In a judgment of December 10, 2018 (Case No. W211 2188383 – 1), the Austrian Federal Administrative Court (BVwG) ruled on the provision of information by a bank under data protection law.
Indication of the purposes of processing
First, the BVwG held that the specification of the processing purposes in a privacy statement must be quite specific:
“Purpose statements such as “user experience improvement”, “marketing purposes”, “IT security purposes”, “future research” are too general and do not meet the criterion of sufficient definiteness. As a rule of thumb, it is advisable to state a purpose, as a rule, in more than three words without, however, falling into sprawling, confusing and complicated formulations. Practical examples of how to define the purposes of processing can be found in Annex 3 of the WP203 of the Article 29 Working Party.
This shows that not only is the subsumption of what are – objectively – data uses for marketing and advertising purposes under “related services” not sufficiently concrete and transparent, but information concerning only “marketing and advertising purposes” will not suffice either. In light of the respondent’s privacy policy, at least the purpose of direct mail should have been disclosed.”
In this respect, the responsible party – a bank – had violated the customer’s right to information.
Specification of recipients
In contrast, the information on the recipients of the data was not incomplete. It is true that internal departments are also to be regarded as “recipients” if the personal data are used for another task. Nevertheless, the marketing department did not have to be specified as a recipient here:
The issue at hand is whether the advertising and marketing department and the department “XXXX Customer Experience Management” must be regarded as “other fields of activity” of the respondent […]. This is denied by the recognizing senate: the […] is to be followed to the effect that these two fields of activity of the respondent are not to be perceived as sufficiently independent and “different” from the Group’s core business – banking – but rather as support services or “accessory” services.
Provision of copies
The BVwG then held that the bank was obliged under Article 15 of the GDPR to provide the customer with a copy of the data from account movements over the past seven years. The request for information was not excessive, in particular, because the customer had requested information for the first time. In addition, the customer had requested information on specific data, which is why the bank could not request a specification of the information within the meaning of Recital 63, which would have been possible in the case of a non-specific request for information.
Local implementation law, which could provide for restrictions on the basis of Art. 23 GDPR, was not an issue, because, unlike in Germany, for instance, the Austrian transposition law does not provide for any restriction of the right to information.