VwGH - Ro 2021/04/0033: Difference between revisions

From GDPRhub
No edit summary
Line 82: Line 82:


== Comment ==
== Comment ==
''Share your comments here!''
This is a surprising decision with potential adverse effects: even when the privacy policy of the contrroller refers to a legal basis (such as consent) the court considered that the DPA should solve the problem and fine another legal basis which might be appropriate. This should not be the role of DPA: the legal basis should be announced priori to th eprocessing in oder for the data subjects and the DPAs to assess a posteriori.
 
Announcing the legal ground for processing is also a requirement under the GDPR: allowing the party to change or discuss another legal ground during the procedure would undermine the whole purpose of transparency and priori announcement of the legal ground for processing. 
 
The fact the "wrong" legal basis was announced in the privacy policy shouild also be sanctioned as violation.


== Further Resources ==
== Further Resources ==

Revision as of 11:00, 7 April 2022

VwGH - Ro 2021/04/0033
Courts logo1.png
Court: VwGH (Austria)
Jurisdiction: Austria
Relevant Law: Article 6(1)(a) GDPR
Article 6(1)(f) GDPR
Article 58(2)(f) GDPR
Decided: 08.02.2022
Published: 14.03.2022
Parties: J*Club
National Case Number/Name: Ro 2021/04/0033
European Case Law Identifier: ECLI:AT:VWGH:2022:RO2021040033.J00
Appeal from: BVwG (Austria)
W256 2227693-1
Appeal to:
Original Language(s): German
Original Source: Rechtsinformationssystem des Bundes (in German)
Initial Contributor: kc

The Austrian Supreme Administrative Court held that the previous instance court had to take into account all possible legal bases for processing pursuant to Article 6(1) GDPR even if the data protection authority had only based its investigation on Article 6(1)(a) GDPR.

English Summary

Facts

The controller operates a cross-company and cross-sector customer loyalty programme called "J*Club". Customers of participating retail outlets can register as members, collect points based on their purchases and subsequently redeem these points to receive discounts, etc. According to the privacy policy, the legal basis for the processing is consent pursuant to Article 6(1)(a) GDPR which is voluntary and can be revoked at any time.

In October 2019, the Austrian Data Protection Authority (DSB) conducted ex officio investigations and found that the controller's procedure did not fulfill the requirements of consent, therefore Article 6(1)(a) GDPR could not be used as a legal basis for processing. Since the controller had not made use of other legal bases, the processing was unlawful.

The controller appealed that decision before the Federal Administrative Court (BVwG). It argued that it had used legitimate interest, Article 6(1)(f) GDPR, beside consent as a legal basis.

Subsequently, in December 2019, the DSB amended its decision. It held that 1) the request for consent by the controller does not meet the requirements pursuant to Article 4(11) GDPR and Article 7 GDPR and that no other legal basis can be considered and the aforementioned processing is therefore unlawful. 2) the controller shall be prohibited from processing personal data for the purpose of profiling within the scope of Clause 1 and 3. 3) the complainant shall be granted a period of six months to implement point 2.

The BVwG granted the controller's appeal and annuled the decision in its entirety without replacement. It held that the DSB had incorrectly only based its decision on the lack of consent and not on other possible legal bases, thus not performed an exhaustive investigation. According to the BVwG, the sole examination of the legal basis of consent could not necessarily establish a violation of the principle of lawfulness and thus also no entitlement to the remedial power under Article 58(2)(d) and (f) GDPR based on that violation. However, the BVwG did not examine the existence of another basis for processing itself.

The DSB appealed before the Administrative Supreme Court (VwGH).

Holding

The VwGH partly upheld the BVwG decision.

Regarding point 1) of the DSB decision, the VwGH agreed with the BVwG that Article 58(2)(d) and (f) GDPR do not provide a legal basis for a separate appeal in the form of a determination of the infringement that is the reason for the remedial decision. A legal basis for a separate determination of the lawfulness of the administrative review procedure conducted by the authority is not apparent. Therefore, point 1) of the DSB decision had to be reversed without replacement.

Regarding point 2) and 3), the VwGH overturned the BVwG decision. The BVwG had applied the wrong scope. It was not limited on the application of Article 6(1)(a) GDPR, instead the BVwG should also have taken into consideration other bases for processing pursuant to Article 6(1) GDPR.

The VwGH did not perform further legal assessment due to the lack of findings by the BVwG.

Comment

This is a surprising decision with potential adverse effects: even when the privacy policy of the contrroller refers to a legal basis (such as consent) the court considered that the DPA should solve the problem and fine another legal basis which might be appropriate. This should not be the role of DPA: the legal basis should be announced priori to th eprocessing in oder for the data subjects and the DPAs to assess a posteriori.

Announcing the legal ground for processing is also a requirement under the GDPR: allowing the party to change or discuss another legal ground during the procedure would undermine the whole purpose of transparency and priori announcement of the legal ground for processing.

The fact the "wrong" legal basis was announced in the privacy policy shouild also be sanctioned as violation.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

regarding

The Administrative Court, through the Chairman of the Senate, Dr. Handstanger, the privy councilor Mag. Hainz-Sator and the privy councilor Dr. Pürgy as a judge, with the participation of the secretary Mag. Schara, on the revision of the data protection authority in 1030 Vienna, Barichgasse 40-42, against the decision of the Federal Administrative Court of August 31, 2021, Zl. W256 2227693-1/10E, regarding proceedings according to Art . 58 General Data Protection Regulation (participating party: U GmbH, represented by CMS Reich-Rohrwig Hainz Rechtsanwälte GmbH in 1010 Vienna, Gauermanngasse 2), rightly recognised:

saying

The appeal is partially followed and the contested finding is lifted to the extent that points 2 and 3 of the preliminary appeal decision of December 11, 2019 are eliminated without replacement due to the illegality of the content.

The appeal is dismissed in its scope of appeal going beyond this - regarding the elimination of point 1 of the preliminary appeal decision of December 11, 2019 without replacement.

There is no reimbursement of expenses.

Reason

1 1. The contested finding results in the following undisputed facts:

2 1.1. The party involved operates a cross-company and cross-industry customer loyalty program called "J*Club". Customers of the participating stores can register as members, collect points based on their purchases and then redeem them for discounts etc. As part of the member registration, point 4.4. of the data protection declaration under the heading "Automated processing and analysis (profiling for target group selections,[...])" pointed out that the operator, with the consent of the (club) member, is solely responsible for the member master data and purchasing data processed by himself and by the partners of the members for the automated personalization of advertising and marketing measures, analyze and thus gain new marketing profiling data. The legal basis for processing is consent in accordance with Art. 6 Para. 1 lit. a GDPR. According to point 4.4.6. According to the data protection declaration, this consent is voluntary and can be revoked at any time.

3 1.2. The authority concerned before the administrative court (hereinafter: appeal applicant) initiated an ex officio examination procedure against the participant in connection with the processing of personal data in the context of the registration of customer data for the purpose of personalized advertising strategies carried out by the participant for the customer loyalty program. Among other things, the party involved was asked to explain in what form the consent of the persons concerned was obtained for receiving personalized advertising and the information requirements according to Art. 13 GDPR were met.

4 In a decision dated October 23, 2019, the appeal applicant - summarized here - stated that the ex officio examination procedure was justified and determined that the request for consent to the processing of personal data from the persons registered with "J*Club". for the purpose of profiling by those involved with a specific wording does not meet the requirements for consent in accordance with Art. 4 Z 11 GDPR and Art. 7 GDPR and consequently the processing of personal data is inadmissible in the absence of valid consent (point 1.). Furthermore, the co-participant was instructed to adjust the obtaining of consent in accordance with Art. 4 Z 11 GDPR and Art. 7 GDPR within a period of three months, otherwise execution (point 2.). Furthermore, the participants were prohibited from using the consent obtained in accordance with point 1 for the purpose of profiling from May 1, 2020, unless valid consent was obtained from the data subjects within the same period (point 3).

In this notification, the appeal applicant stated that the consent to profiling that was the subject of the proceedings was obtained from the members in different forms of registration, whereby the requirements of Art. 4 Z 11 GDPR or Art. 7 GDPR for the form of consent in none of the possible types of registration will be met. Namely, the information about profiling would not be available in an easily accessible form, nor would it be formulated in clear and simple language. The consents could therefore not be used as a legal basis in accordance with Art. 6 Para. 1 lit. a GDPR. The co-participants did not rely on legitimate interests. Moreover, a weighing of interests would not be in favor of the parties involved. Therefore, neither the consent according to Art. 6 Para. 1 lit persons is not permitted. Due to the determination of a violation of Art. 7 Para. 2 GDPR and the lack of a legal basis for the data processing in question, the corresponding remedial orders had to be issued. Those involved are free to establish lawful data processing by obtaining new declarations of consent.

1.3. The party involved appealed against this decision to the Federal Administrative Court. Among other things, the latter argued that the legal basis for the processing was not only consent under Article 6 (1) (a) GDPR, but also the legitimate interest of those involved under Article 6 (1) (f) GDPR. The merging of different data and selection criteria with the aim of orienting advertising measures as closely as possible to the actual interests of those affected serves the legitimate interests of both parties. In this way, the person concerned is not bothered with unnecessary advertising. In addition, data processing can also be based on Art. 6 Para. 4 GDPR and the possibility of further processing. The justification for the decision is based exclusively on the examination of the legal basis of the consent. Other legal bases were not examined. In no way did the appeal applicant deal with the interests of those involved and those affected and did not make any statements in this regard.

1.4. As a result, on December 11, 2019, the appeal applicant made the preliminary appeal decision that is the subject of the proceedings and changed the ruling of the first decision so that it read overall (anonymization by the Administrative Court):

"1. The official examination procedure was justified and it is determined that

a) the request for consent to the processing of personal data from the data subjects registered at 'J*Club' for the purpose of profiling by the complainant with the wording '[...]' using the methods

i) Website 'www.J*-Club.at' and ii) Registration brochure ('Flyer')

does not meet the requirements for consent in accordance with Art. 4 Z 11 GDPR and Art. 7 GDPR and that

b) for the previous processing of personal data of the data subjects registered at 'J*Club' for the purpose of profiling by Ö*Club GmbH in addition to the consent obtained using the methods i) website 'www.J*-Club. at' and ii) registration brochure ('flyer') were obtained, no other legal basis under Art. 6 GDPR can be considered and the aforementioned previous processing is therefore unlawful.

2. Ö*Club GmbH is prohibited from processing the personal data of the data subjects registered at 'J*Club' for the purpose of profiling to the extent of clause 1.

3. The complainant is granted a period of six months to implement point 2."

The appellant explained that the methods mentioned in point 1, the registration via website and flyer, do not meet the requirements for a transparent and clearly visible obtaining of consent, which is why this is not a valid legal basis according to Art. 6 Para. 1 lit. a GDPR can be used. The party involved relied exclusively on this legal basis throughout the entire procedure, which is why other legal bases brought up in the complaint should not be taken into account. The supervisory authority has to check the processing operations using the processing directory, where the sole legal basis for the procedure is consent. It is not the task of the supervisory authority to use a "substitute permit". Rather, it is up to the person responsible to prove that they comply with the principles of the GDPR. In addition, the person responsible must decide in advance on which legal basis he bases his processing. It contradicts the principle of good faith if a person responsible, after consent has turned out to be invalid, subsequently relies on another legal basis. Insofar as the other party based the processing of the personal data on the legal basis of consent and did not point out an additional legal basis or further processing according to Art. 6 Para. 4 GDPR, they could no longer base the data processing on these legal bases. In addition, a weighing of interests would be to the detriment of those involved, because an accurate picture of the economic and social situation of the persons concerned would be created on the basis of the profiling. This should not be qualified as a harmless invasion of privacy. The economic advantage cannot justify the intervention in this. Furthermore, Art. 6 Para. 4 GDPR does not represent an independent legal basis, but requires a valid legal basis according to Art. 6 Para. 1 GDPR. In the absence of a legal basis, a corresponding ban should be imposed.

In a letter dated December 27, 2019, the co-participant submitted an application for submission and pointed out that the auditing powers had been exceeded by the appeal applicant. In addition, the co-participant explained that a statutory permit would not be omitted because additional consent was obtained. According to the system of the GDPR, the revocation of consent does not per se lead to inadmissible data processing. The applicability of the legal permissions does not depend on the person responsible having referred to the participation data and purchasing data used for profiling in accordance with point 4.1. and point 4.2. of the data protection declaration would be used on the legal basis of Art. 6 Para. 1 lit. b GDPR for the administration of the membership and for the processing of the customer loyalty program. Art. 6 para. 4 GDPR is therefore very much an option with regard to the further processing of the data. A balancing of interests in accordance with Art. 6 Para. 1 lit. f GDPR is by no means ruled out.

2. With the decision contested here, the Federal Administrative Court upheld the complaint of the parties involved without conducting an oral hearing and annulled the preliminary decision on the complaint as a whole without replacement. The appeal declared it admissible.

2.1. Without making any findings beyond the description of the course of the proceedings, the administrative court stated that the appeal applicant had limited the subject of the examination in her initial decision to the review of the declarations of consent as the legal basis for the data processing at issue in the proceedings. An examination of the other possible legal bases under Art. 6 GDPR did not take place. This was obviously not the subject of the examination and investigation procedure carried out ex officio. In doing so, the appeal applicant referred to her powers under Art. 58 (2) lit. d and f GDPR when issuing the decision. These powers of remedial action would each presuppose that a (determined) violation of the GDPR had occurred. However, the appellant failed to recognize that the examination of the legality of data processing was solely her responsibility and that she was not bound by a standard application claim by the person responsible in this assessment. The principle of lawfulness, which governs the entitlement or obligation to process, is not necessarily linked to the principles of transparency and fairness, which govern the manner in which processing is carried out. Another view would mean that any violation of the way of processing would result in the unlawfulness of the data processing and that even in the case of legitimate or even mandatory data processing, deletion would have to take place. However, such an exception-free obligation to delete cannot be derived from the GDPR. Moreover, it is clear from the wording of Art. 6 Para. 1 GDPR that the lawfulness of data processing can be based not only on one, but possibly on several legal bases that are of equal importance. The fact that, in the event of invalid consent, it is generally not possible to resort to other legal provisions of Art. 6 GDPR if the data subject has not been informed beforehand, cannot be inferred from the guidelines of Art. 29 Data Protection Group cited by the appealant. Rather, the statements there refer to the constellation of the revocation of a declaration of consent. Recital 47 of the GDPR also cannot be inferred that the lack of a declaration of consent makes any consideration of possible legitimate interests of a person responsible in the processing superfluous from the outset. The view of the appeal applicant that an invalid declaration of consent in connection with a lack of information from the person concerned about other legal bases in any case leads to unlawful data processing and makes it unnecessary to check the other possible legal bases, cannot therefore be followed. Solely dealing with the legal basis of the consent cannot therefore justify a violation of the principle of legality and thus no entitlement to take remedial action based on it under Art. 58 (2) lit. d and f GDPR. The preliminary decision on the appeal should therefore be remedied in its entirety without replacement. The appeal applicant is not prevented from issuing any instructions in accordance with Art. 58 (2) GDPR in a new official procedure with a changed subject matter. With this result, there is no need to deal with the (in)validity of the existing declarations of consent or the right to remedy claims. An oral hearing could have been omitted because it had already been established on the basis of the file situation that the contested decision was to be annulled.

2.2. The revision is admissible in accordance with Art. 133 Para. 4 B-VG because there is a lack of supreme court rulings on the question of whether to assess the legality of data processing in the event of invalid consent pursuant to Art. 6 Para. 1 lit Recourse to other permissions of Art. 6 GDPR is permissible.

3. The present revision by the relevant authority before the administrative court is directed against this finding.

The co-participant submitted a response to the appeal and a statement.

4. The Administrative Court considered in a senate formed in accordance with Section 12 (2) VwGG:

4.1. To justify the admissibility, the appeal on the law argues, among other things, that the administrative court deviated from the case law of the Administrative Court because the cancellation of a decision without replacement presupposes that it should not have been issued and that the situation corresponding to substantive law could only be created by cassation. A replacement without replacement therefore presupposes that the application in question may not be decided again. However, the contested decision does not indicate why the administrative court did not proceed with an amendment to the contested decision.

The revision is admissible for this reason alone and the result is partly justified.

4.2. The provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, which are relevant in the event of a revision, on the protection of natural persons with regard to the processing of personal data, on the free movement of data and on the repeal of Directive 95/46/EC (GDPR) , OJ L 119 of 4 May 2016, read in part:

"Art. 6 - Lawfulness of processing

(1) The processing is only lawful if at least one of the following conditions is met:

a) The data subject has given their consent to the processing of their personal data for one or more specific purposes;

b) the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

c) the processing is necessary for compliance with a legal obligation to which the controller is subject;

d) the processing is necessary to protect vital interests of the data subject or another natural person;

e) the processing is necessary for the performance of a task that is in the public interest or in the exercise of official authority that has been delegated to the controller;

f) processing is necessary to safeguard the legitimate interests of the person responsible or a third party, unless the interests or fundamental rights and freedoms of the data subject that require the protection of personal data prevail, in particular if the data subject is a child acts.

...

Art. 7 - Conditions for consent

(1) If the processing is based on consent, the person responsible must be able to prove that the data subject has consented to the processing of their personal data.

(2) If the data subject's consent is given in the form of a written declaration which also concerns other matters, the request for consent shall be made in an intelligible and easily accessible form, using clear and plain language, in such a way that it is clearly distinguishable from the other matters is. Parts of the declaration are not binding if they constitute a violation of this regulation.

(3) The data subject has the right to revoke their consent at any time. The revocation of the consent does not affect the legality of the processing carried out on the basis of the consent up to the point of revocation. The data subject will be informed of this before consent is given. Withdrawing consent must be as simple as giving consent.

(4) When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is dependent on consent to the processing of personal data, which are not required for the performance of the contract.

...

Art. 57 - Duties

(1) Without prejudice to other tasks set out in this Regulation, each supervisory authority in its territory

a) monitor and enforce the application of this Regulation;

...

h) carry out investigations into the application of this Regulation, including on the basis of information from another supervisory authority or other authority;

...

Art. 58 - Powers

(1) Each supervisory authority shall have all of the following investigative powers, allowing it to:

a) to instruct the controller, the processor and, where applicable, the controller's or processor's representative to provide any information necessary for the performance of their tasks,

b) conduct investigations in the form of privacy reviews,

...

d) to inform the person responsible or the processor of an alleged violation of this regulation,

...

(2) Each supervisory authority shall have all of the following remedial powers, allowing it to:

a) to warn a controller or a processor that envisaged processing operations are likely to infringe this Regulation,

b) to warn a controller or a processor if he has violated this Regulation with processing operations,

...

d) to instruct the controller or the processor to bring processing operations in line with this Regulation, if necessary, in a specific way and within a specific period of time,

...

f) to impose a temporary or permanent restriction on processing, including a ban,

...

i) impose a fine in accordance with Article 83 in addition to or instead of measures referred to in this paragraph, depending on the circumstances of the case,

...

Art. 78 - Right to an effective judicial remedy against a supervisory authority

(1) Every natural or legal person has the right to an effective judicial remedy against a legally binding decision of a supervisory authority affecting them, without prejudice to any other administrative or extrajudicial remedy.

...

(3) The courts of the Member State in which the supervisory authority has its registered office shall have jurisdiction over proceedings against a supervisory authority.

... ."

