Court case W171 2302513-1 – Court Ruling (Austria, 2026)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The controller was an Austrian magazine publisher based in Vienna. Its business consisted in publishing and distributing weekly, monthly and other periodicals. The data subject was a long-standing customer of the controller. They held multiple subscriptions. On 7 March 2022, the data subject received an informational email with regard to one of their subscriptions. The email contained links allowing users to unsubscribe from further emails or manage their email settings. The unsubscribe link led to a website operated by the controller’s marketing software provider. The provider was a company specializing in mass email marketing solutions. Its parent company was headquartered in USA, while its subsidiary was based in Germany. The data subject complained to the controller and requested information regarding the receipt of this email. Additionally, they contended that the transfer of their data to the United States was unlawful. On 25 April 2022, the data subject lodged a complaint with the Austrian DPA. They argued that the controller had failed to properly respond to their access request, had not provided the required information under the GDPR and had apparently transferred personal data to the United States without a valid legal basis. The controller alleged that the failure to respond happened because of an internal error. It argued that it had subsequently provided the data subject with the information required under Article 13 GDPR, Article 14 GDPR and Article 15 GDPR. The controller further submitted that for the sending of informational emails, it used a marketing software provider, acting as a processor, which offered services for the mass sending of emails. According to the controller, only the data subject’s first name, surname and email address were shared for this purpose. It acknowledged that a transfer to third countries could not be ruled out, but argued that any such transfer was covered by Standard Contractual Clauses (SCCs) and additional technic
GDPR Articles Cited
The controller was an Austrian magazine publisher based in Vienna. Its business consisted in publishing and distributing weekly, monthly and other periodicals. The data subject was a long-standing customer of the controller. They held multiple subscriptions. On 7 March 2022, the data subject received an informational email with regard to one of their subscriptions. The email contained links allowing users to unsubscribe from further emails or manage their email settings. The unsubscribe link led to a website operated by the controller’s marketing software provider. The provider was a company specializing in mass email marketing solutions. Its parent company was headquartered in USA, while its subsidiary was based in Germany. The data subject complained to the controller and requested information regarding the receipt of this email. Additionally, they contended that the transfer of their data to the United States was unlawful. On 25 April 2022, the data subject lodged a complaint with the Austrian DPA. They argued that the controller had failed to properly respond to their access request, had not provided the required information under the GDPR and had apparently transferred personal data to the United States without a valid legal basis. The controller alleged that the failure to respond happened because of an internal error. It argued that it had subsequently provided the data subject with the information required under Article 13 GDPR, Article 14 GDPR and Article 15 GDPR. The controller further submitted that for the sending of informational emails, it used a marketing software provider, acting as a processor, which offered services for the mass sending of emails. According to the controller, only the data subject’s first name, surname and email address were shared for this purpose. It acknowledged that a transfer to third countries could not be ruled out, but argued that any such transfer was covered by Standard Contractual Clauses (SCCs) and additional technic
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Court case W171 2302513-1 in AT
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Court case W171 2302513-1 - Austria (2026). Retrieved from cookiefines.eu
Last updated: