Dr. Ludwig A*** – Complaint Upheld (Austria, 2019)

The data subject, an Austrian resident, filed a complaint under Article 77 GDPR against the controller, a Swiss based company that offers its services (including hotels) i.a. in Austria under http://www.alpen***.at. After rejecting an offer by the controller for a stay in one of the controller's hotels, the data subject received an email with advertisement for the controller's newsletter including a subscription link. The data subject did not receive any information in line with Article 13 GDPR. On the DSB's request, the controller declared R*** Hotels GmbH as its representative under Article 27 GDPR and sent a reply to the data subject's complaint stating that any violation of Article 13 GDPR has been rectified under § 24(6) DSG by the information given in that reply. The data subject replied that § 24(6) DSG does not apply on violations of Article 13 GDPR and that - even if it would apply - the controller had still failed to provide all information required under Article 13 GDPR. In essence, the DSD had to decide whether or not §24(6) DSG that allows a controller to rectify data protection violations until the end of the proceedings before the DSB also applies on violations of Article 13 (and 14) GDPR. The DSB held that § 24(6) DSG also applies on violations of Article 13 and 14 GDPR. A controller may therefore rectify any violation of the GDPR information obligations until the end of the proceedings before the DSB. If a controller does so, the DSB stops proceedings and no formal decision is issued. Nevertheless, as the controller failed to provide information under Article 13(1)(a) to (f) GDPR even until the end of proceedings, the DSD held that the controller was still under the obligation to provide this information within four weeks. Also the controller was put under the obligation to adapt its data protection notice accordingly within a period of four weeks and to submit the adapted notice to the DSB.