5 The recitals of the GDPR that are relevant for the revision are:

"(129) In order to ensure the consistent supervision and enforcement of this Regulation across the Union, the supervisory authorities in each Member State should have the same tasks and effective powers, including, in particular in the case of complaints from natural persons, powers of investigation, powers of redress and sanctions, and powers of approval and advisory powers and, without prejudice to the powers of law enforcement authorities under Member State law, the power to bring breaches of this Regulation to the attention of the judicial authorities and to institute judicial proceedings. This should include the power to impose a temporary or permanent restriction on processing, including a ban. Member States may set other tasks related to the protection of personal data under this Regulation. The powers of the supervisory authorities should be exercised impartially, fairly and within a reasonable time, in accordance with the appropriate procedural safeguards under Union and Member State law. In particular, with a view to ensuring compliance with this Regulation, any measure should be appropriate, necessary and proportionate, taking into account the circumstances of each individual case, the right of every person to be heard before taking an individual measure that has adverse effects would have to pay attention to this person and to avoid unnecessary costs and undue inconvenience for the persons concerned. Investigative powers regarding access to premises should be exercised in accordance with specific requirements in Member States' procedural law, such as the requirement for prior judicial authorisation. Any legally binding action by the supervisory authority should be in writing and it should be clear and unambiguous; the supervisory authority that issued the measure and the date on which the measure was issued should be indicated and the measure should be signed by the head or a member of the supervisory authority authorized by him and a justification for the measure and a reference to include the right to an effective remedy. This should not preclude additional requirements under Member States' procedural law. The adoption of a legally binding decision requires that it can be subject to judicial review in the Member State of the supervisory authority that issued the decision.

...

(143) ... Without prejudice to this right under Article 263 TFEU, any natural or legal person should have the right to an effective judicial remedy before the competent national court against a decision of a supervisory authority which has legal effects on that person. Such a decision concerns in particular the exercise by the supervisory authority of investigative, remedial and approval powers or the rejection or dismissal of complaints. However, the right to an effective judicial remedy does not include non-legally binding measures by supervisory authorities such as opinions or recommendations issued by them. Proceedings against a supervisory authority should be brought before the courts of the Member State where the supervisory authority is located and should be conducted in accordance with the procedural law of that Member State. These courts should have full jurisdiction, including jurisdiction to consider all issues of fact and law relevant to the litigation before them. If a complaint has been rejected or dismissed by a supervisory authority, the complainant may bring an action before the courts of the same Member State."

6 4.3. Regarding point 1 of the notice:

4.3.1. First of all, it should be noted that the decision points contested before the administrative court are separable insofar as the decision contained in decision point 1. as such does not form a necessary basis for the decision in decision points 2. and 3. The exercise of the right to remedy pursuant to Art. 58 (2) lit . the unlawfulness of the data processing. Points 2 and 3 can therefore have legal validity regardless of the elimination of point 1 - independently.

4.3.2. In the case at hand, the appellant exercised the remedial powers granted to it by Art. 58 (2) lit. d and f GDPR to instruct the person responsible - case-specifically the other party - or the processor to carry out processing operations in a certain way and within a certain period of time in accordance with this regulation to bring (lit. d) or to impose a temporary or final restriction of processing, including a ban (lit. f). For systematic reasons alone, the exercise of the remedial powers mentioned requires that the supervisory authority, in the course of exercising suitable investigative powers, ascertained the relevant facts and determined a violation of the provisions of the GDPR caused by the data processing operations in question (cf. Polenz in Simitis/Hornung /Spiecker (editor), data protection law (2019), Art. 58, margin no. 33).

Therefore, the statement contained in point 1 of the preliminary appeal decision, according to which in the present case the request for consent to the processing of personal data for the purpose of profiling by the party involved does not meet the requirements for consent pursuant to Art. 4 Z 11 GDPR and Art. 7 GDPR or that there is no other legal basis under Art. 6 GDPR for the previous processing of personal data and that the previous processing mentioned is therefore lawful, be a substantive prerequisite for the instruction expressed in point 2. Contrary to what the relevant authority apparently believes, Art. 58 Para. 2 lit. d and lit. There is no apparent legal basis for a separate determination of the legality of the ex officio examination procedure carried out by the authority.

