Right to information – The Federal Administrative Court has ruled

13/05/2019 by Constanze Liebhart

On December 10, 2018, the Federal Administrative Court issued a far-reaching decision regarding the right to information. The subject of the proceedings was the effort that companies have to make in order to comply with requests for data information from data subjects. The court’s decision will have far-reaching consequences for data processing companies.

Background

In 2017, a private individual asked an Austrian bank to disclose what personal data the financial institution had stored about him. According to him, the bank had forwarded personal data to a property management company, even though he had expressly prohibited the forwarding of his data.

His request for information covered all processed data, information about its origin, the possible recipients or categories of recipients, the purpose of the data use and the legal basis relied on. Furthermore, he requested the names and addresses of the service providers entrusted with the processing of his data.

Bank response

The financial institution provided the data subject with some records, but also mentioned in the cover letter that not all of the data had been provided, and gave the following reasons for this:

“All other personal data stored would not contain any personal information, but would be account- and product-related data and would serve the computer processing of banking transactions.”

Furthermore, an “Information on service providers” sheet was enclosed, as well as a list of the cases in which the institution is obliged to disclose data to authorities under various legal requirements. Here, for example, the bank stated that data will be forwarded to the U.S. authorities if the person is subject to tax in the U.S.

Complaint to the data protection authority

In the opinion of the complainant (the data subject), the information provided by the bank was insufficient. He therefore filed a complaint pursuant to Sec. 31 para. 1 of the Austrian Data Protection Act 2000, citing incomplete and inaccurate information as grounds.

The bank replied that it regularly provided account statements, that an account statement printer was available and that the data could be viewed via online banking. For this reason, the bank considered the effort involved to be unjustifiable and unwarranted. The complainant disputed that the effort was disproportionate and requested that an expert in IT and banking be consulted. The data subject also countered that he had no e-banking access, and that such access would in any case only cover his own account data, not data stored in connection with the accounts of third parties.

Furthermore, the information was incomplete because the transfer of data to internal departments such as marketing was not documented.

Decision of the data protection authority

The data protection authority upheld the complainant on only one point: the data disclosure was incomplete because it contained no information about the forwarding of data to the property management company. The bank was therefore ordered to provide this information to the data subject within two weeks.

The other disputed points were decided in favor of the bank.

The private individual appealed the authority’s decision to the Federal Administrative Court.

Court decision

The Federal Administrative Court corrected the decision of the data protection authority and argued as follows:

Simple understandable language

The GDPR requires in Article 12:

The controller shall take appropriate measures to provide the data subject with all the information referred to in Articles 13 and 14 and all the notifications referred to in Articles 15 to 22 and Article 34 which relate to the processing, in a precise, transparent, intelligible and easily accessible form, in plain and simple language

GDPR Article 12, paragraph 1

As a result, the bank should have left out the passage about disclosures to U.S. authorities, since the person concerned is not liable to pay taxes in the United States.

The court also referred to recital 58 of the GDPR.

Internal data sharing

Here, too, the court ruled that the bank’s disclosures were insufficient. The purpose statement “Performance of banking transactions and related services” is not detailed enough and does not meet the requirement of plain, understandable language under GDPR Article 12. Recital 63 supported the judges’ reasoning.

Purpose statements such as “improvement of user-friendliness”, “marketing purposes”, “IT security purposes” or “future research” are too general and do not meet the criterion of sufficient definiteness. As a rule of thumb, it is advisable to describe a purpose in more than three words, but without falling into sprawling, confusing and complicated formulations.

Excerpt from the decision of the Federal Administrative Court

Thus, it is also clear that the requirements of the GDPR are not easy to meet: giving a detailed statement without resorting to complicated formulations is a balancing act on a knife edge.

The court’s decision therefore means that internal data transfers must also be part of a data disclosure.

Proportionality

In this point, too, the Federal Administrative Court followed the argumentation of the person concerned.

The bank was of the opinion that the data could be accessed via e-banking and that any further data disclosure would be disproportionate. According to the court, this argument lacks any legal basis. Since the complainant does not have e-banking access, the institution has to find other ways to provide the requested data. The exception under GDPR Article 12(5) cannot be applied, as it serves to defend against excessive demands. Since this is the complainant’s first data subject request, there can be no question of excessive or abusive use.

The information under Article 15 must therefore be provided free of charge and must cover the past seven years. The bank was given a period of only two weeks to provide the information.

Conclusion

The ruling shows once again that the GDPR is a complex construct and should not be taken lightly. There is no other way to explain the fact that a court and an authority make different decisions based on the same facts.

For the assessment of facts, not only the legal text but also the recitals are decisive. These explain the intentions of the legislator and bring clarity to the GDPR for me.

In conclusion, data disclosure to data subjects is one of the major challenges of the GDPR. Only when data management is in place can these requests be answered in a timely and complete manner. If data is stored in different systems, such as a CRM and a marketing application, it takes technical know-how to extract all the required data from both systems.

Categories: Austria, GDPR Decisions, News
