06.04.2019
In a recent decision (on December 20, 2018), the Supreme Court confirmed that it is possible for those affected by a data protection violation to appeal directly to the ordinary courts without first having to submit a complaint to the data protection authority.
The facts
The starting point for the proceedings was a custody dispute between divorced spouses, in which one party handed over various written records, chat logs and email correspondence of the other party to the expert (appointed by the guardianship court). These included special categories of data within the meaning of Art. 9 GDPR (information about health, sex life, etc.).
The other party, as the person affected, filed a lawsuit with the Salzburg Regional Court, seeking, among other things, an injunction against the copying, forwarding and distribution of their personal data contained in email correspondence and chat logs, as well as the deletion of this data and the destruction of any printouts that had already been made. The lower courts upheld the claim for the deletion of the data and the injunction against forwarding and copying (however, the plaintiff's claim for damages was already unsuccessful in the first instance).
Until the Supreme Court's decision, it was controversial in legal theory whether legal recourse could be taken without a prior complaint to the data protection authority and without further requirements.[1]
The legal opinion of the Supreme Court regarding Art 79 GDPR
The Supreme Court, citing various legal opinions,[2] states that claims for erasure can also be asserted in court proceedings. This makes it clear that, although the Austrian legislator has not issued any detailed provisions for this, Art. 79 GDPR (according to which “any person concerned […] without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77, the right to an effective judicial remedy [has]if he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation“) the ordinary courts can be called upon in the event of data protection violations in general, and are not only responsible for claims for (material or immaterial) damages, for which the regional courts are expressly responsible according to Section 29 DSG.
Although it was probably a concern of the Austrian legislator,[3] to prevent recourse to the courts on the basis of Articles 77 and 79 alone,[4] The decision of the Supreme Court confirms that the data protection authority and the ordinary courts have parallel jurisdiction in the case of data protection violations and for the assertion of the rights of those affected. This is in line with the prevailing opinion in the German-speaking world,[5] It is assumed that legal protection is two-pronged. Both procedures have advantages and disadvantages for those affected, particularly with regard to the cost,[6] which must be carefully weighed against each other in each individual case. Because civil actions before the ordinary courts for data protection violations (apart from Section 29 DSG) have not been regulated in more detail by the Austrian legislator, some procedural questions still arise,[7] which will hopefully be clarified by the legislature in the near future.
Confusing legal situation
How Jahnel correctly notes, the decision shows that the DSG has created such a fragmented legal situation that even a supreme court can make editorial errors: for example, the decision cited Section 45 DSG as the legal basis for the obligation to delete data, although this provision is contained in the third main part of the DSG, which of course (only) regulates the “Processing of personal data for security police purposes, including police state protection, military self-protection, the investigation and prosecution of criminal offences, the execution of sentences and the enforcement of measures“, so that Section 45 DSG could not be applicable in the present case.[8]
Interpretation of the household exemption
The interpretation of the “household exemption” of Art. 2 para. 2 lit. c GDPR, according to which the GDPR does not apply to the processing of personal data “by natural persons for the exercise of exclusively personal or family activities’ is applicable, the present decision is relevant.
The Supreme Court deals extensively with the question of how this exception is to be defined and comes to the conclusion that a personal or family activity is “hostile to the public”, “why, for example, the online posting of private family trees or personal information about other people, whether they are relatives or friends, is not covered by the exception [is].” Using the case law of the ECJ[9] and various schools of thought[10] the OGH comes to the conclusion that the defendant “by having the daten […] made available to both the expert and the guardianship court, exceeded the personal family sphere [has], so that he can no longer rely on the exception in Art 2 paragraph 2 lit c GDPR“.
The Supreme Court is thus making an important contribution to the ongoing clarification of the “household exemption” in data protection law and is correctly interpreting it narrowly so that it does not also cover the transmission of data in the context of court proceedings.
[1] Jahnel, Judicial legal protection under the GDPR confirmed. Comments on OGH 20.12.2018, 6 Ob 131/18k, Rz 7, jusIT 2019/42; see also Pitsch in Gantschacher/Jelinek/Schmidl/Spanberger (eds.), General Data Protection Regulation Art 79, 686 f and Tretzmüller, Private Enforcement. Non-pecuniary damages for data protection violations, in Jahnel (ed.), Yearbook of Data Protection Law (2017) 199 (217).
[2] Leupold/Schrems in Knyrim (ed.), DatKomm Art 79 Rz 9 (as of 01.10.2018); Martini in Paal/Pauly (eds.), GDPR. BDSG² Art 79 Rz 12 ff (2018).
[3] See AB 1761 BlgNR XXV. GP, 30.
[4] Jahnel, Judicial protection under the GDPR confirmed. Comments on OGH 20.12.2018, 6 Ob 131/18k, Rz 7, jusIT 2019/42.
[5] See footnote 1 and Bergt in Kühling/Buchner (eds.), GDPR. BDSG² Art 79 Rz 13 (2018); Nemitz in Ehmann/Selmayr (eds), General Data Protection Regulation² Art 79 Rz 8 (2018); Jahnel, The GDPR and the DSG 2018 – overview and problem points, in Krempelmeier/Staudinger/Weiser (eds), Data protection law according to the GDPR – key issues (2018) 29 (43 f).
[6] More details Jahnel, Judicial protection under the GDPR confirmed. Comments on OGH 20.12.2018, 6 Ob 131/18k, Rz 7, jusIT 2019/42.
[7] Schwamberger, The binding effect between civil and administrative proceedings under the GDPR, VbR 2018/117, 219.
[8] Jahnel, Judicial protection under the GDPR confirmed. Comments on OGH 20.12.2018, 6 Ob 131/18k, Rz 7, jusIT 2019/42.
[9] ECJ December 11, 2014, C-212/13 (Ryneš); ECJ November 6, 2003, C-101/01 (Lindqvist); see also ECJ July 10, 2018, C‑25/17 (Jehovan todistajat – uskonnollinen yhdyskunta).
[10] Among others Serious in Paal/Pauly (eds.), GDPR. BDSG² Art 2 Rz 21 (2018) mwN.