Three interesting decisions on Austrian data protection law

28.02.2019

This article presents three interesting decisions on Austrian data protection law, in particular dealing with an unlawful video surveillance and its imposed fine, voluntary consent to the setting of cookies and the breach of duty to provide information where personal data has not been obtained from the data subject.

Criminal Knowledge – fine for video surveillance system based on Art 84 GDPR – Case no. DSB-D550.038/0003-DSB/2018

In this decision the Austrian Data Protection Authority (DPA) had to deal with an unlawful video surveillance system. According to Austrian Data Protection Law (DSG 2018) a video surveillance is permissible, in particular if it serves the preventive protection of persons or property on private properties used exclusively by the data controller and does not extend beyond the property, with the exception of the inclusion of public traffic areas, which may be unavoidable for the purpose of attaining the intended purpose.

In this case the surveillance covered the public area (public parking lot and traffic area) and private individuals in front of the entrance of the data controller. The DPA decided that the video surveillance in this way is not permitted because it was in no way appropriate and not limited to what it was necessary. In addition, there was no logging of processing operations related to video surveillance. § 13 para 2 DSG 2018 stipulates that the data controller must protocol every processing operation for an image recording, unless it is a matter of real-time monitoring. The missing logging already started before 25th of May 2018, so that the data controller not only violated § 13 para 2 DSG 2018, but also § 50b para 1 DSG 2000 (for the period before 25th of May 2018). On top of that, the video surveillance was not suitably marked. There was no sign on the parking lot. In accordance with § 13 para 5 DSG 2018, the data controller must mark the video surveillance suitably. The data controller must be clearly identifiable from the label, unless this is already known to the persons concerned under the circumstances of the case. Labelling must be carried out locally in such a way that any potentially affected person approaching a monitored object has the opportunity to avoid video surveillance. 

On the basis of § 62 para 1 no 4 DSG 2018, which is based on Art 84 GDPR, the DPA imposed an administrative fine of EUR 4,800 due to a not sufficiently marked video surveillance and recording a large part of the sidewalk. Compared to similar cases before the GDPR came into force, the administrative times are more than 5 times.

Voluntary consent to the setting of cookies against access to an online newspaper - Case no. DSB-D122.931/0003-DSB/2018

The DPA had to deal, among other things, with the question of whether the requirements for voluntary consent would be met if, when visiting the webpage of the respondent, who operates an online platform including an online newspaper, consent was obtained to the setting of cookies and in return access to this webpage was granted. It was initially stated that, in accordance with the previous case law of the DPA, the complainant may also rely on any other provision apart from Chapter III of the GDPR (which lists the rights of data subjects in a taxative manner) - including an alleged involuntary consent - insofar as this could possibly constitute a violation of the right to confidentiality under § 1 para 1 DSG 2018. In addition, it was stated that the provisions of Directive 2002/58/EC (ePrivacy Directive) and the TKG 2003 of the GDPR take precedence as lex specialis. The question of the legal basis or the legal basis for permitting the use of cookies is therefore governed by § 96 para 3 TKG 2003, according to which the collection of data (or the use of "advertising cookies") is only permissible if consent has been given. At the same time, Directive 2002/58/EC refers to Directive 95/46/EC (Data Protection Directive), which has no longer been applicable since the GDPR came into force, with regard to the more detailed conditions governing this voluntary nature. In a systematic interpretation, the provisions of the GDPR must therefore now be used to assess the existence of voluntary consent. The DPA reviewed the facts of the case and considered the fact that the respondent offered a paid subscription for a small fee as an alternative. In particular, the question was examined as to whether the submission of a consent by the complainant had considerable negative consequences or whether there was a genuine or free choice. As a result, the complaint was dismissed because, if the consent was not given, either the payment subscription offered or the physically appearing newspaper of the respondent could be used as a consequence. In addition, it had to be considered in the present case that the complainant also has a clearly identifiable advantage when he gives his consent - namely the maintenance of full access to a webpage with journalistic online articles and a moderated forum. The basic right to data protection cannot only be understood as a right of defence, but also includes - within certain limits, of course - sovereignty over one's own data in the sense of informational self-determination. However, this data sovereignty must not only be expressed in the exercise of the data subject's rights but can also be used in the form of the granting of consent against a clearly discernible advantage, whereby the distinction is always a case-by-case assessment.

Breach of duty to inform in case of cold calling – Case no DSB-D123.076/0003.DSB/2018

At the end of June, the complainant was contacted via telephone by the respondent of a selling company for advertising purposes. However, the complainant, who is also an entrepreneur, had not given his consent within the meaning of § 107 para 1 TKG 2003 (Austrian Telecommunications Act) for contact via telephone for advertising purposes. When asked where the telephone number came from, the complainant did not provide any information. The complainant then addressed the DPA and asserted the infringement of the right to confidentiality and the duty to provide information pursuant to Art 14 GDPR. In the proceedings, the complainant stated that the called party's mobile phone number was published online and that it was the telephone number of a company, not of a natural person. The DPA had to deal with the question of a possible violation of the right to confidentiality through the use of the telephone number for advertising measures as well as with the question of whether the respondent would have complied with his information obligation by initially not providing the complainant with complete information on the data processing during the telephone conversation. The DPA granted the complaint. The fact that the complainant's mobile phone number was merely posted on the website of a regional association to which he belonged did not entitle the respondent under any circumstances to carry out unsolicited advertising calls. In this respect, there is a change of purpose. The complaint was therefore justified in this respect. Regardless of the provision of § 107 para 1 TKG 2003, the violation of which is sanctioned under administrative criminal law, or which the telecommunications authorities are ultimately responsible, the violation of the duty to provide information according to art 14 GDPR was acknowledged by the DPA in the same way.

 

Article provided by: Clemens Thiele (EUROLAWYER Rechtsanwälte)

 

Discover more about the Cloud Privacy Check(CPC) / Data Privacy Compliance(DPC) project

Director CPC project: Dr. Tobias Höllwarthtobias.hoellwarth@eurocloud.org

VIEW PROJECT

What is the INPLP?

INPLP is a not-for-profit international network of qualified professionals providing expert counsel on legal and compliance issues relating to data privacy and associated matters. INPLP provides targeted and concise guidance, multi-jurisdictional views and practical information to address the ever-increasing and intensifying field of data protection challenges. INPLP fulfils its mission by sharing know-how, conducting joint research into data processing practices and engaging proactively in international cooperation in both the private and public sectors.