Google LLC – Complaint Upheld (Austria, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Austrian DPA upheld a complaint against Google LLC for not giving complete information to a user about their data. The user requested details about their data from YouTube but received incomplete information. This case shows that companies must be transparent about how they handle user data.
What happened
The DPA upheld a complaint against Google for failing to provide complete information following a data access request.
Who was affected
A user who requested access to their data from Google was affected.
What the authority found
The DPA ruled that Google did not fulfill its obligation to provide complete information, violating GDPR access rights.
Why this matters
This case highlights the need for companies to ensure they provide full transparency to users about their data. Website operators should improve their data access processes to comply with GDPR.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
A data subject, represented by noyb, brought a complaint against Google LLC (the controller) in January 2019. According to the data subject, the controller did not provide them with complete information following an access request for the YouTube service; instead, the controller provided limited information through a download portal, which excluded information the controller stated it would process in accordance with its privacy policy. For example, the data provided did contain information on the data processed through cookies or Facebook pixels. The DPA initiated the One-Stop Shop procedure and forwarded the case to the Irish DPA, who also believed it should be considered the lead DPA for the proceedings. However, the Irish DPA ultimately declared it was not responsible in 2022, and referred the case back to the DPA. The controller argued that the data subject had incorrectly initiated proceedings against them, as it was not the controller within the meaning of the GDPR. In addition, it argued that the data subject had received complete information and that its DPO was not responsible. The DPA first emphasised the importance of the right to access (Article 15 GDPR), as it enables the data subject to verify whether a controller is processing personal data lawfully. In addition, Article 12(2) GDPR places an obligation on controllers to facilitate data subjects in exercising their rights. The DPA then dismissed the controller’s argument to reject the complaint, as Google LLC was the controller at the time the case was filed with the DPA. Furthermore, the DPA stated that it would have not dismissed the case even if the data subject had not chosen an entirely accurate name for the controller; it was clear that the data subject wanted to prosecute the entity responsible for the YouTube service. The DPO was considered responsible for handling the complaint, as the Irish branch was not considered the controller for YouTube. The DPA found a violation of Article 12(1
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Violations (1)
Third-party tracking cookies or scripts are loaded without obtaining prior user consent.
Art. 13, 14 GDPR
Related Enforcement Actions (0)
No other enforcement actions found for Google LLC in AT
This is the only recorded action for this entity in this jurisdiction.
Similar Cases
Enforcement actions with similar violations
Details
About this data
Cite as: Cookie Fines. Google LLC - Austria (2025). Retrieved from cookiefines.eu
Last updated: