DSB (Austria) – Court Ruling (Austria, 2021)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Austria's Federal Administrative Court ruled that a kindergarten shared children's personal information with a municipality without proper consent. This decision matters because it highlights the importance of obtaining consent before sharing personal data, especially for minors. Schools and similar organizations should ensure they have clear permissions in place.
What happened
The kindergarten shared a list of children's names and details with the municipality without asking for consent from their legal guardians.
Who was affected
The children attending the kindergarten, who are minors, were affected by the unauthorized sharing of their personal information.
What the authority found
The court decided that the kindergarten's consent did not cover sharing the data with the municipality, violating GDPR's requirement for valid consent.
Why this matters
This ruling emphasizes that organizations must be careful about how they share personal data and ensure that consent is specific and comprehensive. It sets a precedent for how consent must be handled, especially when it involves minors.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
The two data subjects of this case are minors. They are visiting a private kindergarten. The private kindergarten gave – with the consent of the legal guardians of the data subjects – a list to the municipality of its seat (the controller) which consisted of the name, date of birth and date of admission of all kids attending the kindergarten. Because the municipality did not want to bear the costs for children having their residence in another municipality, it sent a letter to all parents requesting them to take the letter to the municipality of their residence and ask for their financial support. This letter consisted of the already mentioned list as well as another list which additionally contained the days of absence, overall days and the calculated share of costs of each child. The controller did not ask the legal guardians of the data subjects for their consent before sending the letter out to all parents. The data subjects – represented by their legal guardians – filed a complaint with the DPA. The DPA sustained the complaint. The Federal Administrative Court (Bundesverwatungsgericht – BVwG) upheld the decision of the DSB. The court concluded that the head of the kindergarten was a third party according to Article 4(10) GDPR with respect to the sending of the letters. The consent given to the head of the kindergarten did not extend to the municipality and did not encompass the disclosure of the data to the other legal guardians.
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (5)
Other cases involving DSB (Austria) in AT
Court Ruling
Details
About this data
Cite as: Cookie Fines. DSB (Austria) - Austria (2021). Retrieved from cookiefines.eu
Last updated: