LG Feldkirch - 8 Cg 120/21f
From GDPRhub
| LG Feldkirch - 8 Cg 120/21f | |
|---|---|
 | |
| Court: | LG Feldkirch (Austria) |
| Jurisdiction: | Austria |
| Relevant Law: | Article 15 GDPR Article 15(1) GDPR Article 15(2) GDPR |
| Decided: | 08.04.2025 |
| Published: | 22.04.2025 |
| Parties: | Apple Distribution International Ltd. |
| National Case Number/Name: | 8 Cg 120/21f |
| European Case Law Identifier: | |
| Appeal from: | |
| Appeal to: | Unknown |
| Original Language(s): | German |
| Original Source: | GDPRhub (in German) |
| Initial Contributor: | cwa |
A court found that Apple failed to comply with a data subject’s access request and ordered them to provide the requested information in a comprehensible form.
English Summary
Facts
On December 7 2021, the data subject initiated court proceedings against Apple Distribution International Ltd. (controller) on the grounds that they failed to comply with their access request. The data subject requested, in particular, access to the specific recipients of their data, the contents of any disclosures or transmissions of their data, the storage period for their or criteria for determining it, and specific information under Article 15(2) GDPR.
In response to the access request, the controller included some files which were incomplete and incomprehensible to the data subject. Furthermore, information about advertising placements were not provided and the data subject was not informed about which of the data subject’s data was fed into the advertising algorithm. Finally, the data subject was given complex data structures and records containing links which could not be decrypted.
The controller denied the claim and argued that they had fully complied with the data subject’s access request. The controller argued that they do not keep detailed records documenting which specific personal data was disclosed to different recipients or processors and stated that their retention periods are determined with reference to the purposes for each processing activity. The controller also acknowledged that they make third country transfers via standard contractual clauses, despite the data subject not having been given any information on these in response to their access request.
An expert witness attested to the fact that some of the data provided was incomplete, that the controller had further data relating to the data subject, and noted that some of the structures of the data provided were so convoluted that he himself could not decipher them.
Holding
The Court accepted the evidence provided by the expert witness and ruled that the controller had violated the data subject’s right of access. The Court regarded the violation as “serious” in nature.
The court ordered the controller to provide the data subject with complete and comprehensible information about the person data they process about them within 14 days. The data provided should include the specific recipients of the data, the contents of such disclosures and the specific storage period of the data or criteria used to determine it.
The controller was also ordered to reimburse the data subject for their legal costs.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
Deposited on 08.04.2025 - 15:539188 Cg 120/21f
* / 0 . 1
* / . + " 2+ * +
* 2 . . "
* + 3
3
+ ) 2* $ # +
* 4 * + 5 *
, / 6 "
* + 7+
8 * 9 4 .
. + + * 2 *
. 2 + : * 2
2 * "+
/ 3 * * / * +
+ + " . $ .
* / +
/ * + *2 "
# * + 0 . 1 + 3 ;
) . + . +
1 + + " +
$ * 0 . 1 +
* . + + * ; * * " ;
+ + + 0 . 1 +
+ * <=> % 2
+ * 4 " . 0 . 1
7+ + 2+ * + * "+
3 + *
5 . + "$" .
+ + . + * " 4
2+ . 7+
: * .
* 2+ . 2
. .
* * + + )
' - (Supplement ./1, p. 5 a n d 6). ?
Deposited on 08.04.2025 - 15:5310188 Cg 120/21f
From an information technology perspective, the file guides, which explain the respective files and
are provided in English by default, cannot be used to determine who the specific recipients of the
plaintiff's data are (ON 72.1, p. 11).
