BVwG - W252 2249734-1: Difference between revisions

From GDPRhub
Line 49: Line 49:
|Party_Link_2=
|Party_Link_2=


|Appeal_From_Body=DSB
|Appeal_From_Body=DSB (Austria)
|Appeal_From_Case_Number_Name=
|Appeal_From_Case_Number_Name=
|Appeal_From_Status=
|Appeal_From_Status=
Line 67: Line 67:


=== Facts ===
=== Facts ===
On 15 June 2020, a USB-sitck containing a set of documents, including internal information of a Firm, was anonymoulsy sent to the Austrian DPA. The DPA thus started an ex officio investigation and concluded, by decision of 6 November 2021, that the head of the company (the controller) failed to meet security requirements as it saved personal data on a private and unsafe data carrier.
On 15 June 2020, a USB-stick containing a set of documents, including internal information of a company, was anonymoulsy sent to the Austrian DPA (''Datenschutzbehörde - DSB'') . The DPA thus started an ex officio investigation and concluded, by decision of 6 November 2021, that the controller, as head of the company, failed to meet security requirements as it saved personal data on a private and unsafe device.


Upon learning about the decision, the controller appealed the decision to the BVwG, stating, inter alia, that the DPA was not allowed to start such a procedure against her and its decision lacked a reasonable motivation. She also submitted that the DPA failed to take into account the fact that the USB-stick had actually been stolen by an employee of the controller.  
Upon learning about the decision, the controller appealed the latter to the Austrian Federal Administrative Court (BVwG), stating, amongst other things, that the DPA was not allowed to start such a procedure against the controller and the decision lacked a reasonable motivation. The controller also submitted that the DPA failed to take into account the fact that the USB-stick had actually been stolen by an employee of the controller.  


On its part, the DPA claimed that the appeal should be rejected by the BVwG.
On its part, the DPA claimed that the appeal should be rejected by the Court.


=== Holding ===
=== Holding ===
The BVwG considered the appeal to be admissible and held that it cannot be inferred from [[Article 58 GDPR|Article 58 GDPR]] that competent Supervisory Authorities may adopt declaratory statements on the unlawfulness of processing activities on the basis of an ex officio investigation. In the Court's view, [[Article 58 GDPR|Article 58 GDPR]] does not contain an explicit legal basis for such decisions to be issued. In particular, the Court referred to [https://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=bundesnormen&Gesetzesnummer=10001597 Article 24 of the Austrian Data Protection Law (''Datenschutzgesetz - DSG'']), which allows the Austrian DPA to issue decisions stating the infringement of a Data Protection provision only on the basis of a complaint filed by a data subject. Consequently, this is not possible in the case of an ex officio investigation by the DPA.  
The Court considered the appeal to be admissible and held that it cannot be inferred from [[Article 58 GDPR|Article 58 GDPR]] that competent supervisory authorities may adopt declaratory statements on the unlawfulness of processing activities on the basis of an ex officio investigation. In its decision, the Court referred to the a judgment by the Supreme Administrative Court of Austria (''Verwaltungsgerichtshof – VwGH'') in case Ro 2020/04/0032-8, and held that [[Article 58 GDPR|Article 58 GDPR]] does not contain an explicit legal basis for such decisions to be issued. In particular, the Court stressed the fact that according to [https://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=bundesnormen&Gesetzesnummer=10001597 Article 24 of the Austrian Data Protection Law (''Datenschutzgesetz - DSG'']), the DPA is only specifically allowed to issue declaratory statements on the infringement of a data protection provision on the basis of a complaint. Consequently, this is not possible in the case of an ex officio investigation by the DPA.  


In light of this, the BVwG held that the appeal should be upheld since the decision by the DPA lacked a legal basis and shall thus be repealed.
In light of this, the Court held that the appeal should be upheld since the decision by the DPA lacked a legal basis and shall thus be repealed.


== Comment ==
== Comment ==
''Share your comments here!''
As already stated in a comment to decision [[BVwG - W258 2247028-1]], the BVwG, in this case too, refers to the decision of the VwGH in case Ro 2020/04/0032-8. 
 
In its judgment, the VwGH held, with respect to own volition inquiries by the DPA, that there is no explicit legal basis in Article 58 GDPR that allows a DPA to declare that there has been a violation of a GDPR provision. Further, the VwGH held that the Austrian legislator did not avail itself of the possibility to grant further competences to the DPA by virtue of Article 58(6) GDPR. As a matter of fact, in §24 DSG it is only specified that the DPA may issue a decision concerning the violation of a GDPR provisoin by a controller/processor in case this is requested by a complainant in a complaint filed with the DPA. According to the VwGH, the purpose of §24 is that of granting the complainant, whose rights have been infringed, the possibility to have a declaration of such infringement.  On the contrary, in case of ex officio proceedings, the VwGH held that there is no justification for interpreting §24 DSG as to extend this possibility to cases that do not originate from a complaint.
 
This makes the decision by the BVwG in this case a legitimate one, as the Court duly followed the jurisprudence of the higher instance VwGH, yet this strict interpretation of the law remains questionable. In particular, the fact that a DPA may adopt measures by virtue of Article 85 GDPR also in the context of an ex officio proceeding oftentimes implies the existence of a GDPR infringement, but the latter cannot be "declared" by the DPA. 


== Further Resources ==
== Further Resources ==
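Review bot: In the revised Facts paragraph the DPA decision is dated 6 November 2021, while the machine-translated decision on this page gives November 16, 2021; the date should be checked against the German original. The revised text also still carries the typos "anonymoulsy", "referred to the a judgment" and "provisoin". The new Comment cites "Article 85 GDPR" for the DPA's measures, although the rest of the page discusses Article 58 GDPR, so that reference should be confirmed.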

Latest revision as of 15:24, 26 November 2023

BVwG - W252 2249734-1
Court: BVwG (Austria)
Jurisdiction: Austria
Relevant Law: Article 58 GDPR
§24 DSG
Decided: 06.09.2023
Published: 22.09.2023
Parties:
National Case Number/Name: W252 2249734-1
European Case Law Identifier:
Appeal from: DSB (Austria)
Appeal to:
Original Language(s): German
Original Source: BVwG (in German)
Initial Contributor: co

The Austrian Federal Administrative Court (Bundesverwaltungsgericht - BVwG) held that the Austrian DPA lacked a legal basis to adopt a decision on the legality of processing by a controller in the context of ex officio investigations.

English Summary

Facts

On 15 June 2020, a USB-stick containing a set of documents, including internal information of a company, was anonymously sent to the Austrian DPA (Datenschutzbehörde - DSB). The DPA thus started an ex officio investigation and concluded, by decision of 6 November 2021, that the controller, as head of the company, failed to meet security requirements as it saved personal data on a private and unsafe device.

Upon learning about the decision, the controller appealed the latter to the Austrian Federal Administrative Court (BVwG), stating, amongst other things, that the DPA was not allowed to start such a procedure against the controller and the decision lacked a reasonable motivation. The controller also submitted that the DPA failed to take into account the fact that the USB-stick had actually been stolen by an employee of the controller.

On its part, the DPA claimed that the appeal should be rejected by the Court.

Holding

The Court considered the appeal to be admissible and held that it cannot be inferred from Article 58 GDPR that competent supervisory authorities may adopt declaratory statements on the unlawfulness of processing activities on the basis of an ex officio investigation. In its decision, the Court referred to a judgment by the Supreme Administrative Court of Austria (Verwaltungsgerichtshof – VwGH) in case Ro 2020/04/0032-8, and held that Article 58 GDPR does not contain an explicit legal basis for such decisions to be issued. In particular, the Court stressed the fact that according to Article 24 of the Austrian Data Protection Law (Datenschutzgesetz - DSG), the DPA is only specifically allowed to issue declaratory statements on the infringement of a data protection provision on the basis of a complaint. Consequently, this is not possible in the case of an ex officio investigation by the DPA.

In light of this, the Court held that the appeal should be upheld since the decision by the DPA lacked a legal basis and shall thus be repealed.

Comment

As already stated in a comment to decision BVwG - W258 2247028-1, the BVwG, in this case too, refers to the decision of the VwGH in case Ro 2020/04/0032-8.

In its judgment, the VwGH held, with respect to own volition inquiries by the DPA, that there is no explicit legal basis in Article 58 GDPR that allows a DPA to declare that there has been a violation of a GDPR provision. Further, the VwGH held that the Austrian legislator did not avail itself of the possibility to grant further competences to the DPA by virtue of Article 58(6) GDPR. As a matter of fact, in §24 DSG it is only specified that the DPA may issue a decision concerning the violation of a GDPR provision by a controller/processor in case this is requested by a complainant in a complaint filed with the DPA. According to the VwGH, the purpose of §24 is that of granting the complainant, whose rights have been infringed, the possibility to have a declaration of such infringement. On the contrary, in case of ex officio proceedings, the VwGH held that there is no justification for interpreting §24 DSG so as to extend this possibility to cases that do not originate from a complaint.

This makes the decision by the BVwG in this case a legitimate one, as the Court duly followed the jurisprudence of the higher instance VwGH, yet this strict interpretation of the law remains questionable. In particular, the fact that a DPA may adopt measures by virtue of Article 85 GDPR also in the context of an ex officio proceeding oftentimes implies the existence of a GDPR infringement, but the latter cannot be "declared" by the DPA.


English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

Decision date

09/06/2023

Legal provisions

B-VG Art 133 Paragraph 4
DSG §24
GDPR Art58

Operative part

W252 2249734-1/10E

IN THE NAME OF THE REPUBLIC!

The Federal Administrative Court, through judge Mag.a Elisabeth SCHMUT LL.M. as chairwoman and the expert lay judges Dr. Claudia ROSENMAYR-KLEMENZ and Mag. Adriana MANDL as assessors, on the complaint from XXXX, represented by MMMag. Dr. Franz Josef GIESINGER Rechtsanwalt GmbH, 6840 Götzis, Dr.-A.-Heinzle-Straße 34, against the data protection authority's decision of November 16, 2021, GZ XXXX, ruled as follows in a non-public session in a data protection matter:

A) The complaint will be followed and the contested decision will be repealed without replacement.

B) The revision is not permitted.

text

Reasons for the decision:

The Federal Administrative Court considered:

1. Proceedings and findings:

1.1. On June 15, 2020, the relevant authority received an unencrypted USB stick that had been found in the XXXX area, without any information about the person who sent it. This USB stick contained XXXX's internal documents, such as interrogation protocols including personal data.

1.2. The relevant authority then initiated an ex officio investigation procedure, particularly with regard to the technical and organizational security measures taken.

1.3. In a decision dated November 16, 2021, the authority concerned stated that the ex officio examination procedure was justified and determined that the responsible person, within the scope of her function as head of XXXX, by using a private and unsecured data medium on which she processed official documents, had failed to ensure adequate security of data processing.

1.4. The present complaint from the BF dated December 6, 2021 is directed against this decision. In it, she alleged, among other things, incorrect findings, the inadequacy of the procedure, lack of reasoning and an incorrect legal assessment. The authority concerned did not adequately take into account the fact that the USB stick had been unlawfully stolen by an employee. The BF could not have expected that one of its employees would steal the USB stick XXXX and restore deleted files from it. The authority concerned had therefore exceeded the standard of care.

1.5. The authority concerned submitted the complaint following the administrative act in a letter dated December 16, 2021, filed on December 21, 2021, and requested - with reference to the reasons for the contested decision - that the complaint be dismissed.

Evidence was collected by examining the administrative and court files.

2. Assessment of evidence:

The findings result from the unobjectionable administrative file. In particular, the statement on the decision in the contested decision results from the decision also submitted by the authority concerned (OZ 1, p. 240).

3. Legal assessment:

To A)

The admissible complaint is justified.

3.1. Regarding the legal situation:

In its fundamental decision (VwGH December 14, 2021, Ro 2020/04/0032) with regard to ex officio examination procedures by the authority concerned, the VwGH stated that there was no legal basis for an independent decision about the possible authorization to carry out a procedure within the meaning of Article 58 Paragraph 2 of the GDPR or the possible illegality of the processing operation in question. Art 58 GDPR does not contain an express legal basis for an independent determination by the data protection authority of the possible illegality of a processing operation relevant to data protection law in a procedure initiated ex officio. Section 24 DSG provides for the possibility of establishing a violation of a right protected by data protection law upon request from a data subject. However, this provision regulates the individual complaint of a person whose right to protection of personal data concerning them has been violated and is not directly applicable to the procedure initiated ex officio by the data protection authority (cf. most recently VwGH September 1, 2022, Ra 2022/04/0066 with further references).

3.2. Applied to the facts of the case, this means:

In the ruling in this decision, the authority stated that the ex officio examination procedure was justified and found a violation of the law. There is no legal basis in either the GDPR or the DSG for such an objection by the authority concerned as part of an ex officio investigation. The Austrian legislature did not grant the data protection authority, as a supervisory authority within the meaning of the GDPR, any authority beyond the catalog of Art 58 GDPR (see VwGH September 1, 2022, Ra 2022/04/0066).

The contested decision was therefore issued without a legal basis, which is why the complaint had to be followed for this reason and the decision had to be repealed without replacement.

3.3. The decision therefore had to be made in accordance with the verdict.

3.4. Since it was already clear from the file situation that the contested decision should be repealed, the oral hearing - requested - could be dispensed with in accordance with Section 24 Paragraph 2 Z 1 VwGVG.

Regarding B) Inadmissibility of the appeal:

According to Section 25a Paragraph 1 VwGG, the administrative court must state in its ruling or decision whether the appeal is permissible in accordance with Art 133 Paragraph 4 B-VG. This statement must be briefly justified.

According to Article 133 Paragraph 4 B-VG, the appeal is not permitted because the decision does not depend on the solution of a legal question that is of fundamental importance. The adjudicating court was able to rely on the established case law of the Administrative Court cited in each case.