VwGH - Ro 2019/04/0232
From GDPRhub
| VwGH - Ro 2019/04/0232 | |
|---|---|
 | |
| Court: | VwGH (Austria) |
| Jurisdiction: | Austria |
| Relevant Law: | Article 17 GDPR |
| Decided: | 28.03.2023 |
| Published: | 25.04.2023 |
| Parties: | |
| National Case Number/Name: | Ro 2019/04/0232 |
| European Case Law Identifier: | ECLI:AT:VWGH:2023:RO2019040232.J00 |
| Appeal from: | BVwG (Austria) |
| Appeal to: | Not appealed |
| Original Language(s): | German |
| Original Source: | VwGH (Austria) (in German) |
| Initial Contributor: | mg |
According to the Austrian Supreme Administrative Court, a data subject can identify which data should be deleted under Article 17 GDPR. However, a controller does not have to limit the deletion to those data.
English Summary
Facts
The data subject made an erasure and a rectification request to the controller – a credit ranking agency. The controller deleted all the data concerning the data subject.
The data subject lodged a complaint with the Austrian DPA for excessive erasure and violation of the right to data rectification. The Austrian DPA upheld the complaint with regard to the excessive erasure and rejected the part concerning data rectification. In particular, rectification was no longer possible after the controller deleted all the data subject’s personal data.
The data subject appealed the decision before the Federal Administrative Court (Bundesverwaltungsgericht – BVwG). The court rejected the appeal and overturned the DPA decision also in the part concerning the alleged excessive erasure. According to the court, the data subject’s claim that the erasure was excessive was based on the fact that the complete lack of information on the data subject in the databases of the controller could be interpreted by a third party as lack of creditworthiness. The court rejected this argument and stated that due to the complete lack of personal data following the erasure no processing could take place: mere assumptions by third parties that are based on non-existence of certain data do not constitute processing and are therefore not subject to the GDPR. Therefore, right to erasure pursuant to Article 17 GDPR was not violated. Again due to the lack of information after the deletion, the right to rectification pursuant to Article 16 GDPR did not come into play at all.
The data subject appealed the decision before the Supreme Administrative Court.
Holding
The Supreme Administrative Court dismissed the appeal. The court acknowledged that a data subject has in principle the right to a partial deletion pursuant to Article 17 GDPR. However, this does not entail that a complete deletion of data by the controller violates the right to erasure. As a matter of fact, the controller – at least in this case – was under no legal obligation to process the data which the data subject asked to restore. More in general, the Supreme Administrative Court upheld the argument that a “processing” under the GDPR necessarily requires a "positive" element. The mere lack of data points about an identifiable person cannot be considered processing within the meaning of the GDPR.
Comment
The legal issue arising from this case is a difficult one. On the one hand, it is true that controllers are under no direct GDPR obligation to process personal data, unless EU or national law impose processing. On the other hand, it is clear that the controller could use erasure of data whose deletion was not asked by the data subject to retaliate against the exercise of rights by the latter.
