Datenschutzbehörde (DPA) – Court Ruling (Austria, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
An Austrian social security body searched the email logs of its employees without following proper procedures. The court ruled that this violated data protection rules because the employees were not properly informed or involved. This case highlights the importance of following correct procedures when handling employee data.
What happened
The social security body searched the email logfiles of 6,000 employees without involving the local works councils as required.
Who was affected
Three employees whose email data was searched without proper procedures were affected.
What the authority found
The court decided that the social security body did not follow the correct legal procedures for processing personal data, violating data protection rules.
Why this matters
This ruling emphasizes the need for companies to adhere to proper procedures when handling employee data. It serves as a reminder that even public bodies must respect the rights of their employees.
GDPR Articles Cited
Original data from scraper before AI verification against source document.
National Law Articles
The controller was an Austrian social security body and the data subjects were three employees. On 30 July 2020, the controller’s administrative board held a non-public meeting and created a transcript of that meeting, to which only 26 people had access. On 15 August 2020, a website published an article containing verbatim statements from named participants in the confidential transcribed meeting. On 16 October 2020, the controller started an internal investigation into the handling of meeting records and data security. In February 2021, it carried out a search of the email server logfiles of all employees for communications sent to a specific recipient domain. The search covered 6,000 employees’ mail server logfiles and produced a list containing sender and recipient email addresses, delivery status, subject line, size, and date and time of sending, but the controller did not review email content. The controller involved the works council chair of the head office, but it did not involve the local works councils representing the three data subjects, despite the controller’s internal works agreement requiring the local works council to be involved.
The data subjects complained to the DPA on 15 February 2022. They argued that the controller had unlawfully searched employees’ email data without a valid legal basis and without following the correct procedure. The DPA upheld the complaint. The controller appealed to the Federal Administrative Court.
First, the court held that the searched logfiles contained personal data within the meaning of Article 4(1) GDPR. The sender and recipient email addresses identified employees because they contained their first and last names, so searching those logfiles amounted to processing under Article 4(2) GDPR. Second, the court rejected the DPA’s view that the controller needed a specific statutory basis because it was a public body. The court held that, in its relationship with employees, the controller acted under private law rat
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Details
Ruling Date: 24 January 2024
Authority: Datenschutzbehörde
About this data
Cite as: Cookie Fines. Datenschutzbehörde (DPA) - Austria (2024). Retrieved from cookiefines.eu