Austrian DPA case law since 25 May 2018 (excerpt)

(No) competency of the Austrian DPA

SB-D037.500/0194-DSB/2018; 19.12.2018 | Link

Header: DPA is not competent to confirm conformity of answer to data access request

Content:

• Controller has asked DPA to confirm whether controller has correctly answered to an individual's request for data access
• DPA rejected controller's request by declaring it has only competency to decide upon the lawfulness of a controller's answer to a data access request upon an individual's complaint.
• The reason of this limitationis to safeguard the DPA's obligation to stay on a case by case basis flexible and consistent in its interpretation of the GDPR

Consultancy mechanism

DSB-D485.001/0003-DSB/2018; 18.12.2018 | Link

Header: A controller cannot ask for consultation under Art 36 GDPR if the controller's intention is to let have clarified whether its implemented security measures are appropriate under the GDPR. Consultation under Art 36 GDPR is only legitimate if the controller fails in proper risk mitigation.

Content:

• Controller intends to perform CCTV by implementing 12 cameras to protect its premises. DPIA showed significant risk that public areas and, with this, innocent bystanders may be captured.
• Controller asked for consultation under Art 36 GDPR to let have verified whether its CCTV setup is adequate under the GDPR
• DPA rejects controller's application for consultation. Consultation does not allow asking the DPA whether security measures taken are adequate under the GDPR. This needs to be self-assessed by the controller. Consultation is only legitimate if the controller cannot establish adequate security measures so that the envisaged data processing might effectuated significant risks.

Right of partial data deletion

DSB-D123.211/0004-DSB/2018; 05.12.2018 | Link

Header: An individual is allowed to request partial data deletion. If a controller denies feasibility of partial data deletion it has to give reason within the response time as set forth under the GDPR. If the controller decides to delete all data it does not only infringe the individual's right for data secrecy but also its right for data deletion.

Content:

• Claimant has filed a complaint because claimant has requested partial data deletion. Controller has reacted by deleting all data of claimant and by refusing partial data recovery.
• DPA affirmed claimant's view and ruled that an individual is allowed to ask for partial data deletion.
• If a controller deems partial data deletion not feasible it has to given reason within the GDPR's response deadlines. The reasoning has to be verifiable for the individual and for the DPA. If the controller instead deletes all the individual's data and denies partial data recovery it destroys the integrity of the individual's data set and, with this, infringes the individual's data secrecy and its right for data deletion.

Deletion through data anonymization

DSB-D123.270/0009-DSB/2018; 05.12.2018 | Link

Header: Data anonymization qualifies as deletion in terms of Art 17 GDPR.

Content:

• Claimant claimed improper data deletion because controller responded to its deletion request by anonymizing, not by deleting its data.
• DPA concedes that Art 17 GDPR asks for deletion but confirms it is within the discretion of the controller how to establish the status of deletion. Preventing identification (anonymization) forms a possible option provided that neither the controller, nor third parties can re-identify the data without disproportional efforts.
• Anonymization prevents the data from being further used or processed. This is not changed by the anticipation that future means or technics might allow identification of the now anonymous data. Anonymization does not require absolute impossibility of data reidentification.

Voluntariness of cookie consent

DSB-D122.931/0003-DSB/2018; 30.11.2018 | Link

Header: Although the GDPR generally prohibits coupled consent, consent may be freely given (and, thus, be valid) if it was declared in connection with processing activities that are clearly beneficial for the individual.  

Content:

• Claimant denies voluntariness of cookie consent obtained by controller. According to the controller's website setup the consent was deemed to be given purely by surfing on the website.
• DPA confirmed that voluntariness of consent requires to grant an individual the free choice whether or not to consent without any negative consequences arising from that choice. The controller has to give proof fur such voluntariness.
• In the present case the individual had the option not to provide consent and to instead utilize a service for EUR 6 per month (in case of cookie consent the service would be free). With this setup the DPA saw sufficient voluntariness of consent, not least because the individual had the option to switch to alternative websites (note: the controller / service provider was a newspaper publisher)  

Unlawful data processing  because of insufficient information under Art 14 GDPR

DSB-D122.954/0010-DSB/2018; 30.11.2018 | Link

Header: The fairness principle of Art 5 GDPR requires an individual to be informed under Art 14 GDPR if it gets stored in a goods credit database. Creditors' interests in such database cannot outweigh the privacy deficit arising from insufficient information of the individuals.