In the data copy (Exhibit ./C) there is a list (Exhibit ./23) in which the apps downloaded by the
plaintiff are recorded in the column "Item Description" and recipients of personal data of the plaintiff
of the respective app in the column "Seller". Some of the names listed in the "Seller" category are
app names and providers, although in some cases it is not clear whether they are legal entities or
natural persons. Some of the apps listed were downloaded by the plaintiff in 2014 and no longer
exist today, which is why it is not possible to determine from an IT perspective what kind of app it
was at the time. At that time, it would have been possible for the defendant to identify the app
provider in more detail through the app provider's developer account (ON 99.1, p. 10 to 12).
During the pending proceedings, the defendant provided additional information on recipients who
offered apps in the app store of the defendant and who were used by the plaintiff. The additional
information the names of cities and countries in which the recipients designated as "sellers" are
located (ON 113, p. 3 para. 2). In order to access the contact details of the recipients so that the
rights of the data subjects can be exercised, they must be searched for independently by entering
them in a search engine or in the app store for the respective app. From an IT perspective, it is
only partially possible to obtain contact data.
Contact data can no longer be collected retrospectively if the app operator dissolves its company
and deletes the account.
From an information technology perspective, the seller data is stored once at the defendant and is
then referred to. As a user, the plaintiff does not have access to the recipient's contact details
stored with the defendant, but must view these, if still available, in the app store. A search engine
query by the plaintiff would be possible, but not always promising. The defendant would incur
enormous costs if the contact data were also to be stored in the data records, which would also
require enormous storage capacities.
The plaintiff also requested information about
(ii) the content of any disclosures or transmissions of its data
Deposited on 08.04.2025 - 15:5311188 Cg 120/21f
With regard to the specific content of the disclosures of the plaintiff's data, the defendant stated
that it does not keep detailed records documenting which specific personal data was disclosed to
which recipient or processor (Exhibit ./1, p. 6, ON 72.1, 4). The defendant stated that it did not
have such information.
At the oral hearing (ON 72.1, p. 6), the plaintiff offered the defendant to limit the request for
information if he received written confirmation from the defendant that the defendant really had no
information about the content of disclosures or transfers of the plaintiff's personal data.
No such confirmation was submitted by the defendant.
Concerning (iii) the specific storage period or the specific criteria for determining the
storage period in relation to the plaintiff's personal data
the defendant stated that it would retain personal data for as long as " 2 0 2
5. [...]
*
", including ". * *
* * * . + * +
" i+ st, to store. Furthermore was about informed,
that Apple
personal data for as long as necessary to fulfill the purposes described in the Data Protection
Policy and according to service-specific overviews on data protection. The defendant stated that
the criteria used to determine the retention period are from the processing purposes (ON 16 para.
18). In addition, Apple links the assessment of the retention period to its necessity and retains
personal data - if necessary - for the
" 2 : * * " (Enclosure5./1, p. 6 and 7).
In addition to the Austrian statutory provisions, the data provided by the defendant does not
provide any indication of specific criteria on the basis of which the defendant determines the
storage period. The defendant has been storing the plaintiff's data since 2011. 804 data records
dating back to May 2011 were found when the plaintiff purchased apps and subscriptions. It can
be assumed that the defendant itself does not delete data from apps that the plaintiff has already
deleted. It cannot be determined whether the has systematically established criteria regarding the
deletion of data (ON 99.1, p. 13).
Deposited on 08.04.2025 - 15:5312188 Cg 120/21f
For information about (iv) specific information pursuant to Art 15 (2) GDPR
the defendant stated that Apple also transfers personal data in connection with Apple IDs to
countries that are not members of the European Union and the European Economic Area.
Reference is made to Apple's privacy policy, in particular to the heading "Transfer of personal data
between countries", and that such transfers are made on the basis of the standard contractual
clauses (Exhibit ./1, p. 8, para. 10).
The files available on the defendant's data portal do not contain any information on the transfer of
data to third countries, nor is there any information on the corresponding security guarantees (ON
49, p. 7, para. 12).
The defendant would be able to describe the nested data structures in a comprehensible manner.
In addition, the defendant would be able to provide more detailed information on the plaintiff's
personal data collected for the advertising placement. It is also possible for the defendant to
provide information about the incompleteness of the column contents of the CSV file (enclosure
./K) and to provide missing contents if necessary.
The findings are based on the following assessment of the evidence:
First of all, reference is made to the uncontested or consistent evidence listed in brackets in the
individual findings, which could be used as a basis for the findings without hesitation. Insofar as
these are documents, their authenticity was not disputed and there were no doubts as to their
accuracy.
The findings regarding the processing of the plaintiff's personal data by the defendant are based
on the information technology report of the expert . The expert is an experienced specialist in
the field of information technology. He initially provided a written expert opinion and made written
additions to it, which are conclusive, comprehensible and uncontradicted. He was also available for
oral discussions at the hearings.
The expert's assessments of the processing of the plaintiff's personal data by the defendant can
be reconciled with the information provided by the plaintiff and are not contradictory.
The expert based his opinion on the information provided by the plaintiff and the defendant.
Deposited on 08.04.2025 - 15:5313188 Cg 120/21f
The expert's assessments of the processing of the plaintiff's personal data by the defendant are
based on this.
The expert gave very detailed reasons as to which parts of the information provided by the
defendant were incomplete. The expert also commented on the data structures that were provided
in an unrecognizable form for the plaintiff as a party to the proceedings (Exhibit ./J). Insofar as it
was possible to discuss the data structures, the expert explained them in detail at the hearing,
whereby data structures were also available in such a convoluted form that even the expert was
unable to decipher them.
The expert also clearly stated what information the defendant still had and could provide further
information. According to the expert, the defendant would be able to describe the nested data
structures in a comprehensible manner. In addition, the defendant would be able to provide more
detailed information on the plaintiff's personal data collected for the advertising placement. It is
also possible for the defendant to provide information about the incompleteness of the column
contents of the CSV file (enclosure ./K) and to provide missing contents if necessary.
The plaintiff requested the examination of the witnesses
.
The defendant's representative explained that - translated into Austrian law - is the
managing director of the defendant, who is responsible for the operational business and has no
personal knowledge of the stored data relating to the plaintiff. Regarding the person ,
the defendant's representative explains that he is, so to speak, the managing director of Apple Inc,
the parent company of the defendant.
The expert explained to these witnesses that information about the IDs, how they are linked and
what happens in the background of this software can only be provided by persons who are familiar
with the defendant's software. The expert was therefore of the opinion that the persons requested
by the plaintiff would probably not be able to provide the information about the IDs and other data
requested by the plaintiff.
Since the data information provided and the expert's involvement in reviewing the data submitted
provided sufficient evidence for the assessment of the data information, it was not necessary to
question the two requested witnesses.
Deposited on 08.04.2025 - 15:5314188 Cg 120/21f
The facts of the case are subject to the following legal assessment:
The plaintiff requests information from the defendant as the controller within the meaning of Art
4(7) GDPR about the processing of his personal data and bases his request on Art 15 GDPR.
If personal data is processed, the principles of processing pursuant to Art. 5 GDPR must be
complied with. In particular, Article 5(1)(a) stipulates that personal data must be processed
lawfully, fairly and in a way that is comprehensible to the data subject ("lawfulness, fairness and
transparency"). The principle of transparency means that all information and communications
relating to the processing of personal data must be easily accessible and comprehensible and
written in clear and plain language. In order to ensure the effective exercise of data subjects'
rights, in particular the right to information, the requirements of the transparency principle must be
met when providing information and notifications on the processing of personal data.
In addition to the data protection principle of transparency in accordance with Art. 5 GDPR, the
controller is also subject to a transparency obligation in accordance with Art. 12 GDPR.
Accordingly, the controller must take appropriate measures to provide the data subject with all
communications, in particular those under Art 15 GDPR, which relate to processing, in a concise,
transparent, intelligible and easily accessible form, using clear and plain language.
Taking into account the principles of data protection law and the duty of transparency, the data
subject has the right under Art. 15 GDPR to obtain confirmation from the controller as to whether
or not personal data concerning him or her are being processed, and, where that is the case,
access to the personal data and the following information:
a) the purposes of processing;
b) the categories of personal data that processed;
c) the recipients or categories of recipients to whom the personal data have been or will be
disclosed, in particular recipients in third countries or international organizations;
d) where possible, the envisaged period for which the personal data will be stored, or, if not
possible, the criteria used to determine that period;
Deposited on 08.04.2025 - 15:5315188 Cg 120/21f
e) the existence of the right to request from the controller rectification or erasure of personal data
or restriction of processing of personal data concerning the data subject or to object to such
processing;
f) the existence of a right of appeal to a supervisory authority;
g) if the personal data not collected from the data subject, all available information about the origin
of the data;
h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and
(4) and, at least in those cases, meaningful information about the logic involved, as well as the
significance and the envisaged consequences of such processing for the data subject.
(2. Where personal data are transferred to a third country or to an international organization, the
data subject shall have the right to be informed of the appropriate safeguards pursuant to Article
46 relating to the transfer.
The right to be provided with a copy of the personal data that is the subject of the processing
results from para. 3.
Based on the findings, the plaintiff was provided with information about the processing of his
personal data. However, this is limited to the extent that the files transmitted in the data copy were
incomplete and incomprehensible - even provided in a way that could not be understood even by a
specialist. Examples of this are files with completely empty columns. Furthermore, the number of
columns listed does not correspond to the actual number of columns and 538 entries within a file
have no values. Likewise, information about advertising placements available to the defendant was
not provided and it was not explained which of the plaintiff's data was fed into the corresponding
algorithm. Furthermore, the plaintiff was provided with nested data structures and data records
with links that could not be decrypted.
The violation of the right of access is to be regarded as a serious violation of the provisions of the
GDPR, as it is a data subject right within the meaning of Art 15 GDPR.
Time limits and admissibility of legal action:
The time limit for responding to the request for information begins when the request is received by
the controller (BvwG 12.03.2021, W211 2223696-1) and
Deposited on 08.04.2025 - 15:5316188 Cg 120/21f
Certificate
template
.
is then one month in accordance with Art 12 (3) GDPR.
The assertion of the right to information pursuant to Art. 15 GDPR can also be enforced in court,
parallel to the possibility of lodging a complaint with the competent supervisory authority. The
provision of Section 29 (2) DSG applies both to civil law claims under the DSG and under the
GDPR, according to which the Feldkirch Regional Court is authorized to make a decision in terms
of subject matter and location (OGH 6 Nc 19/21b).
The decision on costs is based on Section 41 (1) ZPO and Section 54 (1a) ZPO:
Pursuant to Section 41 (1) ZPO, the party that is completely unsuccessful in the legal dispute must
reimburse its opponent for all costs caused by the legal costs that are necessary for the
appropriate prosecution or legal defense.
The plaintiff has prevailed with his claim in its entirety, so that the defendant must reimburse him
for all costs necessary for the appropriate legal defense.
The defendant raised objections in due time by letter dated 19.3.2025 in accordance with
§ Section 54 (1a) ZPO against the plaintiff's list of costs (ON 126), which are partially justified.
The document in question is apparently ON 19, for which no reimbursement of costs is due, as it
was submitted solely because the plaintiff not designated the enclosures in accordance with the
ZPO. For a document submission - even if it was ordered by the court - reimbursement of costs is
only due if the document submission could not have been carried out differently, without this
additional effort and without disadvantage with the same result (see Obermaier,
Kostenhandbuch4, Rz 3.68, No. 16). This is to be agreed with.
The recorded costs are reduced by an amount of EUR 46.72.
