BF (data subject) – Court Ruling (Austria, 2024)

The data subject had a heating supply contract with a private energy company, the controller. On 17 October 2019, the controller installed a smart heat meter in the data subject’s apartment. The device recorded various consumption and technical data, including energy usage, flow rates, and temperatures. It also stored historical operational data for error detection. The controller read the meter once per year on-site. Although the device technically supported remote reading via a radio module, the controller did not use this function. On 21 September 2020, the data subject filed a complaint with the DPA, arguing that the device unlawfully processed personal data and that the controller required a specific legal basis as a public authority. The DPA rejected the complaint on 11 October 2021. The data subject appealed to the court. First, the court held that the controller was not a public authority. It acted as a private company under a contractual relationship and had no statutory powers to exercise authority. Therefore, Article 6(1)(f) GDPR could apply. Second, the court held that the processing of consumption data (such as energy use, flow, and temperatures) complied with Article 6(1)(c) GDPR. National law required the collection and storage of such data for billing, energy efficiency, and system operation. This law satisfied the requirements of Article 6(3) GDPR by defining the purpose, scope, and retention periods. Third, the court held that the processing of additional technical and historical data (such as error logs and operational records) complied with Article 6(1)(f) GDPR. The controller had a legitimate interest in ensuring the proper functioning and maintenance of the device. The processing was necessary for detecting faults and maintaining system reliability. Finally, the court found that the data subject’s interests did not override the controller’s interests. Access to detailed historical data required specialised tools, and the data was only used i