For these reasons, the administrative court - as a result - rightly ruled that point 1 of the preliminary appeal decision should be eliminated without replacement, which is why the appeal cannot be successful to this extent. The determinations made there must be corrected without replacement (cf. VwGH December 14, 2021, Ro 2020/04/0032).

7 4.4. Re points 2 and 3 of the decision:

4.4.1. In accordance with Art. 78 Para. 1 and 3 GDPR in conjunction with Recital 143, the procedure for complaints against decisions by the national supervisory authority is based on the respective Member State procedural law (cf. Jahnel, commentary on the General Data Protection Regulation [GDPR], Art. 78, margin no. 8; Nemitz in Ehmann/Selmayr [editor], General Data Protection Regulation [2017], Art. 78, para. 7).

8 According to the case law of the Administrative Court, the scope of the examination determined by the complaint pursuant to Section 27 VwGVG is not exclusively linked to the complainant's submissions. The outermost framework for the authority to examine is the "matter" of the contested decision (VwGH March 16, 2016, Ra 2015/04/0042). According to the case law of the Administrative Court, the "matter" of the decision complaint procedure before the administrative court is (only) the matter that formed the content of the ruling of the authority concerned (VwGH September 9, 2015, Ro 2015/03/0032, with further references), i.e. the matter which was decided by the relevant authority (VwGH Ra 2015/04/0042).

9 4.4.2. The relevant content of point 2 of the preliminary appeal decision is the prohibition of the processing of personal data of the persons involved through participation in the J*Club and the persons concerned registered with it for the purpose of profiling. The "matter" of the complaints procedure was therefore the review of the legality of the exercise of the right to remedy granted by Art. 58 Para. 2 lit. f GDPR and the associated question of whether the data processing in question was lawful within the meaning of Art (see VwGH 17.12.2014, Ra 2014/03/0049, and 27.11.2020, Ra 2020/03/0086, for similar constellations). The fact that the legal assessment by the appeal applicant in the official procedure may have fallen short because - as the administrative court wrongly believed - only examined one of several possible justification facts has no influence on the scope of the "matter". This only relates to the question of the legal assessment of established facts by the relevant authority. It is not apparent to what extent the scope of the examination opened up to the administrative court would have been restricted due to a legal assessment that the administrative court regarded as incorrect compared to the "matter" of the contested decision. There were no barriers to the administrative court’s examination of the legality of the data processing in question based on the legal basis of Art. 6 Para. 1 GDPR due to a possibly incorrect legal assessment by the appeal applicant. The legal opinion of the administrative court, according to which an examination of the legality of the data processing given in the case on the basis of further permissions of Art. 6 Para. Ra 2019/04/0055).

10 Against this background, a reversal of the preliminary complaint decision, which represents a merit decision in the matter of the complaint, by the administrative court on a case-by-case basis was out of the question. However, the verdict of the contested decision cannot be regarded as a misinterpretation and thus as a remittance to the appeal applicant within the meaning of Section 28 (3) second sentence VwGVG. The express legal justification of the administrative court, which also releases the authority concerned to initiate a new procedure in accordance with Art. 58 GDPR, speaks against such a view.

11 By basing its decision on an incorrect legal assessment of the "matter" of the complaints procedure, the administrative court charged the contested finding with regard to the elimination of the scope going beyond point 1 of the complaint decision with illegality of the content. It was therefore already to be repealed in accordance with Section 42 (2) Z 1 VwGG.

12 Due to the lack of findings by the administrative court on the present declarations of consent and the other circumstances of the data processing at issue, statements on the justification facts of Art. 6 GDPR are superfluous.

13 4.5. For the sake of completeness, it should be pointed out for the continued proceedings that the existence of any justification facts will have to be discussed with the other party in the context of a hearing.

14 4.6. According to Section 47 (4) VwGG, there is no cost allocation.

Vienna, February 8, 2022