Complainant: Iris A*** – Dismissed (Austria, 2020)

The Respondent (Defence Department as part of the Austrian Federal Ministry of Defence) obtained data (including residential address) of the sister of a member of the Austrian Armed Forces as part of a so called "extended reliability check" which is foreseen in the Austrian Military Powers Act (Militärbefugnisgesetz - MBG) before a member is granted access to certain military assets. The data was provided by the member himself and with his consent in a "declaration of reliability". The sister (Complainant) had not been informed of this data collection by the Respondent but only learned about it from her brother. The Complainant argued, that her fundamental right to secrecy under § 1 DSG 2000 (Austrian Data Protection Act 2000, prior to the introduction of the GDPR) has been violated. Furthermore, she claimed that the Respondent has violated § 43 DSG (current Austrian Data Protection Act), as it did not inform her about the data collection. After hearing the Respondent and conducting an audit at its premises, the DSB held, that § 1 DSG 2000 had not been violated: The Respondent qualifies as a state authority within the meaning of § 1(2) DSG 2000. §§ 23 and 24 MBG constitute a qualified appropriate legal basis under § 1(2) DSG 2000 that allows for the Respondent's intervention to the Complainant's right to secrecy. With regard to the alleged violation of the information duties under § 43 DSG, the DSB held, that the complainant's data were not processed in a file system because the data only appear in the "supplement 2 to the extended declaration of reliability" and this supplement has to be specially selected from the total volume of data. Therefore §§ 36 et seqq. DSG, and thus also the obligation to inform the data subject under §43 DSG, did not apply.