Dr. Franziska A. – Complaint Upheld (Austria, 2023)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Dr. Franziska A. won a case against a local authority that shared her private registration data without her knowledge. This is significant because it reinforces the right to privacy and the need for organizations to protect sensitive information. Businesses should be aware that sharing personal data without consent can lead to serious consequences.
What happened
A local authority shared Dr. Franziska A.'s registration data with a detective agency without informing her.
Who was affected
Dr. Franziska A., whose private registration data was disclosed without her consent.
What the authority found
The Austrian DPA found that the local authority had unlawfully processed personal data, violating GDPR's requirements for privacy and consent.
Why this matters
This case highlights the importance of safeguarding personal information and the legal obligations organizations have to protect it. Companies must ensure they have a valid reason before sharing any personal data.
The data subject (Dr. Franziska A.) has a standing prohibition on the disclosure of her registration data because of her occupation as a prosecutor. Nevertheless, on 27 December 2021 an employee of the controller (Marktgemeinde N., a market town) passed that information to a detective agency at the agency's request. The data subject was not informed. On 27 January 2023, as a consequence of the detective agency gaining access, the data was used in proceedings to which the data subject's mother was party. The mother informed the data subject shortly afterwards. On 31 January 2023, the data subject demanded information from the municipal authority as to who had been given access to her registration data in the past three years. The authority's answer on 17 February 2023 included the accessing and sharing of the registration data by the controller. On 2 March 2023 the controller confirmed this and referred to a 2015 decree of the ministry of the interior as a legal basis. On 5 April 2023 the data subject lodged a complaint with the data protection authority, claiming a violation of the right to secrecy. Following that, the controller apologized on 14 April 2023 and stated that the decree from 2015 did not apply in this case and that they had made a mistake.
The Austrian DPA stated that not the employee but the controller as an entity is responsible, in its role as a public authority. As such, it needs a legal basis for the processing of personal data that is in accordance with the MeldeG (the Austrian law of registration). The prohibition on disclosure of the data subject's registration data requires the controller either to withhold the personal data from the requesting entity or to inform the data subject of the request and allow her to state her opinion on the matter according to § 18(5) MeldeG. Since neither was done, the processing of personal data was already unlawful and in violation of the GDPR and more specifically the right to secrecy according to § 1(1
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Related Enforcement Actions (0)
No other enforcement actions found for Dr. Franziska A. in AT
This is the only recorded action for this entity in this jurisdiction.
About this data
Cite as: Cookie Fines. Dr. Franziska A. - Austria (2023). Retrieved from cookiefines.eu