DSB (Austria) – Court Ruling (Austria, 2021)
A court ruled that Österreichische Post AG could share a user's phone number with a market research firm, despite the user not wanting their information shared. The court found that the data sharing was allowed under GDPR rules. This case is important for understanding how data sharing agreements work.
What happened
A user's complaint about their phone number being shared with a third party was dismissed by the court.
Who was affected
A user who provided their phone number to Österreichische Post AG and did not consent to sharing it.
What the authority found
The court upheld that the data sharing was justified under GDPR, as the processor acted as an extension of the controller.
Why this matters
This ruling clarifies the relationship between companies and their service providers regarding data sharing, which is crucial for businesses that rely on third-party services.
GDPR Articles Cited
Original data from scraper before AI verification against source document.
National Law Articles
The data subject called the helpline of the Österreichische Post AG (Austrian Postal PLC). He gave his phone number to the employee with the request for a callback, stating that he did not want the phone number to be given to a third party. Afterwards the data subject was called twice by a market research institute – the processor. The controller and the processor had concluded a processing contract under Article 28 GDPR.
The data subject filed a complaint with the DSB (Austria), arguing that the transmission of his data (name and phone number) to the processor was illegitimate since he had already denied consent to any form of data sharing with a third party. During these proceedings the data subject amended his submission by also tackling the use of cookies by the controller. The DSB dismissed the complaint. The Federal Administrative Court (Bundesverwaltungsgericht – BVwG) upheld the decision of the DSB.
The court determined that the processor is to be seen as a dependent extension of the controller (“verlängerter Arm”) (cf. Article 29 GDPR). If the processing of data is in accordance with Article 6 GDPR, the controller is free to deploy a processor. As a result, the transmission of data from the controller to the processor itself does not need to be justified under Article 6 GDPR. In the case at hand, the court came to the conclusion that the processing of data by the controller - and therefore also the transmission to the processor - is justified under Article 6(1)(c) GDPR. The controller in this case - the Österreichische Post AG - is obliged under national law (§§ 6(8), 32(3) PMG) to provide a complaint management system to improve its services. According to § 6(8) PMG a postal service must further develop its service in accordance with the needs of users and contribute to securing the provision of postal services and to their further development by means of appropriate measures and proposals. Pursuant to § 32(3) PMG postal servic
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Violations (1)
Third-party tracking cookies or scripts are loaded without obtaining prior user consent.
Art. 13, 14 GDPR
About this data
Cite as: Cookie Fines. DSB (Austria) - Austria (2021). Retrieved from cookiefines.eu