Datenschutzbehörde – Court Ruling (Austria, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
An Austrian court decided that a person could not access all documents from an investigation by the Datenschutzbehörde because they were not a party to the case. This ruling is important as it clarifies the limits of access rights under GDPR. Businesses should be aware that individuals may not always have the right to full access to all documents related to investigations.
What happened
A person requested full access to documents from a DPA investigation but was denied because they were not involved in the case.
Who was affected
The individual represented by their parents who sought access to the investigation documents.
What the authority found
The court ruled that the Datenschutzbehörde lawfully only disclosed parts of the investigation documents, as the requester was not a party to the proceedings.
Why this matters
This case sets a precedent on the limits of access rights under GDPR, reminding businesses that individuals may not have unrestricted access to all investigation materials.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
In 2022, the data subject (represented by their parents) filed an access request with the DPA. They aimed at accessing some documents concerning an investigation conducted by the DPA on a controller. According to a statement of the DPA, the data subject was not a party in this procedure. After receiving an answer only partially disclosing the file of this investigation, the data subject filed a complaint with the DPA (which, in this case, acts both as the supervisory authority and the controller), arguing that no complete copy of the documents of the file had been made available. The DPA rejected this complaint, pointing out that, on the one hand, it had disclosed the information provided for by Article 15(1) and (2) GDPR. On the other hand, the data subject does not have a right to inspect the entire file since they are not a party of this investigation proceeding. In a separate and previous legal proceeding before the BVwG, the data subject appealed this complaint. In this case, the BVwG did not upheld the complaint. It ruled that the DPA lawfully only partially disclosed the documents contained in the file and that the disclosed parts easily allow the data subject to get the information stated in Article 15(1) and (2) GDPR. As for Article 15(3) GDPR, the DPA suspended the proceedings, due to the fact that there was a preliminary ruling proceeding before the CJEU under number C-487/21. After the CJEU issued its judgement in case C-487/21, Österreichische Datenschutzbehörde and CRIF, the DPA rejected the data subject’s complaint. It argued that, in light of this judgement, Article 15(3) GDPR does not enshrine an independent right, but merely represents a modality of the provision of information. Therefore, the data subject appealed the DPA’s decision before the Federal Administrative Court (Bundesverwaltungsgericht – BVwG). First, the court noted that in case C-487/21, Österreichische Datenschutzbehörde and CRIF, the CJEU had ruled that Article 15(3) GDPR must b
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (2)
Other cases involving Datenschutzbehörde in AT
Court Ruling
Details
About this data
Cite as: Cookie Fines. Datenschutzbehörde - Austria (2024). Retrieved from cookiefines.eu
Last updated: