BF (data subject) – Court Ruling (Austria, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
An Austrian court ruled that a private energy company properly processed data from a smart heat meter installed in a customer's apartment. The customer complained that the company needed a legal basis to process their data, but the court found that the company was acting within its rights under a contract. This decision clarifies how companies can handle personal data related to utility services.
What happened
The court found that the energy company legally processed data from a smart heat meter installed in a customer's apartment.
Who was affected
The customer whose energy consumption data was recorded by the smart heat meter.
What the authority found
The court decided that the energy company was not a public authority and had a valid legal basis for processing the data under GDPR.
Why this matters
This ruling highlights that private companies can process personal data under contractual obligations. It serves as a reminder for service providers to ensure they have a clear legal basis for data processing.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
National Law Articles
The data subject had a heating supply contract with a private energy company, the controller. On 17 October 2019, the controller installed a smart heat meter in the data subject’s apartment. The device recorded various consumption and technical data, including energy usage, flow rates, and temperatures. It also stored historical operational data for error detection. The controller read the meter once per year on-site. Although the device technically supported remote reading via a radio module, the controller did not use this function. On 21 September 2020, the data subject filed a complaint with the DPA, arguing that the device unlawfully processed personal data and that the controller required a specific legal basis as a public authority. The DPA rejected the complaint on 11 October 2021. The data subject appealed to the court. First, the court held that the controller was not a public authority. It acted as a private company under a contractual relationship and had no statutory powers to exercise authority. Therefore, Article 6(1)(f) GDPR could apply. Second, the court held that the processing of consumption data (such as energy use, flow, and temperatures) complied with Article 6(1)(c) GDPR. National law required the collection and storage of such data for billing, energy efficiency, and system operation. This law satisfied the requirements of Article 6(3) GDPR by defining the purpose, scope, and retention periods. Third, the court held that the processing of additional technical and historical data (such as error logs and operational records) complied with Article 6(1)(f) GDPR. The controller had a legitimate interest in ensuring the proper functioning and maintenance of the device. The processing was necessary for detecting faults and maintaining system reliability. Finally, the court found that the data subject’s interests did not override the controller’s interests. Access to detailed historical data required specialised tools, and the data was only used i
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for BF (data subject) in AT
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. BF (data subject) - Austria (2024). Retrieved from cookiefines.eu
Last updated: