Data subject – Court Ruling (Austria, 2023)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
An Austrian court ruled that the regional office of the Public Employment Service processed a person's data without a proper legal basis. This case matters because it highlights the importance of having a clear reason for handling personal information, especially during times when benefits are not active. It serves as a reminder for companies to ensure they have valid reasons for processing personal data.
What happened
The regional office of the Austrian Public Employment Service processed a person's personal data during periods when no active benefit relationship existed.
Who was affected
The person who received unemployment benefits and whose personal data was processed by the regional office of the Public Employment Service.
What the authority found
The court found that the regional office did not have a valid legal basis for processing the person's data during certain periods, violating data protection rules.
Why this matters
This ruling emphasizes that organizations must have a legitimate reason for processing personal data, even when verifying eligibility for benefits. Companies should review their data handling practices to ensure compliance.
View original scraped data
Original data from scraper before AI verification against source document.
The data subject received unemployment benefits from a regional office (the controller) of the Austrian Public Employment Service (AMS). From 18 November 2016 until at least 19 January 2019, the regional office processed the data subject's personal data in connection with benefit eligibility checks. The processing included scheduling control appointments and ordering medical examinations to assess the data subject’s ability to work. The processed data included identification data and health data, such as references to heart problems and doubts about work capacity. The controller also transferred health-related information to a pension institution.
The data subject argued that the controller processed her data during periods in which no active supervisory or benefit relationship existed, including periods of illness and periods in which benefits had been suspended. She also argued that the controller accessed social security data without a legal basis during those periods.
On 25 July 2019, the data subject filed a complaint with the DPA against the controller. The DPA forwarded the complaint to the federal organisation of the AMS, not the controller (the regional office responsible for the data subject). The DPA later rejected the complaint, as it held that AMS Austria was the controller as the regional offices lacked separate legal personality. It also held that the processing was lawful because the AMS had statutory duties to verify eligibility for unemployment benefits.
The data subject appealed the DPA decision before the Federal Administrative Court. First, the court held that the GDPR applied because while the alleged infringement started before the GDPR became applicable on 25 May 2018, it continued on after. Second, the court held that the DPA had incorrectly assessed AMS Austria as the controller. The court noted that Article 4(7) GDPR expressly recognises a “public authority” as a controller. It also referred to Article 6(1)(e) GDPR, which covers processi
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Details
Ruling Date
14 December 2023
About this data
Cite as: Cookie Fines. Data subject - Austria (2023). Retrieved from cookiefines.eu