DSB – Court Ruling (Austria, 2022)

The controller is an employer who allegedly surveilled its employees work phones and work email accounts from January until March 2021. The DSB (Austrian Data Protection Authority) heard of this conduct in media reports and initiated an ex officio investigation into the matter on 31 March 2021. On 29 July 2021 the DSB adopted an administrative act in which it declared the processing of the controller unlawful. The controller initiated court proceedings against the act claiming that its conduct was lawful and that the DSB - neither under national law nor under the GDPR - had the power to declare the processing unlawful. It argued that Article 58(2) GDPR does not provide a DPA with such a power, because "declaring the unlawfulness" is not listed there. Moreover, § 24 DSG (Austrian Data Protection Act) which provides the DPA with the power to make such a declaration only applies to proceedings which were initiated by a complaint and not by the DSB itself. The Federal Administrative Court (Bundesverwaltungsgericht – BVwG) decided in favour of the controller and set the administrative act aside. It found that there is no provision in national law or the GDPR that gave the DSB the power to declare the processing unlawful. The court first established that § 24 DSG, which provides the DSB with such a power, only applies to complaint proceedings and not ex officio proceedings. The court also rejected an analogous application of § 24 DSG, because it found that the legislator purposefully regulated complaint and ex officio proceedings differently so that there is no room for an analogous application. Moreover, it reasoned that in a complaint proceeding there is a data subject who may have a legal interest in the declaration in order to pursue further individual claims against the controller like a claim for damages; in ex officio proceedings no such interest exists. The court further found that there is no legal basis in the GDPR either, since Article 58(2) GDPR does n