Content:

• Claimant asks for certain data to be deleted that give information about claimant's insolvency proceedings in a database. The database stored data about purchases financed by credits. Claimant had not been properly informed about his data being stored in that data base and claimant gave proof that its insolvency proceedings had already been settled.
• DPA affirmed claimants view by declaring the storage of claimant's data illegal. The principle of fairness would have required the controller to inform claimant under Art 14 GDPR about being stored in the database. Potential debtors' interests in the existence of such database cannot outweigh such lack in information.
• The data storage was furthermore illegal because the database entry indicates insolvency proceedings were still pending although they had already been settled at the date of entry.

No control competency on legislative action

DSB-D123.800/0001-DSB/2018; 28.11.2018 | Link 

Header: DPA has no competency to review data processing activities in connection with commissions of enquiry

Content:

• Claimant made representations in a parliamentarian commission of enquiry. The protocols of his representations have been made public. Claimant unsuccessfully requested deletion of his data.
• DPA qualified data processing in the course of parliamentarian enquires as an act of legislative action, including the protocols produced during such enquires.
• DPA denied its competency on deciding upon parliamentarian acts.

No competency to rule upon controller's response time under the GDPR

DSB-D123.223/0007-DSB/2018; 26.11.2018 | Link

Header: Art 77 GDPR does not allow an individual to let have determined by a DPA whether a controller's reply to a request for data access had been delivered in a timely manner.

Content:

• Claimant claimed infringement of Art 15 GDPR because controller has responded to his data access request after more than four months. Claimant asked the DPA to confirm the reply was not delivered within the GDPR's given deadline.
• DPA confirms that Art 15 GDPR shall entitle an individual to understand which of his data is processed by a controller and how its data gets processed.
• Claimant did not claim the reply of the was insufficient or unsatisfying. However, Art 77 GDPR does not allow to challenge the pure fact that the reply was not delivered within the GDPR's maximum period of three months.

Correction of data

DSB-D122.895/0005-DSB/2018; 20.11.2018 | Link

Header 1: Art 16 GDPR allows correction of data that is objectively false. It is of no relevance whether an individual subjectively deems the data to be false.

Header 2: If the data is used in authority or court proceedings the data is to be held true in terms of the GDPR if it correctly displays the results of the proceedings. It is of no relevance whether the data might subjectively be wrong in its content.

Header 3: Art 16 GDPR shall allow incomplete data to be completed. Data is incomplete if the data by itself might be correct but if the overall impression of the data might objectively lead to misleading conclusions.

Content:

• Claimant was employed with the controller. Controller suspected breach of employee duties and dismissed claimant. The suspicion turned out to be unfounded and the dismissal was declared null and void. The documentation of the case remained in the claimant's employee file.

• Claimant asked for amendment of his employee file to make it clear from its content that the suspected breach of employee duties in fact has not happened.

• DPA took the view that the file correctly displays the facts of the case by displaying there was a suspicion of breach of employee duties so the data was not to be deemed untrue in terms of Art 16 GDPR (and, thus, cannot be corrected).

• The DPA acknowledged that data should be amended if the data by itself might be correct but if the overall impression given by that data might objectively lead to misleading conclusions. In the present case the DPA did not identify such mislead because in the regulator's view the file gave sufficiently proof that the alleged breach of employee duties had been ill-founded.

Data storage after employment termination

DSB-D122.944/0007-DSB/2018; 15.11.2018 | Link

Header 1: Art 17 GDPR does not allow for data deletion if the requested data serves bookkeeping and accounting documentation under Sec 7 of the Federal Fiscal Code.

Header 2: A public authority must not process personal data upon the justification of Art 6 Para 1 lit f GDPR provided the authority processes the data in its role as an employer

Content:

• After termination of his employment claimant asks controller (public authority) to delete his sick leave data the controller has collected during claimant's employment.
• DPA confirms controller was right in refusing this request since the sick leave data forms evidence for tax and salary payments and thus its storage is supported by the statutory retention obligations of the Austrian Federal Fiscal Code.
• Claimant had also asked controller to delete specific notes in the file the controller kept stored for three years to identify (and reject) potential new job application of the claimant.
• Although the controller is a public authority and, as such, shall only process personal data upon statutory allowances the DPA has confirmed that the controller, in its role as employer, may perform the balancing interest test under Art 6 Abs 1 lit f GDPR to justify its storage of the disputed file notes. The DPA has further affirmed that under this balancing test the controller was allowed to keep the notes stored for a period of three years.

No use of published phone numbers for unsolicited marketing

DSB-D123.076/0003-DSB/2018; 31.10.2018 | Link

Header 1: Using a publicly available phone number for unsolicited marketing calls infringes the individual's data protection rights.

