Court case 6Ob174/25v – Court Ruling (Austria, 2026)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
An Austrian court ruled that a national security authority did not have to provide complete information to a person who requested access to their security assessment. This decision matters because it clarifies the limits of access rights in cases involving national security. It shows that some information may not be accessible due to specific legal exceptions.
What happened
A national security authority denied a person's request for complete information about their security assessment.
Who was affected
The individual who made the access request regarding their security assessment was affected.
What the authority found
The court decided that the individual could not access the information under privacy laws due to national security exceptions.
Why this matters
This ruling highlights the balance between privacy rights and national security, indicating that not all requests for information can be granted, especially in sensitive contexts.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
The data subject made an access request to a national security authority (the controller) who had conducted multiple security assessments about him. The data subject had been informed that the security assessment in connection with his use of the federal press service’s online accreditation had resulted in a negative recommendation. The data subject stated that the controller had provided him incomplete information as a response to the access request. In the proceedings before the court of first instance, the data subject demanded the controller to provide him access to complete and correct information according to Article 15 GDPR and claimed €100 in damages. In addition, he requested a declaration of the liability of the controller due to the inadequate execution of his access request. The court of first instance rejected the claims on the grounds of inadmissibility of legal recourse. The appeals court found GDPR did not apply to the case according to the exception in Article 2(2)(d) GDPR and held that the alleged infringement must be asserted before the DPA with legal recourse to the administrative court. The data subject stated in his appeal before the Austrian Supreme Court that he had the right to assert his claims in the ordinary course of law by virtue of Article 79 GDPR. The Austrian Supreme Court rejected the appeal with regard to the access request under Article 15 GDPR. It held that the data subject would only benefit from the dual nature of legal protection by the DPA and the civil courts within the scope of application of the GDPR. The court ruled that the GDPR was not applicable in the present case: the purpose of the security assessments was to evaluate the trustworthiness of a person and provide information on whether they would commit dangerous attacks. Therefore, they clearly fell within the scope of the exception in Article 2(2)(d) GDPR. The data subject was not able to prove that his personal data had also been processed for administrative, or
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Court case 6Ob174/25v in AT
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Court case 6Ob174/25v - Austria (2026). Retrieved from cookiefines.eu
Last updated: