# BVwG - W292 2270002-1

- Type: Case Law
- Source: GDPRhub
- Date: 2023-07-27
- Original: https://gdprhub.eu/index.php?title=BVwG_-_W292_2270002-1
- Canonical: https://overview.legal/posts/109002
- Topics: Profiling, Public Sector, Criminal Data, Accuracy, Child Consent, Types of Special Categories of Personal Data, Notified Body Competence Challenges and Dispute Resolution, Automated Decision-Making, Right to be Forgotten, Public Authority

## Summary

Facts — On 4 October 2020, the controller sent a non-anonymised court judgement of the Regional Criminal Court (Landesgericht für Strafsachen) as a PDF file to a different recipient via WhatsApp. Less than a year later, on 28 July 2021, the same non-anonymised court judgement was sent to the same recipient again, this time via email. The data subject lodged two complaints with the DPA (DSB) regarding the violation of their right to secrecy under § 1(1) DSG. In the first proceedings (DSB-D124.5125), the DPA ruled on the transmission of the judgement via WhatsApp and notably highlighted that the transmission via email was not the subject of the proceedings. In the second procedure (DSB-D124.0310/22) concerning the transmission via email, the DPA dismissed the complaint on the grounds that the data subject had no legitimate interest of legal protection and referred to its first administrative decision. The data subject appealed against the second decision of the DPA and asked the court to decide in that subject matter. In their opinion, the two transmissions of the judgement at different times represent two separate data processing operations. Holding — First, the court held that, in this specific case, there was no identity of the subject matter in comparison with the first proceedings within the meaning of § 68(1) AVG. In accordance with established legal practice (VwGH 31.07.2006, 2006/05/0158; VwGH 21.06.2007, 2006/10/0093 etc.), the court based its decision on the legal and temporal identity of the case. On the one hand, the data processing operation via email took place at a later date. On the other hand, the resulting time difference could lead to a potentially different legal assessment compared to the previous proceedings. Second, the court ruled that it could only examine the rightfulness of the dismissal of the complaint and therefore could not rule on the subject matter itself (See, for example, VwGH 18.12.2014, Ra 2014/07/0002). Third, the court held that no appeal to the Austrian Supreme Administrative Court (Verwaltungsgerichtshof) was admissible pursuant to Article 133(4) B-VG, as the decision raised no legal questions of fundamental importance. Therefore, the court quashed the DPA's administrative decision DSB-D124.0310/22.

## Full text

Decision Date July 27, 2023 Legal Norm General Administrative Procedure Act (AVG) §68 Federal Constitutional Law (B-VG) Art. 133 para. 4 Data Protection Act (DSG) §1 Data Protection Act (DSG) §24 Data Protection Act (DSG) §4 General Data Protection Regulation (GDPR) Art. 4 General Data Protection Regulation (GDPR) Art. 6 General Administrative Procedure Act (AVG) § 68 (now AVG § 68) valid from January 1, 2014, last amended by Federal Law Gazette I No. 33/2013. General Administrative Procedure Act (AVG) § 68 valid from July 1, 1995, to December 31, 2013, last amended by Federal Law Gazette No. 471/1995. General Administrative Procedure Act (AVG) § 68 valid from February 1, 1991, to June 30, 1995. Federal Constitutional Law (B-VG) Art. 133 (now B-VG Art. 133) valid from January 1, 2019, to May 24, 2018, last amended by Federal Law Gazette I No. 138/2017 B-VG Art. 133 valid from 01.01.2019, last amended by BGBl. I No. 22/2018; B-VG Art. 133 valid from 25.05.2018 to 31.12.2018, last amended by BGBl. I No. 22/2018; B-VG Art. 133 valid from 01.08.2014 to 24.05.2018, last amended by BGBl. I No. 164/2013; B-VG Art. 133 valid from 01.01.2014 to 31.07.2014, last amended by BGBl. I No. 51/2012; B-VG Art. 133 valid from 01.01.2004 to 31.12.2013, last amended by Federal Law Gazette I No. 100/2003, Federal Constitutional Law, Article 133, valid from 01.01.1975 to 31.12.2003, last amended by Federal Law Gazette No. 444/1974; Federal Constitutional Law, Article 133, valid from 25.12.1946 to 31.12.1974, last amended by Federal Law Gazette No. 211/1946; Federal Constitutional Law, Article 133, valid from 19.12.1945 to 24.12.1946, last amended by State Law Gazette. No. 4/1945 B-VG Art. 133 valid from January 3, 1930 to June 30, 1934 DSG Art. 1 § 1 now DSG Art. 1 § 1 valid from January 1, 2014, last amended by Federal Law Gazette I No. 51/2012 DSG Art. 1 § 1 valid from January 1, 2000 to December 31, 2013 DSG Art. 2 § 24 now DSG Art. 2 § 24 valid from July 15, 2024, last amended by Federal Law Gazette I No. 70/2024 DSG Art. 2 § 24 valid from May 25, 2018 to July 14, 2024, last amended by Federal Law Gazette I No. 120/2017 DSG Art. 2 § Article 24, valid from January 1, 2010 to May 24, 2018, last amended by Federal Law Gazette I No. 133/2009. Article 2, Section 24 of the Data Protection Act (DSG) valid from January 1, 2000 to December 31, 2009. Article 2, Section 4 of the Data Protection Act (DSG) now: Article 2, Section 4 of the Data Protection Act (DSG) valid from January 1, 2020, last amended by Federal Law Gazette I No. 14/2019. Article 2, Section 4 of the Data Protection Act (DSG) valid from May 25, 2018 to December 31, 2019, last amended by Federal Law Gazette I No. 24/2018. Article 2, Section 4 of the Data Protection Act (DSG) valid from May 25, 2018 to May 24, 2018, last amended by Federal Law Gazette I No. 120/2017. Article 2, Section 4. Valid from January 1, 2010 to May 24, 2018, last amended by Federal Law Gazette I No. 133/2009. Data Protection Act, Art. 2, § 4, valid from January 1, 2000 to December 31, 2009. Ruling W292 2270002-1/4E IN THE NAME OF THE REPUBLIC! The Federal Administrative Court, composed of Judge Herwig Zaczek as presiding judge and lay judges Martina Chlessil and René Bogendorfer as associate judges, has ruled on the appeal of XXXX, represented by Franz Doppelhofer, attorney-at-law, residing at Mitterstraße 177, 8055 Seiersberg-Pirka, against the decision of the Data Protection Authority dated March 2, 2023, file number D124.0310/22/XXXX (intervening party: XXXX), in a non-public session. The Federal Administrative Court, composed of Judge Herwig Zaczek as presiding judge and lay judges Martina Chlessil and René Bogendorfer as associate judges, has ruled on the appeal of [name omitted], represented by Franz Doppelhofer, attorney-at-law, residing at Mitterstraße 177, 8055 Seiersberg-Pirka. 177, against the decision of the Data Protection Authority of March 2, 2023, file no. D124.0310/22 / Roman numeral 40 (intervening party: Roman numeral 40), in a non-public session A1) The decision of the Data Protection Authority of March 2, 2023, file no. D124.0310/22 (XXXX), is hereby set aside without substitution. A2) The decision is hereby set aside: The application for a decision on the merits by the Federal Administrative Court is dismissed. B) The appeal on points of law is inadmissible pursuant to Article 133, paragraph 4, of the Federal Constitutional Law. Text Reasons for the Decision: I. Procedural History: 1. The initial proceedings were one of two data protection complaints before the Data Protection Authority (respondent authority) for a violation of the right to confidentiality pursuant to Section 1 Paragraph 1 in conjunction with Section 24 of the Data Protection Act. In both proceedings, the complainant and the co-respondent party (XXXX) were the opposing parties. The complainant alleged a violation of the right to confidentiality in each case due to the transmission of the same PDF file to the same recipient – but at different times and using technically different methods. 1. The initial proceedings were one of two data protection complaints before the Data Protection Authority (respondent authority) concerning a violation of the right to confidentiality pursuant to Section 1, Paragraph 1, in conjunction with Section 24 of the Data Protection Act. In both proceedings, the complainant and the co-respondent (Roman numeral 40) were the opposing parties. In each case, the complainant alleged a violation of the right to confidentiality due to the transmission of the same PDF file to the same recipient – albeit at different times and using different technical methods. 2. In the proceedings under file number D124.5125, the subject of the complaint was the transmission of a non-anonymized judgment of the Regional Court for Criminal Matters XXXX in the form of a PDF file via the WhatsApp messaging service on October 4, 2020, to a third party (XXXX). In the course of the proceedings before the respondent authority, it emerged that the same PDF file was sent again approximately one year later, this time in non-anonymized form, but via email, to the same recipient. This occurred because the recipient was allegedly unable to open the PDF file (or not fully open it) during the initial transmission via WhatsApp. 2. In the proceedings under file number D124.5125, the subject of the appeal was the transmission of a non-anonymized judgment of the Regional Court for Criminal Matters (Roman 40 to Roman 40) in the form of a PDF file via the messaging service WhatsApp on October 4, 2020, to a third party (Roman 40). In the course of the proceedings before the respondent authority, it emerged that the same PDF file was sent again approximately one year later, this time in non-anonymized form, but via email, to the same recipient. This occurred because the recipient was allegedly unable to open the PDF file (or not fully open it) during the initial transmission via WhatsApp. ... 3. The transmission by email on July 28, 2021, formed the basis for the second proceedings before the respondent authority under file number D124.0310/22 (XXXX), in which the appellant sought a declaration that the right to confidentiality had been violated by the (renewed) transmission of the non-anonymized judgment of the Regional Court for Criminal Matters XXXX under file number XXXX via email by the respondent XXXX. The transmission by email on July 28, 2021, formed the basis for the second proceeding before the respondent authority under file number D124.0310/22 (Roman numeral 40), in which the appellant sought a declaration that her right to confidentiality had been violated by the (renewed) transmission of the non-anonymized judgment of the Regional Court for Criminal Matters (Roman numeral 40) under file number 40 via email by the respondent (Roman numeral 40). 4. In the contested decision, the respondent authority dismissed the appeal for lack of standing and a legitimate interest in obtaining a declaratory judgment on the part of the appellant and referred the matter to the proceedings under file number D124.5125. 4. 5. The present appeal is directed against this, in which the appellant argues, in summary, that the two transmissions of the PDF file in question constitute two separate processing operations, since different transmission methods and widely separated times of transmission were used. Therefore, the appellant maintains a legitimate interest in obtaining a ruling that the right to confidentiality under Section 1(1) of the GDPR was violated, even in the case of the second transmission of the PDF file via email, months after the first transmission via WhatsApp. In this context, the appellant also requests a decision on the merits from the Federal Administrative Court. The present appeal is directed against this decision. In summary, the appellant argues that the two transmissions of the PDF file in question constitute two distinct processing operations, as they involved different methods of transmission and occurred at widely separated times. Therefore, the appellant maintains a legitimate interest in obtaining a ruling that the second transmission of the PDF file via email, months after the first via WhatsApp, violated the right to confidentiality under Section 1, Paragraph 1 of the GDPR. In this context, the appellant also requests a decision on the merits from the Federal Administrative Court. 6. The respondent authority submitted the appeal, along with the relevant administrative act, to the Federal Administrative Court by letter dated April 7, 2023, without availing itself of the option of a preliminary ruling on the appeal. The respondent authority submitted the appeal, along with the relevant administrative act, to the Federal Administrative Court by letter dated April 7, 2023, without making use of the possibility of obtaining a preliminary ruling on the appeal. ... 6. The respondent authority submitted the appeal, along with the relevant administrative act, to the Federal Administrative Court by letter dated April 7, 2023, without availing itself of the possibility of a preliminary decision on the appeal. II. The Federal Administrative Court considered the following: 1. Findings: 1.1. Both appeal proceedings D124.5125 and D124.0310/22 concerned the transmission of the non-anonymized judgment of the Regional Court for Criminal Matters XXXX, file number XXXX, as a PDF document to XXXX. In both appeal proceedings, XXXX was the appellant and XXXX the respondent (intervening party – mP in the proceedings before the Federal Administrative Court). Both appeal proceedings D124.5125 and D124.0310/22 concerned the transmission of the non-anonymized judgment of the Regional Court for Criminal Matters (reference number 40) as a PDF document to [name 40]. In both appeal proceedings, [name 40] was the appellant and [name 40] was the respondent (intervening party – mP in the proceedings). 1.2. In appeal proceedings D 124.5125 [initial proceedings], the respondent authority had to assess the transmission of the PDF document via the WhatsApp messaging service on October 4, 2020, and the operative part of the decision issued in the matter reads as follows: "The appeal is granted, and it is determined that the respondent violated the appellant's right to confidentiality by transmitting the judgment of the Regional Court for Criminal Matters XXXX, case number XXXX, dated August 5, 2020, concerning the appellant, as well as the appeal filed against it on September 22, 2020, to a third party via WhatsApp on October 4, 2020." and transmitted the appeal filed against it on September 22, 2020, to a third party.” In its reasoning, the respondent authority stated verbatim in the section “Subject of the Complaint”: “(…) The subject of the complaint is not the question of whether the respondent violated the complainant’s right to confidentiality by transmitting a judgment by email to […] on July 28, 2021.” No appeal was lodged against this decision. 1.3. The data protection complaint proceedings under file number D 124.0310/22 [follow-up proceedings] concern the transmission of the judgment of the Regional Court for Criminal Matters XXXX of XXXX dated August 5, 2020, concerning the complainant, as a PDF document via email on July 28, 2021, to XXXX. The respondent authority rejected the complainant's data protection complaint with the contested decision of March 2, 2023, for lack of standing and declaratory interest, against which the complainant filed an appeal against the decision with the Federal Administrative Court on March 29, 2023. 1.3. The data protection complaint proceedings under file number D 124.0310/22 [subsequent proceedings] concern the transmission of the judgment of the Regional Court for Criminal Matters (Roman 40) of August 5, 2020, concerning the complainant, as a PDF document via email on July 28, 2021, to Roman 40. The respondent authority rejected the complainant's data protection complaint with the contested decision of March 2, 2023, for lack of standing and declaratory interest. The complainant filed an appeal against this decision with the Federal Administrative Court on March 29, 2023. 2. Evaluation of Evidence: The findings are based on the administrative act, which is unobjectionable in this respect, and the facts underlying the contested decision were not disputed by the parties. 3. Legal Assessment: Pursuant to Section 6 of the Federal Administrative Court Act (BVwGG), the Federal Administrative Court decides by a single judge unless federal or state law provides for a decision by a panel. Pursuant to Section 6 of the Federal Administrative Court Act (BVwGG), the Federal Administrative Court decides by a single judge unless federal or state law provides for a decision by a panel. Pursuant to Section 27 of the Data Protection Act (DSG), the Senate has jurisdiction in this matter. 3.1. Applicable Law: 3.1.1. The relevant provisions of the Federal Act on the Protection of Natural Persons with regard to the Processing of Personal Data (Data Protection Act - DSG) as amended by Federal Law Gazette I No. 24/2018 are (in excerpts): 3.1.1. The relevant provisions of the Federal Act on the Protection of Natural Persons with regard to the Processing of Personal Data (Data Protection Act - DSG), as amended by Federal Law Gazette Part One, No. 24 of 2018, read as follows (in excerpts): "Fundamental Right to Data Protection Section 1. (1) Everyone has the right to the confidentiality of their personal data, particularly with regard to respect for their private and family life, insofar as there is a legitimate interest in doing so. Such an interest is excluded if data is not subject to a claim for confidentiality due to its general availability or because it cannot be traced back to the data subject. (2) Insofar as the use of personal data is not Unless the processing of personal data is in the vital interest of the data subject or carried out with their consent, restrictions on the right to confidentiality are only permissible to protect overriding legitimate interests of another party. In the case of interventions by a state authority, such restrictions are only permissible on the basis of laws that are necessary for the reasons stated in Article 8(2) of the European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR), Federal Law Gazette No. 210/1958. Such laws may only permit the use of data that is particularly sensitive by its nature to protect important public interests and must simultaneously establish appropriate safeguards for the protection of the data subjects' confidentiality interests. Even in the case of permissible restrictions, the interference with the fundamental right must always be carried out in the least intrusive manner necessary to achieve the objective. Insofar as the processing of personal data is not in the vital interest of the data subject or carried out with their consent, restrictions on the right to confidentiality are only permissible to protect overriding legitimate interests of another party. In the case of interventions by a state authority, such restrictions are only permissible on the basis of laws that are necessary for the reasons stated in Article 8(2) of the European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR). (1) Insofar as the use of personal data is not in the vital interest of the data subject or with their consent, restrictions on the right to confidentiality are permissible only to safeguard overriding legitimate interests of another, and in the case of interference by a public authority, only on the basis of laws that are necessary for the reasons stated in Article 8, paragraph 2, of the European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR), Federal Law Gazette No. 210 of 1958. Such laws may permit the use of data that are particularly worthy of protection by their nature only to safeguard important public interests and must at the same time establish appropriate safeguards for the protection of the data subjects' interests in confidentiality. Even in the case of permissible restrictions, the interference with the fundamental right may only be carried out in the least intrusive manner that achieves the objective. (2) Insofar as the use of personal data is not in the vital interest of the data subject or is carried out with their consent, restrictions on the right to confidentiality are permissible only to safeguard overriding legitimate interests of another, and in the case of interference by a public authority, only on the basis of laws that are necessary for the reasons stated in Article 8, paragraph 2, of the European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR), Federal Law Gazette No. 210 of 1958. Such laws may permit the use of data that are particularly worthy of protection by their nature only to safeguard important public interests. The use of personal data must be permitted to protect important public interests and must simultaneously establish appropriate safeguards for the protection of the data subjects' privacy interests. Even in the case of permissible restrictions, the interference with the fundamental right must always be carried out in the least intrusive manner necessary to achieve the objective. Insofar as the use of personal data is not in the vital interest of the data subject or with their consent, restrictions on the right to confidentiality are only permissible to protect overriding legitimate interests of another party, and in the case of interference by a state authority, only on the basis of laws that are necessary for the reasons stated in Article 8, paragraph 2, of the European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR), Federal Law Gazette No. 210 of 1958. Such laws may permit the use of data that is particularly worthy of protection by its nature only to protect important public interests and must simultaneously establish appropriate safeguards for the protection of the data subjects' privacy interests. Even in the case of permissible restrictions, the interference with the fundamental right must always be carried out in the least intrusive manner necessary to achieve the objective. (3) Everyone has the right, insofar as personal data concerning him or her are intended for automated processing or for processing in manually maintained files (i.e., without automated support), in accordance with legal provisions: 1. the right to information about who processes which data concerning him or her, where the data originates, and for what purpose it is used, in particular also to whom it is transmitted; 2. the right to rectification of inaccurate data and the right to erasure of unlawfully processed data. (4) Restrictions on the rights under paragraph 3 are only permissible under the conditions specified in paragraph 2. Scope and Implementing Provisions Section 4. (1) The provisions of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ No. L 119 of 4 May 2016, p. 1, (hereinafter: GDPR) and this Federal Act apply to the wholly or partly automated processing of personal data of natural persons as well as to the non-automated processing of personal data of natural persons that are stored or are intended to be stored in a filing system, unless the more specific provisions of Chapter 3 of this Federal Act take precedence. Paragraph 4, (1) The provisions of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), Official Journal No. L 119 of 4 May 2016, p. 1, (hereinafter: GDPR) and this Federal Act apply to the wholly or partly automated processing of personal data of natural persons as well as to the non-automated processing of personal data of natural persons that are stored or are intended to be stored in a filing system, unless the more specific provisions of Chapter 3 of this Federal Act take precedence. (2) Where the rectification or erasure of personal data processed by automated means cannot be carried out immediately because, for economic or technical reasons, it can only be carried out at certain times, the processing of the personal data in question must be restricted until such time as is necessary, in accordance with Article 18(2) GDPR. (2) Where the rectification or erasure of personal data processed by automated means cannot be carried out immediately because, for economic or technical reasons, it can only be carried out at certain times, the processing of the personal data in question must be restricted until such time as is necessary, in accordance with Article 18(2) GDPR. (3) The processing of personal data relating to criminal offenses or omissions, including but not limited to suspected criminal offenses, as well as criminal convictions or preventive measures, is permissible in compliance with the GDPR if: 1. there is an explicit legal authorization or obligation to process such data; or 2. the processing of this data is otherwise permissible due to statutory due diligence obligations; or the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party pursuant to Article 6(1)(f) GDPR, and the manner in which the data processing is carried out ensures the protection of the interests of the data subject in accordance with the GDPR and this Federal Act. The processing of this data is otherwise lawful due to statutory due diligence obligations, or the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party pursuant to Article 6(1)(f) GDPR, and the manner in which the data processing is carried out ensures the protection of the interests of the data subject in accordance with the GDPR and this Federal Act. (4) In the case of an offer of information society services made directly to a child, consent pursuant to Article 6(1)(a) GDPR for the processing of the child's personal data is lawful if the child has reached the age of fourteen. (4) In the case of an offer of information society services made directly to a child, consent pursuant to Article 6(1)(a) GDPR for the processing of the child's personal data is lawful if the child has reached the age of fourteen. (5) The data subject's right of access under Article 15 GDPR does not apply to a controller acting in an official capacity, without prejudice to other legal restrictions, if providing such access would jeopardize the performance of a task assigned to the controller by law. (6) The data subject's right of access under Article 15 GDPR does not generally apply to a controller acting in an official capacity, without prejudice to other legal restrictions, if providing such access would jeopardize the performance of a task assigned to the controller by law. (6) The data subject's right of access under Article 15 GDPR does not generally apply to a controller, without prejudice to other legal restrictions, if providing such access would jeopardize a trade or business secret of the controller or a third party. (6) The data subject's right of access under Article 15 GDPR does not generally apply to a controller, without prejudice to other legal restrictions, if providing such access would jeopardize a trade or business secret of the controller or a third party. (6) 3.1.2. The relevant provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) OJ L 119 of 4 May 2016, hereinafter referred to as GDPR, read in part: 3.1.2. The relevant provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), Official Journal L 119 of 4 May 2016, hereinafter referred to as GDPR, read in part: "Article 4 Definitions For the purposes of this Regulation, the term: (1) ‘personal data’ means any information relating to an identified or identifiable natural person (hereinafter referred to as ‘data subject’);" An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person; (2) ‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction; […] (7) ‘Controller’ means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its designation may be provided for by Union or Member State law; […] Article 6 Lawfulness of processing (1) Processing shall be lawful only if at least one of the following conditions is met: […] (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. Point (f) of paragraph 1 shall not apply to processing carried out by public authorities in the performance of their tasks. […] 3.1.3. The relevant provisions of the General Administrative Procedure Act 1991, as amended by Federal Law Gazette I No. 33/2013, read in part as follows: 3.1.3. The relevant provisions of the General Administrative Procedure Act 1991, as amended by Federal Law Gazette Part One, No. 33 of 2013, read in part as follows: Amendment and Remediation Ex officio Section 68. (1) Applications by parties seeking the amendment of a decision that is not or is no longer subject to appeal, except in the cases specified in Sections 69 and 71, shall be rejected as a matter of law if the authority does not find grounds for an order pursuant to paragraphs 2 to 4. Section 68, (1) Applications by parties seeking the amendment of a decision that is not or is no longer subject to appeal, except in the cases specified in Sections 69 and 71, shall be rejected as a matter of law if the authority does not find grounds for an order pursuant to paragraphs 2 to 4. (2) Decisions from which no rights have arisen may be revoked or amended ex officio by the issuing authority or, in the exercise of its supervisory powers, by the competent higher authority. (3) Other decisions may be amended in the public interest by the authority that issued the decision as the last instance or by the competent higher authority, insofar as this is necessary and unavoidable to eliminate deficiencies that endanger human life or health or to avert serious economic damage. In all cases, the authority must proceed with the utmost care to protect acquired rights. (3) The issuing authority or the competent higher authority may amend other decisions in the public interest to the extent necessary and unavoidable to eliminate deficiencies that endanger human life or health or to prevent serious economic damage. (4) Furthermore, decisions may be declared void ex officio by the competent higher authority in the exercise of its supervisory powers if the decision 1. was issued by an incompetent authority or by a collegial body that is not properly constituted, 2. would result in a criminal offense, 3. is factually unenforceable, or 4. suffers from a defect expressly subject to nullity by statutory provision. (5) A declaration of nullity for the reasons stated in paragraph 4, point 1, is no longer permissible after three years have elapsed since the date specified in Section 63, paragraph 5. (6) The powers granted to the authority in the administrative regulations to revoke or restrict an authorization outside of an appeal procedure remain unaffected. (7) No one has a right to the exercise of the authority's right to amend and rectify decisions pursuant to paragraphs 2 to 4. Malicious supervisory complaints and applications for amendment are subject to penalties under Section 35. 3.2. Regarding A1) 3.2.1. A decision of an Administrative Court (VwG) also becomes legally binding upon its issuance (see, in this regard, the Austrian Administrative Court (VwGH) decision of November 26, 2015, Ro 2015/07/0018), whereby all parties to a legally concluded proceeding have a legal right to have the legally binding effect observed (VwGH decision of January 19, 2016, Ra 2015/01/0070). In connection with this principle, the relevant case law on Section 68 of the General Administrative Procedure Act (AVG) can be applied analogously. It follows that a single legal matter can only be decided once with legal force (ne bis in idem). Legal force has the effect that the matter, which has been definitively and irrevocably settled by the decision, cannot be decided again (prohibition of repetition). A new decision is precluded by the procedural obstacle of res judicata (see Austrian Administrative Court [VwGH] decision of April 24, 2015, 2011/17/0244). Furthermore, the principle of res judicata generally implies a binding effect on an administrative decision (see, for example, Austrian Administrative Court [VwGH] decision of January 19, 2016, Ra 2015/01/0070) (Austrian Administrative Court [VwGH] decision of April 28, 2017, Ra 2017/03/0027). Res judicata exists only if, since the decision in the matter, there has been no change in the legal situation or in the factual circumstances considered decisive at the time (Frank in Reissner/Neumayr, ZellKomm ÖffDR § 13 DVG). 3.2.1. A decision of an Administrative Court (VwG) also becomes legally binding upon its issuance (see VwGH of November 26, 2015, Ro 2015/07/0018), whereby all parties to a legally concluded proceeding have a legal right to have the legally binding effect observed (VwGH of January 19, 2016, Ra 2015/01/0070). In connection with this principle, the relevant case law on Section 68 of the General Administrative Procedure Act (AVG) can be applied analogously. It follows that a single legal matter can only be decided once with legal force (ne bis in idem). Legal force entails the effect that the matter, which has been definitively and irrevocably settled by the decision, cannot be decided again (prohibition of repetition). A new decision is precluded by the procedural obstacle of res judicata (see Austrian Administrative Court [VwGH] decision of April 24, 2015, 2011/17/0244). Furthermore, the principle of res judicata generally implies a binding effect on an administrative decision (see, for example, Austrian Administrative Court [VwGH] decision of January 19, 2016, Ra 2015/01/0070; Austrian Administrative Court [VwGH] decision of April 28, 2017, Ra 2017/03/0027). Res judicata exists only if, since the decision in the matter, there has been no change in the legal situation or in the factual circumstances considered decisive at the time (Frank in Reissner/Neumayr, ZellKomm ÖffDR Paragraph 13, DVG). 3.2.2. According to the established case law of the Administrative Court, the prerequisite for dismissal on the grounds of "a matter already decided" within the meaning of Section 68 Paragraph 1 of the General Administrative Procedure Act (AVG) is the factual identity of the case. If significant changes in the facts have occurred since the issuance of the legally binding decision, the case is no longer identical (see decision of February 5, 1986, 84/09/0118). The subject of the substantive legal force resulting from the formal legal force is only the ruling contained in the decision on the administrative matter, based on the factual situation as expressed in the relevant facts assumed by the authority and the legal situation on which the authority relied (Administrative Court decision of April 4, 2001, 98/09/0041). 3.2.2. According to the established case law of the Administrative Court, a prerequisite for dismissal on the grounds of "a matter already decided" within the meaning of Section 68, paragraph 1, of the General Administrative Procedure Act (AVG) is the actual identity of the case. If significant changes in the facts have occurred since the issuance of the legally binding decision, the case is no longer identical (see decision of February 5, 1986, 84/09/0118). The subject of the substantive legal force resulting from the formal legal force of the decision is only the ruling contained in the decision on the administrative matter, based on the factual situation as it is expressed in the relevant facts assumed by the authority and the legal situation on which the authority relied (Administrative Court decision of April 4, 2001, 98/09/0041). 3.2.3. The "identity of the case" is one of the prerequisites for the applicability of Section 68 of the AVG. According to the established case law of the Austrian Administrative Court (VwGH), this is the case if the facts relevant to the decision, which formed the basis of the preliminary ruling, have not changed. When assessing the identity of the matter, it must be determined from a primarily legal perspective (and not from a purely technical or mathematical one [VwGH 26. 2. 1974, 500/72; 9. 7. 1992, 92/06/0062; 27. 6. 2006, 2005/06/0358]) whether a material change has occurred in the facts relevant to the decision (VwGH 22. 11. 2004; 2001/10/0035; 21. 6. 2007, 2006/10/0093; see also Kolonovits/Muzak/Stöger para. 483) (Hengstschläger/Leeb, AVG § 68).3.2.3. For the applicability of Section 68 of the General Administrative Procedure Act (AVG), the "identity of the matter" is one of the prerequisites. According to the established case law of the Austrian Administrative Court (VwGH), this is the case if the facts relevant to the decision, which formed the basis of the preliminary ruling, have not changed. When assessing the identity of the matter, it must be determined from a primarily legal perspective (and not from a purely technical or mathematical one [Austrian Administrative Court [VwGH] 26 February 1974, 500/72; 9 July 1992, 92/06/0062; 27 June 2006, 2005/06/0358]) whether a material change has occurred in the facts relevant to the decision (Austrian Administrative Court [VwGH] 22 November 2004; 2001/10/0035; 21 June 2007, 2006/10/0093; see also Kolonovits/Muzak/Stöger, para. 483) (Hengstschläger/Leeb, AVG, Section 68). 3.2.4. Although the Administrative Court has repeatedly ruled that identity of the case exists even if the authority, in proceedings that have already been concluded with final legal effect, decided the legal question based on a flawed investigation or an incomplete or incorrect legal assessment (see the decisions of the Administrative Court of 18 December 1973, file no. 35/73, of 25 October 2000, file no. 99/06/0169, and of 22 May 2001, file no. 2001/05/0075), it cannot be inferred from this that an authority is prevented from assessing similar criminal conduct differently at different times. Rather, this case law indicates that neither flawed investigations nor an incorrect solution to a legal question in proceedings that have already been concluded with final legal effect can alter the case as decided, so that reopening these circumstances is precluded when identity of the case exists. As already explained, if the offenses occurred at different times, the matter is not identical (Austrian Administrative Court [VwGH] of July 31, 2006, 2006/05/0158). 3.2.4. While the Administrative Court has repeatedly held that the matter is identical even if the authority, in proceedings that have already been concluded with final legal effect, decided the legal question based on a deficient investigation or an incomplete or incorrect legal assessment (see the decisions of the Administrative Court of December 18, 1973, file no. 35/73, of October 25, 2000, file no. 99/06/0169, and of May 22, 2001, file no. 2001/05/0075), this does not preclude an authority from assessing similar criminal conduct differently at different times. Rather, this case law establishes that neither inadequate investigations nor an incorrect resolution of a legal question in proceedings that have already been concluded with final legal effect can alter the case at hand, so that reopening these circumstances is precluded if the case is identical. As already explained, however, if the time periods of the offense differ, the case is not identical (Austrian Administrative Court [VwGH] of July 31, 2006, 2006/05/0158). 3.2.5. In this specific case, it follows that although both data protection complaint proceedings involved an agreement on the transmission of the same PDF file to the same recipient, the transmission in the first case occurred on October 4, 2020, via the messaging service WhatsApp, while in the second case, almost a year later on July 28, 2021, it occurred via email. 3.2.6. In the decision concluding the initial proceedings under file number D124.5125, the respondent authority, although the transmission by email had already been addressed at that time and in those proceedings, dealt exclusively with the transmission of the PDF file via WhatsApp on October 4, 2020. The relevant factual findings of the decision issued in the initial proceedings also relate exclusively to the transmission via WhatsApp on October 4, 2020, and the respondent authority clearly emphasizes this fact in its reasoning, stating that "the transmission of the judgment by email on July 28, 2021, was not the subject of this appeal." 3.2.7. Assuming that the data protection assessment concerned the transmission of the PDF file by email on July 28, 2021, not only the temporal but also the legal identity of the matter must be denied, since the temporal difference alone could lead to a different legal assessment in the proceedings under file number D124.0310/22 compared to the initial proceedings under file number D124.5125, for example, because the latter transmission was temporally connected to the assertion or defense of legal claims. 3.2.8. The appellant's legal position, namely that the transmission of the PDF file via WhatsApp on October 4, 2020, and via email on July 28, 2021, constitute two distinct data processing operations, each of which, considered separately, could infringe the right to confidentiality guaranteed by Section 1 of the Data Protection Act (DSG), was therefore to be upheld. Due to the lack of identity of the matter, the decision of the respondent authority was thus to be set aside without substitution. Regarding the legal consequences, the respondent authority is referred to the provisions of Section 28 Paragraph 5 of the Administrative Court Procedure Act (VwGVG) (see Austrian Administrative Court [VwGH], March 29, 2023, Ra 2022/01/0297 with further references). 3.2.8. The appellant's legal position, namely that the transmission of the PDF file via WhatsApp on October 4, 2020, and via email on July 28, 2021, constitute two distinct data processing operations, each of which, considered separately, could infringe the right to confidentiality guaranteed by Section 1 of the Data Protection Act (DSG), was therefore to be upheld. Due to the lack of identity of the matter, the decision of the respondent authority was thus to be set aside without substitution. Regarding the legal consequences, the respondent authority is referred to the provision of Section 28, Paragraph 5 of the Administrative Court Procedure Act (VwGVG) (see Austrian Administrative Court [VwGH], March 29, 2023, Ra 2022/01/0297 with further references). 3.2.9. Regarding the omission of an oral hearing: An oral hearing was not required due to the fulfillment of the requirements of Section 24 Paragraph 2 Item 1 of the Administrative Court Procedure Act (VwGVG), as it was already established from the case file that the decision under appeal was to be overturned. 3.3. Regarding A2) The Administrative Court has repeatedly ruled that if the respondent authority has rejected an application, the only issue in the appeal proceedings is the question of the legality of the rejection (see Administrative Court decisions of December 18, 2014, Ra 2014/07/0002, 0003; June 23, 2015, Ra 2015/22/0040; and September 16, 2015, Ra 2015/22/0082 to 0084, all with further references). The Federal Administrative Court is therefore precluded from making a substantive decision on the application at issue. A referral back to the lower court pursuant to Section 28 Paragraph 3 of the Administrative Court Procedure Act (VwGVG) is also not possible (see Administrative Court decision of December 16, 2009, 2008/12/0219). The appellant's request that the Federal Administrative Court decide the matter itself and find a violation of the appellant's right to confidentiality under Section 1 of the Data Protection Act (DSG) was therefore to be dismissed. The Administrative Court has repeatedly held that, if the respondent authority has rejected an application, the only issue in the appeal proceedings is the question of the legality of the rejection (see VwGH 18.12.2014, Ra 2014/07/0002, 0003; 23.06.2015, Ra 2015/22/0040; and 16.09.2015, Ra 2015/22/0082 to 0084, all with further references). A substantive decision on the application at issue is therefore precluded for the Federal Administrative Court. A referral back to the lower court pursuant to Section 28, Paragraph 3, of the Administrative Court Procedure Act (VwGVG) is also not possible (see VwGH 16.12.2009, 2008/12/0219). The appellant's request that the Federal Administrative Court decide the matter itself and find a violation of the appellant's right to confidentiality under Section 1, Data Protection Act (DSG), was therefore to be dismissed. 3.4. Regarding B) Inadmissibility of the appeal: Pursuant to Section 25a, Paragraph 1, of the Administrative Court Act (VwGG), the Administrative Court must state in the operative part of its judgment or decision whether the appeal is admissible pursuant to Article 133, Paragraph 4, of the Federal Constitutional Law (B-VG). The statement must be briefly reasoned. Pursuant to Section 25a, Paragraph 1, of the Administrative Court Act (VwGG), the Administrative Court must state in the operative part of its judgment or decision whether the appeal is admissible pursuant to Article 133, Paragraph 4, of the Federal Constitutional Law (B-VG). The statement must be briefly reasoned. The appeal is inadmissible pursuant to Article 133, paragraph 4 of the Austrian Federal Constitutional Law (B-VG) because the decision does not depend on the resolution of a legal question of fundamental importance extending beyond the specific case at hand. The present decision neither deviates from the established case law of the Administrative Court (see the case law of the Administrative Court cited above in the context of the legal assessment of points A1) and A2) nor is there a lack of relevant case law; furthermore, the existing case law of the Administrative Court cannot be considered inconsistent. The appeal is inadmissible pursuant to Article 133, paragraph 4 of the Austrian Federal Constitutional Law (B-VG) because the decision does not depend on the resolution of a legal question of fundamental importance extending beyond the specific case at hand. The present decision neither deviates from the established case law of the Administrative Court (see the case law of the Administrative Court cited above in the context of the legal assessment of points A1) and A2) nor is there a lack of relevant case law; furthermore, the existing case law of the Administrative Court cannot be considered inconsistent. Therefore, the decision was rendered accordingly.

---
Generated by overview.legal · https://overview.legal/posts/109002 · 2026-07-16