Header 2: Infringements of Art 14 GDPR can be brought before the DPA.

Content:

• Claimant has published his phone number on his website. The purpose of publishing his number was to invite users to ask for claimant's advisory services.
• Controller took the phone number from claimant's website to perform unsolicited marketing calls (cold calling).
• The DPA not only confirmed violation of Austrian telecommunications law but also of claimant's secrecy of data due to the processing of his phone number for unlawful purposes.
• Controller has further infringed Art 14 GDPR. Even if the calls performed by the controller do not qualify under Art 13 Para 4 lit b GDPR the controller would have been obliged to provide information about controller's collection of the phone number one month after collection the latest (Art 14 Para 3 lit a GDPR).

Data protection infringement through digital door spy

DSB-D123.204/0005-DSB/2018; 05.10.2018 | Link

Header: A digital door spy qualifies as CCTV under Sec 12 of the Austrian Data Protection Act. It affects intimate personal sphere of the controller's housemates and thus requires their consent.

Content:

• DPA understands a digital door spy to be a technical device that is implemented in the entrance door and allows picture taking of the entry zone before that door. The DPA qualifies such system as CCTV.
• The digital door spy allows tracking entries and leaves of the surrounding housemates and thus interferes with their intimate personal spheres.
• The DPA takes the view that a digital door spy must not be operated unless supported by housemates' consent.

Complaint needs to be filed in German

DSB-D130.092/0002-DSB/2018; 21.09.2018 | Link

Header: Although Art 77 GDPR allows international choice between multiple DPAs, any proceedings before the Austrian DPA have to be performed in the state's official language German.

Content:

• Claimant has filed a complaint in a language different than German.
• DPA issued an order for improvement and declared that it must not be taken from Art 77 GDPR, although this provision principally allows an individual to choose between multiple DPAs, that Art 77 GDPR allows complaints to be filed in Austrian in a language other than German.
• Art 77 GDPR shall only allow an individual to turn to an alternative DPA if the individual feels more comfortable with that DPA's language.

No right for data pseudonymization

DSB-D123.070/0005-DSB/2018; 13.09.2018 | Link

Header: Under the GDPR an individual is not entitled to ask for the implementation of specific security measures, such as data pseudonymization.

Content:

• Claimant complains infringement of his data protection rights but fails in demonstrating the activity of the controller that allegedly has caused the claimed infringement. Rather the claimant sees this infringement in the controller's general negligence to pseudonymize data.
• The DPA principally acknowledges that an individual might raise claims under the GDPR if that individual was affected by insufficient data security measures.
• However, the GDPR does not allow an individual to ask for the implementation of specific security measures independent from wrongful data use arising from potentially incompliant data security measures. Thus, Art 32 GDPR imposes an obligation but does not create entitlements for individuals.  

Data deletion vs securing of evidence

DSB-D123.085/0003-DSB/2018; 27.08.2018 | Link

Header: There is no right for data deletion under Art 17 GDPR if the data storage serves the purpose of exercising or defending legal claims. The threat of legal claims must exist objectively. Abstract fear of legal claims does not suffice.

Content:

• Claimant has unsuccessfully applied for a job at the controller and wanted to have his unsuccessful application data deleted. Controller denied deletion. Under the Austrian Equal Treatment Act the applicant could exercise claims for six months after his job request was denied. Controller kept the application data for evidence purposes.
• DPA accepted controller's view. Right for data deletion under Art 17 GDPR does not apply in cases of Art 17 Para 3 lit a to e GDPR, among of which is the processing of data to exercise or defend legal claims.
• However, this exception does only apply in case of legal claims raised against the controller. Purely theoretical fear of such claims does not suffice. The controller has to justify why he sees this exception applicable when storing data for evidence purposes.
• In the case at hand, the controller has referred to the applicable provisions of the Equal Treatment Act and it has specified the period of time it keeps the data to secure evidence.
• By storing the data for six months and an additional month in case the claimant raises claims before courts at the end of the law's six months' claims period the controller did in the view of the DPA not act in a disproportional manner and thus did not violate the GDPR.

Data breach notification

DSB-D084.133/0002-DSB/2018; 08.08.2018 | Link

Header: Large scale processing of special categories of data produces high risks for individuals under Art 34 Para 1 GDPR and therefore triggers individuals' notification obligation.

Content: 

• Controller informed the DPA about a data breach under Art 33 GDPR. It has lost records on substance misuse. Those records concerned several individuals. All in all, the overall volume of records contained 1.500 sets of non-encrypted personal data.
• DPA qualified the set of data as special categories of personal data in terms of Art 9 GDPR. It assessed whether the affected individuals are to be informed about the loss of the records.
• The DPA found there is reasonable risk that the records might be accessed by third parties and that the lost data has to be seen as large scale of specific categories of data. The loss of that data therefore constitutes a high risk for the affected individuals.
• The DPA therefore required the controller to inform the individuals.
• By considering the circumstances of the case it allowed a notification period of four weeks.

Consent to GPS-trackers in fleet cars

DSB-D213.658/0002-DSB/2018; 08.08.2018 | Link

Header: Employee consent to the use of GPS tracker in fleet cars does not provide a sufficient level of voluntariness.

Content:

• Controller asked employees for consent to implement GPS trackers in the company's fleet cars. The validity of consent for that purpose was challenged before the DPA.
• The DPA accepted controller's argument that preventing the fleet cars from theft is a valid purpose for the processing of the GPS data but it refused to accept consent as the appropriate legal basis for processing that data.
• The DPA deemed the legitimate interests balancing test more appropriate since consent in the present case suffers voluntariness due to the employer to employee relationship.
• However, since the GPS data was stored 93 days and, as such, potentially allows employee profiling the DPA expressed the controller must align its overall GPS tracking with the requirements of the GDPR.

Improvement of DP complaint, missing evidence

DSB-D130.006/0002-DSB/2018; 02.08.2018 | Link

Header: Claimant, when filing a complaint, needs to evidence of his claims. Failing in providing proper evidence leads to an improvement order. If a claimant does not satisfy that improvement order the complaint will be rejected.

Content:

• Claimant asks for data deletion because controller did not follow claimant's request to delete automatic completion of claimant's name in a search engine.
• DPA found that a complaint needs to provider proper evidence of the alleged misconduct. Besides the preceding correspondence between controller and claimant also those documents shall be provided that support claimant's claims.
• If no such proper documentation is provided the DPA may issue an improvement order. If claimant fails in satisfying that improvement order the complaint will be dismissed.
• Since the claimant failed in the present case to satisfy the DPA's improvement order his complaint was dismissed. However, by way of an obiter dictum the DPA underlined that the question whether or not a search engine's automatic name completion functionality shall be up to the GDPR's right for data deletion is an unsettled question of legal importance. The DPA deems it reasonable that such functionality may infringe the data secrecy right of an individual.

Marketing consent

DSB-D213.642/0002-DSB/2018; 31.07.2018 | Link

Header: Placing marketing consent directly above a document's overall signature line without explicitly demonstrating an opt in option gives the impression that the marketing consent forms an integral part of the document. This prevents the consent from voluntariness.

Content:

• The DPA initiated ex officio proceedings upon the following marketing consent used by an Austrian automotive organization (the consent language was used on a membership form):  

"I declare my consent that the "X" Automotive Association may process my personal data [address, phone number, e-mail address] in order to provide information to me about its offers and services about new products or driving safety trainings

• by postal delivery
• via electronic means
• by phone

and to distribute my data to its other organizational units for the said purpose. My membership remains unaffected from my consent.

Consent revocation: I am entitled to revoke my consent anytime by e-mail to [X-e-mail address] or by post to [X-postal address]. Such revocation does not affect the data processing performed until revocation."

Note: Directly below that language there was the overall membership form's signature field.

• In the view of the DPA it did not come sufficiently clear from the above that the individual is free to provide or to not provide consent to marketing when applying for membership. It indicates the individual is only free to choose the channel of marketing communication (postal delivery, electronic means or phone).
• Placing the consent language right above the form's signature field supports this impression. The individual gets the impression that consent to marketing forms an integral part of joining the organization. Also, the language on consent revocation support this because it gives an impression that the individual must first provide consent to make use of its right for consent revocation.
• In summary, the DPA came to the conclusion that the organization's form includes non-voluntary marketing consent. It requested the controller to adapt its form within three months.

Dashcam use

DSB-D485.000/0001-DSB/2018-I; DSB-D485.000/0001-DSB/2018-II; DSB-D485.000/0001-DSB/2018; 09.07.2018 | Link

Header 1: A dashcam that allows crash recording but can be permanently activated by using its "emergency" functionality infringes the principle of data minimization under Art 5 Para 1 lit c GDPR.

Header 2: The interest balancing test under Art 6 Para 1 lit f GDOR prohibits the dashcam use because of counter-interests of innocent bystanders since those bystanders cannot reasonably expect their pictures being taken by the dashcams.

Content:

• Controller asked the DPA for consultation under Art 36 GDPR. Controller operates dashcams that permanently capture their surroundings by periodically overwriting captured pictures if no accident-produced vibrations prevent the dashcams from overwriting. If the camera vibrates heavily or, alternatively, if the cameras' "emergency" functionality gets activated the dashcams keep stored data 60 seconds before and after that accident.
• The DPA found that controller's PIA leads to high risks for data subjects. The Austrian High Administrative Court has already ruled that dashcams shall not be allowed in Austria if they support permanent monitoring (VwGH 12,09.2016, Ro 2015/04/0011).
• The DPA ruled that the "emergency" functionality of the evaluated dashcams theoretically allows for permanent picture taking since it can manually get activated. In the view of the DPA this interferes with the principle of data minimization under Art 5 GDPR.
• Also, recital 47 of the GDPR states that legitimate interests shall not be assumed where individuals will not reasonably expect their data being processed. By considering this the DPA denied a positive outcome of the balancing interests test under Art 6 Para 1 lit f GDPR because road users and innocent bystanders may not expect being picture taken by dashcams since dashcams are not commonly used in the daily Austrian traffic routine.
• The DPA therefore issued a warning that the envisaged use of the dashcams does not comply with the GDPR so that they must not be operated in Austria.

Banking documentation access

DSB-D122.844/0006-DSB/2018; 21.06.2018 

Header: Under the Austrian Payment Service Act a banking institute, when providing customer faced documentation, is entitled to charge service fees. However, this law may not prevent an individual from requesting copies of data.

Content:

• Claimant asked a bank to provide documentation about his recent payments but denied paying service fees. After having learned that his request was not free of charge, the customer turned his request to a request for data access, including a request for a "copy of data" under Art 15 GDPR.
• The DPA affirmed applicability of the GDPR's entitlements parallel to possible alternative entitlements under other laws, such as the Austrian Payment Service Act. It accepted claimant's view and confirmed that under Art 15 GDPR the banking institute is obliged to provide the requested documents free of charge ("copy of data").
• The DPA did not deem claimant's request excessive in terms of the GDPR and thus denied entitlement for costs under the GDPR.

Information about recipients of unlawfully accessed data

DSB-D122.829/0003-DSB/2018; 06.06.2018 (follow up to DSB-D122.831/0003-DSB/2018; 04.06.2018) | Link

Header: A data controller needs to provide information about who has unlawfully accessed personal data of an individual

Content:

• When replying to a request for data access the controller needs not provide information about its internal employee data access allowances.
• If, however, an employee of that controller (as it was the case here) unlawfully accesses personal data such data access qualifies as data transfer and needs to be disclosed in the answer to the data access request.
• Thus, a controller needs to provide information about illegal data access performed by one of its employees.

Unlawful patient data access

DSB-D122.831/0003-DSB/2018; 04.06.2018 | Link

Header: DPA confirmed unlawful access to patient data stored in electronic health records

Content:

• Claimant raised suspicion that her health data had been accessed in an unlawful manner to unknown third parties.
• Hospital conceded there was no "plausible" reason for the accessing of the data.
• DPA ruled the data access unlawful.

Data storage for evidence purposes

DSB-D216.471/0001-DSB/2018; 28.05.2018 | Link

Header: An abstract anticipation that data might potentially be needed for evidence purposes in order to defend claims in future proceedings does not give sufficient justification for data storage

Content:

• Claimant asked for data deletion. The controller denied that request and claimed need for data storage.
• The controller stored the data under dispute for seven years to satisfy applicable statutory retention periods and another three years for evidence purposes in case it faces claims. The three year's storage period reflects the Austrian overall period of claims limitation.
• DPA accepted the statutory retention period the controller was referring to, but it refused to accept continuing data storage for hypothetical evidence purposes.

No data storage for possible future contacts

 DSB-D216.580/0002-DSB/2018; 28.05.2018 | Link

Header: Data storage for potential future contacts infringes Art 5, 17 GDPR if an individual asks for data deletion

Content:

• Claimant has asked the controller to delete all its data
• Controller has complied with deletion request but has preserved claimant's contact data since controller highly expected future contacts of claimant
• Controller has in the view of the DPA failed to give sufficient reason why it needs to preserve that contact data and thus has infringed Art 5, 17 GDPR.

Authors: János Böszörményi, Günther Leissler, Nicolaus Neumann & Veronika Wolfbauer