Google LLC – Complaint Upheld (Austria, 2025)
Google was found to have not fully informed users about their data when they requested access. The Austrian DPA upheld a complaint stating that Google didn't provide complete information regarding third-party cookies. This case shows that companies must be transparent about how they use personal data.
What happened
The Austrian DPA upheld a complaint against Google for not providing complete information after a user requested access to their data.
Who was affected
Users of Google's services who requested their personal data were affected by the lack of complete information provided by Google.
What the authority found
The DPA ruled that Google did not comply with its obligations to facilitate user access to personal data, violating GDPR's transparency requirements.
Why this matters
This decision reinforces the need for companies to be transparent and thorough when responding to user data requests. Website operators should review their data access processes to ensure compliance.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
A data subject, represented by noyb, brought a complaint against Google LLC (the controller) in January 2019. According to the data subject, the controller did not provide them with complete information following an access request for the YouTube service; instead, the controller provided limited information through a download portal, which excluded information the controller stated it would process in accordance with its privacy policy. For example, the data provided did contain information on the data processed through cookies or Facebook pixels. The DPA initiated the One-Stop Shop procedure and forwarded the case to the Irish DPA, who also believed it should be considered the lead DPA for the proceedings. However, the Irish DPA ultimately declared it was not responsible in 2022, and referred the case back to the DPA. The controller argued that the data subject had incorrectly initiated proceedings against them, as it was not the controller within the meaning of the GDPR. In addition, it argued that the data subject had received complete information and that its DPO was not responsible. The DPA first emphasised the importance of the right to access (Article 15 GDPR), as it enables the data subject to verify whether a controller is processing personal data lawfully. In addition, Article 12(2) GDPR places an obligation on controllers to facilitate data subjects in exercising their rights. The DPA then dismissed the controller’s argument to reject the complaint, as Google LLC was the controller at the time the case was filed with the DPA. Furthermore, the DPA stated that it would have not dismissed the case even if the data subject had not chosen an entirely accurate name for the controller; it was clear that the data subject wanted to prosecute the entity responsible for the YouTube service. The DPO was considered responsible for handling the complaint, as the Irish branch was not considered the controller for YouTube. The DPA found a violation of Article 12(1
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Violations (1)
Third-party tracking cookies or scripts are loaded without obtaining prior user consent.
Art. 13, 14 GDPR
Related Enforcement Actions (0)
No other enforcement actions found for Google LLC in AT
This is the only recorded action for this entity in this jurisdiction.
Similar Cases
Enforcement actions with similar violations
Details
About this data
Cite as: Cookie Fines. Google LLC - Austria (2025). Retrieved from cookiefines.eu
Last updated: