Father (data subject) – Court Ruling (Austria, 2026)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A father challenged the use of video footage from a retail store's surveillance system by the child's mother in a custody case. The court ruled that the retail branch was not responsible for the footage and that the mother's use of it was lawful. This decision highlights the importance of understanding who controls data in family and legal matters.
What happened
The father argued that the mother used retail surveillance footage unlawfully in a family court case.
Who was affected
The father, who shared custody of a minor child, was affected by the mother's use of the footage.
What the authority found
The court decided that the retail branch was not the controller of the CCTV footage, and the mother's processing was lawful under GDPR.
Why this matters
This ruling clarifies the responsibilities of different parties in data handling, especially in sensitive situations like custody disputes. It serves as a reminder for individuals to be aware of data ownership and usage rights.
Original data from scraper before AI verification against source document.
The father (the data subject) and the mother (controller) shared a minor child. On 18 May 2024, the data subject brought the child to the retail branch where the controller worked and left the child there. A video surveillance system at the branch recorded the handover. The controller obtained access to the footage and on 1 July 2024, she submitted it to the family court to raise concerns about the child's welfare. During the proceedings, a court-appointed expert assessed the incident and concluded that the father's conduct did not amount to a child welfare risk.
On 12 July 2024, the data subject filed a complaint with the DPA. He argued that the use of the retail camera footage for private purposes breached the purpose limitation principle and lacked a legal basis. He also claimed that the retail branch had inadequate security measures because the mother had been able to access the footage. The DPA rejected the complaint. It found that the retail branch was not the controller for the video surveillance processing and that the mother's processing was lawful under Article 6(1)(f) GDPR.
The father appealed to the court. First, the court held that the complaint against the retail branch failed because the branch was not the controller for the CCTV system, as another company within the corporate group had decided the purposes and means of the surveillance. Second, the court held that the mother was also a controller for the separate processing, purposes, and for submitting it to the family court. Third, the court assessed the lawfulness of the mother's processing under Article 6(1)(f) GDPR.
The court found that the mother had a legitimate interest in asserting her rights in the child contact proceedings and in addressing a potentially problematic handover situation. The court also considered the child's interest in avoiding harmful or conflict-laden handovers to be a relevant third-party legitimate interest. It noted that behaviour and interactions during child hando
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Cite as: Cookie Fines. Father (data subject) - Austria (2026). Retrieved from cookiefines.eu