Two solutions may be identified in the context of the GDPR: the first is to consider erasure a violation of the principle of fairness, pursuant to Article 5(1)(a). This could be argued whenever the controller uses a broad erasure to discourage the data subject's attempts to obtain a narrower deletion of information. Another way is to stick to the definition of processing under Article 4(2), which clearly encompasses erasure. As any other processing operation, erasure requires a valid legal basis. The controller could potentially base a complete erasure on legitimate interest, but they shall also prove that such an interest overrides rights and interests of the data subject, such as the interest to prove one's creditworthiness.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
Regarding The Administrative Court, through the Chairman of the Senate, Dr. Handstanger, Hofrat Dr. Mayr, Hofrätin Mag. Hainz-Sator and Hofrätin Dr. Pürgy and Mag. Brandl as judges, with the participation of the secretary Mag. Vonier, on the revision of the data protection authority in 1030 Vienna, Barichgasse 40-42, against the decision of the Federal Administrative Court of August 22, 2019, Zl. W256 2213660-1/4E, regarding a data protection matter (participating parties: 1. C GmbH in W, represented by Dr. Friedrich Gatscha, lawyer in 1010 Vienna, Stubenring 24, and 2. R K in O, represented by Dr. Michael-Paul Parusel, lawyer in 1010 Vienna, Stadiongasse 6-8), rightly recognized: saying The appeal is dismissed as unfounded. The federal government must reimburse the first party involved for expenses of EUR 1,106.40 within 14 days, otherwise execution. Reason I. Roman one. 1 1. By decision of the data protection authority (revision advertiser) of December 5, 2018, the data protection complaint of the second -person party was partially granted and found that the initial part of the party (as the operator of a loan, in accordance with Section 152 GewO 1994) the second part -part party both in the right to secrecy also violated the right to erasure by exceedingly complied with the partial erasure request of the second party involved and erasing all data (paragraph 1). With regard to the violation of the right to rectification alleged by the second party involved and the related request to have the first party involved correct or restore the general information of the second party involved, the appeal was dismissed (point 2). With the decision of the data protection authority (revision applicant) of December 5, 2018, the data protection complaint of the second party involved was partially granted and it was found that the first party involved (as the operator of a credit reporting agency according to paragraph 152, GewO 1994) the second party involved both in the right to secrecy and in the violated the right to erasure by exceedingly complied with the partial erasure request of the second party involved and erasing all data (paragraph 1). With regard to the violation of the right to rectification alleged by the second party involved and the related request to have the first party involved correct or restore the general information of the second party involved, the appeal was dismissed (point 2). 2 The data protection authority justified the rejection in point 2 with the fact that due to the complete deletion of the data of the second party involved, a correction or restoration of the same is essentially not possible because the factual existence of a data record to be corrected is a prerequisite for a correction. Consequently, no performance order was to be issued. 3 2. The second party involved lodged a complaint with the Federal Administrative Court against this decision (“in particular with regard to clause 2 [...]”) and argued that in clause 1 of the decision the first party involved had found a violation of applicable law had been. Nevertheless, as can be seen from point 2, this need not fear any consequences. In addition, the data protection authority came to the incorrect conclusion that a recovery requires the existence of a data set. It is therefore requested that the Federal Administrative Court should uphold the appeal and set aside the decision in relation to point 2 and amend it so that the first party involved is instructed to restore the generalia of the second party involved. 4 3.1. With the contested decision of August 22, 2019, the Federal Administrative Court upheld the complaint and changed the decision so that the decision as a whole should read: "The complaint is dismissed as unfounded." The Federal Administrative Court declared the ordinary revision to be admissible. 5 3.2. In the reasoning, the Federal Administrative Court - with reference to the transitional provision of Section 69 (4) DSG - with reference to the transitional provision of Section 69, Section 4, DSG - first stated that in the present case the Regulation (EU) 2016/679 of the European Parliament and Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data, on the free movement of data and on the repeal of Directive 95/46/EC (General Data Protection Regulation [hereinafter: GDPR]) and the Data Protection Act (FADP), Federal Law Gazette No. 165/1999 in the version of Federal Law Gazette I No. 24/2018. first notes that in the present case Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data, on the free movement of data and repealing Directive 95/46/EC ( General Data Protection Regulation [hereinafter: GDPR]) and the Data Protection Act (DSG), Federal Law Gazette No. 165 from 1999, in the version of Federal Law Gazette Part One, No. 24 from 2018, are decisive. 6 With regard to the scope of the examination, the Federal Administrative Court stated that the second party involved had opposed the excessive deletion of their name and address by the first party throughout the entire process. According to the argument of the second party involved, the latter ignored the restricted request for deletion and thus violated the second party's right to deletion. In addition, the first party involved refuses to restore this data of the second party involved, which is why their right to correction according to § 1 Para. 3 Z 3 DSG or to correction according to Art. 16 GDPR is violated. ignores the limited request for deletion and thus violates the second party's right to deletion. In addition, the first party involved refuses to restore this data of the second party involved, which is why their right to correction according to paragraph one, paragraph 3, number 3, DSG or to correction according to Article 16, DSGVO is violated. 7 The present complaint is now directed against the fact that the data protection authority found the excessive deletion of the data to be unlawful, but did not instruct the first party to rectify this unlawful situation (namely the restoration of the data). It already follows from Section 24 (5) second sentence DSG that the desired elimination of the unlawful state determined by the data protection authority in clause 1. The present complaint is now directed against the fact that the data protection authority found the excessive deletion of the data to be unlawful, but the elimination of this unlawful condition (namely the restoration of the data) did not instruct the first party involved. It already follows from paragraph 24, paragraph 5, second sentence DSG that the requested elimination of the unlawful state determined by the data protection authority in clause 1 - namely the restoration of the data - is inseparably connected with the determination of the infringement of the law itself and can therefore not be assessed separately from each other could. The adjudicating administrative court was therefore reluctant to comprehensively review the determination of the violation of rights and thus the contested decision. 8 In the matter, the Federal Administrative Court held that the second party involved alone opposed the excessive deletion because this gave the querying third party the impression of poor creditworthiness. The data protection authority followed suit and assumed that this (excessive) deletion, which gave the impression of poor creditworthiness, would have to be qualified as processing contrary to good faith and thus as unlawful. 9 However, according to the Federal Administrative Court, this view of the data protection authority cannot be shared. Personal data within the meaning of the GDPR is all information that relates to an identified or identifiable person. Data that could be assigned to a natural person by using additional information should be regarded as information about an identifiable person. The mere assumption (not based on any such additional information) that data could be assigned to a specific person does not justify identifiability and therefore no personal reference. 10 In the present case, the first party involved as a credit agency is entitled to process information relevant to creditworthiness in accordance with § 152 GewO 1994, but a legal obligation to do so cannot be derived. There is therefore no obligation for the first party involved to leave the entry in its file reduced by a data record affected by the request for deletion. Also, in the absence of this statutory obligation to process data in the event of non-processing, no suitable conclusions (going beyond mere assumptions) about the person of the second party involved and their creditworthiness could be drawn. The possible speculative assumption by third parties that the second party involved is uncreditworthy if the first party does not process it, can therefore under no circumstances be equated with the processing of personal data by the first party involved 1994 authorized to process information relevant to creditworthiness, but a legal obligation to do so cannot be derived. There is therefore no obligation for the first party involved to leave the entry in its file reduced by a data record affected by the request for deletion. Also, in the absence of this statutory obligation to process data in the event of non-processing, no suitable conclusions (going beyond mere assumptions) about the person of the second party involved and their creditworthiness could be drawn. The possible speculative assumption by third parties that the second party involved is uncreditworthy if the first party does not process it can therefore under no circumstances be equated with the processing of personal data by the first party involved. 11 However, since the fundamental right to data protection is based exclusively on the processing of personal data, the second party involved cannot exercise its right to data protection through the deletion in question for that reason alone, and thus, as a further consequence, certainly not its right to deletion and rectification ( completion) may be injured. Since there was no violation of rights by the second party involved, the decision had to be taken in accordance with the verdict. A closer discussion about a performance mandate could not have been done with this result. 12 The Federal Administrative Court declared the appeal admissible because there was no case law on the question of whether the non-inclusion of a party in the file of a credit agency pursuant to § 152 GewO 1994 is equivalent to data processing on their credit (un)worthiness within the meaning of the DSG or the GDPR. The Federal Administrative Court declared the appeal admissible because there was no case law on the question of whether the non-inclusion of a party in the file of a credit agency in accordance with Section 152, GewO 1994 is equivalent to data processing on their credit (un)worthiness within the meaning of the DSG or the GDPR. 13 4. The present ordinary official revision is directed against this finding. 14 The first party involved submitted a response to the appeal in which it applied for the fee-based return or possibly the dismissal of the appeal. II.Roman II. The Administrative Court considered: 15 1. The revision proves to be admissible with regard to the reasons accepted by the Federal Administrative Court, but not justified for the following considerations. 16 2.1. The appeal is initially against the scope of the audit accepted by the Federal Administrative Court. The complaint of the second party involved was directed exclusively against point 2 of the contested decision, namely against the fact that the first party involved was not instructed to correct or restore the data and the request in this regard was rejected. The opinion of the Federal Administrative Court that the contested decision must be examined comprehensively because clause 1 is inextricably linked to clause 2 is not shared. According to the appeal, it is rather a matter of different rights that are very much amenable to independent assessment. The right to secrecy and erasure is not inseparable from the right to rectification or in terms of content, which also results from the system of the GDPR. Since only a part of several separable claims was contested in the complaint, the Federal Administrative Court should only have ruled on this. 17 2.2. According to the jurisprudence of the Administrative Court - which was also referred to by the appeal - the administrative court must in principle decide the matter itself and thus not only settle the complaint lodged against the administrative decision, but also the matter to be decided by the administrative authority was. However, this authority to examine is not unlimited, rather its outermost scope is the "matter" of the challenged decision; this framework is further restricted in cases where the official decision is separable, if only a part of several separable claims is contested in the appeal. Claims can be separated if each part is accessible to a separate claim without an internal connection to other parts (cf. VwGH 9.9.2015, Ro 2015/03/0032, VwGH 12.9.2018, Ra 2015/08 /0032, and VwGH 27.8.2020, Ra 2020/15/0035). Jurisdiction of the Administrative Court, the administrative court has to decide in principle in the matter itself and thus not only to settle the complaint brought against the administrative decision, but also the matter that had to be decided by the administrative authority. However, this authority to examine is not unlimited, rather its outermost scope is the "matter" of the challenged decision; this framework is further restricted in cases where the official decision is separable, if only a part of several separable claims is contested in the appeal. Claims can be separated if each part is accessible to a separate claim without an internal connection with other parts, compare VwGH 9.9.2015, Ro 2015/03/0032, VwGH 12.9.2018, Ra 2015/08/0032 , and VwGH 27.8.2020, Ra 2020/15/0035). 18 In the present constellation, however, an internal connection between point 1 and point 2 of the decision of the data protection authority can be assumed, because the (uncontested) determination of the data protection authority in point 1, according to which the second party involved both in the right to secrecy and in the right for deletion is violated, the Federal Administrative Court is restricted in its decision as to whether there is a violation of the right to correction and whether the application for the correction or restoration of the generals is to be granted or not (point 2). For example, the Federal Administrative Court could not reject the application for benefits on the grounds that in the present case - due to the lack of processing of personal data - there was no violation of the right to secrecy. The decision in point 1 has a significant influence on the decision in point 2 (cf. in this sense on the separability of claims also VwGH 28.2.2013, 2012/10/0074). In the present constellation, however, there is an inner connection between Point 1 and point 2 of the decision of the data protection authority, because the (uncontested) finding of the data protection authority in point 1, according to which the second party involved was violated both in the right to secrecy and in the right to deletion, the Federal Administrative Court in its decision whether there is a violation of the right to rectification and the request for the rectification or restoration of the generals is to be granted or not (point 2), restricted. For example, the Federal Administrative Court could not reject the application for benefits on the grounds that in the present case - due to the lack of processing of personal data - there was no violation of the right to secrecy. The decision in point 1 thus has a significant influence on the decision in point 2 (cf. VwGH 28.2.2013, 2012/10/0074) in this sense on the separability of claims). 19 3. If the appeal complains that the Federal Administrative Court wrongly referred to the legal situation applicable at the time of the decision (thus the DSG and the GDPR) in connection with the determination of "completed events", § 43 para. 2 VwGG can basically refer to the Statements in the decisions VwGH February 23, 2021, Ra 2019/04/0054, and VwGH September 2, 2021, Ra 2019/04/0108. In the present case, too, the appeal does not show that the facts on which the Federal Administrative Court based its decision would have to be assessed differently under application of the DSG 2000. To the extent that the appeal complains that the Federal Administrative Court had wrongly referred to the legal situation applicable at the time of the decision (thus the DSG and the GDPR) can basically refer to paragraph 43, paragraph 2, VwGG on the statements in the findings VwGH 23.2.2021, Ra 2019/04/0054, and VwGH 2.9. 2021, Ra 2019/04/0108. In the present case, too, the appeal does not show that the facts on which the Federal Administrative Court based its decision would have to be assessed differently in legal terms if the DSG 2000 were applied. 20 4.1. The appeal on the law argues that the Federal Administrative Court misjudges the case law of the Supreme Court that is relevant in the present case. In a more detailed decision on credit information agencies pursuant to § 152 GewO 1994, the latter made it unmistakably clear that a data subject with a right that requires an application must be free to request the deletion of just part of the data as a "minor". The Supreme Court has also clearly stated that the legislature places the right to erasure exclusively at the discretion of the person concerned. If you look at this statement in the overall structure of the decision, it turns out that the Supreme Court very well affirmed a partial deletion. The possibility of exercising a partial right to erasure also arises from the fact that certain personal data of a data subject no longer meet the requirement of being correct and up-to-date, while this may still be the case for other parts of the data. It must also be possible to delete only a part of the data record in order to comply with the principles of § 6 DSG 2000 and Art. 5 GDPR. In the matter, the appeal argues that the Federal Administrative Court misjudges the relevant case law of the Supreme Court. In a more detailed decision on credit information agencies in accordance with Section 152, GewO 1994, the person concerned must be free to request the deletion of just part of the data as a "minus" if a right requires an application. The Supreme Court has also clearly stated that the legislature places the right to erasure exclusively at the discretion of the person concerned. If you look at this statement in the overall structure of the decision, it turns out that the Supreme Court very well affirmed a partial deletion. The possibility of exercising a partial right to erasure also arises from the fact that certain personal data of a data subject no longer meet the requirement of being correct and up-to-date, while this may still be the case for other parts of the data. It must also be possible to delete only part of the data set in order to comply with the principles of paragraph 6, DSG 2000 or Article 5, GDPR. The revision also argues that “negative entries” in creditworthiness databases are also meaningful. The deletion of the entire record in a credit agency's database creates the impression (apparently intended) that the person concerned is not creditworthy. In this respect, there is a very real danger that the wrong image will be conveyed. The non-appearance in the context of a creditworthiness database is to be qualified as processing because negative entries in creditworthiness databases are also meaningful. 21 4.2. With this argument, the appeal on the law does not succeed in showing that the contested decision is unlawful: In its judgment of October 1, 2008, 6 Ob 195/08g, referred to both by the appeal and by the Federal Administrative Court, the Supreme Court in connection with credit reporting agencies pursuant to § 152 GewO 1994 (with reference to the legal materials) stated that the Legislators thought it sensible to grant people the right to object to being included in such directories if, contrary to the average assessment of confidentiality interests, they fear that their interests would be violated by the inclusion of their data in such a directory. The possibility of objection ensures that, on the one hand, directories of this type, which the vast majority of the population finds sensible and useful, can legally exist and, on the other hand, that interests that deviate from the average can be taken into account accordingly. For the Supreme Court, this means that the legislature places the right to erasure exclusively at the discretion of the person concerned. A demonstration of a special interest in secrecy or interests that are objectively worthy of protection is therefore not relevant. Judgment of October 1, 2008, 6 Ob 195/08g, in connection with credit reporting agencies pursuant to Section 152, GewO 1994 (with reference to the legal materials), that it seemed sensible to the legislator to grant people a right to object to inclusion in such directories, if, contrary to the average assessment of confidentiality interests, they fear that their interests will be violated by including their data in such a directory. The possibility of objection ensures that, on the one hand, directories of this type, which the vast majority of the population finds sensible and useful, can legally exist and, on the other hand, that interests that deviate from the average can be taken into account accordingly. For the Supreme Court, this means that the legislature places the right to erasure exclusively at the discretion of the person concerned. A demonstration of a special interest in secrecy or interests that are objectively worthy of protection is therefore not relevant. The OGH 6 Ob 195/08g judgment and the statement by the Supreme Court that the person concerned was also entitled to request partial deletion were based on a situation in which the operator of the credit agency refused to delete the data relating to the plaintiff in its entirety and also opposed the wording of the complaint. In addition, the Supreme Court made it clear that the person concerned (although the law only speaks of an objection to being included in a file) is also free to request the deletion of just part of the entry as a mere minus. However, the Supreme Court has also stated that this does not affect the legitimate interests of the operator of the credit reporting agency, because he is not obliged to leave the entry in his file reduced by the data record affected by the request for deletion. 22 However, it is neither said nor can the conclusion be drawn from this that a deletion of data going beyond a partial request for deletion leads to a violation of the right to deletion. 23 "Delete" means a measure with the effect that the client no longer has the data (cf. "Delete" means a measure with the effect that the client no longer has the data, compare Jahnel, data protection law [2010] para. 3/112). Accordingly, the purpose of the right to erasure is to irreversibly deny the data user access to certain personal data and to make it permanently impossible for the client and all persons attributable to him to gain knowledge of the material information (cf. Data Protection Law [2010] margin no. 3/112 ). Accordingly, the purpose of the deletion claim is that the data user is irreversibly deprived of access to certain personal data and that the client and all persons attributable to his sphere are permanently unable to gain knowledge of the material information see Ennöckl, Der Schutz der Datenschutz in der Europäische Datenverarbeitung [2014 ] 463 mwN). Based on this, the right to erasure cannot be violated by a complete erasure (already conceptual) that goes beyond a partial erasure request. 24 The same applies to the alleged violation of the right to secrecy. 25 It is true that creditworthiness data is generally considered to have a “special level of intervention” in the right to secrecy (cf. Although creditworthiness data is generally considered to have a “particular level of interference” in the right to secrecy, compare Thiele/Wagner, DSG [2022] § 1 para. 138 mwN) . In the present context, however, it must also be taken into account that the existence of personal data requires a material element, i.e. information about a data subject must be provided. This criterion is to be understood broadly and includes all types of information that can be given about an individual person without being restricted on a content level. However, statements that do not convey any information cannot represent any data due to a lack of material information (cf., DSG [2022] paragraph one, margin no. 138 with further references). In the present context, however, it must also be taken into account that the existence of personal data requires a material element, i.e. information about a data subject must be provided. This criterion is to be understood broadly and includes all types of information that can be given about an individual person without being restricted on a content level. Statements that do not convey any information, but cannot represent any data due to a lack of material information, compare Ennöckl, loc.cit., 108). 26 The object of the free trade of the credit reporting agencies according to § 152 GewO 1994 is the provision of information about credit relationships for business purposes (cf. the object of the free trade of the credit reporting agencies according to Paragraph 152, GewO 1994 is the providing of information about credit relationships for business purposes, compare Stolzlechner etc al, GewO4 [2020] § 152 margin no. 2). However, these "credit rating databases" (allowed according to the GewO 1994) are not legally required to be included in a publicly accessible file. Section 152 GewO 1994 only provides for the possibility of maintaining such a database, but it cannot be regarded as a legal mandate to collect data (cf. [2020] paragraph 152, margin no. 2). However, these "credit rating databases" (allowed according to the GewO 1994) are not legally required to be included in a publicly accessible file. Paragraph 152, GewO 1994 only provides for the possibility of maintaining such a database, but it cannot be regarded as a legal obligation to collect data, compare Riesz, § 152 in: Ennöckl/N. Raschauer/Wessely [ed.], GewO Vol. II [2015] margin no. 2, as well as OGH January 21, 2015, 17 Os 43/14y), paragraph 152, in: Ennöckl/N. Raschauer/Wessely [editors], GewO Vol. Roman II [2015] margin no. 2, as well as OGH January 21, 2015, 17 Os 43/14y). 27 Contrary to the appeal on the law, the fact that it does not (or no longer) appear does not allow any compelling conclusions to be drawn about the creditworthiness of the person concerned. This means that the non-appearance (no longer) does not represent personal data in the sense described above, which is why the right to secrecy cannot be violated by the complete deletion of the data of the second party involved, which goes beyond a partial deletion request. Insofar as any economic disadvantages for the person concerned are alleged, this does not lead to any other result for the data protection assessment relevant here. 28 5. For the reasons set out, the revision was to be dismissed in accordance with Section 42 (1) VwGG. For the reasons set out, the revision in accordance with Section 42, paragraph one, VwGG was to be dismissed. 29 The decision on reimbursement of expenses is based on §§ 47 ff VwGG in conjunction with the VwGH Vienna, March 28, 2023
