Datenschutzbehörde – CJEU Judgment (Austria, 2025)
CJEU judgment — not a DPA enforcement action
This is a Court of Justice ruling, not an enforcement action by a data protection authority. It is not included in cookie statistics or the Risk Calculator.
The Court of Justice addressed a complaint about the Austrian data protection authority not acting on a user's repeated access requests. This ruling is significant because it clarifies how authorities should handle complaints and what constitutes excessive requests. It could impact how users interact with data protection agencies in the future.
What happened
The Court ruled on a case where a user complained that the Austrian data protection authority did not respond to his access requests.
Who was affected
A user who submitted multiple complaints to the Austrian data protection authority regarding access to his personal data.
What the authority found
The Court held that the authority's refusal to act on the user's complaint was incorrect and clarified the definition of excessive requests.
Why this matters
This ruling sets a precedent for how data protection authorities should respond to user complaints, ensuring that users' rights are upheld. It encourages individuals to assert their rights without fear of being labeled as excessive.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
On 17 February 2020, the data subject lodged a complaint with the Austrian DPA. He complained that the controller had not responded to his access request under Article 15 GDPR for access within one month. On 22 April 2020, the DPA made the decision to refuse to act on this complaint, arguing that it was “excessive” under Article 57(4) GDPR. The DPA observed in particular that, over a period of about 20 months, the data subject had sent it 77 complaints arguing that various controllers failed to respond within one month to his requests for access or erasure. Also, the DPA highlighted the fact that the data subject regularly contacted the DPA by telephone in order to report additional facts and to make additional requests. The data subject brought an action before the Federal Administrative Court (Bundesverwaltungsgericht – BVwG). On 22 December 2022, the BVwG upheld the data subject’s action. It held that, in order for requests to be "excessive” under Article 57(4) GDPR, it is not enough that these requests had been made repeatedly and frequently, but it is also needed that they had been manifestly vexatious or abusive. The DPA appealed this judgement before the Supreme Administrative Court (Verwaltunsgerichtshof – VwGH). This court decided to stay the proceedings and refer the following questions to the CJEU for a preliminary ruling: # Must the concept of “requests” in Article 57(4) GDPR be interpreted as meaning that it also covers “complaints” under Article 77(1) GDPR? # Must Article 57(4) GDPR be interpreted as meaning that, for requests to be “excessive”, it is sufficient that a data subject has merely addressed a certain number of requests to a DPA within a certain period of time, irrespective of whether the facts are different and/or whether the requests (complaints) concern different controllers, or is an abusive intention on the part of the data subject required in addition to the frequent repetition of requests (complaints)? # Must Article 57(4) GDPR be in
Outcome
CJEU Judgment
A judgment by the Court of Justice of the European Union, typically on a preliminary reference from a national court.
Related Cases (2)
Other cases involving Datenschutzbehörde in AT
CJEU Judgment
Details
Judgment Date
9 January 2025
Authority
Court of Justice of the European Union
GDPRhub ID
gdprhub-cjeu-8251About this data
Cite as: Cookie Fines. Datenschutzbehörde - Austria (2025). Retrieved from cookiefines.eu
Last updated: