Gerhard A. (data subject) – Complaint Upheld (Austria, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A complaint by Gerhard A. was upheld after a company failed to provide him with access to his personal data. This matters because it reinforces that companies must fulfill access requests from users under data protection laws.
What happened
Gerhard A. requested access to his transaction data from a company but was denied.
Who was affected
Gerhard A., a user of the company's online store.
What the authority found
The data protection authority ruled that the company could not refuse the access request based on the user's intended use of the information.
Why this matters
This case highlights the right of users to access their personal data. Companies must be prepared to provide this information without unnecessary barriers.
GDPR Articles Cited
National Law Articles
Entities Involved
The data subject used a game console and an online store operated by the controller, a company established in the United Kingdom. He had a user account with the controller and used it to buy digital products. On 13 February 2024, the data subject, through his lawyers, sent an access request to the controller under Article 15 GDPR. He asked for transaction lists for all his accounts, including deposits and withdrawals, the relevant dates, and the games or services concerned. He also asked for information on his total gains or losses, whether these included sports betting, and which group company had concluded the contract with him.
On 14 March 2024, the controller replied by email. It sent a copy of its privacy notice and referred the data subject to its privacy policy. However, it refused to provide the requested transaction information. It argued that the request did not serve a data protection purpose and that the data subject wanted the information for a civil claim. It also said that it could not identify items bought within a game’s in-game store. The controller stated that the data subject could already view and download his transaction history and further data through his user account at any time and without charge.
The data subject expanded his position and argued that the controller had to provide access not only to transaction data, but to all personal data processed about him, including data not visible in the user account.
First, the DPA rejected the controller’s argument that the access request was abusive under Article 12(5) GDPR and stated that a data subject does not need to justify an access request. It noted that the GDPR does not allow a controller to refuse access merely because the data subject may later use the information in court, saying that using access rights to assess possible legal claims does not, by itself, amount to abuse. Second, the DPA held that the controller did not infringe Article 15 GDPR in relation to the transaction data t
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Cite as: Cookie Fines. Gerhard A. (data subject) - Austria (2025). Retrieved from cookiefines.eu