Ex-employee (data subject) – Complaint Upheld (Austria, 2021)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
An ex-employee complained that the Austrian Federal Ministry of the Interior shared confidential files containing his personal information without redacting sensitive details. The court agreed, stating that the ministry should have protected the ex-employee's information as it could endanger intelligence sources. This ruling emphasizes the importance of safeguarding personal data, even in government inquiries.
What happened
The Austrian Federal Ministry of the Interior disclosed unredacted personal data of an ex-employee to a parliamentary inquiry committee.
Who was affected
The ex-employee whose personal information was disclosed without redaction.
What the authority found
The authority ruled that the ministry violated confidentiality rules by disclosing information that could endanger an intelligence source.
Why this matters
This case highlights the need for public bodies to carefully consider data protection when sharing information, especially regarding sensitive personal data. It serves as a reminder for organizations to prioritize confidentiality in their operations.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
National Law Articles
Entities Involved
The data subject worked for the former Austrian Federal Office for the Protection of the Constitution and Counterterrorism (BVT). In 2018, the Austrian Federal Ministry of the Interior submitted files to the BVT parliamentary inquiry committee of the Austrian National Council (BVT-UA). The ministry transferred the files with the classification level “Confidential”. However, the files contained unredacted personal data relating to the data subject and details about the data subject’s professional activities. The disclosure reached the 18 members of the inquiry committee, while all members of the Austrian National Council could inspect the documents. The ministry argued that a federal constitutional law obliged public bodies to provide parliamentary inquiry committees with complete and unredacted files within the scope of the investigation. The data subject filed a complaint with the Austrian DPA, arguing that the disclosure violated the right to confidentiality under local laws and the GDPR. First, the DPA noted that the federal constitutional law generally required authorities to provide inquiry committees with unredacted files. However, the DPA stressed that there is an exception for information whose disclosure could endanger intelligence sources. It found that the data subject qualified as such a protected intelligence source. Therefore, the ministry should not have disclosed information revealing the data subject’s intelligence-related activities without redactions. Second, the DPA held that the ministry breached the proportionality requirement under [https://www.ris.bka.gv.at/NormDokument.wxe?Abfrage=Bundesnormen&Gesetzesnummer=10001597&Artikel=1&Paragraf=1&Anlage=&Uebergangsrecht= § 1(2) DSG], as it should have used the least intrusive means available. According to the DPA, the ministry could have achieved its goals by submitting redacted files instead of fully identifiable documents. Third, the DPA held that the disclosure also violated Article 5(1)(a) GDPR
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Related Enforcement Actions (0)
No other enforcement actions found for Ex-employee (data subject) in AT
This is the only recorded action for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Ex-employee (data subject) - Austria (2021). Retrieved from cookiefines.eu
Last updated: