unknown data subject – Court Ruling (Austria, 2020)

On 19.02.2019, the data subject sent an access request under Article 15 GDPR to a controller (an Austrian municipality). The request was signed using an electronic signature. The controller did not consider the electronic signature a sufficient form of identification and required the data subject to produce an ID card under Article 12(6) GDPR. As the data subject did not do so, the controller refused to handle the access request under Article 11(2) GDPR. The data subject filed a complaint with the DSB, which shared the data subject's view and held that the electronic signature was a sufficient form of identification for an access request. The controller filed an complaint with the BVwG against the decision of the DSB. Is an electronic signature under § 4(1) SVG and Article 3(10) eIDAS Regulation sufficient to identify a data subject regarding an access request? The BVwG upheld the decision of the DSB. It ruled that the controller had never stated the reasons for its doubts concerning the identity of the data subject. The full name, address and e-mail address of the data subject were known to the controller and also used in the correspondence with the data subject. In addition, the data subject had put a qualified electronic signature on its access request. Hence, it was unclear, why the controller should have any doubts on the data subjects identity. Moreover, the BVwG shared the view of the data subject and the DSB that an electronic signature under § 4(1) SVG and Article 3(10) eIDAS Regulation a sufficient form of identification. The provision of an ID card is not the only mean of verifying a data subject's identity. Lastly, the BVWG held that § 24 Abs. 5 DSG which would bar the DSB (and BVwG/VwGH) from ordering a public entity to comply with the data subject's requests does not apply due to the primacy of application of Article 58(2)(c) GDPR. Consequently, the BVwG ordered the controller to comply with the data subject's request under Article 15 GDPR.