DSB (Austria) – Court Ruling (Austria, 2021)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Austria's Federal Administrative Court ruled that a person's data could be shared with a market research company, despite their request for privacy. The court decided that the data sharing was legitimate because it was part of a contract. This case is relevant for businesses that use third-party services.
What happened
The court upheld a decision allowing the sharing of a person's phone number with a market research institute after they called a helpline.
Who was affected
A person who provided their phone number to Österreichische Post AG but did not want it shared with others.
What the authority found
The court ruled that the data sharing was justified under data protection laws because it was part of a valid processing agreement.
Why this matters
This case illustrates that companies can share data with service providers if they have proper agreements in place. Businesses should ensure they have clear contracts when working with third parties.
GDPR Articles Cited
Original data from scraper before AI verification against source document.
National Law Articles
The data subject called the helpline of the Österreichische Post AG (Austrian Postal PLC). He gave his phone number to the employee with the request for a callback, thereby stating that he did not want the phone number to be given to a third party. Afterwards the data subject was called twice by a market research institute – the processor. The controller and the processor had concluded a processing contract under Article 28 GDPR.

The data subject filed a complaint with the DSB (Austria), arguing that the transmission of his data (name and phone number) to the processor was illegitimate since he had already denied consent to any form of data sharing with a third party. During these proceedings the data subject amended their submission by also tackling the use of cookies by the controller. The DSB dismissed the complaint.

The Federal Administrative Court (Bundesverwaltungsgericht – BVwG) upheld the decision of the DSB. The court determined that the processor is to be seen as a dependent extension of the controller (“verlängerter Arm”) (cf. Article 29 GDPR). If the processing of data is in accordance with Article 6 GDPR, the controller is free to deploy a processor. As a result, the transmission of data from the controller to the processor itself does not need to be justified under Article 6 GDPR.

In the case at hand, the court came to the conclusion that the processing of data by the controller - and therefore also the transmission to the processor - is justified under Article 6(1)(c) GDPR. The controller in this case - the Österreichische Post AG - is obliged under national law (§§ 6(8), 32(3) PMG) to provide for a complaint management system to improve their services. According to § 6(8) PMG a postal service must further develop its service in accordance with the needs of users and contribute to securing the provision of postal services and to the further development of them by means of appropriate measures and proposals. Pursuant to § 32(3) PMG postal servic
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Violations (1)
Third-party tracking cookies or scripts are loaded without obtaining prior user consent.
Art. 13, 14 GDPR
About this data
Cite as: Cookie Fines. DSB (Austria) - Austria (2021). Retrieved from cookiefines.eu