BVwG AT: Assessment of a privacy statement (indication of purpose and recipients)

In a judgment of December 10, 2018 (Case No. W211 2188383 – 1), the Austrian Federal Administrative Court (BVwG) ruled on the provision of information by a bank under data protection law.

Indication of the purposes of processing

First, the BVwG held that the specification of the processing purposes in a privacy statement must be quite specific:

Purpose statements such as “user experience improvement”, “marketing purposes”, “IT security purposes”, “future research” are too general and do not meet the criterion of sufficient definiteness. As a rule of thumb, it is advisable to state a purpose, generally, in more than three words without, however, falling into sprawling, confusing and complicated formulations. Practical examples of how to define the purposes of processing can be found in Annex 3 of the WP203 of the Article 29 Working Party.

This shows that not only is the subsumption of what are, objectively, data uses for marketing and advertising purposes under “related services” not sufficiently concrete and transparent, but information referring only to “marketing and advertising purposes” will also not suffice. In light of the respondent’s privacy policy, at least the purpose of direct mail should have been disclosed.

In this respect, the responsible party – a bank – had violated the customer’s right to information.

Specification of recipients

In contrast, the information on the recipients of the data was not incomplete. It is true that internal departments are also to be regarded as “recipients” if the personal data are used for another task. Nevertheless, the marketing department did not have to be specified as a recipient here:

The issue at hand is whether the advertising and marketing department and the department “XXXX Customer Experience Management” must be regarded as “other fields of activity” of the respondent […]. This is denied by the recognizing senate: the […] is to be followed to the effect that these two fields of activity of the respondent are not to be perceived as sufficiently independent and “different” from the core business (banking), but rather as support services or “accessory” services.

Provision of copies

The BVwG then held that the bank was obliged under Article 15 of the GDPR to provide the customer with a copy of the data from account movements over the past seven years. The request for information was not excessive, in particular, because the customer had requested information for the first time. In addition, the customer had requested information on specific data, which is why the bank could not request a specification of the information within the meaning of Recital 63, which would have been possible in the case of a non-specific request for information.

Local implementation law, which could provide for restrictions on the basis of Art. 23 GDPR, was not an issue because, unlike in Germany for instance, the Austrian transposition law does not provide for any restriction of the right to information.
