Wikimedia Foundation Inc – Dismissed (Austria, 2023)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
An Austrian artist asked Wikimedia Foundation to delete inaccurate data about him on Wikipedia. Wikimedia refused, saying they don't fall under GDPR because they're based in the USA and the data was for public interest. The Austrian authority dismissed the complaint, agreeing with Wikimedia's reasoning.
What happened
Wikimedia Foundation refused to delete inaccurate data about an Austrian artist on Wikipedia, arguing GDPR didn't apply to them.
Who was affected
An Austrian artist who was unhappy with how his film credits were listed on Wikipedia.
What the authority found
The Austrian authority agreed with Wikimedia that GDPR didn't apply because they are based in the USA and the data was for journalistic purposes.
Why this matters
This case highlights the complexities of GDPR's territorial scope, especially for non-EU companies like Wikimedia. It shows that businesses outside the EU might not always be subject to GDPR even if they have some connections to EU countries.
GDPR Articles Cited
The data subject is an Austrian artist who is known to a wider public in Austria through his work as a filmmaker, screenwriter and cameraman. The controller, Wikimedia Foundation Inc, is the operator of Wikipedia.org. The data subject requested the controller to erase all his data under Article 17 GDPR, because the data was inaccurate and not up to date. The registered films were not up to date and there were also errors with certain films, in which he was either not correctly listed or the films had incorrect titles. The controller refused the erasure request based on two reasons. Firstly, the controller claimed that it did not fall under the territorial scope of the GDPR (Article 3 GDPR) as it was based exclusively in the USA and under US law, and thus the GDPR is not applicable. It also did not provide any goods or services to persons such as the data subject. Secondly, the data processing was lawful due to the legitimate interest of the public as the data subject is a public figure and the processing was carried out for journalistic purposes. Even if the GDPR was applicable, the controller claimed that the data subject would not be entitled to erasure because the media privilege would apply. The data subject filed a complaint with the Austrian DPA (Datenschutzbehörde, DSB), claiming that data processed by the controller was not factually accurate or up to date. The principle of accuracy under Article 5(1)(d) GDPR obliges the controller to ensure that the data is both factually correct and, if necessary, up to date. Regarding the applicability of the GDPR, the DPA found that, although the controller was based in the USA, it had a total of 38 national branch associations with at least one of them located in Austria. There was also an automatic redirection (after entering a search term) from "http://wikipedia.at" to "https://de.wikipedia.org", which clearly showed the close links between the controller’s (branch) associations and the controller itself and the ai
Outcome
Dismissed
The complaint or investigation was dismissed.
Related Enforcement Actions (0)
No other enforcement actions found for Wikimedia Foundation Inc in AT
This is the only recorded action for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Wikimedia Foundation Inc - Austria (2023). Retrieved from cookiefines.eu
Last updated: