded that it is permissible to base a data protection complaint solely on Article 5 GDPR under Article 77 GDPR.

Regarding the information obligation under Article 14 GDPR, the Court reaffirmed that the controller is exempted from this obligation if the data subject already has the information (Article 14(5)(a) GDPR). However, such an exception to an information obligation can only refer to the time at which the information obligation would have had to be fulfilled and cannot be remedied by a subsequent request of the data subject under Article 15 GDPR. The data subject only received information regarding the disclosure of their personal data to a third party after an access request and not earlier. The Court cannot assume that the information to the data subject would have otherwise been given by the controller.

The Court then examined whether the Federal Administrative Court was right to assume a violation of Article 14(1)(e) GDPR. The Court held that the duty to provide information under Article 14 GDPR requires active action by the controller without a prior request from the data subject. However, the Court stated that it is disputed whether the provision of a privacy policy on a website is sufficient to fulfil this duty. The Court took into account the CJEU case C-201/14 in which the CJEU stressed that the obligation to provide information is a prerequisite for the data subject affected by the processing to exercise their rights of access, rectification or erasure. In this case, the controller did not collect the personal data from the data subject, and therefore, the data subject might not be aware of the processing of their personal data by the controller. The Court stated that it therefore cannot be guaranteed that the data subject will access the controller’s privacy policy on a website. Thus, the Court held that Article 14(1) GDPR cannot be understood to mean that the availability of the information specified on a website without active, explicit notification of the data subject is sufficient even if the data subject was not aware of the fact of data processing by the controller. Therefore, the Court upheld the Federal Administrative Court’s decision that the controller violated Article 14(1)(e) GDPR.

Regarding the dismissal of the complaint by the Federal Administrative Court and the DPA on the violation of the right to confidentiality, the Court stated that this was wrong and that the DPA and the Federal Administrative Court should have examined whether there was a violation of the right to confidentiality.

The Court therefore ruled that the Federal Administrative Court’s decision should be annulled regarding the points on the violation of Article 15(1)(d) GDPR and the dismissal of the complaint on the violation of the right to confidentiality, due to the unlawfulness of the content. The Court dismissed the appeal of the DPA and the controller that there was no violation of Article 14(1)(e) GDPR and that data protection complaint could not be solely based on Article 5 GDPR under Article 77 GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

Ro 2021/04/0030-4 to
0031-5
March 6, 2024

IN THE NAME OF THE REPUBLIC!

The Administrative Court, through the Chairman, Senate President

Dr. Kleiser, Hofrat Dr. Mayr, Hofratin Mag. Hainz-Sator and the Hofraten
Dr. Pürgy and Mag. Brandl as judges, with the participation of the secretary

Mag. Vonier, on the appeals 1. of the Data Protection Authority (recorded in

Ro 2021/04/0030) and 2. of C GmbH in W, represented by

Baker McKenzie Rechtsanwälte LLP & Co KG in 1010 Vienna, Schottenring 25

(recorded in Ro 2021/04/0031), against the decision of the

Federal Administrative Court of August 9, 2021, W211 2222613-2/11E,

concerning a data protection matter (authority concerned [in the

proceedings recorded in Ro 2021/04/0031]: Data Protection Authority;

parties involved: 1. Dipl.-Ing. F F in M, 2. [in the proceedings recorded in Ro 2021/04/0030
recorded proceedings] C GmbH in W, again represented by

Baker McKenzie Rechtsanwälte LLP & Co KG; other party:

Federal Minister of Justice), rightly ruled:

The ruling points A)I.1. and A)I.2. of the contested decision are

repealed due to the appeal by the second appeal applicant due to the illegality of the

content.

Ruling point A)III.2. of the contested decision is

repealed due to the appeal by the first appeal applicant due to the illegality of the

content.

In all other respects, thus with regard to ruling points A)II. and A)III.1. of the

contested decision, the appeals are dismissed as unfounded.

The request of the (first) co-participant in the appeal response to decide on the matter itself with regard to ruling point A)II. of the contested decision is rejected.

The federal government must reimburse the second appeal applicant for expenses in the amount of

€ 1,346.40 within two weeks, otherwise execution will take place.

Administrative Court
Judenplatz 11, 1010 Vienna
www.vwgh.gv.at Ro 2021/04/0030-4 to

0031-5

March 6, 2024

2 of 40

Reasons for the decision:

I.

1 1. The (first) co-participant (hereinafter co-participant) requested C GmbH

(operator of an identity and creditworthiness database, hereinafter

second appeal applicant) by letter dated December 28, 2018 for more detailed

information regarding the personal data processed about him by the second appeal applicant. The second appeal applicant

then provided certain information in a letter dated December 31, 2018.

Among other things, it was stated that a specifically named

company (E AG) had made an inquiry into the identity and

creditworthiness of the co-participant on November 8, 2018.

2 In a letter dated January 16, 2019, the co-participant filed a data protection complaint with the

Data Protection Authority (DSB, authority concerned, first appeal applicant) based on

Article 77 of the General Data Protection Regulation (GDPR) and Section 24 of the Data Protection Act

(DSG). In it, he complained that the information provided by the second appeal party was inadequate with regard to certain aspects (origin of the data, storage period, processing purposes, missing copy), which violated his right to information under Art. 15 GDPR, and that the second appeal party had violated the principles of data minimization (Art. 5 Para. 1 lit. c GDPR) and confidentiality (Art. 5 Para. 1 lit. f GDPR) as well as (with regard to the transmission of his data to a third party) the obligation to provide information under Art. 14 GDPR. 3 In a letter dated 18 March 2019, the second appeal party responded to this data protection complaint at the request of the DSB and supplemented the information provided with regard to individual points (in particular regarding the origin of the data and the storage period). In a letter dated March 19, 2019, submitted in response to the alleged violations of the principles of data minimization and confidentiality, the co-participant stated that he was also basing his data protection complaint on Section 1, Paragraph 1 of the Data Protection Act and the right to confidentiality. Administrative Court

Judenplatz 11, 1010 Vienna

www.vwgh.gv.at Ro 2021/04/0030-4 to

0031-5

March 6, 2024

3 of 40

4 2. By decision of September 11, 2019, the authority concerned rejected the

data protection complaint “due to a violation of the right to information”

(judgment point 1.) and “due to a violation of the information obligations

pursuant to Art. 14 GDPR” (judgment point 2.) and “due to a violation of the right

to confidentiality due to a violation of the

data minimization obligation and due to a violation of the

data backup obligations” (judgment point 3.).

5 The authority concerned stated the following in summary: The information provided by the applicant for the second appeal was sufficient in view of the supplementary statement of 18 March 2019. In order to fulfil the information obligation, it is sufficient if the information is publicly accessible (e.g. on a website). The appeal to Section 1 Paragraph 1 of the Data Protection Act (made for the first time in the statement of 19 March 2019) or the resulting assertion of a violation of the right to confidentiality represents an inadmissible material change to the matter (with regard to Section 13 Paragraph 8 of the General Data Protection Regulations), which is why the data protection complaint should be rejected in this respect. 6 3. With the contested (partial) ruling of August 9, 2021, the

Federal Administrative Court (BVwG) ruled on the appeal filed by the co-participant as follows:

"A) I.

1. The appeal against point 1 is partially upheld and

it is determined that the co-participating party violated the complainant's

right to information by providing insufficient

information within the meaning of Art. 15 (1) lit. d GDPR regarding the

planned duration for which the personal data will be stored,

or the criteria for determining this duration.

2. The co-participating party is ordered to provide the information regarding the

storage period in accordance with Art. 15 GDPR within a period of

two weeks, otherwise execution will result.

3. The appeal against point 1 is dismissed with regard to the

points of complaint concerning the provision of information about the origin

of the data and the purposes of processing.

Administrative Court

Judenplatz 11, 1010 Vienna

www.vwgh.gv.at Ro 2021/04/0030-4 to

0031-5

March 6, 2024

4 of 40

II. The appeal against ruling point 2 is upheld and it is determined that

the party involved has violated its obligation to provide information under Art. 14

Paragraph 1 lit. e GDPR.

III.

1. The appeal against ruling point 3 is upheld with regard to the

alleged violations of the data minimization obligation under

Art. 5 GDPR and the data backup obligations under Art. 25 GDPR

and the contested decision in this regard is

removed without replacement. 2. The appeal against point 3 is dismissed with regard to the

rejection of the data protection complaint due to an alleged

violation of the right to confidentiality."

The appeal was declared admissible pursuant to Art. 133 Para. 4 B-VG.

7 The BVwG first pointed out that with regard to the question of

providing a copy of the personal data pursuant to

Art. 15 Para. 3 GDPR, a

request for a preliminary ruling had been made to the Court of Justice of the European Union

(ECJ [recorded there under C-487/21]) by decision (also) of August 9, 2021, which is why this

question is not the subject of the present partial decision.

8 The Federal Administrative Court presented the main content of the letters of the second appeal applicant dated 31 December 2018 and 18 March 2019 and found that the second appeal applicant had not informed the co-participant about the disclosure of his personal data to E AG. 9 In its legal assessment, the Federal Administrative Court stated (with further justification) that the information provided by the second appeal applicant on the origin of the data pursuant to Art. 15 (1)(g) and on the purposes of processing pursuant to Art. 15 (1)(a) GDPR was sufficient. However, the Federal Administrative Court considered the information on the storage period and the criteria for determining this period pursuant to Art. 15 (1)(d) GDPR to be incomplete and therefore unlawful; it was insufficient to explain to the person concerned that their data would be stored for as long as necessary for the legitimate purposes. In the present case, the co-participant was unable to estimate how long his data would be stored based on the information provided by the second appeal applicant (who stated that the data would be stored as long as the content was correct, there was no legal reason for deletion and the storage fulfilled the purpose of the processing).10 Regarding the obligation to provide information under Article 14 of the GDPR, the BVwG (with reference to the case law of the ECJ cited in more detail) stated that a distinction must be made between the obligation to provide information and the right to information, whereby the "data processor" must "actively create transparency" with regard to the obligation to provide information. Contrary to the view of the second appeal applicant, the obligation to provide information is not directed at the company that carries out the database query (E AG), but at the controller (the second appeal applicant). Recital 58 of the GDPR, which the authority concerned cited as justification, does not mean that simply "making the data available online" is sufficient in the present case (in which there is typically no online contact between the data subject and the controller), because the data subject has no idea at all that their data has been collected by third parties. Therefore, the second appeal applicant should have informed the co-participant of the disclosure to a recipient at the latest at the time of the first query (on November 8, 2018). 11 Regarding the (partial) rejection of the data protection complaint by the authority concerned in point 3 of the contested decision, the BVwG initially stated that the subject of the appeal proceedings was only the legality of the rejection. In his data protection complaint of January 16, 2019, the co-participant had requested a declaration that his "right to respect for private and family life in accordance with Section 1, Paragraph 1 of the Data Protection Act" had been violated, but he had not made any further comments on this. In view of its content, it could have been assumed that the data protection complaint, based on its objective explanatory value, was only aimed at asserting violations of the duty to provide information and the duty to minimise data and to secure data. The rejection of the data protection complaint was therefore justified with regard to the violation of the right to confidentiality. The situation is different with regard to the alleged violations of the duty to minimise data and the data security obligations, with regard to which there can be no talk of an inadmissible change to the "essence" of the data protection complaint. In this regard, the BVwG also pointed out that

Article 77 GDPR stipulates an independent right to complain, which is not

linked to formal or substantive requirements. The rejection of the

data protection complaint was therefore wrong on this point and

therefore had to be remedied.

12 The BVwG justified the admission of the appeal with the lack of

case law of the Administrative Court on the interpretation of

Articles 5, 14 and 15 (1) GDPR.

13 4. The

authority concerned filed an official appeal against points A)II. and A)III. of this decision, recorded in Ro 2021/04/0030. The first appealer raises the admissibility of point A)II. that it is a fundamental legal question whether Article 14 (1) (e) GDPR should be interpreted as meaning that a data subject must be proactively informed by the controller every time data is transferred to a third party or whether "generic information" about recipients or categories of recipients is sufficient. With regard to point A)III., the first appeal appellant assumes that the BVwG wrongly (in deviation from the case law of the Administrative Court) separately agreed on the uniform, non-divisible point 3. of the DSB's decision and thus indirectly decided on an argument that was not an independent subject of the main proceedings. 14 The appeal of the second appeal appellant, recorded in Ro 2021/04/0031, is directed against points A)I.1., A)I.2., A)II. and A)III.1. In the admissibility argument, it is argued on the one hand that there is no scope for a declaratory decision at all; on the other hand, there is no case law of the Administrative Court on the question of when the specification of a specific storage period within the meaning of Art. 15 Administrative Court Judenplatz 11, 1010 Vienna www.vwgh.gv.at Ro 2021/04/0030-4 to 0031-5 March 6, 2024 7 of 40 Paragraph 1 Letter d GDPR is "not possible" or in what "level of detail" the criteria for determining this period must be specified. In its judgment point A) II., the Federal Administrative Court wrongly assumed (in deviation from the case law of the Administrative Court) that there is a right to establish violations of law in the past. In addition, the publication of a data protection declaration on the Internet in the sense of Article 14 GDPR is to be regarded as sufficient. With regard to point A)III., the second appeal appellant refers to the unresolved question (which in her opinion should be answered in the negative) of whether a data subject can make the violation of objective obligations of the controller (here according to Article 5 GDPR) the subject of a complaint procedure. 15 The co-participant submitted a response to both appeals in which he requested that the appeal be dismissed with regard to points A)I.1., A)I.2. and A)III. and that with regard to point A)II., a decision be made on the matter itself and that it be established that the second appeal appellant had violated its information obligations under Article 14 (1) and (2) GDPR by not informing the co-participant accordingly within a month. In the event, it is requested that the appeals be dismissed in their entirety as unfounded. Furthermore, the suggestion is made to suspend the appeal proceedings until the ECJ has made its decision in the case C-552/21 or - if the Administrative Court does not share the co-participant's opinion in this regard - to refer more precisely formulated questions to the ECJ for a preliminary ruling on the one hand on the relationship between Section 24 DSG and Article 77 GDPR and on the other hand on the interpretation of Article 14 GDPR. 16 The DSB submitted a response to the appeal by the second appeal applicant, in which it requests that the appeal be dismissed on the specified points and that it be granted in all other respects. Administrative Court
Judenplatz 11, 1010 Vienna
www.vwgh.gv.at Ro 2021/04/0030-4 to
0031-5
6 March 2024
8 of 40
II.
The Administrative Court has considered:
1. Admissibility
17 The appeals prove to be admissible in view of the statements made in paragraphs 13 and 14.
2. Preliminary remarks
18 The following should be noted in advance regarding individual statements made by the co-participant and the first appeal applicant
in their respective responses to the appeal:
19 In his primary application (made in both responses to the appeal), the co-participant requests a
substantive decision by the Administrative Court with regard to point A)II. Since a decision of the Administrative Court based on

Section 42 para. 4 VwGG presupposes in the matter itself the illegality of the contested decision

(cf. VwGH 17.12.2014, Ro 2014/03/0066, point V.1., mwN) and

the position as a co-participant requires legally protected interests that contradict

the interests of the appellant (cf. for example VwGH 4.7.2016, Ra 2016/04/0014, margin no. 40, mwN), an application for a substantive decision in an appeal response (which makes the illegality of the

contested decision necessary) is not possible. The co-participant's application in this regard is therefore inadmissible for this reason alone.

Based on this, there is also no need to address the related argument of the co-participant, according to which the finding of the BVwG in point A)II of the contested decision does not go "far enough". 20 With regard to the co-participant's request to suspend the appeal proceedings until the ECJ's decision in the case recorded in C-552/21, it is sufficient to point out that in the meantime, by order of the President of the ECJ of 25 January 2022, following withdrawal of the request for a preliminary ruling, this case has been removed from the ECJ's register.

Administrative Court

Judenplatz 11, 1010 Vienna

www.vwgh.gv.at Ro 2021/04/0030-4 to

0031-5

6 March 2024

9 of 40

21 To the extent that the authority concerned suggests in its official appeal that its statements

in a response to the appeal, which was submitted in another, more precisely specified procedure, should also be taken into account in the present appeal procedure, and the co-participant requests in his response to the appeal (as a

reaction to this) that the authority concerned be instructed to send him the arguments put forward in this response to the appeal for comment, it should be noted that the appeal must contain the reasons on which the

allegation of illegality is based and that references to

other written submissions do not meet this requirement, which is why they

do not need to be addressed (cf. e.g. VwGH 29.6.2017, Ra 2016/04/0068 to 0077,

para. 32, mwN). Based on this, there is also no need to respond to the

application presented by the co-participant.

22 Insofar as the authority concerned finally stated in its response to the appeal that

the appeal of the second appeal applicant had been rejected “in its point 4.2., 4.6.,

5.1.1. and 5.3.", it should be noted that a partial rejection of an appeal is possible with regard to separable points of the award (see - there on the separate examination of the admissibility of separable points of the award or awards - for example VwGH 27.6.2023, Ra 2020/04/0027, para. 13, mwN), but not - as requested here by the authority concerned - with regard to individual elements of the justification of an appeal. The application of the authority concerned in this regard therefore does not need to be discussed further. 3. Legal basis 23 3.1. The relevant provisions of the Data Protection Act (DSG),

Federal Law Gazette I No. 165/1999 in the version of Federal Law Gazette I No. 51/2012 (§ 1)

or Federal Law Gazette I No. 120/2017 (§ 24) read in extracts:

“Fundamental right to data protection

§ 1. (1) Everyone has the right to keep personal data concerning him or her confidential, in particular with regard to respect for his or her private and family life, insofar as there is a legitimate interest in doing so.

The existence of such an interest is excluded if data is not accessible to a confidentiality claim due to

its general availability or its lack of traceability

to the person concerned.

Administrative Court

Judenplatz 11, 1010 Vienna

www.vwgh.gv.at Ro 2021/04/0030-4 to

0031-5

March 6, 2024

10 of 40

[...]
Complaint to the Data Protection Authority

§ 24. (1) Any data subject has the right to complain to the
Data Protection Authority if they believe that the processing of personal data concerning them

violates the GDPR or § 1 or

Article 2, Chapter 1.

[...]

(2) The complaint must contain:

1. the designation of the right considered to have been violated,

[...]

5. the request to establish the alleged violation of law and

[...]

(5) If a complaint proves to be justified, it must be followed up.

If a violation is attributable to a controller in the private sector,
the controller must be instructed to comply with the complainant's requests for information,
correction, deletion, restriction or data transfer to the extent necessary to remedy the violation of law identified. If the complaint proves to be
unfounded, it must be rejected.

(6) A respondent may subsequently remedy the alleged violation of law until the conclusion of the proceedings before the
data protection authority by complying with the complainant's requests. If the
data protection authority considers the complaint to be irrelevant in this respect, it must hear the
complainant on the matter. At the same time, the complainant must be made aware
that the data protection authority will discontinue the proceedings informally
if the complainant does not justify within a reasonable period of time why he still considers the
originally alleged violation of law to have not been remedied, at least in part. If such a statement by the complainant changes the nature of the matter (Section 13 Paragraph 8 AVG), it is assumed that the original complaint has been withdrawn and a new complaint has been submitted at the same time. In this case too, the original complaint procedure must be discontinued informally and the complainant must be informed of this. Late statements are not to be taken into account. [...]" 24 3.2. The relevant recitals and provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 Administrative Court Judenplatz 11, 1010 Vienna www.vwgh.gv.at Ro 2021/04/0030-4 to 0031-5 March 6, 2024 11 of 40 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation [GDPR]) read in part: “[Recital] (39) [...] Natural persons should be able to be transparent about the collection, use, access or other processing of personal data concerning them and the extent to which the personal data are being processed and will be processed in the future. The principle of transparency requires that all

information and communications relating to the processing of such personal data are easily accessible and intelligible, using clear and plain language.

This principle concerns in particular information on the identity of the controller and the purposes of the processing and

other information ensuring fair and transparent processing with regard to the natural persons concerned, as well as their right to obtain confirmation and information as to which personal data concerning them are being processed. [...]

(58) The principle of transparency requires that information intended for the

public or the data subject is precise, easily accessible and intelligible, using clear and plain language,

and, where appropriate, visual elements. This

information could be provided in electronic form, for example on a website, if it is intended for the public.

This applies in particular to situations where the large number of parties involved and the complexity of the technology required make it difficult for the data subject to identify and understand whether, by whom and for what purpose personal data concerning him or her are being collected, such as in the case of advertising on the Internet. [...] [...] [...] (60) The principles of fair and transparent processing require that the data subject be informed of the existence of the processing operation and its purposes. The controller should provide the data subject with all other information that is necessary to ensure fair and transparent processing, taking into account the specific circumstances and conditions under which the personal data are processed. [...]

[...]

(63) A data subject should have a right of access to the personal data concerning him or her that have been collected and should be able to exercise this right easily and at reasonable intervals in order to be aware of the processing and to be able to verify its lawfulness. [...] Every data subject should therefore have the right to know and be informed, in particular, of the purposes for which the personal data are processed and, where possible, the period for which they are stored, the recipients of the personal data, the logic underlying the automated processing of personal data and the possible consequences of such processing, at least in cases where the processing is based on profiling. [...]

[...]
Article 1

Subject matter and objectives
[...]

(2) This Regulation protects the fundamental rights and freedoms of natural
persons, and in particular their right to the protection of personal data.

[...]

Article 5
Principles for the processing of personal data

(1) Personal data must

a) be processed lawfully, fairly and in a transparent manner in relation to the

data subject

(‘lawfulness, fairness, transparency’);

[...]

c) be adequate, relevant and limited to what is necessary for the

purposes of the processing (‘data minimisation’);

[...]

f) be processed in a manner that ensures appropriate security of the

personal data, including protection against

unauthorised or unlawful processing and against accidental

loss, destruction or damage, using appropriate technical and organisational measures

(‘integrity and confidentiality’);

[...]

Administrative Court
Judenplatz 11, 1010 Vienna
www.vwgh.gv.at Ro 2021/04/0030-4 to
0031-5
March 6, 2024
13 of 40

Article 12
Transparent information, communication and modalities for the
exercise of the rights of the data subject

(1) The controller shall take appropriate measures to provide the data subject with all information pursuant to Articles 13 and 14 and all communications pursuant to Articles 15 to 22 and Article 34 relating to processing in a concise, transparent, intelligible and easily accessible form, using clear and plain language; this applies in particular to information specifically addressed to children. The information shall be provided in writing or in another form,
where appropriate, also electronically. If requested by the data subject, the information may be provided orally provided that the identity of the data subject has been proven by other means.

(2) The controller shall facilitate the exercise by the data subject of his or her rights under Articles 15 to 22. In the cases referred to in Article 11(2), the controller may refuse to act on the data subject's request to exercise his or her rights under Articles 15 to 22 only if the controller demonstrates that it is unable to identify the data subject.

(3) The controller shall provide the data subject with information on the action taken on the request pursuant to Articles 15 to 22 without undue delay and in any event within one month of receipt of the request. This period may be extended by a further two months if necessary taking into account the complexity and number of requests. The controller shall inform the data subject of any extension within one month of receipt of the request, together with the reasons for the delay. If the data subject makes the request electronically, the information shall be provided electronically, if possible, unless he or she indicates otherwise.

[...]

Article 14
Information obligation where the personal data were not collected from the data subject

(1) Where personal data were not collected from the data subject, the controller shall communicate to the data subject:

(a) the name and contact details of the controller and, where applicable, of his or her representative;

(b) in addition, the contact details of the data protection officer;

Administrative Court
Judenplatz 11, 1010 Vienna
www.vwgh.gv.at Ro 2021/04/0030-4 to
0031-5
March 6, 2024
14 of 40
c) the purposes for which the personal data are to be processed and the legal basis for the processing;
d) the categories of personal data being processed;
e) where applicable, the recipients or categories of recipients of the
personal data;
[...]
(2) In addition to the information referred to in paragraph 1, the controller shall provide the data subject with the following information, which is
necessary to ensure fair and transparent processing for the data subject:
a) the period for which the personal data will be stored or,
if that is not possible, the criteria used to determine that period;
(b) where the processing is based on point (f) of Article 6(1), the

legitimate interests pursued by the controller or by a third party;

c) the existence of a right to obtain from the controller information about

the personal data concerned, as well as to rectification or erasure or restriction of processing, and a

right to object to processing, as well as the right to

data portability;

[...]

f) the source of the personal data and, where applicable, whether they come from publicly accessible sources;

[...]

(3) The controller shall provide the information referred to in paragraphs 1 and 2:

(a) taking into account the specific circumstances of the processing of the

personal data, within a reasonable period of time after

obtaining the personal data, but no later than one month,

[...]

