Data subject – Court Ruling (Austria, 2023)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
An Austrian woman challenged how her personal data was handled by the Public Employment Service while she received unemployment benefits. The authority ruled that the processing was lawful because it was necessary for verifying eligibility, but the case highlights the importance of clear data handling practices for companies.
What happened
The Austrian Public Employment Service processed a woman's personal data related to her unemployment benefits without her consent during inactive periods.
Who was affected
The woman receiving unemployment benefits from the Austrian Public Employment Service was affected.
What the authority found
The authority decided that the processing of her data was lawful under the relevant laws, as it was necessary for the service's statutory duties.
Why this matters
This case emphasizes the need for organizations to ensure they have a valid legal basis for processing personal data, especially during periods when users are not actively engaged with services.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
The data subject received unemployment benefits from a regional office (the controller) of the Austrian Public Employment Service (AMS). From 18 November 2016 until at least 19 January 2019, the regional office processed the data subject's personal data in connection with benefit eligibility checks. The processing included scheduling control appointments and ordering medical examinations to assess the data subject’s ability to work. The processed data included identification data and health data, such as references to heart problems and doubts about work capacity. The controller also transferred health-related information to a pension institution. The data subject argued that the controller processed her data during periods in which no active supervisory or benefit relationship existed, including periods of illness and periods in which benefits had been suspended. She also argued that the controller accessed social security data without a legal basis during those periods. On 25 July 2019, the data subject filed a complaint with the DPA against the controller. The DPA forwarded the complaint to the federal organisation of the AMS, not the controller (the regional office responsible for the data subject). The DPA later rejected the complaint, as it held that AMS Austria was the controller as the regional offices lacked separate legal personality. It also held that the processing was lawful because the AMS had statutory duties to verify eligibility for unemployment benefits. The data subject appealed the DPA decision before the Federal Administrative Court. First, the court held that the GDPR applied because while the alleged infringement started before the GDPR became applicable on 25 May 2018, it continued on after. Second, the court held that the DPA had incorrectly assessed AMS Austria as the controller. The court noted that Article 4(7) GDPR expressly recognises a “public authority” as a controller. It also referred to Article 6(1)(e) GDPR, which covers processi
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Data subject in AT
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Data subject - Austria (2023). Retrieved from cookiefines.eu
Last updated: