Recent decisions of the Austrian Data Protection Authority (DPA)
1.Admissibility of automated license plate recognition in a parking garage for the purpose of billing for garage use Case no. DSB-D123.652/0001-DSB/2019
With the decision of 4 July 2019, the DPA had to deal with the question of the permissibility of automated license plate recognition in a parking garage for the purpose of billing for the use of the garage. The respondent is the operator of a large shopping centre which provides the use of a parking garage. When entering the respondent's car park, the number plate of the complainant's car is automatically recorded by a camera before passing the entrance barrier. The complainant claimed a violation of the right to confidentiality as well as a violation of the prohibition of coupling, since - in summary - the use of the parking garage was only possible if one tolerated the automated recording of the license plate number. The respondent based the processing in question on legitimate interests under Article 6 para 1 lit f GDPR. The DPA first noted that other personal data are processed in addition to the registration number, namely the exact time and place where the complainant as holder (and, in this case, the driver) was located. Likewise, the information and labelling obligations were manifestly not properly implemented, since the purpose of the processing, namely the registration of the licence plate for the purpose of billing for garage use, was not stated on the sign before the entrance. In the opinion of the DPA, however, this is irrelevant: although reasonable expectations must be taken into account when weighing up interests, automated license plate recognition for the purpose of billing for garage use is not unusual ( see the decision of the DPA of 18 March 2019, DSB-D196.007/0005-DSB/2019, which approved the content of conduct rules pursuant to Art 40 para 5 GPPR regarding garage and parking lot operations in Austria). In addition, the respondent also cited appropriate technical and organisational measures to protect the interests of the complainant accordingly (including immediate deletion of personal data after settlement of the bill). The DPA considers that the legitimate interests lie in the promptness and efficiency of such processing in order to process such short-term contracts (parking garage use). Conversely, the complainant had not brought any legitimate interests into play, in particular the respondent had not processed the complainant's data for any other purpose than the settlement of the bill. It was not necessary to address a possible violation of the "prohibition of linkage" as stipulated in Art 7 para 4 GDPR, since the defendant did not base the processing on consent pursuant to Art 6 para 1 lit a GDPR. A violation of the information obligations under Art 13 GDPR was not the subject of the proceedings. The complaint was therefore dismissed and the decision is final.
2. Official investigation of an image processing (automatically operated photo system on the summer sledge run) on the basis of a declaration of consent inseparably linked to the contract of use - Case no. DSB-D213.679/003-DSB
A cable car operated a summer sledge run. There was an action cam in the cable car, which automatically took a photo of the guests at a place that has previously been marked sufficiently clearly and visibly. In advance, a light barrier activated the trigger of the action cam. The action cam and the photos were indicated by bilingual signs in the entrance area of the cable car and at the entrance to the summer sledge run. These signs informed that the use of the summer sledge run as well as the possibility to purchase a photo of the action cam is a common and uniform subject of the contract. Also on the homepage of the data controller there was a reference to the action cam and to the pictures taken at the sledge run. According to the data controller, the guest on the sled (conclusively) agreed to the image recording by purchasing the ticket. On the sledge run itself, the distance to the action cam was shown continuously (e.g. in how many meters distance the picture is taken). Every guest had the possibility to prevent the identification on the picture by covering the face or other measures (e.g. turning to the side). These photos were deleted every day at 23:00, and therefore the maximum storage time was only 14 hours. In this case, the DPA only examined whether the consent granted met the requirements of the GDPR. The procedure was - in the absence of any submissions by the data controller - limited to this (one) legal basis. No other legal basis was put forward and was therefore not the subject of the examination procedure. The DPA came to the conclusion that the consent did not comply with the requirements of Art 7 GDPR. The consent to take pictures and thus the concrete processing of personal data is linked to the fulfilment of the contract (summer sledge use contract), even though the consent to take pictures by the action cam is not necessary for the fulfilment of the summer sledge use contract. Even the possibility of covering one' s face or turning to the side before passing the light barrier does not change this, as in these cases personal data is still collected. In this case, the guests of the sledge run can still be identified with reasonable effort. The data controller had therfore been instructed to refrain from the current form of image processing (i.e. on the basis of a declaration of consent inseparably linked to the contract of use) with immediate effect in case of any other execution.
3. Improper disclosure of health information in a WhatsApp chat group - Case no. DSB-D124.285/0005-DSB/2019 (not yet final)
The DPA had to deal with the question whether a report of incapacity to work (without diagnosis) is to be qualified as a health data within the meaning of Art 9 para 1 GDPR and whether the disclosure of such a report of incapacity to work in a WhatsApp chat group was made unlawfully. The respondent was the complainant's former employer. The complainant called in sick and submitted the report of incapacity to work to a superior of the respondent. This superior, who was attributable to the respondent, shared the aforementioned notification of incapacity to work using the WhatsApp short messaging service in a WhatsApp chat group in which the complainant and other employees of the respondent participated.The DPA first referred to the case C-101/01 (Lindqvist) of the European Court of Justice, according to which the concept of 'data relating to health' must be interpreted broadly, and stated that this judgment is also transferable to the new legal situation. Although there was no concrete reason for the incapacity for work on the notification of incapacity for work in question, the DPA considered that the information on the concrete period of incapacity for work (beginning of the incapacity for work and date of reappointment with the attending physician) was sufficiently informative about the physical or mental state of health of a person to be qualified as a "health data" under Article 4 no 15 GDPR. There was no apparent legal basis for the disclosure of the report of incapacity to work, which contained not only health data but also other information such as the social security number and the full address of the complainant. Therefore, in the absence of a legal basis, a violation of the right to confidentiality due to an improper disclosure of health data in a WhatsApp chat group was found. In addition to these proceedings, two other parallel complaints were filed against the respondent on the same facts. The DPA therefore also made official use of its authority under Art 58 para 2 lit f GDPR and imposed a restriction on the respondent with the provison that it refrain from disclosing data on its employees in connection with a report of incapacity for work using the WhatsApp short messaging service. This decision and the restriction imposed on the respondent are not legally binding yet.
Article provided by: Clemens Thiele (Eurolawyers, Austria)
Dr. Tobias Höllwarth (Managing Director INPLP)