(c) if disclosure to another recipient is intended,

at the time of the first disclosure at the latest.

[...]

(5) Paragraphs 1 to 4 shall not apply if and to the extent that

a) the data subject already has the information,

Administrative Court

Judenplatz 11, 1010 Vienna

www.vwgh.gv.at Ro 2021/04/0030-4 to

0031-5

March 6, 2024

15 of 40

b) providing this information proves impossible or would involve

disproportionate effort; [...]

[...]

Article 15
Right of information of the data subject

(1) The data subject shall have the right to obtain from the controller

confirmation as to whether personal data concerning him or her

are being processed; where this is the case, he or she shall have the right to information about

those personal data and to the following information:

a) the purposes of the processing;

b) the categories of personal data being processed;

(c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; (d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; [...] (g) where the personal data are not collected from the data subject, all available information on their origin; [...] Article 25 Data protection by design and by default (1) Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons posed by the processing, the controller shall implement appropriate technical and organisational measures, such as safeguards, both at the time of determining the means of processing and at the time of the processing itself. B. Pseudonymisation - designed to effectively implement the data protection principles, such as data minimisation, and to incorporate the necessary safeguards into the processing in order to meet the requirements of this Regulation and to protect the rights of the data subjects. [...] Article 58 Powers [...] (2) Each supervisory authority shall have all of the following remedial powers, allowing it to: [...] (6) Each Member State may provide by law that its supervisory authority shall have additional powers in addition to those listed in paragraphs 1, 2 and 3. The exercise of these powers shall not jeopardise the effective implementation of Chapter VII.

[...]
Article 77

Right to lodge a complaint with a supervisory authority

(1) Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data concerning him or her infringes this Regulation.

[...]

Article 79
Right to an effective judicial remedy against controllers

or processors

(1) Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77, every data subject shall have the right to an effective judicial remedy if he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation.

[...]“

Administrative Court
Judenplatz 11, 1010 Vienna

www.vwgh.gv.at Ro 2021/04/0030-4 to

0031-5

March 6, 2024

17 of 40

4. Determination of the violation of the right to information

25 4.1. In its ruling point A)I.1., the BVwG found that the

second appeal applicant had violated the co-participant’s right to information (in the manner described in more detail).

26 The second appeal applicant argues that (according to the more closely cited case law of the Administrative Court) there is no room for a

determination notice if a performance notice is possible. In view of

the performance order issued in ruling point A)I.2., the

determination made in ruling point A)I.1. is therefore superfluous. Neither the DSB nor the BVwG therefore have the authority to issue a declaratory decision; this is clear from paragraphs 5 and 6 of Section 24 DSG, according to which - if the data protection complaint is not rejected or discontinued as a result of the subsequent elimination of the violation of law - the controller must be instructed to eliminate the violation of law. Finally, the determination is not mentioned in the remedial powers listed in Article 58 paragraph 2 GDPR. 27 In its response to the appeal, the DSB refers to the provisions of Section 24 paragraph 2 no. 5 and paragraph 5 DSG, from which it follows that there is authority to issue a declaratory decision. The co-participant also contradicts the second appeal applicant's opinion in this regard in its response to the appeal with more detailed reasons. 28 4.2. On the question of the right to a declaration of a violation (there) of the right to confidentiality, the Administrative Court has already stated, with reference to the provisions in Section 24 Paragraph 2 Item 5 and Paragraph 5 of the Data Protection Act, that the law explicitly provides for a declaration of a violation of data protection law as a legal remedy within the framework of the complaint. The

Administrative Court therefore has no doubt that the

Data Protection Authority has the jurisdiction to determine, on the basis of a complaint that proves to be

justified, that a complainant’s right to confidentiality of the personal data concerning him

Administrative Court

Judenplatz 11, 1010 Vienna

www.vwgh.gv.at Ro 2021/04/0030-4 to

0031-5

6 March 2024

18 of 40

has been violated (for all this, see VwGH 19.10.2022,

Ro 2022/04/0001, para. 21 f, with further references).

29 This case law is transferable to the determination of a violation of the right to information - especially since Section 24 Paragraph 2 Item 5 DSG does not differentiate between the

various rights of the data subject (see the result already VwGH 3.8.2023, Ro 2020/04/0015; 3.8.2023,

Ro 2020/04/0035). The Administrative Court does not see itself as being obliged to deviate from this case law on the basis of the

arguments of the second appeal applicant. Since the Administrative Court in the cited decision VwGH Ro 2022/04/0001 recognized an application for the issuance of a determination notice provided for in the law, the case law on the subsidiarity of determination notices cited by the second appeal appellant is not relevant to the present case because it refers to determination notices not expressly provided for in the law (cf. VwGH 24.04.2018, Ra 2017/05/0215, para. 29). Insofar as the second appeal appellant refers to the list of remedial powers in Art. 58 Para. 2 GDPR, it is sufficient to point out that the Member States can provide for additional powers under Art. 58 Para. 6 GDPR. 5. Information on the planned storage period 30 5.1. According to Article 15 paragraph 1 letter d of the GDPR, the data subject has the right to information about - if possible - the planned duration for which the personal data will be stored, or, if this is not possible, about the criteria for determining this duration. 31 In this regard, the BVwG refers to more detailed guidelines from the "Article 29 Data Protection Working Party", according to which the information provided to a data subject should enable them to assess how long the retention period is and it is insufficient to simply explain to the data subject that their data will be stored "for as long as necessary" for the legitimate purposes. Based on the information provided here by the second appeal applicant

Administrative Court

Judenplatz 11, 1010 Vienna

www.vwgh.gv.at Ro 2021/04/0030-4 to

0031-5

6 March 2024

19 of 40

it was not possible for the co-participant to estimate the

storage period.

32 The second appeal applicant argues that it processes data for the purpose of the

business of a credit agency and must therefore process the data as long as the co-participant can conclude contracts or participate in

economic life. As long as it is possible for potential

contractual partners to obtain information about his creditworthiness, it is also justified to process the data required for a creditworthiness assessment. The criterion of participation in economic life is sufficiently

precise, further specification of the information is neither possible nor

sensible. The information provided by her therefore meets the requirements of

Article 15(1)(d) GDPR.

33 The co-participant counters that the criterion of "participation in economic life" put forward by the second appeal appellant

expresses processing for the entire life of the data subject, which violates the principle of storage limitation.

34 5.2. With regard to this argument by the co-participant, it must first be noted that

the issue is not whether the processing of personal data complies with the principle of storage limitation in Article 5(1)(e) GDPR,

but (only) whether the information with regard to the storage period complies with the requirements of Article 15(1)(d) GDPR. The co-participant's argument regarding the principle of storage limitation therefore does not need to be addressed further.

35 5.3. Art. 15 (1) (d) GDPR only provides for a right to information about the

planned storage period if this is possible; if not, there is a

right to information about the criteria for determining this period.

Recital 63 of the GDPR also states that a right

to know how long the personal data will be stored

only exists if this is possible. The ECJ has also stated that the right to information under Article 15(1) GDPR includes a right to know “if possible how long they [the personal data] will be stored (cf. ECJ June 22, 2023, C-579/21, J.M., para. 56). 36 Furthermore, the ECJ has stated that Article 15(1) GDPR is intended to ensure transparency of the manner in which personal data is processed towards the data subject. The information provided in

Article 15(1) GDPR is intended to ensure that

the data subject is aware of the processing and can check its

legality. The right to information provided for in Article 15 GDPR must enable the data subject to check whether

the data concerning him or her is correct and whether it is being processed lawfully

and thus, if necessary, to exercise his or her rights to rectification, erasure and restriction of processing under Articles 16 to 18 GDPR, as well as his or her right to object to the processing of his or her personal data under Article 21 GDPR

or, in the event of damage, his or her right to lodge an appeal under Articles 79 and 82 GDPR (see again ECJ 22.6.2023,

C-579/21, paras. 53 and 56 to 58, with further references).

37 In the Guidelines for Transparency under Regulation 2016/679 of the Article 29 Data Protection Working Party (established pursuant to Article 29 of Directive 95/46/EC and now replaced by the EDPB), WP 260 rev.01, p. 49 (confirmed by the European Data Protection Board [EDPB] on 25 May 2018), it is stated in relation to the essentially comparable wording in Article 13(2)(a) and Article 14(2)(a) GDPR (information obligations of the controller when collecting data) that it is not sufficient to generally indicate that the personal data will be stored for as long as is necessary for the legitimate purposes of the processing; the information about the storage period should be formulated in such a way that the data subject has the opportunity to assess, based on his or her own situation, which storage period applies (see also Illibauer in Knyrim [ed.], DatKomm [2022] Art. 13, para. 44 ff; see also Dix in Simitis et al. [ed.], Datenschutzrecht [2019] Art. 15, para. 22, according to which - if it is not possible to specify specific storage periods - reference can be made to certain circumstances that are not yet known but on which the storage period depends). 38 5.4. In the present case, the second appeal appellant pointed out in its (supplementary)

statement of 18 March 2019 that the data will be stored

for as long as the co-participant participates in economic life by wishing to

contract with customers of the second appeal appellant; the

entrepreneurial function will be deleted when the entry in the commercial register

or in the "trade register" is deleted. Based on this, the

Administrative Court cannot agree with the opinion expressed in the contested decision that this description of the storage period is neither

precise nor understandable. Based on the storage period planned by the second appeal appellant, it is in any case

not possible for her to specify a specific end date or a more precise period of time. On the other hand, it can be assumed that the co-participant can estimate the

point in time at which he will end his entrepreneurial activity. It is also not apparent to the Administrative Court that the information provided on a case-by-case basis would not be sufficient for the person concerned (here the co-participant) to assess the admissibility of the data processing and, if necessary, to exercise their rights to deletion, to restriction of processing, to object to processing or to assert a claim for damages.

39 Whether this storage period envisaged by the second appeal applicant complies with the requirements of Art. 5 GDPR is - as must be pointed out again - not the subject of point A)I.

of the contested decision concerning the alleged violation of the right to information, but would have to be assessed in connection with an alleged violation of Art. 5 GDPR (see, however, the comments below in point II.6.2. in this regard).

Administrative Court

Judenplatz 11, 1010 Vienna

www.vwgh.gv.at Ro 2021/04/0030-4 to

0031-5

March 6, 2024

22 of 40

6. Assertion of objective violations of the principles of

Art. 5 GDPR in a complaint under Art. 77 GDPR

40 6.1. In point 3 of its decision, the authority concerned rejected the

data protection complaint of the co-participant “due to a violation of the right to

confidentiality due to a violation of the data minimization obligation

and due to a violation of the data backup obligation”.

41 The Federal Administrative Court rejected the appeal lodged by the co-participant in part (with regard to the alleged violation of the right to confidentiality) and partially upheld it (with regard to the alleged violations of the data minimization and data backup obligations) by removing the rejection without replacement. 42 The second appeal appellant argues that in a complaint procedure (according to Art. 77 GDPR or Section 24 DSG) violations of Art. 5 GDPR cannot be asserted. Although data subjects have the subjective rights provided for in Chapter III of the GDPR (“Rights of the data subject”), they have no enforceable right to compliance with the principles under Art. 5 GDPR. This is clear from the wording used there, according to which these are objective obligations of the controller, but do not give rise to any subjective claims of the data subject against the controller. In contrast, the (different) wording used in

Chapter III of the GDPR would grant subjective rights. The (related) rejection of the

data protection complaint by the DPO was therefore ultimately justified.

Finally, there are further comments on the fact that there is no

violation of Article 5 paragraph 1 letters c and f of the GDPR in this matter either.

43 In its response to the appeal, the authority concerned takes the view that, although there is no subjective right to specific

data security measures or to data minimization measures, it is possible that a data subject’s right to confidentiality could be violated due to inadequate

measures. If there is a subjective complaint, violations of objective obligations (imposed by the GDPR) could therefore also be asserted in the context of a complaint procedure under Art. 77 GDPR or Section 24 DSG. 44 The co-participant argues that Art. 77 GDPR contains an independent right of complaint (in addition to that under Section 24 DSG) and covers all violations of GDPR provisions. Contrary to the opinion of the authority concerned, the assertion of a right granted under Union law cannot depend on whether a regulation such as that in Section 1 Para. 1 DSG exists at the domestic level. In its judgment of 16 July 2020, C-311/18, para. 109, the ECJ expressed that a complaint can also be lodged in the event of violations of objective obligations. This also follows from Article 1 paragraph 2 of the GDPR, because compliance with the controller's objective obligations is essential for the protection of personal data referred to therein. The statements of the second appeal applicant on the different wordings in the GDPR must also be countered by the fact that there are also provisions outside of Chapter III of the GDPR that grant rights to the data subjects, while conversely some wordings in Articles 13 and 14 of the GDPR (which can be found in Chapter III of the GDPR) do not refer to the rights of the data subject, but to the obligations of the controller. Finally, the co-participant's response to the appeal contains statements that there was a violation of the principle of data minimization and the obligation to back up data. 45 6.2. First of all, the following should be said: The Administrative Court has already repeatedly stated that the only issue in the appeal proceedings before the Administrative Court in the event of an application being rejected by the authority concerned is the legality of this rejection (see, for example, VwGH 22.11.2022, Ra 2019/04/0003, para. 20, with further references). Based on this, the arguments of the second appeal applicant and the co-participant regarding the non-existence or the existence of violations of the principles of data minimization and data security do not need to be addressed in the case in question - given the method of settlement chosen by the authority concerned in its ruling point 3.46 6.3. Section 24 Para. 1 DSG provides for the right to lodge a complaint with the DPO if the data subject considers that the data processing violates the GDPR or Section 1 or Article 2, Chapter 1 DSG, whereby the complaint pursuant to Section 24 Para. 2 No. 1 DSG must contain the designation of the right deemed to have been violated. 47 Article 79 Para. 1 GDPR (on effective judicial remedies) stipulates that a data subject shall have the right to an effective judicial remedy, without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77 GDPR, if he or she considers that the rights to which he or she is entitled under this Regulation have been violated as a result of the processing of his or her personal data not complying with this Regulation. 48 In contrast, according to Article 77 GDPR, which is relevant here, every data subject has the right to lodge a complaint with a supervisory authority if he or she considers that the processing of personal data concerning him or her infringes this Regulation, without prejudice to any other administrative or judicial remedy. The ECJ has also already held that Article 77 GDPR is sufficiently clear, precise and unconditional and thus directly applicable (cf. ECJ 16.1.2024, C-33/22, Austrian Data Protection Authority, para. 62). 49 According to its wording, Article 77(1) GDPR does not refer to a violation of rights, but to a violation of the GDPR by the data processing. However, this does not contradict the assumption that violations

of the principles of Art. 5 Para. 1 GDPR (as in the case of the case under its

letters c and f) can be asserted in a complaint under Art. 77 GDPR

insofar as this violation concerns the processing of personal data concerning the

complainant (here the co-participant).

Administrative Court

Judenplatz 11, 1010 Vienna

www.vwgh.gv.at Ro 2021/04/0030-4 to

0031-5

6 March 2024

25 of 40

50 In its judgment of 22 June 2023, C-579/21, J.M., para. 62,

the ECJ stated that the information requested there by way of a request for information at the time of processing the data constitutes an aspect for verifying their legality, because at the time of processing the requirements set out in Articles 5 and 6 of the GDPR must be met. The review of legality referred to here

with regard to compliance with the requirements of Art. 5 and 6 GDPR (as

a result of the provision of information) by the data subject requires

however, to be able to assert any (alleged) illegality by means of a complaint

in accordance with Art. 77 GDPR. Finally, two ECJ proceedings in connection with the transfer of personal data to third countries (ECJ 6.10.2015, C-362/14, Schrems; ECJ 16.7.2020, C-311/18, Facebook Ireland and Schrems) were based on a complaint (requesting a prohibition on the transfer of personal data to the United States of America) by a data subject to a (then) supervisory authority (now a supervisory authority), in which no violation of rights under Directive 95/46 was claimed, but rather a violation of the basic provision of Article 25 of Directive 95/46. 51 From a Union law perspective, it is therefore permissible, against the background of the ECJ’s case law cited above, to base a data protection complaint under Art. 77 GDPR (solely) on Art. 5 GDPR (see also Jahnel, Commentary on the GDPR [2021] Art. 77, paras. 9 to 12; Schweiger in Knyrim [ed.], DatKomm [2022] Art. 77 para. 11; Tambou in Spiecker et al. [ed.], General Data Protection Regulation, Art. 77, para. 21; Bergt in Kühling/Buchner [ed.], GDPR [2020], Art. 77 para. 10). This understanding is also inherent at the domestic level in the provision of Section 24 (1) DSG, which states that data processing violates the GDPR or Section 1 DSG. 52 On the basis of these considerations, however, the Administrative Court is unable to agree with the view of the second appeal applicant that the authority concerned had already rightly rejected the co-participant’s data protection complaint due to a lack of admissible subject matter. In view of the legal opinion presented, the Administrative Court does not see itself compelled to comply with the suggestion of the co-participant to initiate a request for a preliminary ruling on Article 77 GDPR. 53 This does not mean - as should be pointed out in addition - that a data protection complaint alleging a violation of the GDPR cannot also be based on Section 1 Para. 1 DSG (in parallel or under one); however, this is not mandatory. It is also possible to rule on a data protection complaint based on the GDPR and Section 1 Para. 1 DSG under one and thus uniformly if a violation of (for example) Article 5 GDPR asserted by means of a complaint under Article 77 GDPR simultaneously represents a violation of the right to confidentiality under Section 1 Para. 1 DSG. Nevertheless, it should be noted that the scope of application of Section 1 (1) DSG does not coincide with the scope of application of the GDPR in every respect (see, for example, VwGH June 27, 2023, Ro 2020/04/0014, marginal no. 17 et seq., or - conversely - VwGH February 1, 2024, Ro 2021/04/0016, marginal no. 24 et seq.). A violation of the right to confidentiality does not therefore automatically constitute a violation of the GDPR in every case. Conversely, in the opinion of the Administrative Court, it is also not excluded that a violation of the GDPR asserted within the framework of Art. 77 GDPR does not constitute a violation of the right to confidentiality under Section 1 (1) DSG. 7. Matter of the complaint procedure regarding the (partial) rejection of the data protection complaint 54 7.1. In his data protection complaint (apart from the alleged violations of the right to information dealt with under points II.5. and II.9.), the co-participant has asserted a violation of the principle of data minimization pursuant to Art. 5 Para. 1 lit. c GDPR (as a result of the storage of incorrect, no longer existing places of residence) as well as a violation of confidentiality and data security pursuant to Art. 5 Para. 1 lit. f GDPR (as a result of insufficiently encrypted transmission of personal data). In addition to the determination of violations of the above-mentioned provisions of the GDPR, a determination was also requested that the co-participant's right to respect for his private and family life and that his right to confidentiality of his personal data pursuant to Section 1 Para. 1 DSG had been violated. In his supplementary letter dated March 19, 2019, the co-participant confirmed that the data protection complaint - in addition to an assertion of violations of Art. 5 GDPR - also relates to Section 1 Para. 1 DSG. It cannot therefore be inferred from the co-participant's data protection complaint that a uniform, joint ruling was necessarily requested regarding the alleged violations pursuant to Art. 5 GDPR on the one hand and Section 1 Para. 1 DSG on the other. 55 In point 3 of its decision, the authority concerned, however, assumed that the data protection complaint referred to a “violation of the right to confidentiality due to a violation of the data minimization obligation [Article 5(1)(c) GDPR] and due to a violation of the data backup obligation [Article 5(1)(f) GDPR].” 56 In contrast, the Federal Administrative Court assumed that the data protection complaint had asserted (at least) two separable violations or infringements, on the one hand - and only in this respect was the data protection complaint rightly rejected due to a lack of further details - concerning the right to confidentiality and on the other hand - in this respect the rejection of the data protection complaint had to be remedied - concerning violations of the data minimization and data backup obligations.

57 According to the opinion of the first appeal applicant (represented in her appeal), the Federal Administrative Court had wrongly ruled separately on the uniform, non-division-allowing point 3 of the DSB decision and

Administrative Court

Judenplatz 11, 1010 Vienna

www.vwgh.gv.at Ro 2021/04/0030-4 to

0031-5

6 March 2024

28 of 40

thus decided on a matter that was not the subject of the

original proceedings.

58 7.2. The following must be countered to this argument by the applicant for the official appeal:

59 As explained above, there is no legal requirement to rule on a data protection complaint in a uniform and inseparable manner, which alleges both a violation of Section 1 Para. 1 DSG

and violations of Article 5 Para. 1 GDPR.

60 Therefore, the fact that the authority concerned viewed these parts of the data protection complaint as a uniform - in the sense of inseparable -

subject matter of the application cannot change the fact that the matter of the appeal procedure before the Federal Administrative Court in this regard was the rejection of a data protection complaint that contained a number of - separable -

requests. The Federal Administrative Court was therefore limited in its decision-making power in that it was not allowed to decide on the merits of the applications rejected by the authority concerned (which it did not do anyway). However, it was not prevented from making an independent, possibly divergent, decision on the (several) separable requests rejected by the authority concerned.

61 The partial rejection and partial granting of the appeal by the co-participant against point 3 of the DSB’s decision therefore raises no concerns in principle under the aspect of the matter of the appeal proceedings raised by the authority concerned in its official appeal.

8. Admissibility of the (partial) rejection of the data protection appeal

62 8.1. As already stated, the authority concerned has (partially) rejected the data protection complaint of the co-participant in point 3 of its decision on the grounds that there was an inadmissible, significant change in the matter (within the meaning of Section 13 (8) AVG). 63 The Federal Administrative Court rejected the appeal lodged by the co-participant

with regard to the alleged violation of the right to confidentiality, in this respect confirming point 3 of the DSB’s decision and

thereby denying the right to a substantive decision (with regard to the alleged violations of the data minimization and data backup obligations, point 3 of the decision was, however,

remedied without replacement because there had been no impermissible change to the nature of the data protection complaint). The Federal Administrative Court justified the confirmation of the rejection of the data protection complaint in this regard by stating that, in view of the content of the data protection complaint, it could be assumed that, based on its objective explanatory value,

it was only aimed at asserting violations of the duty to provide information and the duty to minimise data and to backup data, which is why the rejection of the data protection complaint

with regard to the violation of the right to confidentiality was justified.

64 8.2. The Administrative Court is unable to agree with the reasoning used by the Federal Administrative Court for the partial rejection of the data protection complaint of the co-participant for the following reasons: 65 If the data protection complaint of the co-participant had actually been interpreted - as the Federal Administrative Court states - in such a way that a violation of the right to confidentiality pursuant to Section 1 Paragraph 1 of the Data Protection Act had not been asserted at all (but see the contrary above in Section II.7.1.), then the rejection of the relevant data protection complaint would have had to be remedied without replacement (and not confirmed) due to the lack of an application to this effect. The reasoning of the Federal Administrative Court for confirming the rejection of the data protection complaint regarding a violation of the right to confidentiality therefore proves to be incomprehensible to the Administrative Court. Administrative Court

Judenplatz 11, 1010 Vienna

www.vwgh.gv.at Ro 2021/04/0030-4 to

0031-5

6 March 2024

30 of 40

66 The argument put forward by the DSB in its decision of 11 September 2019 of the inadmissible material amendment of the application within the meaning of

Section 13 Paragraph 8 AVG is - as should be pointed out for the sake of completeness - no longer upheld by the DSB in its appeal, but rather

it is stated that "the rejection according to point 3 of the original decision was wrong".

67 Based on this, the (by the BVwG in point A)III.2. of the contested finding) rejected the co-participant's data protection complaint regarding the violation of the right to confidentiality as unlawful. 9. Violation of the obligation to provide information pursuant to Art. 14 GDPR 68 9.1. The authority concerned justified the rejection of the co-participant's data protection complaint regarding the alleged violation of the right to information pursuant to Art. 14 GDPR by stating that the controller (second appeal applicant) did not have to actively approach the data subject, but that it was sufficient if the information required pursuant to Art. 14 GDPR was publicly accessible - as was the case here. 69 In contrast, the Federal Administrative Court assumed that the controller had to "actively create transparency" on its own initiative with regard to the obligation to provide information. Simply "putting" the data online is not sufficient if - as is the case here - the person concerned has no idea that their data has been collected from third parties. 70 In her appeal, the second appeal appellant argues that the person concerned's right to complain does not extend to violations that occurred in the past; only violations that are currently ongoing can be the subject of a complaint procedure. The co-participant received the requested information in a letter dated December 31, 2018, and his legal protection objective has therefore been fully achieved. There is no evidence that the DSG is intended to deviate from the relevant case law of the Administrative Court (issued on the DSG 2000). Finally, Art. 77 GDPR also supports this view because this provision is written in the present tense. In addition, according to Art. 14 Para. 5 lit. a GDPR, paragraphs 1 to 4 of Art. 14 GDPR do not apply if the data subject already has the information. On the other hand - the second appeal applicant continues - the publication of a data protection declaration on the Internet within the meaning of Art. 14 GDPR is to be regarded as sufficient. The second appeal party thus provides the public with information about the potential recipients to whom the personal data of the data subjects is transmitted. The information can be provided via the controller's website if the information to be provided is of a general nature and is the same for all data subjects. Actively notifying each data subject about each transmission of their personal data would be practically impossible due to the large number of credit checks, especially since the second appeal party only processes postal and not electronic contact data.71 In its appeal, the authority concerned first points out that the obligation to provide information under Article 14 GDPR is closely linked to the processing principle of transparency under Article 5(1)(a) GDPR and that the principle of transparency is specified in more detail with regard to the modalities in Article 12 GDPR. Recital 58 of the GDPR states that information under Article 14 GDPR can be provided in electronic form, for example on a website, if it is intended for the public. Transparency is a necessary prerequisite for the exercise of the other rights of the data subject. While information under Article 15 GDPR must be provided at the request of a specific person, information under Article 14 GDPR is addressed to an indeterminate group of recipients and must therefore be provided in a general manner, not tailored to an individual data subject. If - as the BVwG believes - the

responsible party had to inform the other party at the latest at the time of the first

disclosure (here on November 8, 2018) in accordance with Art. 14 Para. 1 lit. e

Administrative Court
Judenplatz 11, 1010 Vienna

www.vwgh.gv.at Ro 2021/04/0030-4 to

0031-5

March 6, 2024

32 of 40

in conjunction with Para. 3 lit. c GDPR, this would lead the right to information (with regard to the recipients) standardized in Art. 15

Para. 1 lit. c GDPR

"ad absurdum". Therefore, the obligation to provide information is sufficiently fulfilled by the information made public by the

second appeal applicant on its website.

Even if the opposite view were taken, there would no longer have been any complaint at the time of the decision - in view of the disclosure of the information in the letter dated 31 December 2018. A right to a subsequent determination that certain information had only been provided late cannot be derived from the GDPR. This is consistent with the provision of Article 14 (5) GDPR, according to which there is no obligation to provide information if the data subject has the relevant information. A possible violation of the right to confidentiality because the information was provided too late was not asserted in this case. 72 The co-participant argues in this regard that Article 14 (3) GDPR requires information to be provided within one month of the data being collected. Information in accordance with Article 14 GDPR must be actively provided by the controller; making it available on a website is not sufficient in cases where the data subject does not know that his or her data is being processed. If a data subject did not have to be actively informed by the controller, they would have to constantly search the Internet for possible controllers in order to submit a request for information to them. A data protection declaration that can be accessed online can only be used to fulfill the obligation to provide information under Art. 14 GDPR if the data subject had previously been proactively informed that their data was being processed. There is also no exception to the obligation to provide information under Art. 14 (5) GDPR. Finally, the co-participant suggests that a request for a preliminary ruling on the interpretation of Art. 14 GDPR should be made to the ECJ if the Administrative Court has doubts about the opinion held by the co-participant. Administrative Court
Judenplatz 11, 1010 Vienna
www.vwgh.gv.at Ro 2021/04/0030-4 to
0031-5
March 6, 2024
33 of 40
73 9.2. Section II of Chapter III of the GDPR (beginning with Article 13)
contains provisions regarding the obligation to provide information and the right to information. Article 14 of the GDPR provides in paragraph 1 that the controller, if the personal data are not collected from the data subject, shall provide the data subject with the listed information; according to the relevant letter e, this includes “where applicable, the recipients or categories of recipients of the personal data”. According to Art. 14 (3) (a) and (c) GDPR, this information must be provided

within a reasonable period of time after obtaining the personal

data, but no later than one month, or - if disclosure

to another recipient is intended - at the latest at the time of the first disclosure. Art. 14 (5) GDPR contains exceptions to

these obligations. Art. 12 (1) GDPR, in turn, generally provides

that information pursuant to (among others) Art. 14 GDPR must be provided in a precise, transparent,

intelligible and easily accessible form, in clear and plain

language, with the information being provided

in writing or in another form, including electronically where appropriate.

74 Recital 58 of the GDPR states that the information can be provided in

electronic form, for example on a website, if it is intended for the public. According to

Recital 60 of the GDPR, the principles of fair and

transparent processing require that the data subject be informed of the

existence of the processing operation and its purposes. The

controller should provide the data subject with all further information

that is necessary to ensure fair and transparent processing, taking into account the

specific circumstances and conditions under which the personal data are processed.

75 9.3. As a first step, the argument of the parties seeking an appeal

that the subsequent determination of a past, no longer valid violation of law (including

in the scope of Art. 14 GDPR) is not provided for.

Administrative Court

Judenplatz 11, 1010 Vienna

www.vwgh.gv.at Ro 2021/04/0030-4 to

0031-5

6 March 2024

34 of 40

76 The Administrative Court has (in connection with the rights to

information, correction or deletion on the one hand and to confidentiality

on the other) stated on this issue in its decision VwGH 19.10.2022,

Ro 2022/04/0001, para. 25 ff,

"[...] that according to the regulation of Section 24 Para. 5 DSG, a distinction must be made between the right

to confidentiality on the one hand and the rights to information, correction and

deletion on the other. According to Section 24 Paragraph 5, second sentence of the Data Protection Act, a person responsible in the private sector must be instructed to comply with the complainant's requests for information, correction, deletion, restriction or data transfer to the extent necessary to eliminate the violation of law identified. However, eliminating the violation of law or an order to do so to the person responsible is not addressed in connection with the right to confidentiality. 26 The rights to information, correction or deletion - unlike the right to confidentiality pursuant to Section 1 Paragraph 1 of the Data Protection Act - each create a claim to a specific service (see VfGH 26.6.1991, B 811/89). If one of these services is the subject of the complainant's request, the request can be complied with and the service in question can be carried out or arranged. Section 24 (6) DSG accordingly provides that a respondent can subsequently remedy the alleged violation of law until the conclusion of the proceedings before the data protection authority by complying with the complainant's requests. 27 In connection with the violation of the right to confidentiality, however, the question of remedying the violation of law must be assessed differently. [...] The right to confidentiality does not embody a right to a specific service and the assertion of a violation of the right to confidentiality is not aimed at an action by the controller. A violation that has occurred through inadmissible investigation cannot be remedied retroactively by an action (in this case, the deletion of the data in question) and thus differs from the rights guaranteed by data protection law, which can be complied with by a specific service.
[...]

29 Referring to this ruling, the Administrative Court in the
hg. ruling VwGH 28.3.2006, 2004/06/0125, denied the admissibility of issuing
assessment notices on violations of the relevant right to notification of the requested

Administrative Court
Judenplatz 11, 1010 Vienna

www.vwgh.gv.at Ro 2021/04/0030-4 to

0031-5
March 6, 2024

35 of 40

deletion. The Administrative Court emphasized in this decision that the

notification of deletion is aimed at providing a service to the person subject to the law. [...]

[...]

31 The Administrative Court has therefore already distinguished, within the scope of application of the DSG 2000, between the claims (for information, deletion or correction) directed at a service provided by the client (now: the controller within the meaning of Art. 4 Z 7 GDPR) and the right to confidentiality. However, this cannot be assessed differently for the current legal situation.”

77 The relevant ruling point A)II. is neither about the right to information, correction or deletion (according to Art. 15 to 17 GDPR) nor about the right to confidentiality (according to Section 1 Para. 1 DSG), but about the controller’s obligation to provide information to the data subject as stipulated in Art. 14 GDPR. This obligation to provide information is indeed regulated in Chapter III of the GDPR (“Rights of the data subject”). However,

this regulation differs from the rights to information, rectification, erasure (etc.) regulated in Art. 15 ff GDPR in that the right

to receive information under Art. 14 GDPR - unlike the rights

under Art. 15 ff GDPR - is not dependent on a request from the data subject.

The general regulation of Art. 12 GDPR also only refers to a request from the data subject to exercise their rights with regard to the rights under Art. 15 to 22 GDPR.

