The Austrian Federal Administrative Court (BVwG) has ruled in the Judgment W214 2254151 – 1 of August 21, 2024 in connection with a dispute between two condominium owners and the administrator:
- The owners’ consumption data is indisputably personal data within the meaning of the GDPR.
- Who the responsible party is depends on who de facto decides on the processing:
The alignment of the definition as the person responsible […] is generally a functionalist viewaccording to which responsibility is determined on the basis of the actual influence is assigned to the decision. The means refers not only to the technical and organizational methods, but also to the “how” of processing. This refers to decisions, how which data is processed, to whom it is transmitted or when it is deleted. Responsibility can also arise from the de facto anticipation of a decision. If an actor actually and de facto makes the decision to start processing data, this actor is to be regarded as the controller within the meaning of the GDPR. The decisive factor is who decides and not who decides lawfully.
- Therefore, the processor who presumes to make such a determination is not only a Processor in breach of contractbut also a responsible person (including the FDPIC i.S. Xplain):
For example, a processor can become a controller if it determines the purposes and means of processing itself without being legitimized to do so […].
- With regard to the distinction between the controller and the processor, the BVwG follows the corresponding Guidelines of the EDSA the “Center of gravity theory”, which the BayLDA in particular states in its FAQ (see here):
The role of a processor is not determined by the type of entity that processes data, but by its specific activities in a given context. […] In practice, the service provider may, in cases where the service provided not specifically for processing processing of personal data or in which such processing is intended to not a key element of the service be able to independently determine the purposes and means of this processing, which is necessary for the provision of the service. In this case, the service provider as separate responsible person and not as a processor. A case-by-case analysis is required […].
- The person responsible may also be neither access to the personal data has still controls these:
The ECJ also states in two recent decisions that the circumstances that the natural or legal person, public authority, agency or other body does not itself process personal data or does not itself have direct access to the personal data do not preclude it from being classified as a controller within the meaning of Art. 4(7) GDPR (ECJ 05.12.2023, C‑683/21, para. 35, and ECJ 07.03.2024, C‑604/22, para. 69). The fact that a controller does not control the personal data it receives and disseminates it unchanged cannot have any influence on the question of whether it can be considered a controller (ECJ 11.01.2024, C‑231/22, para. 37 and 38, Moniteur Belge).
- In the present case, the Property manager a responsible personbecause they :
In the present case, the co-participating party [sc. the administrator] – as established – commissioned i‑GmbH with the annual meter reading […] under a service agreement. The concluded service contract includes, among other things, the scope of services […], the data required for the preparation of the invoice and the services of i‑GmbH […]. The co-participating party has therefore […] influence the decision on the purposes and means of processing in its own interest taken. […] especially since the co-participating party has made the final decision to actively approve the manner of processing […].
The co-participating party has also entered into an agreement with i‑GmbH. Agreement concluded on order processing in accordance with Art. 28 GDPRfrom which it follows that i‑GmbH […] is bound by the instructions [of the co-participating party].
Contrary to the statements of the authority concerned, […] the fact that the co-participating party does not draw up the heating cost statements itself and cannot amend or correct the individual invoices either, because it does not itself carry out any processing operations relating to personal data in connection with the statement […]. […].
The question as to whether property owners and property management companies should jointly responsible are. This is undoubtedly a case-by-case decision. In practice (at least in Switzerland), however, real estate management companies or institutional owners often require the conclusion of an agreement on joint responsibility, which describes, among other things, the specific data flows (e.g. notification of the tenant report, reservation of consent to certain rentals, procedure in the event of debt collection cases, etc.), but also the rights of the data subjects (e.g. information of the tenants by the manager also with regard to the processing of the ownership).