DSB (Austria) - DSB-D124.4462
Facts — On 03 May 2021, the data subject sent a request to the controller for the erasure of their financial asset information. The controller did not respond to their erasure request. On 17 July 2021, the data subject filed a complaint with the Austrian DPA (DSB) regarding the violation of their right to erasure under Article 17 GDPR. Over the course of the complaint proceedings, the controller refused the requested deletion. Holding — The DPA held that the European Union interprets the concept of data 'processing operations of courts acting in their judicial capacity', as defined in Article 55(3) GDPR, more broadly than under Austrian law. Referring to the decision of the CJEU in 'Autoriteit Persoonsgegevens' (C-245/20) EU:C:2022:216, the supervision of processing operations carried out by courts 'acting in their judicial capacity' could directly or indirectly affect judicial independence or influence their decisions. As judicial activities must be exercised autonomously and free from any external influence, they are therefore excluded from that authority's competence. Individuals must have no reasonable doubt about the independence and impartiality of the justice system. As judges may have access to the information provided by the Austrian Justice System, processing that data may influence their performance of judicial tasks and the decision-making process. Therefore, the DPA dismissed the complaint, as it has no supervisory competence over the data processing operations of courts 'acting in their judicial capacity' pursuant to Article 55(3) GDPR.
How it connects
Related across sources
Full text
Text File No.: 2021-0.909.100 dated June 12, 2023 (Case No.: DSB-D124.4462) [Note from Editor: Names and companies, legal forms and product names, addresses (including URLs, IP and email addresses), file numbers (and the like), etc., as well as their initials and abbreviations may have been abbreviated and/or altered for pseudonymization purposes. Obvious spelling, grammar, and punctuation errors have been corrected.] DECISION RULING The Data Protection Authority decides on the data protection complaint filed by Mag. Alfons A*** (complainant) on July 17, 2021, against the Regional Court of Wiener Neustadt (respondent) regarding a violation of the right to erasure as follows: - The complaint is dismissed. Legal basis: Article 51(1), Article 55(3), Article 57(1)(f) and Article 77(1) of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter: GDPR), OJ No. L 119 of 4.5.2016, p. 1; Sections 1, 18(1) and 24(1) and (5) of the Data Protection Act (DSG), Federal Law Gazette I No. 165/1999 as amended; Section 80 of the Court Organization Act (GOG), Imperial Law Gazette. No. 217/1896 as amended. Legal basis: Article 51, paragraph 1, Article 55, paragraph 3, Article 57, paragraph 1, letter f, and Article 77, paragraph 1, of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter: GDPR), Official Journal No. L 119 of 4 May 2016, page 1; Sections 1, 18, paragraph 1, and 24, paragraph 1 and paragraph 5, of the Data Protection Act (DSG), Federal Law Gazette Part One, No. 165 of 1999, as amended; Section 80, of the Court Organization Act (GOG), Imperial Law Gazette No. 217 of 1896, as amended. REASONING A. Submissions of the Parties and Procedural History A.1. In his initial letter of July 17, 2021, the complainant argued that the respondent had stored data and information concerning his highly personal assets (cash, gold, silver coins, coin collection, and similar items). He had submitted a request for their deletion from the automated judicial system (VJ). The Data Protection Authority had already confirmed its jurisdiction over the register in its decision of July 7, 2020, under file number D124.1796; 2020-0.205.284. The complainant initially submitted his request to the Federal Ministry of Justice and received a response stating that the public prosecutor's offices and courts were responsible. He subsequently submitted deletion requests to the Regional Court of Wiener Neustadt (the respondent in the present proceedings), the Regional Court of St. Pölten, and the Public Prosecutor's Office of St. Pölten. The respondent did not respond to the deletion request. According to Section 75 Paragraph 1 of the German Code of Criminal Procedure (StPO), “incorrect data or data obtained contrary to the provisions of this Act [...] must be corrected or deleted immediately.” The asset data was already incorrect at the time it was created, and furthermore, the data was collected illegally. According to Section 75, Paragraph 1, of the StPO, “incorrect data or data obtained contrary to the provisions of this Act [...] must be corrected or deleted immediately.” The asset data was already incorrect at the time it was created, and furthermore, the data was collected illegally. A.2. In a letter dated November 25, 2021, the respondent argued, in summary, that the processing of personal data in question was exempt from supervision by the data protection authority pursuant to Article 55 Paragraph 3 of the GDPR and Section 31 Paragraph 1 of the German Data Protection Act (DSG). Furthermore, the requirements of Section 75 of the StPO were not met, and the inaccuracy was merely alleged by the appellant. A.2. In a letter dated November 25, 2021, the respondent argued, in summary, that the processing of personal data in question was exempt from supervision by the data protection authority pursuant to Article 55(3) GDPR and Section 31(1) of the Austrian Data Protection Act (DSG). Furthermore, the respondent argued that the requirements of Section 75 of the Austrian Code of Criminal Procedure (StPO) were not met and that the appellant was merely alleging the inaccuracy of the data. A.3. In a letter dated December 26, 2021, the appellant, in the context of the granted right to be heard, argued, in summary, that all proceedings had been based solely on false accusations and that the data should be deleted pursuant to Section 75(1) of the Austrian Code of Criminal Procedure (StPO). The respondent further argued that the data protection authority was competent to handle the matter. B. Subject of the Complaint Based on the complainant's submissions, the subject of the complaint is whether the respondent violated the complainant's right to erasure by not complying with the request. First, it must be determined whether the data protection authority has jurisdiction to make a substantive assessment. C. Findings of the Facts C.1. By letter dated May 3, 2021, the complainant submitted a request for the erasure of his asset data, specifically "asset data concerning cash, gold, silver coins, silver bars, coin collections, and similar items" (formatting not reproduced verbatim): [Editor's note: The letter reproduced here as a facsimile (graphic file) cannot be pseudonymized with reasonable effort and has therefore been removed.] C.2. The respondent did not respond to this request before the complaint was filed. During the proceedings before the data protection authority, the respondent refused the erasure. Evaluation of evidence: These findings are based on the complaint of July 17, 2021, and the accompanying letter of May 3, 2021, as well as – particularly with regard to the refused deletion – on the respondent's statement of November 25, 2021. D. In legal terms, this means: D.1. On the jurisdiction of the data protection authority: Pursuant to Article 55(3) GDPR, supervisory authorities are not competent to supervise processing carried out by courts in the exercise of their judicial functions, with Recital 20 of the GDPR stating that this is intended to serve the independence of the judiciary in the exercise of its judicial functions, including decision-making. Article 20 of the GDPR states that this is intended to serve the independence of the judiciary in the performance of its judicial functions, including decision-making. Article 20 of the GDPR states that this is intended to serve the independence of the judiciary in the exercise of its judicial functions, including decision-making. While the GDPR does not contain any further details on the concept of judicial activity, according to established legal opinion, matters to be handled within the framework of the judicial administration bound by instructions do not fall under the concept of "judicial activity" (see in more detail Schmidl in Gantschacher/Jelinek/Schmidl/Spanberger, Commentary on the General Data Protection Regulation [2017] Art. 55 Note 3; Nguyen in Gola, General Data Protection Regulation [2017] Art. 55 para. 13; Selmayr in Ehmann/Selmayr, GDPR [2017] Art. 55 para. 12 et seq.). While the GDPR does not contain any further details on the concept of judicial activity, according to established legal opinion, matters to be handled within the framework of the judicial administration bound by instructions do not fall under the concept of "judicial activity" (see in more detail Schmidl in Gantschacher/Jelinek/Schmidl/Spanberger, Commentary on the General Data Protection Regulation [2017] Article 55, Note 3; Nguyen in Gola, General Data Protection Regulation [2017] Article 55, para. 13; Selmayr in Ehmann/Selmayr, GDPR [2017] Article 55, paras. 12 ff.). ``` According to the established case law of the Data Protection Authority, a court is considered to be acting within the scope of its judicial activities when a judge is exercising their judicial office or when a judge or public prosecutor is otherwise free from instructions while carrying out their assigned official duties (see the decisions of October 16, 2018, file number: DSB-D123.461/0004-DSB/2018, and of January 22, 2019, file number: DSB-D123.848/0001-DSB/2019). Ref. No. DSB-D123.461/0004-DSB/2018, and of January 22, 2019, Ref. No. DSB-D123.848/0001-DSB/2019). Ref. No. DSB-D123.848/0001-DSB/2019 In its judgment of 24 March 2022 in Case C-245/20, the CJEU held the following regarding the interpretation of Article 55(3) GDPR (emphasis added by the Data Protection Authority): “28. In order to determine the scope of the concept of processing carried out by courts in the course of their judicial activities within the meaning of Article 55(3) of Regulation 2016/679, it should be noted that when interpreting a provision of EU law, it is necessary to take into account not only its wording but also its context and the objectives pursued by the legislation of which it forms part (see, to that effect, inter alia, judgment of 6 October 2020, Jobcenter Krefeld, 2016/679). C-181/19, EU:C:2020:794, paragraph 61 and the case-law cited therein). “28 In determining the scope of the concept of processing carried out by courts in the course of their judicial activities within the meaning of Article 55(3) of Regulation 2016/679, it should be noted that when interpreting a provision of EU law, it is necessary to take into account not only its wording but also its context and the objectives pursued by the rules of which it forms part (see, to that effect, inter alia, judgment of 6 October 2020, Jobcenter Krefeld, C-181/19, EU:C:2020:794, paragraph 61 and the case-law cited therein). 29. It is clear from Article 55 of Regulation 2016/679 that this article establishes the competence for the supervision of the processing of personal data and, in particular, limits the competence conferred on the national supervisory authority. 30. Article 55(3) of Regulation 2016/679 therefore provides that national supervisory authorities are not competent for processing carried out by courts “in the course of their judicial activities”. 30. Article 55(3) of Regulation 2016/679 therefore provides that national supervisory authorities are not competent for processing carried out by courts “in the course of their judicial activities”. 31 According to recital 20 of Regulation 2016/679, in the light of which Article 55(3) of the Regulation must be interpreted, the supervision of processing operations carried out by courts “in the course of their judicial activities” should be entrusted to specific bodies within the judicial system of the Member State concerned, and not to its supervisory authority, so that “the independence of the judiciary in the exercise of its judicial functions, including its decision-making, remains unaffected.” Recital 20 of Regulation 2016/679, in the light of which Article 55(3) of the Regulation must be interpreted, states that the supervision of processing operations carried out by courts “in the course of their judicial activities” should be entrusted to specific bodies within the judicial system of the Member State concerned, and not to its supervisory authority, so that “the independence of the judiciary in the exercise of its judicial functions, including its decision-making, remains unaffected. 32. As the Advocate General stated in points 80 and 81 of his Opinion, it is clear from the wording of recital 20 of Regulation 2016/679, and in particular from the use of the word ‘including’, that the scope of the objective pursued by Article 55(3) of the Regulation, namely to safeguard the independence of the judiciary in the exercise of its judicial functions, cannot be limited solely to guaranteeing judicial independence in the context of the adoption of a specific judicial decision. 32 As the Advocate General stated in paragraphs 80 and 81 of his Opinion, it is clear from the wording of recital 20 of Regulation 2016/679, and in particular from the use of the word “including”, that the scope of the objective pursued by Article 55(3) of the Regulation, namely to safeguard the independence of the judiciary in the exercise of its judicial functions, cannot be limited solely to guaranteeing judicial independence in the context of the delivery of a specific judicial decision. 33 Safeguarding the independence of the judiciary generally requires that judicial functions be exercised with complete autonomy, without the courts being hierarchically linked to or subordinate to any body and without receiving orders or instructions from any body, thus protecting them from external interference or pressure that could jeopardize the independence of their members’ judgment and influence their decisions. The safeguarding of the guarantees of independence and impartiality required under Union law presupposes the existence of rules that make it possible to dispel any legitimate doubts among those subject to the law as to the imperviousness of the institution in question to external factors and its neutrality with regard to the interests concerned (see, to that effect, inter alia, judgments of 27 February 2018, Associação Sindical dos Juízes Portugueses, C-64/16, EU:C:2018:117, paragraph 44; of 25 July 2018, Minister for Justice and Equality [Deficiencies of the judicial system], C-216/18 PPU, EU:C:2018:586, paragraph 63; and of 24 June 2019, Commission v Poland [Independence of the Supreme Court], C-619/18, EU:C:2019:531, paragraph 63). 72, and of 21 December 2021, Euro Box Promotion and Others, C-357/19, C-379/19, C-547/19, C-811/19, C-840/19, EU:C:2021:1034, paragraph 225). 33 The safeguarding of the independence of the judiciary generally requires that judicial functions be exercised in complete autonomy, without the courts being hierarchically linked to or subordinate to any body and without receiving orders or instructions from any body, so that they are protected in this way from interference or external pressure which could jeopardize the independence of the judgment of its members and influence their decisions. The safeguarding of the guarantees of independence and impartiality required under Union law presupposes the existence of rules that make it possible to dispel any legitimate doubt among those subject to the law as to the imperviousness of the institution in question to external factors and to its neutrality with regard to the interests concerned; see, in this sense, inter alia, Judgments of 27 February 2018, Associação Sindical dos Juízes Portugueses, C-64/16, EU:C:2018:117, paragraph 44; of 25 July 2018, Minister for Justice and Equality [Deficiencies of the Justice System], C-216/18 PPU, EU:C:2018:586, paragraph 63; of 24 June 2019, Commission v Poland [Independence of the Supreme Court], C-619/18, EU:C:2019:531, paragraph 72; and of 21 December 2021, Euro Box Promotion and Others, C-357/19, C-379/19, C-547/19, C-811/19, C-840/19, EU:C:2021:1034, paragraph 225). 34. Consequently, the reference in Article 55(3) of Regulation 2016/679 to processing carried out by courts “in the course of their judicial activities” must be understood in the context of the Regulation as not being limited to the processing of personal data carried out by the courts in the context of specific legal cases, but rather encompassing, in a broader sense, all processing operations carried out by the courts in the course of their judicial activities, so that processing operations are excluded from the supervisory authority’s jurisdiction if its control could directly or indirectly affect the independence of the members or decisions of the courts. 34 Consequently, the reference in Article 55(3) of Regulation 2016/679 to processing carried out by courts “in the course of their judicial activities” must be understood in the context of the Regulation as not being limited to the processing of personal data carried out by courts in specific cases, but rather encompassing, more broadly, all processing operations carried out by courts in the course of their judicial activities. This means that processing operations are excluded from the supervisory authority’s jurisdiction if its oversight could directly or indirectly affect the independence of the members or decisions of the courts. 35 While the nature and purpose of the processing carried out by a court are primarily related to the review of the lawfulness of that processing, they may nevertheless indicate that the processing by that court falls within its “judicial activities.” 35 It must be noted that the term "judicial activity" is an autonomous concept under EU law, which cannot be interpreted based on the national understanding of the term in the context of monocratic or collegial judicial administration. As the cited judgment makes clear, the concept of judicial activity extends beyond the national understanding of judicial administration. The processing in question here relates to the maintenance of judicial files, which is also part of fulfilling the tasks of the ordinary courts. Based on the CJEU's broad understanding of the term "judicial activity," it must be assumed that the processing of personal data relating to the content of judicial files in the eJustice system pursuant to Section 80(2) of the Courts Act (GOG) must also fall under this definition. In particular, it must be assumed that a review and – as requested by the complainant – deletion of his personal data from the automated judicial system (which could also entail deletion from the paper file) requires the action of a judge in the exercise of his judicial office. Based on the broad understanding of the term "judicial activity" adopted by the CJEU, it must be assumed that the processing of personal data in connection with the content of court files in the eJustice system pursuant to Section 80, Paragraph 2, of the Courts Act (GOG) must also be subsumed under this term. In particular, it must be assumed that a review and – as requested by the complainant – deletion of his personal data from the automated judicial system (which could also entail deletion from the paper file) requires the action of a judge in the exercise of his judicial office. ] ... Insofar as the appellant argues that the Data Protection Authority already confirmed its jurisdiction regarding the procedural automation of the judiciary in its decision of July 7, 2020, file number D124.1796, 2020-0.205.284, it must be pointed out that the Federal Administrative Court, in its decision of March 31, 2023, file number W258 2234709-1/11E, ruled on the contested decision D124.1796, 2020-0.205.284 that the Data Protection Authority lacks jurisdiction to handle the matter.The Federal Administrative Court (BVwG) correctly states – with regard to the judgment of the European Court of Justice (ECJ) of 24 March 2022 – that even an indirect influence on the independence of a court's decisions is sufficient to preclude the supervisory authority of the national supervisory authority pursuant to Article 55(3) GDPR. Since judges can access information in the case file – such as evidence, decisions and their reasoning, which have been used in other – similar – proceedings – data processing in the case file may influence the formation of opinions and thus the decisions of courts. Control of data processing in the VJ by the data protection authority is therefore precluded in accordance with the cited case law of the CJEU in C-245/20. Insofar as the appellant argues that the data protection authority already confirmed its jurisdiction regarding the automation of judicial procedures in its decision of July 7, 2020, file number D124.1796, 2020-0.205.284, it must be pointed out that the Federal Administrative Court, in its decision of March 31, 2023, file number W258 2234709-1/11E, ruled on the contested decision D124.1796, 2020-0.205.284 that the data protection authority lacks jurisdiction to address the matter. The Federal Administrative Court (BVwG) correctly states – with regard to the judgment of the European Court of Justice (ECJ) of 24 March 2022 – that even an indirect influence on the independence of a court's decisions is sufficient to preclude the supervisory authority of the national supervisory authority pursuant to Article 55(3) GDPR. Since judges can access information in the case file – such as evidence, decisions, and their reasoning, which have been used in other – similar – proceedings – data processing in the case file may influence the formation of opinions and thus the decisions of courts. Therefore, in accordance with the cited ECJ case law in C-245/20, the data protection authority is not permitted to monitor data processing in the case file. D.2. Result Based on the reasoning presented by the Federal Administrative Court (BVwG) and the cited judgment of the European Court of Justice (ECJ), which interprets the term "judicial activity" broadly, the requirements of Article 55(3) GDPR are met in this case. Therefore, the decision was rendered accordingly.