OSCE – Dismissed (Austria, 2023)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
An Austrian court dismissed a complaint from two individuals against the Organization for Security and Co-operation in Europe (OSCE) regarding the handling of personal data during an internal investigation. The court found that the OSCE's actions were justified due to its immunity. This case highlights the challenges individuals face when dealing with international organizations.
What happened
The complaint against OSCE regarding the unlawful handling of personal data during an internal investigation was dismissed.
Who was affected
An ambassador and their spouse, whose private messages and data were analyzed during the investigation.
What the authority found
The court ruled that the OSCE's actions were protected by its immunity, thus dismissing the complaint.
Why this matters
This case underscores the difficulties individuals may encounter when seeking accountability from international organizations. It serves as a reminder for organizations to handle personal data responsibly, even under immunity.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
Data subject one is an ambassador of a government and worked for the controller. Data subject two is married to data subject one. The controller is an international organisation, the Organization for Security and Co-operation in Europe (OSCE). The controller initiated an internal investigation against data subject one after a sexual harassment and discrimination complaint about them by a former employee of the controller. Data subject one argued the allegations were not true. During the internal investigation, Whatsapp and Telegram messages between the data subjects were disclosed, which did not reveal any harassing or discriminatory behaviour. The work phone of data subject one was also confiscated during the investigation without their consent. As part of the investigation, a large amount of content of the first complainant's work mobile phone was extracted and analysed. Content that had already been deleted had also been restored. Although the employee's allegations had not been confirmed, data subject one had been informed that the extracted or deleted and restored photos contained both nudity and pornographic content and that therefore proceedings would be initiated against them for violation of the controller’s code of conduct. The extracted data largely concerned the private and family life of data subject one. The health data of data subject one’s parents had also been revealed during the investigation. Therefore, data subject one requested the erasure of the unlawfully obtained data and to indicate which personal data had been obtained and which recipients the personal data was disclosed to. The controller replied that it would not comply with the two requests due to its immunity. The data subjects filed a complaint at the Austrian DPA (“Datenschutzbehörde”). The data subjects claimed there was a violation of their right to confidentiality as the controller analysed the work phone of data subject one on which (sensitive) personal data of the data subject
Outcome
Dismissed
The complaint or investigation was dismissed.
Related Enforcement Actions (0)
No other enforcement actions found for OSCE in AT
This is the only recorded action for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. OSCE - Austria (2023). Retrieved from cookiefines.eu
Last updated: