VwGH - Ro 2019/04/0229

From GDPRhub
VwGH - Ro 2019/04/0229
Courts logo1.png
Court: VwGH (Austria)
Jurisdiction: Austria
Relevant Law: Article 4(7) GDPR
Article 83 GDPR
Article I EVGV
Article II EVGV
§ 3 VbVG
§ 30 DSG (Austrian Data Protection Act)
§ 31 VStG
§ 32 VStG
§ 44a VStG
§ 9 VStG
§ 99d BWG (Austrian Banking Act)
§ 50 VwGVG
Decided: 12.05.2020
Published: 23.06.2020
Parties:
National Case Number/Name: Ro 2019/04/0229
European Case Law Identifier: ECLI:AT:VWGH:2020:RO2019040229.J00
Appeal from: BVwG (Austria)‎
W211 2208885- 1/19E
Appeal to: Not appealed
Original Language(s): German
Original Source: Rechtsinformationssystem des Bundes (in German)
Initial Contributor: Marco Blocher

The Austrian Supreme Administrative Court held that under Austrian administrative penal law a legal person could only be fined under Article 83 GDPR if there is a specific accusation of culpable actions against a natural person who had a decisive influence on that legal person (e.g. a manager).

In order to issue a fine against a legal person, such natural person must also be a party (accused) in an administrative penal procedure regarding GDPR-violations against the legal person.

English Summary

Facts

The Austrian Data Protection Authority (DSB) had issued a fine of EUR 4,800 under Article 83 GDPR against a legal person based in Austria ("the company"). The reason for this fine were four violations of the GDPR and the DSG (Austrian Data Protection Act) in connection with a CCTV (closed circuit television).

The company filed an appeal against this fine with the BVwG (Austrian Federal Administrative Court).

On 19 August 2019 the BVwG repealed the fine and suspended the administrative penal procedure. It held that the DSB had failed to make an accusation pursuant to § 30(1) and (2) DSG (Austrian Data Protection Act) against specific persons who have a decisive influence on the accused company's business (managers) and whose own culpable actions (own actions, own omissions or lack of supervision of subordinate employees) can be attributed to the accused company.

In its reasoning, the BVwG also referred to a VwGH (Austrian Supreme Administrative Court) decison regarding violations of the BWG (Austrian Banking Act). This is because § 30 DSG, that establishes rules for data protection liability of legal persons, has a very similar wording to § 99d BWG.

The DSB filed an appeal against this decision with the VwGH requesting it to repeal the BVwG's decision and to reinstate the decision of the DSB.

Dispute

A) Is the VwGH case law on § 99d BWG relevant with regard to § 30 DSG and Article 83 GDPR? (§ 99d BWG requires culpable conduct on the part of a natural person who is entitled to decision-making or asserting control within the legal person.)

B) Or rather, is the CJEU case law on fines under competition law relevant with regard to § 30 DSG and Article 83 GDPR? (EU competition law allows the European Commission to impose a fine against a legal person without having to specifically accuse a natural person of culpable conduct.)

C) Is § 30 DSG even applicable or is there a lack of a corresponding opening-clause in the GDPR? (§ 30 DSG requires the same culpable conduct of a natural person as § 99d BWG)

D) Depending on the answers to the questions above: Does the DSB have to accuse a natural person attributable to a legal person (which acts a controller or processor) of GDPR-violations in order to issue a fine under Article 83 GDPR against the legal person?

Holding

The VwGH upheld the decision of the BVwG in its entirety:

The VwGH case law on § 99d BWG is applicable, the CJEU case law on fines under competition is not. According to the VwGH, this is because the fines under the GDPR and the BWG are "real administrative penalties" (see recital 150 GDPR), whereas the fines imposed by the European Commission under EU competition law are not. In addition, Article 83(8) GDPR leaves it to the members states to pass procedural laws for the of imposition of fines. (The exercise by the supervisory authority of its powers under this Article shall be subject to appropriate procedural safeguards in accordance with Union and Member State law, including effective judicial remedy and due process.)

The VwGH applied § 30 DSG without even questioning whether this provision is at all in conformity with Article 83 GDPR. It held, that Austrian administrative penal law in connection with § 30 DSG a legal person can only be fined pursuant to Article 83 GDPR if there is a specific accusation of culpable actions against a natural person who had a decisive influence on that legal person (e.g. a manager). In order to lawfully impose fine under Article 83 GDPR, it is therefore necessary for the DSB to accuse a natural person attributable to the legal person of specific culpable actions (own actions, own omissions or lack of supervision of subordinate employees).

Comment

According to the DSB, the VwGH should have referred the question on the compatibility of § 30 DSG with Article 83 GDPR, to the CJEU for a preliminary ruling under Article 267 TFEU.

This case law has a wide-ranging impact on GDPR-fines in Austria. It makes it more difficult to prosecute legal persons for violations of the GDPR and the DSG, because from now on the DSB always has to

- identify natural persons with decisive influence over the data processing that (allegedly) violates the GDPR

- describe the conduct of which they are accused, and

- include them as accused persons (in addition to the legal person) in the administraive criminal proceedings

A specific accusation against a person makes a significantly higher investigation effort necessary.

Further Resources

https://www.dataprotect.at/2020/06/08/gastbeitrag/ (in German)

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

 
Court 
Administrative Court 
Decision date 
12.05.2020 
Business figures 
Ro 2019/04/0229 
Subject 
The Administrative Court, with the assistance of the Secretary Klima, LL.M., on the appeal of the Data Protection Authority at 1030 Vienna, Barichgasse 40-42 against the decision of the Federal Administrative Court of 19 August 2019, no. 1, by the President of the Senate, Dr. Handstanger, and the Court Councillors Dr. Mayr and Mr. Brandl as judges, with the assistance of the Secretary Klima, LL.M., on the appeal of the Data Protection Authority at 1030 Vienna, Barichgasse 40-42, against the decision of the Federal Administrative Court of 19 August 2019, no. 1, by the President of the Senate, Dr. Handstanger, and the Court Councillors Dr. Mayr and Mr. Brandl as judges. W211 2208885- 1/19E, concerning the violation of the Data Protection Act 2000 as well as the Data Protection Act and the Basic Data Protection Regulation (DSGVO) (co-involved party: N.N. Handels- und Betriebsgesellschaft mbH. in G): 
Saying 
The appeal is dismissed as unfounded. 
Justification 
1	With the penal decision of 12 September 2018, the authority requesting the audit of N.N. Handels- und Betriebsgesellschaft mbH (co-involved party) that, as the person responsible for an image processing system (video surveillance) within the meaning of Article 4 no. 7 of the Basic Data Protection Regulation (DSGVO), it was responsible for the fact that, from 22 March 2018, in a specified betting shop, video surveillance 1. covered the public parking spaces and traffic areas in front of the entrance to the betting shop and thus prevented the 
purpose of the processing is not appropriate and not limited to the necessary extent; 2. no 
3. no deletion of the personal image data recorded by the video surveillance within 72 hours, no separate recording in this regard and no justification for an extended storage period; 4. the video surveillance is not appropriately marked. As a result, the party involved had infringed Article 5(1)(a) and (c) and Article 6(1) DSGVO, Article 50b(1) of the Data Protection Act 2000 (DSG 2000) for the period before 25 May 2018 and Article 13(2) of the Data Protection Act (DSG) from 25 May 2018, Article 50b(2) for the period before 25 May 2018, Article 50b(2) for the period before 25 May 2018 and Article 6(3) for the period after 25 May 2018. 2 DSG 2000 and, as from 25 May 2018, Article 13, paragraph 3, DSG, and, fourthly, for the period prior to 25 May 2018, Article 50d, paragraph 1, DSG 2000 and, as from 25 May 2018, Article 13, paragraph 5, DSG, have been infringed, which is why the party involved, as the party responsible under Article 30 DSG, has been fined one fine each, namely 1) pursuant to Art. 83, paragraph 5, lit. a, DSGVO in the amount of EUR 2,400.00, or 2) pursuant to Article 52, paragraph 2, item 6, DSG 2000 in conjunction with Article 69, paragraph 5, DSG and Article 62, paragraph 1, item 4, DSG, or 3) pursuant to Article 52, paragraph 2, item 7, DSG 2000 in conjunction with Article 69, paragraph 5, DSG and Article 62, paragraph 1, item 4, DSG, or 4) pursuant to Article 52, paragraph 2, item 6, DSG 2000 in conjunction with Article 69, paragraph 5, DSG and Article 62, paragraph 1, item 4, DSG. 2 item 4 DSG 2000 in conjunction with section 69(5) DSG and section 62(1) item 4 DSG, each in the amount of EUR 800, thus totalling EUR 4,800, and a contribution to costs in the amount of EUR 480 was imposed in accordance with section 64 VStG. 
2	By the contested decision, the Federal Administrative Court (Administrative Court) ordered the 
Appeal by the co-involved party, overturned the penal decision, discontinued the proceedings under Section 45(1)(3) of the VStG and declared that, under Section 52(8) of the VwGVG, the co-involved party was not to bear any costs and that the appeal was admissible. 
3	The Administrative Court stated in summary that, in accordance with the provisions of the 
proceedings in accordance with the case-law of the Administrative Court of 29 March 2019, Ro 2018/02/0023, which is transferable to the DSG, the precise description of the natural person's act of commission is necessary for the persecutory act directed against the legal person to be effective. For the punishment of the legal person, it was decisive that the information required for the assessment of a factual, unlawful and culpable conduct, which also satisfies any additional requirements for criminal liability, was available. 
findings are made and all necessary elements for punishing the natural person are included in the ruling (§ 44a VStG), with the addition that the conduct of the natural person is attributed to the legal person. 
In the present case, a natural person whose conduct (arrangement and installation of the cameras or lack of control of the cameras or their use) is to be attributed to the co-operating party was never identified and thus never specified. An extract from the commercial register was obtained by the authority requesting an audit on 12 July 2018. However, this extract was neither referred to in the penal decision nor was it attached to the penal decision. 
The request for justification had been addressed to the managing director of the co-involved party who, according to the Commercial Register, was a commercial law executive. However, the managing director had not been mentioned in the description of the allegation. In the report of the state police directorate, the waitress working in the betting shop at the time had stated that the partner and managing director under commercial law of the party involved was the "head of the company". In the proceedings before the Administrative Court, it had turned out that the information from the commercial register did not represent the actual influence and control of the co-participating party in a sufficiently concrete and realistic manner. 
As a result, it must be assumed that the allegation was not sufficiently substantiated in the official proceedings because it is not clear from the allegation which conduct should have been attributed to which person of the party involved. Thus, the exercise of essential rights of defence of the party involved was not sufficiently guaranteed. 
Even according to the argumentation of the authority seeking appeal in the appeal proceedings, an act of a person should be attributed to the legal person. This was not the case in the present case. Moreover, § 30 of the DSG referred to the persons mentioned there who could be regarded as having "key functions". 
	The 	argumentation of the 	authority 	seeking an appeal	, that 	Art. 83 	DSGVO 	is in 	substance 
It is therefore not necessary to follow the relevant case-law of the Court of Justice of the European Union (ECJ), according to which a specific designation of a natural person who is alleged to have acted culpably within an undertaking or to be responsible for a possibly defective organisation is not necessary, and should not be applied in the present case. The case law cited refers to competition law proceedings conducted by the European Commission using its own - also procedural - guidelines. Article 83 (8) DSGVO, on the other hand, states that the exercise of the powers of the supervisory authority must be subject to adequate procedural guarantees in accordance with Union law and the law of the Member States, including effective judicial remedies and due process. Direct applicability of the principles of jurisdiction of the courts of the European Union in competition law is ruled out on account of the different legal bases, the different procedural bases and the reference in the DSGVO itself to the fact that the procedure under Article 83 DSGVO must also be subject to procedural guarantees under the law of the Member States. 
Thus, it could not be assumed that the accusation had been sufficiently substantiated in the official proceedings. 
This deficiency could not be remedied by the Administrative Court. 
The present Criminal Decision does not specify a point in time at which the criminal conduct ceased, which is why the date of the Criminal Decision, 12 September 2018, is to be assumed for the beginning of the calculation of the limitation period for prosecution under § 31, Subsection 1, VStG, and this is still open. 
The lack of fitness of the act of persecution could, however, not be remedied by the Administrative Court by making up for the act of persecution, due to the limitation of the appeal proceedings to the charge of an offence that is the subject of the criminal conviction. An allegation of an offence raised for the first time by the administrative court was an inadmissible extension of the subject matter of the complaint that went beyond a mere specification. If a criminal finding is based on an accusation that is not sufficiently concrete, the proceedings can only be proceeded with the removal of the criminal finding and the discontinuation of the proceedings. The lack of concretisation of the charge constituted a procedural obstacle to review by the Administrative Court. 
4	The present revision is directed against this finding. The party involved did not respond to the appeal. 
 
The Administrative Court has considered 
 Admissibility 
5	The Administrative Court justified the admission of the appeal on the grounds of the lack of supreme court rulings on the provisions regarding the punishment of the legal entity in connection with the new legal situation regarding the DSGVO and the DSG regarding the transferability of the statements of the Administrative Court in its ruling of 29 March 2019, Ro 2018/02/0023, to the substantive 
Legal situation under the DSGVO and the DSG. Likewise, there is a lack of case-law on the authorisation or even obligation of the administrative court to make up for a lack of suitability of a prosecution act by the authority in the case of an open limitation period for prosecution - here with regard to determining the natural person whose conduct is to be attributed to the legal person. 
6	The official revision is already admissible for the reasons given, but it is not justified. 
 Legal situation 
 National law 
7	§ Section 52 of the Federal Act on the Protection of Personal Data (Data Protection Act 2000 - DSG 2000), Federal Law Gazette I No. 165/1999, in the version applicable here, Federal Law Gazette I No. 83/2013, reads in extracts:       "Section 10 Penal Provisions 
      ... 
 Administrative penal provision 
 § (1) Unless the offence constitutes a criminal act falling within the jurisdiction of the courts or is punishable by a more severe penalty under other provisions on administrative offences, an administrative offence shall be punishable by a fine of up to EUR 25 000 if 
      ... 
(2) Unless the act does not constitute a criminal offence falling within the jurisdiction of the courts, an administrative offence punishable by a fine of up to EUR 10 000 shall be committed by any person 
      ... 
4.	violates its disclosure or information obligations under sections 23, 24, 25 or 50d or 
      ... 
5.	disregards the security measures required under Section 50a(7) and Section 50b(1), or 
6.	does not delete data after the expiry of the deletion period provided for in Section 50b (2). 
2a. Unless the offence does not constitute a criminal offence falling within the jurisdiction of the courts 
A person who fails to provide information, correct or delete data in a timely manner contrary to §§ 26, 27 or 28 is guilty of an administrative offence, which is punishable by a fine of up to 500 euros. 
      ..." 
      §§ Sections 30(1) to (3) and 69(4) and (5) of the Federal Act on the Protection of Individuals with regard to the Processing of Personal Data (Data Protection Act - DSG), Federal Law Gazette I No 165/1999, in the version applicable here, Federal Law Gazette I No 24/2018, and Section 62(1)(2) of the Federal Law Gazette I No 120/2017, in the version applicable here, shall read 
 "General conditions for the imposition of fines 
§ Section 30 (1) The data protection authority may impose fines on a legal person if infringements of the provisions of the DSGVO and of Section 1 or Article 2 1. principal are committed by persons who have acted either individually or as part of an organ of the legal person and who have a leading position within the legal person on the basis of 
1.	the power of representation of the legal person, 
2.	the power to take decisions on behalf of the legal entities 
person, or 
3.	an authority to exercise control within the legal person 
(3)	Legal persons may also be held liable for infringements of the provisions of the DSGVO and of Article 1 or Article 2 1. main clause if the lack of supervision or control by a person referred to in paragraph 1 has made it possible for such infringements to be committed by a person acting on behalf of the legal person, provided that the act does not constitute a criminal offence falling within the jurisdiction of the courts. 
(4)	The data protection authority must refrain from punishing a responsible person in accordance with § 9 of the Administrative Criminal Act 1991 - VStG, Federal Law Gazette No. 52/1991, if an administrative penalty has already been imposed on the legal entity for the same violation. 
      ... 
(5)	Main section 
Specific penal provisions 
 Administrative penal provision 
 § (1) Unless the offence does not constitute an offence pursuant to Art. 83 DSGVO or has been committed under other 
is threatened with a more severe penalty under administrative penal provisions, an administrative offence is committed, punishable by a fine of up to EUR 50 000, by anyone who 
      ... 
4. operates      an image processing system contrary to the provisions of Section 3 of the 1st main section or 
      ... 
 Transitional provisions 
 § 69. 
      ... 
(4)	Proceedings pending before the data protection authority or before the ordinary courts on the Data Protection Act 2000 at the time of entry into force of this Federal Act shall be continued in accordance with the provisions of this Federal Act and the DSGVO, provided that the jurisdiction of the ordinary courts remains intact. 
(5)	Violations of the Data Protection Act 2000, which, at the time of entry into force of this 
Federal Act have not yet been made pending, shall be assessed in accordance with the legal situation after the entry into force of this Federal Act. An offence that was committed before the entry into force of this Act shall be assessed in accordance with the legal situation that is more favourable to the offender in its overall effect; this shall also apply to the appeal procedure. 
      ..." 
 Union law 
8      Article 4(7) and (8) and Article 83 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC, OJ 2016 L 119, p. 1 (the basic regulation on data protection) (DSGVO): 
      "Article 4 
 Definitions 
For the purposes of this Regulation 
      ... 
7.	controller' shall mean the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or national law, provision may be made for the controller to be designated in accordance with Union or national law 
8.	processor' means any natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller 
      ... 
Article 83 
 General conditions for the imposition of fines 
(1)	Each supervisory authority shall ensure that the imposition of fines under this Article for infringements of this Regulation in accordance with paragraphs 5 and 6 is effective, proportionate and dissuasive in each individual case. 
(2)	Fines shall be imposed in addition to or instead of the measures referred to in points (a) to (h) and (i) of Article 58(2), depending on the circumstances of the case. In deciding on the imposition of a fine and the amount thereof, due account shall be taken in each individual case of the following: 
a)	the nature, seriousness and duration of the breach, having regard to the nature, scale or purpose of the processing operation in question, as well as the number of persons concerned by the processing operation and the extent of the damage suffered by them 
b)	wilful misconduct or negligence of the infringement; 
c)	any measures taken by the responsible person or the processor to 
Reduction of the damage suffered by the persons concerned; 
d)	Degree of responsibility of the person responsible or the processor under 
taking into account the technical and organisational measures they have taken in accordance with Articles 25 and 32; 
e)	any relevant previous infringements committed by the person responsible or by the processor; 
f)	Extent of cooperation with the supervisory authority to remedy the breach and mitigate its possible adverse effects; 
g)	Categories of personal data concerned by the breach; 
h)	the manner in which the infringement was brought to the attention of the supervisory authority, in particular whether and, if so, to what extent the person responsible or the processor notified the infringement 
i)	compliance with the conditions laid down in Article 58(2) previously applicable to the 
persons responsible or processors in respect of the same object, where such measures have been ordered; 
j)	compliance 	with 	approved codes of conduct 	pursuant to 	Article 40 	or 	approved 
the certification procedure referred to in Article 42, and 
k)	any other aggravating or mitigating circumstances in the case in question, such as financial benefits obtained directly or indirectly from the infringement or losses avoided. 
(3)	Where, intentionally or negligently, a controller or a processor breaches several of the provisions of this Regulation in the course of identical or related processing operations, the total amount of the fine shall not exceed the amount imposed for the most serious breach. 
(4)	Fines of up to EUR 10 000 000 or, in the case of an undertaking, of up to 2 % of its total annual worldwide turnover in the preceding business year, whichever is the greater, shall be imposed in respect of infringements of the following provisions, in accordance with paragraph 2 
a)	the obligations of processors and processors under Articles 8, 11, 25 to 39, 42 and 
43; 
b)	the obligations of the certification body under Articles 42 and 43; 
c)	the obligations of the monitoring agency pursuant to Article 41(4). 
5. Fines of up to EUR 20 000 000 or, in the case of an undertaking, of up to 4 % of its total annual worldwide turnover in the preceding business year, whichever is the greater, shall be imposed in respect of infringements of the following provisions, in accordance with paragraph 2 
a)	the principles governing the processing, including the conditions for consent, in accordance with 
Articles 5, 6, 7 and 9; 
b)	the rights of the data subject in accordance with Articles 12 to 22; 
c)	the transfer of personal data to a recipient in a third country or to an international organisation in accordance with Articles 44 to 49; 
d)	all obligations under the legislation of the Member States adopted under Chapter IX; 
e)	failure to comply with an order or temporary or definitive restriction or suspension of data transmission by the supervisory authority in accordance with Article 58(2) or failure to grant access in breach of Article 58(1). 
(6)	Failure to comply with an order issued by the supervisory authority pursuant to Article 58(2) shall be subject to fines of up to EUR 20 000 000 or, in the case of an undertaking, up to 4 % of its total annual worldwide turnover in the preceding business year, whichever is the greater, in accordance with paragraph 2 of this Article. 
(7)	Without prejudice to the powers of the supervisory authorities to take remedial action under Article 58(2), each Member State may lay down rules on whether and to what extent fines may be imposed on authorities and public bodies established in that Member State. 
(8)	The exercise of its powers by a supervisory authority under this Article shall be subject to adequate procedural safeguards in accordance with Union and national law, including effective judicial remedies and due process. 
(9)	Where the legal system of a Member State does not provide for fines, this Article may be applied in such a way that the fine is initiated by the competent supervisory authority and imposed by the competent national courts, while ensuring that these remedies are effective and have the same effect as fines imposed by supervisory authorities. In any event, the fines imposed shall be effective, proportionate and dissuasive. The Member States concerned shall notify the Commission by 25 May 2018 of the provisions adopted pursuant to this paragraph and shall notify it without delay of any subsequent amending legislation or amendment thereto. 
 The period of the offence prior to the entry into force of the DSGVO and DSG 9      The period of the offence charged in the penal decision of the party involved with all four administrative offences begins in each case on 22 March 2018 and thus also includes a period prior to the entry into force of the DSGVO and the DSG on 25 May 2018 (cf. Art. 99 para. 2 DSGVO and Art. 70 para. 9 DSG with regard to Sections 30, 62 and 69 DSG applicable here). 10      Therefore, for the period prior to 25 May 2018, in the absence of direct criminal liability of the party involved as a legal person pursuant to § 1.2 VStG, the party involved cannot be charged with the offences for which it is accused. For this reason alone, the revocation of the penal sentence for this period of time was therefore rightly made. 
 Requirement to identify the natural persons whose infringements of the 
DSGVO or the DSG to a legal person in a prosecution act pursuant to § 32 VStG and in a judgment of penal knowledge pursuant to § 44a Z 1 VStG 
 On the question of the relevance of the case law of the Administrative Court on § 99d BWG of 29 March 2019, Ro 2018/02/0023 
11	Under Art. 83 DSGVO in conjunction with Art. 4(7) and (8) DSGVO, fines for violations of the DSGVO under Art. 83(4) to (6) DSGVO are to be imposed not only on natural persons but also on legal persons as "responsible parties" within the meaning of Art. 4(7) DSGVO or "processors" within the meaning of Art. 4(8) DSGVO. The Regulation does not contain more detailed provisions on the criminal liability of legal persons for violations of the DSGVO committed by natural persons attributable to them. 
12	Until the entry into force of the DSGVO and its (direct) application and the DSG, legal persons were not subject to direct criminal liability and sanctions for violations of the DSG 2000 by natural persons attributable to them. There was only the concept of liability for legal persons under § 9 VStG with liability for fines imposed on those appointed to represent them externally or on a responsible representative and for the costs of proceedings under § 9 para. 7 leg. cit. as a "criminal guarantee" dependent on the legally binding and enforceable sentence against these natural persons and not as a punishment 
(see VwGH 22.5.2019, Ra 2018/04/0074, 0075, marginal no. 9, mwN). As explained in the legislative materials on the DPA, Federal Law Gazette I no. 120/2017, (Explanatory remarks RV 1664 BlgNR 25. GP 10), it was therefore necessary, among other things, to regulate the conditions under which fines can be imposed on legal persons. The imposition of fines on legal persons as regulated in sec. 30 DSG is based on the provision of sec. 99d of the Bankwesengesetz (BWG), Federal Law Gazette No. 532/1993. 
13	In the decision of 29 March 2019, Ro 2018/02/0023, marginal no. 
21	- 33, the Administrative Court held that 
requirements for the content of the persecutory act as defined in Articles 31 and 32 VStG as well as the verdict of guilty in relation to Article 99d paras 1 and 2 BWG: 
      "21 If one considers the procedural guarantees of Art. 47 GRC, which are decisive here because of the reference to Union law, it is logical that the legal person is to be regarded as an accused person pursuant to § 32 VStG if it is suspected of being responsible for an administrative offence and the authority brings a prosecution against it. It is then also a party within the meaning of the AVG. 
22	If the legal entity is the accused in administrative criminal proceedings (§ 32 VStG), it has all rights associated with this party status. For example, the accused must be granted a hearing (§ 40 VStG) and is not required to answer questions put to him (§ 33 (2) VStG). The accused has access to a court (administrative court), which in principle has to conduct a public oral hearing (§ 44 VwGVG), in which the accused has the right to ask questions and receive information; he can also be represented (§ 46 VwGVG). Moreover, due to the lack of a lower limit, the range of penalties under § 99d para. 3 BWG allows for a level of penalties appropriate to the individual case (on the constitutionality of § 99d BWG with regard to the level of penalties, see VfGH 13.12.2017, G 408/2016-31 et al. 
23	In addition, the restrictions and exceptions to the principle of official channels, such as 
§ The provisions of Article 25(3) VStG (refusal to report), Article 34 VStG (temporary refusal to initiate or continue criminal proceedings) or Article 45(1) VStG (refusal to initiate or continue criminal proceedings and discontinuation) shall apply to proceedings conducted against the legal person as an accused party in its favour, unless they are exclusively directed at natural persons. 
24	This procedural legal status accorded to the legal person meets the requirements of the right to a fair trial, which is why the procedural guarantees required by Article 47 of the Basic Law are also guaranteed for the legal person in proceedings under the VAT Act (cf. on Article 6 of the ECHR in criminal proceedings against an association, again VfGH 2.12.2016, G 497/2015 et al. 
25	The punishment of a legal person under the provision in question presupposes that a natural person (leader) attributable to it has committed a criminal offence. The punishability of the legal person pursuant to § 99d paras. 1 and 2 BWG is based on the accusation that the executives named therein have committed an offence against the 
They may have 'breached their obligations' (paragraph 1) or they may have allowed 'employee action' to be taken due to lack of control or supervision (paragraph 2). 
26	The prohibitions and requirements referred to in Article 99d BWG are addressed either directly to the legal person (Article 98(1) BWG) or to the person responsible pursuant to Article 9 VStG (Article 98(2), (5), (5a) and Article 99(1) BWG). 
27	The constitutionally required connection for the attribution of the offence to a legal person is expressed by the fact that, on the one hand, a leading person has either committed the offence himself (para. 1) or the commission of the act by an employee was made possible by a lack of supervision and control (para. 2), on the other hand, obligations of the association were violated (§ 98 para. 1 BWG) or the association derives a benefit from the act (§ 99d para. 3 leg.cit.) (cf. on § 3 VbVG, again VfGH 2.12.2016, G 497/2015 et al. 
28	Anyone who unlawfully and culpably (§ 5 VStG) commits the corresponding offence may be punished for a violation of an obligation sanctioned under administrative criminal law; in a specific case, one or more of the offences listed in § 98 para. 1, para. 2 nos. 7 and 11, para. 5, para. 5a or § 99 para. 1 nos. 3 or 4 BWG. 
29	Since the legal entity cannot act itself, its criminal liability under Article 99d Banking Act is a consequence of the criminal, illegal and culpable conduct of a manager. Accordingly, the exact description of the natural person's criminal act is necessary for the prosecution directed against the legal entity to be effective. An act of persecution within the meaning of §§ 31 and 32 VStG must in fact have a specific administrative offence as its object, which requires that it must relate to all elements of the facts on which the subsequent punishment is based (VwGH 8.3.2017, Ra 2016/02/0226, mwN). If such an accusation is directed against the legal person, then - because the criminal liability of the legal person depends on the infringement of the natural person attributable to it - the accusation against the natural person named therein is also included in it. 
30	If, however, a paraphrase mentioned by name or clearly determined from other paraphrases according to individual criteria (cf. Lewisch/Fister/Weilguni, Verwaltungsgstrafgesetz2 , margin no. 13 to § 32) is accused of one of the above-mentioned criminal offences in a prosecution against the legal person and if the person in question is eligible for punishment, which (only) applies to the persons responsible pursuant to § 9 VStG due to the provisions referred to in § 99d BWG, the person responsible is suspected of this administrative offence pursuant to § 9 VStG, which is why, from this point in time, the person responsible is subject to the provisions of § 32 para. 1 VStG, especially since the official act need not be addressed to the suspect (cf. ibid., para. 15). In addition to his special position as a party in administrative criminal proceedings, this circumstance is also important for the limitation period for prosecution with regard to both the legal and the natural person (§ 31, paragraph 1 VStG). 
31	On this occasion, it should be noted that - whether for the act of persecution or for the punishment - it is not sufficient for the determination of the persecuted person, if he is not mentioned by name in the sentence anyway, if documents not included in the execution are referred to (such as the 'Commercial Register' in the present penal decision); as shown above, the mere determinability of the person is not sufficient. 
32	The consequence of being an accused is that the person responsible must not only be treated as an accused in any proceedings against him, but also in proceedings against the legal person, otherwise his rights as a party would not be guaranteed. 
33	With regard to the question of admissibility referred to at the beginning, this means that the proceedings against the natural person do not have to be conducted and concluded as a matter of priority and do not require a verdict of guilt against the natural person in order to be able to punish the legal person as well. Rather, it is decisive for a punishment of the legal person that the findings necessary for the assessment of a factual, unlawful and culpable conduct, which also meets any additional requirements of criminal liability, are made and that all necessary elements for a punishment of the natural person are included in the ruling (§ 44a VStG), with the addition that the conduct of the natural person is attributed to the legal person. It is irrelevant whether and, if applicable, against which natural person - also - administrative criminal proceedings are or were conducted. 
14	The authority seeking review objects to the transferability of this case-law to infringements of the DSGVO and the DSG, by means of the sui generis model of responsibility of associations, which originates from EU competition law and which the Union legislator has adopted for the area of fines under Art. 83 
DSGVO, the procedural guarantees required by fundamental rights would be provided by legal provisions 
persons are not diminished. Based on the assumption that legal persons in proceedings under Article 83 DSGVO would also enjoy the legal protection and procedural guarantees of Articles 47 to 50 GRC, that the principle of proportionality and the principle of fault are inherent in the regulatory system of Article 83 DSGVO, and that the procedural guarantees referred to in Article 83.8 DSGVO, on which legal persons can rely, are also found in the VStG, for example in Sections 32a, 33(2) and (3), 43(2) to (4) and 44b leg.cit, there is no room for national provisions such as § 30 DSG - interpreted in the light of the ruling of the Administrative Court of 29 March 2019, Ro 2018/02/0023 - with regard to the direct applicability of Article 83 DSGVO. Nor does § 30 DSG have any coverage in Article 83.8 DSGVO in this respect. As a consequence, the comments in the ruling, Ro 2018/02/0023, on the administrative criminal liability of legal persons in the area of financial market supervision cannot be applied to the substantive legal situation under the DSGVO and the DSG. The VStG, in contrast to the Law on the Responsibility of Associations (VbVG), does not recognise any direct criminal liability of legal persons in the area of financial market supervision. 
person and thus no norm comparable to § 17 VbVG. In the opinion of the authority seeking revision, however, this - unplanned - gap could be closed by analogous application of § 17 VbVG in order to safeguard the rights of certain natural persons acting on behalf of a legal person. 
15	In accordance with Art. 83 DSGVO, the official procedure of the appeal authority for the imposition of fines under Art. I para. 1 and para. 2 line 2 in conjunction with Art. II EGVG, the VStG applies. This applies insofar as the DSGVO does not provide for more specific provisions. The provisions of Article 30 paragraphs 1 to 3 DSGG are necessary to ensure the full enforcement of Art. 83 DSGVO in national law, because the VStG only regulates the procedure for the criminal liability of natural persons; Art. 83 DSGVO, on the other hand, does not distinguish between offences committed by legal entities and offences committed by natural persons (see Bresich/Dopplinger/Dörnhöfer/Kunnert/Riedl, DSG (2018), page 210; Illibauer in Knyrim (ed.), DatKomm Art. 83 Rz 124 (as of October 2018)). 
16	§ Article 30 paras. 1 and 2 DSG do not contain procedural norms, but rather allocation rules based on Article 99d BWG for the imposition of fines under the DSGVO on legal persons. In this respect, § 30 DSG does not refer to Art. 83 para. 8 DSGVO, according to which the exercise of its own powers by a supervisory authority (audit-seeking authority) under this provision must be subject to adequate procedural guarantees in accordance with Union law and the law of the Member States, including effective judicial remedies and due process. 
17	In contrast to the responsibility of associations under the VbVG, which in Article 3 regulates the responsibility of an association for criminal offences committed by one of its decision-makers (Article 2) or one of its employees, Article 30 of the DSG and Article 99d of the Banking Act are not accompanied by procedural provisions and no special procedural law is found for administrative criminal proceedings against legal persons (see VwGH 29.3.2019, Ro 2018/02/0023, nos. 16 and 17, regarding Article 99d of the Banking Act). 
18	Rather, the imposition of fines pursuant to Art. 83 DSGVO is subject to the VStG to the extent that 
application than the DSGVO does not provide for more specific rules under the priority of application. The 
The submission of the authority seeking an appeal concerning an unplanned loophole in the law with regard to the treatment as accused of natural persons for whose violations of the DSGVO or the DSG or for whose lack of supervision and control enabling such violations by employees the legal person can be held responsible pursuant to Article 30 paragraphs 1 and 2 DSG, because a legal norm comparable to Article 17 VbVG is missing, is not open to the transfer of jurisdiction of the Administrative Court in the 
Finding Ro 2018/02/0023 does not preclude the application of that finding to the present case. On the contrary, the Administrative Court considers the position of the natural person whose criminal, unlawful and culpable conduct is attributed to the legal person as the accused for the direct criminal liability of legal persons pursuant to § 99d paras 1 and 2 BWG. 
19	Contrary to the legal opinion of the authority seeking an appeal, the case-law of the Administrative Court on the determination of the criminal liability of legal persons for conduct by natural persons attributable to them under Article 99d paras 1 and 2 Banking Act (which regulates the criminal liability of legal persons for their conduct by natural persons largely identical to Article 30 paras 1 and 2 DPA) of 29 March 2019, Ro 2018/02/0023, regarding the determination of the act of persecution within the meaning of Articles 31 and 32 VStG and of the punishment as defined in § 44a VStG also applies to the present essential legal question of the extent to which, in order to punish a legal person for violations of the DSGVO or the DSG pursuant to § 30 DSG, the findings necessary for the assessment of criminal, unlawful and culpable conduct must be made and criminal, unlawful and culpable conduct of a natural person named by name must be included in the ruling pursuant to § 44a VStG. 
 On the question of the relevance of the ECJ's case-law on the requirement in Union competition law to specifically identify the natural persons who have acted culpably within an undertaking 
20	The authority seeking an appeal challenges the requirement derived from the ruling of the Administrative Court, Ro 2018/02/0023, that the natural person whose unlawful and culpable conduct is attributable to the legal person must be named, arguing that Article 83 DSGVO is modelled on the content of the competition law provisions of the European Union and that the case-law of the ECJ on Article 15 of Regulation No 17/1962 and Article 23 of Regulation No 1/2003 is therefore relevant. In its judgment of 18 September 2003 in Case C-338/00 P Volkswagen v Commission, paragraph 98, in proceedings for the imposition of a fine for an infringement of Article 85 of the EC Treaty, the Court of Justice held that 
ECJ stated that the European Court of First Instance (ECJ) did not have to designate the persons who would have acted culpably within the company or who should have been held responsible for the possibly defective organisation in determining the intentional commission of the infringement. The ECJ referred to this case-law, inter alia, in its judgment of 23 January 2014, T391/09, paragraph 38, which was confirmed by the judgment of the ECJ of 16 June 2016, Evonik Degussa and Alzchem v Commission, C155/14 P. Due to the similarity of the provisions on the imposition of fines under competition law and data protection law, it was to be assumed that a fine under Art. 83 DSGVO, although not a punitive measure in the narrower sense, was very much a measure of administrative law similar to "criminal law", whereby the principles that characterise criminal law (presumption of innocence, individual accusation of the act, principle of guilt) would apply. The relevant case-law of the European Court of Justice thus assumes that in the case of a breach of the rules by legal persons, although the breach must be individually accusable to them, it is not necessary to specifically name the persons acting within the legal person. 
21	In the present case, the proceedings before the Administrative Court have shown that the surveillance of images can be individually accused of the co-involved party and that this has not been contested by the co-involved party. In proceedings under Art. 83 DSGVO in conjunction with sec. 62 DSG, however, it was not necessary to examine whether the managing director or another natural person authorised to act could be individually accused of the infringement. Consequently, this was not to be reproached in the act of persecution under § 32 VStG. 
22	In its judgment of 18 September 2003 in Case C-338/00 P Volkswagen v Commission, Volkswagen v Commission, relating inter alia to the imposition of a fine by the European Commission in proceedings for infringement of European Union (then Community) competition law, the ECJ held that, under Community (now Union) competition law, the intentional or negligent commission of an infringement within the meaning of Article 15(2) of Regulation No 17/1962, without it being necessary to identify the persons who have acted wilfully or negligently within the undertaking which has been fined or who should have been held responsible for its possible defective organisation, the Court referred in this context, inter alia, to Article 15(4) of Regulation No 17/1962 (now Article 23(5) of Regulation No 1/2003), which provides that decisions imposing such a fine are not of a criminal law nature (see paragraphs 96 and 98 above). To the extent that the authority seeking review also refers in this context to the judgment of the ECJ of June 16, 2016, Evonik Degussa and Alzchem v. Commission, C-155/14 P, the ECJ does not address in this decision the requirement of naming natural persons whose violation of competition rules is attributed to a legal person. 
23	In contrast to the imposition of fines for breaches of Union competition rules, the fines to be imposed by the supervisory authority of a Member State for breaches of the DSGVO under Article 83(4) to (6) DSGVO are criminal penalties (cf. recital 150 of the DSGVO). Moreover, pursuant to Art. 83 para. 8 DSGVO, unlike with regard to the power of the European Commission to impose fines for infringements of European Union competition law, the exercise of the power of the supervisory authority of the individual Member State to impose sanctions must be subject not only to adequate procedural guarantees of Union law (such as the GRC), but also to those of the law of the Member States. In this respect, the imposition of fines by the European Commission for infringements of European Union competition law is not comparable to the imposition of fines by the supervisory authority of a Member State for infringements of the DSGVO under Art. 83 paras. 4 to 6 DSGVO. 24      On this basis, the case-law of the ECJ set out in the appeal concerning the lack of a duty to designate the persons who have acted culpably within an undertaking fined for an infringement of Union competition law is not relevant to proceedings concerning the imposition of fines by the supervisory authority of a Member State under Article 83 DSGVO. The omission of the naming of the natural person whose conduct is attributed to the legal person cannot therefore be based on this ECJ case law. 
 the possibility of concretising the lack of identification of the natural person whose 
Pursuant      to § 44a item 1 VStG, it is legally required to describe the offence with regard to the perpetrator and the circumstances of the offence in such detail that the assignment of the conduct to the administrative regulation which was violated by the offence is possible in consideration of all the elements of the offence (see VwGH 11.9.2019, Ra 2019/02/0094, marginal no. 24, mwN). 26 In the      present case, in the request for justification served on the co-invested party for the attention of its managing director under commercial law, the authority requesting the review did not name the natural persons whose conduct, which was deemed to be a constituent element of the facts, unlawful and culpable, was attributable to the co-invested party, but merely described them as "organs or employees" of the co-invested party. In the decision of the authority seeking an appeal, the party involved is 
party has not engaged in any criminal, unlawful and culpable conduct of a natural person attributable to it. Even in its statement of reasons, the authority seeking an appeal did not disclose which natural person actually committed the criminal, unlawful and culpable conduct attributable to the co-involved party with regard to the individual criminal charges. The authority seeking an appeal merely described the natural person(s) who committed the acts with the mere wording of Section 30 para. 1 of the DPA. 
27	Thus, the authority seeking an appeal has neither in the prosecution directed against the co-involved party nor, pursuant to § 44a VStG, in the decision of the penal court, sufficiently described the offence of a natural person named in detail in the sense of § 30, Subsection 1, DSG, which is to be attributed to the co-involved party, for the co-involved party to be punished. 
28	The act within the meaning of § 44a item 1 VStG is to be understood as one and the same conduct of the offender, irrespective of the legal assessment of the act. An insufficient description of the offence within the meaning of § 44a 
 
Z 1 VStG does not entitle the Administrative Court to revoke the penal decision. Rather, it is obliged to decide on the matter itself and to specify the offence in a manner corresponding to § 44a no. 1 VStG, but may not replace the offence. According to the principles of the case law of the courts, an inadmissible exchange of the charge constitutes an extension of the charge made by the administrative court in the appeal proceedings or the use of a different factual situation than that on which the punishment was originally based. The administrative courts have no authority to extend the subject matter of the proceedings beyond the subject matter of the administrative criminal proceedings within the meaning of § 50 VwGVG. For example, an extension of the period of the offence only in the appeal proceedings in administrative criminal cases before the administrative court constitutes an inadmissible extension of the offence and the subject matter of the proceedings within the meaning of § 50 VwGVG (see VwGH 13 December 2019, Ra 2019/02/0184, marginal nos. 13 - 15, mwN). 
29	As can be seen from the case-law of the Administrative Court on Ro 2018/02/0023, which is also applicable to the imposition of fines for violations of the DSGVO or the DSG in the present case, if the accusation is directed against the party involved as a legal party, the accusation against the natural person to be named in it is also included in the sentence because the criminal liability of the legal person depends on the violation by the natural person attributable to it. 
30	In the present case, the authority seeking an appeal has not named the natural person whose violation of the DSGVO or the DSG is to be attributed to the party involved in the case. Thus, in administrative criminal proceedings against the legal person, the specification of the natural person for whose conduct the legal person is held liable would only constitute an impermissible change of the allegation of the offence and the subject matter of the proceedings within the meaning of § 50 VwGVG in the appeal proceedings. 
31	The Administrative Court was therefore right to rectify the contested penal decision and discontinue the proceedings. 32      The appeal thus proves to be unfounded and had to be dismissed pursuant to § 42.1 of the Administrative Court Act. 
Vienna, 12 May 2020 
European Case Law Identifier 
ECLI:AT:VWGH:2020:RO2019040229.J00 
Page