78 The controller's obligation to provide information under Art. 14 GDPR therefore exists

independently of a prior request from the data subject

(see also Illibauer in Knyrim [ed.], DatKomm Art. 12,

para. 20/1). Accordingly, there is also no request for performance

by the data subject in this regard, which must first be asserted and which must therefore be complied with (in the sense of the case law presented above). According to this, however, there is no violation of law in the non-fulfillment of such a request for performance that could be (subsequently) remedied. Rather, the violation of law lies in the failure to provide the information (which must be provided without an application), which cannot be remedied retroactively by a subsequent information provided on the basis of an application by the data subject within the meaning of the Administrative Court of Justice Judenplatz 11, 1010 Vienna www.vwgh.gv.at Ro 2021/04/0030-4 to 0031-5 March 6, 2024 36 of 40 Art. 15 GDPR. 79 In this respect, this violation of law is comparable to the legal situation clarified by the VwGH Ro 2022/04/0001 in the case of a violation of the right to confidentiality under Section 1 Para. 1 DSG. Section 24, paragraph 5, second sentence of the Data Protection Act also provides for an order (addressed to those responsible in the private sector) only with regard to the complainant's requests for information, correction, deletion, restriction or data transfer. A subsequent removal of the violation of law or an order to that effect to the person responsible in connection with the right to fulfil the obligation to provide information under Art. 14 of the GDPR is not addressed. Thus, nothing can be derived from the case law of the Administrative Court cited by the second appeal applicant (still issued in relation to the Data Protection Act 2000) on the rights to information or deletion for the present case (see, for example, VwGH 27.9.2007, 2006/06/0330). 80 This result cannot be changed by the provision of Article 14(5) GDPR cited by the parties seeking an appeal, according to which Article 14(1) to (4) GDPR does not apply if the data subject already has the information. Such a provision concerning an exception to an obligation to provide information can only refer to the time at which the obligation to provide information should have been fulfilled; the data subject must therefore have the information at the time at which the controller would have to communicate it (see also that exceptions under [there: Article 2] of the GDPR are to be interpreted narrowly according to the case law of the ECJ, ECJ 16.1.2024, C-33/22, Austrian Data Protection Authority, para. 37). However, the fact that this would have been the case in the present case, in which the information in question regarding the disclosure of the co-participant's personal data to a third party was only communicated as a result of the co-participant's request for information in a letter dated December 31, 2018, does not emerge from the submissions of the parties seeking the appeal. Administrative Court Judenplatz 11, 1010 Vienna www.vwgh.gv.at Ro 2021/04/0030-4 to 0031-5 March 6, 2024 37 of 40 81 Thus, the fact that the information to be communicated in accordance with Art. 14 Para. 1 lit. e GDPR was contained in the controller's letter dated December 31, 2018 does not per se preclude the finding of a violation of the relevant law. 82 9.4. In view of this, it must therefore be examined whether the BVwG was right to assume a violation of Art. 14 (1)(e) GDPR in this case. 83 In connection with the distinction between Art. 15 and

Art. 13 and 14 GDPR, the ECJ has stated that the latter provisions stipulate the

obligation of the controller to provide the data subject

with information on the categories of recipients or the specific

recipients of personal data concerning him or her,

if these data are collected from the data subject or not from the data subject,

while Art. 15 GDPR provides for an actual

right of information in favour of the data subject, so that he or she

must be able to choose whether - if possible - information on specific

recipients to whom these data have been or will be disclosed, or information on the categories of recipients

is provided to him or her (ECJ 12.1.2023, C-154/21, Österreichische Post

[Information on the recipients of personal data], para. 36).

84 With regard to the predecessor provisions of Articles 10 and 11 of Directive 95/46, which are fundamentally comparable to Articles 13 and 14 of the GDPR, the ECJ has stated that the requirement to inform the persons affected by the processing of their personal data creates the prerequisite for them to be able to exercise their right to information and rectification as well as their right to object to the processing of the data. Consequently,

the requirement of processing personal data in good faith, as provided for in Article 6 of Directive 95/46,

obliges an administrative authority to inform the data subjects that the

personal data are being forwarded to another administrative authority

in order to be processed by that authority in its capacity as its recipient (see, in particular, ECJ 1.10.2015, C-201/14, Smaranda Bara et al.,

para. 33 et seq.; see also ECJ 7.5.2009, C-553/07, Rijkeboer, para. 68, according to which

Administrative Court

Judenplatz 11, 1010 Vienna

www.vwgh.gv.at Ro 2021/04/0030-4 to

0031-5
6 March 2024

38 of 40

with Articles 10 and 11 of Directive 46/95 imposes on the controller, under certain conditions, an obligation to inform the data subject, inter alia, of the recipients or categories of recipients of the data; it is for the controller or his representative to inform the data subject thereof, in particular at the time the data are collected or, if they are not collected directly from the data subject, at the time they are stored or, where appropriate, at the time they are communicated to a third party).

85 In the guidelines on transparency under Regulation 2016/679 of the

Article 29 Data Protection Working Party, WP 260 rev.01, p. 9, it is stated with regard to the easy accessibility of the

information referred to in Article 12 paragraph 1 GDPR that the data subject should not be forced to find the

information themselves; rather, it should be clear to them where and how they can access this information, which could be done, for example, by providing them with a

relevant link.

86 First of all, it should be noted that the provision on the obligation to provide information in Article 14 GDPR requires active action by the controller - without

a prior request from the data subject. However, it is disputed whether the provision of a data protection declaration (containing the relevant information) on the homepage of the second appeal applicant in a situation such as the present one is sufficient to fulfil the obligation to provide information stipulated in Article 14(1) GDPR. 87 In the opinion of the Administrative Court, it should be noted in particular that, according to the statement of the ECJ in its judgment C-201/14 presented above, which can be applied to the GDPR in this respect, the obligation to provide information is a prerequisite for the person affected by the processing of their personal data to be able to exercise their rights to information, rectification or erasure (etc.). In order to fulfill this function, however, it is necessary that this information is easily accessible to the data subject. However, this cannot be guaranteed by the mere possibility of accessing a data protection declaration on a website in a case in which the personal data were not collected from the data subject, the data subject has no other connection with the controller and therefore does not need to have any knowledge of the processing of their personal data by the controller. Against the background of the objective also expressed by the ECJ, Art. 14 (1) GDPR cannot therefore be understood to mean that the availability of the information mentioned therein on a website without an active, explicit notification of the data subject of this form of provision is sufficient even if the data subject had no knowledge of the fact of data processing by the controller (see also Knyrim, in Ehmann/Selmayr [ed.], GDPR Art. 14 para. 13; Greve, in Sydow/Marsch [ed.], GDPR/BDSG Art. 12 para. 20; Bäcker in Kühling/Buchner [ed.], GDPR [2020], Art. 14 para. 41). 88 Since such knowledge of the co-participant of data processing by the second appeal applicant at the time the data was collected was not presented in the appeals either and the existence of an exception under Art. 14 Para. 5 GDPR was not demonstrated in a way that was comprehensible to the Administrative Court, the BVwG's finding in ruling point A)II. regarding a violation of Art. 14 Para. 1 lit. e GDPR cannot be recognized as unlawful.

10. Result

89 Based on the considerations presented in point II.5., ruling points A)I.1.

and A)I.2. of the contested decision and based on the considerations presented in point II.8., ruling point A)III.2. of the contested decision were to be annulled in accordance with Section 42 Para. 2 No. 1 VwGG due to the unlawfulness of the content.

Administrative Court
Judenplatz 11, 1010 Vienna
www.vwgh.gv.at Ro 2021/04/0030-4 to
0031-5
March 6, 2024
40 of 40
90 For the reasons set out in point II.9. and in points II.6. to II.8, the appeals were to be dismissed as unfounded in accordance with Section 42 (1) VwGG insofar as they were directed against the

ruling points A)II. and A)III.1. of the contested decision.
91 The co-participant's application for a substantive decision by the

Administrative Court with regard to the contested ruling point A)II.

was to be rejected for the reasons set out in point II.2.

92 The decision on reimbursement of expenses is based on Sections 47 ff,
in particular Section 50 VwGG in conjunction with the VwGH Expenses Reimbursement Ordinance 2014.

Vienna, March 6, 2024

Administrative Court
Judenplatz 11, 1010 Vienna

www.vwgh.gv.at