The pleading , ON 31, was to be paid on the basis of EUR 6,666.67 due to the
limitation of the claim in ON 13 and ON 31. This was because the plaintiff had asserted nine
claims. This view, as well as all other objections based on a change in the basis of assessment
due to a limitation of the claim, cannot be upheld, as the individual claims are those which in their
entirety correspond to a request for information. The proceedings are therefore based on a request
for information pursuant to Art. 15 GDPR, which is why the requests do not have to be
Deposited on 08.04.2025 - 15:5317188 Cg 120/21f
,
are assessed.
In accordance with § 14 RATG, the basis of assessment is the value in dispute of EUR 10,000.00.
The objection that the new submission of documents , ON 34, was made because
the enclosures ./D to ./F were still not designated in accordance with the ZPO and were repeatedly
sent to the court to correct the designation must be accepted, as the submission of documents
relates exclusively to the plaintiff's sphere and is therefore not to be honored.
The recorded costs are reduced by an amount of EUR 48.82.
The objection that the statement on the application to extend the deadline of 20.10.2023, ON 57, is
not necessary for the appropriate prosecution and therefore should not be honored is to be agreed
with.
The recorded costs are reduced by an amount of EUR 58.76. Statement of
21.3.2024.
The objection that the pleading with ON 76, documents that had already been submitted at the
hearing on 15.3.2024, had merely been transmitted electronically again and thus exclusively
concerned the plaintiff's sphere, must be upheld. The pleading is not to be honored.
The recorded costs are reduced by an amount of EUR 58.76.
The defendant further that the ON 31, dated
23.2.2024, ON 69, , ON 78, , ON 97 and ,
ON 115, were not to be honored, since they were not preparatory pleadings within the meaning of
§ 257 ZPO and had not been ordered by the court. Furthermore, these pleadings were not
necessary for the appropriate prosecution and could have been presented orally at the hearing.
It should be noted that the parties may also submit written pleadings that have not been ordered
by the court in order to communicate motions, means of attack and defense, allegations and
evidence they wish to assert that are not yet contained in the complaint or response (Section 257
(3) ZPO). These pleadings serve to supplement the previous procedural material not yet contained
in the respective pleading initiating the proceedings and to file an application within the meaning of
Section 229 ZPO. A prerequisite for their admissibility is that they are received by the court and the
opposing party no later than one week before the preparatory hearing (Obermaier aaO Rz mwN).
Deposited on 08.04.2025 - 15:5318188 Cg 120/21f
According to these statements, the plaintiff's pleadings , ON 31, of , ON
69, , ON 78, , ON 97 and ,
ON 115 were all deemed admissible within the meaning of Section 257 (3) ZPO. The content of
the pleadings corresponded to the plaintiff's legal defense and supplemented the pleading initiating
the proceedings. In addition, the aforementioned pleadings were received by the court on time, in
each case one week before the respective hearings and were also accessible to the defendant
through inspection of the electronically managed file. For the reasons stated above, the
aforementioned pleadings are to be remunerated as other pleadings not mentioned in tariff item 1
or 3 in accordance with TP2 and on the basis of the value in dispute of EUR 10,000.00 in
accordance with § 14 RATG. They are to be remunerated as follows:
Other pleadings TP 2 EUR 144,80
60% standard rate EUR 86,66
ERV increase contribution EUR 2,10
The recorded costs are reduced by a difference of EUR 1,153.10.
The objection that the pleading , ON 101, is merely a simple communication that
at best be remunerated in accordance with TP1 is countered by the fact that it is a communication
ordered by the court and its scope justifies remuneration in accordance with TP3A.
Due to the above-mentioned reductions, the total costs are reduced to the amount of EUR
11,561.52
plus 20 % VAT EUR 2,312.30
EUR 13.873,82
Cash expenses EUR 7.335,00
EUR 21.208,82
Feldkirch Regional Court, Department 008
Feldkirch, April 08, 2025
Electronic copy according to § 79
GOG
