On December 10, 2018, the Federal Administrative Court issued a far-reaching decision regarding the right to information. The subject of the proceedings was the effort that companies have to make in order to comply with requests for data information from data subjects. The court’s decision will have far-reaching consequences for data processing companies.
Background
In 2017, a private individual asked an Austrian bank to disclose what personal data the financial institution had stored about him. According to him, the bank had forwarded personal data to a property management company, although he had expressly prohibited the forwarding of data.
His request for information refers to all processed data, the information about their origin, possible recipients or groups of recipients, the purpose of the data use as well as the citation of the legal basis. Furthermore, he requested the names and addresses of service providers entrusted with the processing of his data.
Bank response
The financial institution provided the data subject with some records, but also mentioned in the cover letter that not all of the data had been provided, and gave the following reasons for this:
“All other personal data stored would not contain any personal information, but would be account- and product-related data and would serve the computer processing of banking transactions.”
Furthermore, an “Information on service providers” was enclosed as well as a list of when the institute is obligated to disclose data to authorities according to various legal requirements. Here, for example, the bank listed that data will be forwarded to the U.S. authorities if the person is subject to tax in the U.S.
Complaint to the data protection authority
In the opinion of the complainant (the data subject), the information provided by the bank was insufficient. He therefore filed an appeal pursuant to Sec. 31 para. 1 of the Austrian Data Protection Act 2000 and justified this on the grounds of incomplete or inaccurate information.
The bank countered that it regularly provides account statements, that there is an account statement printer, and that the data can be viewed via online banking. For this reason, the bank considers the effort involved to be unjustifiable and unwarranted. The complainant disputed that the effort was disproportionate and requested that an expert in the field of IT and banking be consulted. The data subject also countered that he had no e-banking access, and that such access would in any case only give access to his own account data, not to data stored with the accounts of third parties.
Furthermore, the information was incomplete, as the transfer of data to internal departments such as marketing was not documented.
Decision of the data protection authority
The data protection authority upheld the applicant on only one point; the data disclosure was incomplete because it did not contain any information about the forwarding of data to the property management company. The bank was therefore requested to provide this information to the person concerned within two weeks.
The other disputed points were decided in favor of the bank.
The private individual appealed the authority’s decision to the Federal Administrative Court.
Court decision
The Federal Administrative Court corrected the decision of the data protection authority and argued as follows:
Simple understandable language
The GDPR requires in Article 12:
The controller shall take appropriate measures to provide the data subject with all the information referred to in Articles 13 and 14 and all the notifications referred to in Articles 15 to 22 and Article 34 which relate to the processing, in a precise, transparent, intelligible and easily accessible form, in plain and simple language
GDPR Article 12, paragraph 1
As a result, the bank should have refrained from providing information to U.S. authorities, since the person concerned is not liable to pay taxes in the United States.
The court also referred to recital 58 of the GDPR.
Internal data sharing
Again, the court ruled that the bank’s disclosures were insufficient. The information “Performance of banking transactions and related services” is not detailed enough and does not meet the requirements of simple, understandable language according to GDPR Article 12. Recital 63 supported the judges’ reasoning.
Purpose statements such as “improvement of user-friendliness”, “marketing purposes”, “IT security purposes”, “future research” are too general and do not meet the criterion of sufficient definiteness. As a rule of thumb, it is advisable to state a purpose, as a rule, in more than three words, but without falling into sprawling, confusing and complicated formulations.
Excerpt from the decision of the Federal Administrative Court
Thus, it is also clear that the requirements of the GDPR are not easy to meet: giving a detailed indication without resorting to complicated formulations is a balancing act on a knife edge.
The court’s decision therefore says that internal data disclosures must also be part of a data disclosure.
Proportionality
On this point, too, the Federal Administrative Court followed the argumentation of the person concerned.
The bank was of the opinion that the data could be accessed via e-banking and that any other data disclosure would be disproportionate. According to the court, this argument lacks any legal basis. Since the complainant does not have e-banking access, the institution has to find other ways to provide the requested data. The grounds for exception according to GDPR Article 12(5) cannot be applied, as these serve to defend against excessive demands. Since this is the complainant’s first data subject request, it cannot be described as excessive or abusive.
The information under Article 15 must therefore be provided free of charge and must cover the past seven years. The bank was given a period of only two weeks to provide the information.
Conclusion
The ruling shows once again that the GDPR is a complex construct and should not be taken lightly. There is no other way to explain the fact that a court and an authority make different decisions based on the same facts.
For the assessment of facts, not only the legal text but also the recitals are decisive. These explain the intentions of the legislator and bring clarity to the GDPR for me.
In conclusion, data disclosure to data subjects is one of the major challenges of the GDPR. Only when data management is in place can these requests be answered in a timely and complete manner. If data is stored in different systems, such as a CRM and a marketing application, it takes technical know-how to extract all the required data from both systems.