
OLG Graz - 2 R 192/24h

From GDPRhub
Court: OLG Graz (Austria)
Jurisdiction: Austria
Relevant Law: Article 12 GDPR
Article 12(2) GDPR
Article 15 GDPR
§ 45 ZPO
Decided: 09.12.2024
Published: 18.03.2025
Parties:
National Case Number/Name: 2 R 192/24h
European Case Law Identifier:
Appeal from: LG Klagenfurt (Austria)
Appeal to:
Original Language(s): German
Original Source: RIS (in German)
Initial Contributor: cwa

A court held that an online casino-game provider wrongfully dismissed an access request by demanding a power of attorney signed with ink or with a qualified electronic signature, thus violating Article 12 GDPR.

English Summary

Facts

The data controller is an online casino-game provider. The data subject set up an account, deposited money and lost it on the website.

On 23rd May 2024, the data subject submitted, through his representative, an access request to the controller for his personal data, specifically all deposits and withdrawals and the stakes, wins and losses made on his account. The request included an electronically signed power of attorney and a copy of the data subject’s ID.

On 26th May 2024, the controller refused the applicant’s request, asking for a handwritten power of attorney signed by the plaintiff in ink.

The data subject did not respond to the controller’s response and filed the present action on 5th July 2024 with the Regional Court of Klagenfurt. The data subject sought that the controller be compelled to provide a digital copy of the data requested.

On August 1st 2024, the controller sent further communication to the data subject’s representative and, in light of having received notice of the claim filed, deemed there to be a legally valid power of attorney within the meaning of Section 8 RAO and provided the information requested by the data subject on 23rd May.

On 9th October, the data subject, having received the requested information, limited the scope of their filing to request only reimbursement of the costs incurred in the court proceeding. The trial court ruled that the controller could not rely on § 45 ZPO, an Austrian Civil Procedure provision which requires plaintiffs in a proceeding to bear the costs of such proceeding where the cause of action is not attributable to the action of the defendant and the defendant immediately acknowledges the claim in action. The controller had argued that this provision should apply as the power of attorney received in May 2024 was invalid.

The trial judge ordered the controller to reimburse the data subject for their legal costs, to the tune of €1559.60. The judge also held that the requesting of a power of attorney in ink by the controller violated their obligation under Article 12(2) GDPR to facilitate the data subject in making an access request. The court noted that no reasonable doubt as to the identity of the data subject could have been held by the controller as the data subject’s signatures on both their ID and the power of attorney were identical.

The controller appealed this decision to the Higher Regional Court, alleging incorrect legal assessment by the trial court, and requesting that the data subject be required to reimburse the controller’s legal costs of €1,170.35.

Holding

The appellate Court firstly highlighted that, contrary to the controller’s claims, there are no special formality requirements for the validity of a signed power of attorney, either under Austrian civil law, or for identity verification under the GDPR.

The Court noted that the controller is obliged to demonstrate that they are not in a position to identify a data subject where they refuse to respond to a data subject right request on that basis.

The Court held that in requesting the hand-signed power of attorney, the controller failed to demonstrate that they were not in a position to identify the data subject, and infringed Article 12 GDPR.

Accordingly, the Court rejected the appeal.


English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

Head

The Higher Regional Court of Graz, acting as an appeal court, with Judge Dr. Kirsch (presiding), Judge Maga. Schiller, and Judge Mag. Scheuerer, has decided in a closed session in the case of plaintiff A*, born on **, **, represented by Allmayer-Beck Stockert Rechtsanwälte GmbH in Vienna, against defendant B*, **-Malta, represented by BK.PARTNERS Bugelnig Kirner Rechtsanwälte OG in Vienna, regarding (limited to) procedural costs, on the defendant's appeal against the judgment of the Regional Court of Klagenfurt of November 5, 2024, **-11:

Ruling

The appeal is dismissed.

The defendant is obliged to reimburse the plaintiff within 14 days for the costs of responding to the appeal, determined at EUR 336.82 (including EUR 56.14 VAT).

The appeal on points of law is inadmissible in any event.

Text

Grounds:

The defendant offers online gambling (so-called "casino games") in Austria via its German-language website (**). The plaintiff, who resides in Austria, opened an account ("Account") on the aforementioned website. He transferred funds to this account, wagered them on the defendant's casino games, and lost.

Referring to the plaintiff's authorization, the plaintiff's representative sent an email to the defendant on May 23, 2024, which reads in part:

She enclosed a power of attorney with this letter, which was electronically signed by the plaintiff as follows.

At the same time, the plaintiff's representative sent the following copy of her ID to the defendant:

In her reply dated May 26, 2024, the defendant pointed out that she needed to specify the company to which the data protection request referred. She also requested the plaintiff's representative to provide a valid copy of the power of attorney. She pointed out that she would only accept a power of attorney if it was handwritten and signed in ink by the customer.

The plaintiff left this letter from the defendant unanswered. On July 5, 2024, he filed the present lawsuit.

On August 1, 2024, the defendant sent a letter to the plaintiff's representative, in which she again referred to the request of May 23, 2024, and the reasons why it had not yet been complied with. She stated that she had received the lawsuit, which is why a legally valid power of attorney existed within the meaning of Section 8 of the RAO. At the same time, she provided the information requested in the plaintiff's representative's letter of May 23, 2024.

The signatures on the power of attorney and the signature on the ID copy have the same typeface.

During the proceedings, the plaintiff – based on Article 15 (1) and (3) GDPR – requested that the defendant be ordered to provide him with a digital copy of his data, which was being processed by the defendant. Despite a request, the defendant refused, for flimsy reasons, to provide a list or data showing all deposits and withdrawals, as well as stakes, winnings, and losses made on sports bets.

On August 1, 2024, the defendant fully complied with the plaintiff's request for information and acknowledged the plaintiff's request for information in its defense.

In a written submission dated October 9, 2024, the plaintiff limited his claim to reimbursement of costs. The defendant rejected the request for accounting and information submitted by the plaintiff's representative on his behalf pursuant to Article 15 GDPR on May 23, 2024, because the power of attorney submitted at the same time was not signed by the plaintiff in ink. Since the submission of a handwritten power of attorney is not a prerequisite for such a request, the defendant's letter was left unanswered and the lawsuit was filed. The defendant therefore gave grounds for bringing the action. Despite the fulfillment and acknowledgment of the claim in the defense, the defendant could not invoke Section 45 of the Code of Civil Procedure (ZPO).

The defendant argues that the letter of demand dated May 23, 2024, lacked a legally valid power of attorney. The "simple" electronic signature does not comply with the statutory requirements and also deviates from the signature on the identification document. The defendant requested the plaintiff's representative to submit a correct power of attorney in a letter dated May 26, 2024. The plaintiff's representative did not respond to this message but immediately filed the lawsuit.

In the contested judgment, the court of first instance ordered the defendant to reimburse the plaintiff for the legal costs determined at EUR 1,559.60 (including EUR 204.10 in sales tax and EUR 335.00 in out-of-pocket expenses). In addition to the facts summarized above, the court also made the findings of fact contained on pages 3 to 5 of the judgment, to which the appeal court refers. In its legal assessment, the court of first instance concluded that the defendant's demand for the requester's signature in ink violated the principle of facilitation under Article 12 (2) GDPR. Only if the data protection controller has reasonable doubts about the identity of the requester may it request additional information to identify them. The defendant failed to demonstrate such doubts, but merely "generally" demanded a handwritten power of attorney signed in ink. The court also found no reasonable doubts about the identity of the requester because the plaintiff's signatures on the power of attorney (Exhibit ./6) and the ID copy (Exhibit ./7) matched. The defendant's conduct gave rise to the lawsuit.

The defendant's appeal is directed against this judgment on the grounds of incorrect legal assessment, including secondary declaratory errors. The defendant requests that the contested decision be amended to require the plaintiff to reimburse its procedural costs in the amount of EUR 1,170.35 (including EUR 178.53 in VAT).

The plaintiff requests that the appeal be dismissed.

Legal Assessment

The appeal is unfounded.

1. If the plaintiff limits the claim to reimbursement of costs, the legal dispute regarding the claim for costs – and thus, as a preliminary question, the original justification of the claim – must continue without any relief from the burden of proof. Under case law, such proceedings are decided by judgment, against which an appeal is admissible (Fucik in Rechberger/Klicka5 § 41 ZPO Rz 3; RS0036080).

2. The plaintiff – represented by a lawyer – submitted a request for information to the defendant pursuant to Art. 15 GDPR. He demonstrated his representative's authorization by attaching a power of attorney signed electronically by him. A copy of the plaintiff's identity card was sent to the defendant as further proof of identity. The signature – albeit electronic – on the submitted power of attorney was in the same typeface as the one on the copy of the ID card. Nevertheless, the defendant did not comply with the request for information. Instead, it demanded the submission of a power of attorney signed by the plaintiff in ink.

3. Article 12 GDPR regulates the procedure for the controller (here, the defendant) to fulfill the data subject's rights and specifies the principle of transparency. Articles 13 and 14 GDPR then stipulate extensive active information obligations for the controller. This is followed by the data subject's rights: The fundamental rights to information, erasure, and rectification, already provided for in Section 1 of the Data Protection Act and partly in Article 8 of the Charter of Fundamental Rights, are further developed in Articles 15–17 of the GDPR (Haidinger/Illibauer in Knyrim, Datenschutzrecht4, Chapter 8, para. 8.2).

The controller must make it as easy as possible for the data subject to exercise their data subject rights (“facilitation principle,” Article 12, paragraph 2, GDPR). If the controller has doubts about the identity of the person making the request pursuant to Articles 15 to 21 GDPR, the controller may request additional information necessary to confirm the identity of the data subject (Article 12, paragraph 6, GDPR). There is no obligation for the data subject to disclose their identity at the time of the request (as provided for in Section 26, paragraph 1, DSG). The controller may not generally request proof of identity, but must examine and decide on a case-by-case basis. Identification documents or other authentication methods such as qualified electronic signatures are usually suitable for identification (Haidinger/Illibauer, op. cit., para. 8.25).

If the controller cannot identify the data subject, they may refuse to act on a data subject's request (Article 12(2) GDPR). In these cases, the controller must credibly demonstrate that they are unable to identify the data subject.

The request for information must be answered promptly, and at the latest within one month of receipt.

4. Thus, the plaintiff's right to request information about his personal data pursuant to Article 15 GDPR is counterbalanced by the obligation of the data controller (here, the defendant) to establish the identity of the person requesting the information. The defendant was able to establish his identity based on the documents submitted (electronically signed power of attorney including a copy of the identity card; identical signatures). Contrary to the defendant's opinion, there are no special formal requirements for concluding an authorization agreement (Section 1005 of the Austrian Civil Code (ABGB); RS0019359), so the plaintiff's power of attorney submitted by the plaintiff's representative was legally valid. The GDPR also does not stipulate an obligation to submit a power of attorney with a qualified electronic signature or one signed in ink. Furthermore, the plaintiff's representative preemptively addressed potential doubts about the plaintiff's identity by attaching a copy of the plaintiff's ID card to the letter of demand.

By refusing to act on the plaintiff's request, the defendant should have credibly demonstrated that it was unable to identify the data subject. However, the defendant – without expressing any doubt about the plaintiff's identity – merely requested a handwritten power of attorney signed in ink. This practice clearly violated Article 12 GDPR (Haidinger/Illibauer in Knyrim, loc. cit., para. 8.28f), thus requiring the plaintiff to bring the action.

The appeal was therefore dismissed.

The decision regarding the costs of the appeal proceedings is based on Sections 41, Paragraph 1, and 50, Paragraph 1 of the Code of Civil Procedure (ZPO), and Section 11, Paragraph 1, Sentence 2 of the RATG.

The ruling regarding the inadmissibility of the appeal on points of law is based on Section 528, Paragraph 2, Item 3 of the Code of Civil Procedure.