OSCE – Dismissed (Austria, 2023)

Data subject one is an ambassador of a government and worked for the controller. Data subject two is married to data subject one. The controller is an international organisation, the Organization for Security and Co-operation in Europe (OSCE). The controller initiated an internal investigation against data subject one after a sexual harassment and discrimination complaint about them by a former employee of the controller. Data subject one argued the allegations were not true. During the internal investigation, Whatsapp and Telegram messages between the data subjects were disclosed, which did not reveal any harassing or discriminatory behaviour. The work phone of data subject one was also confiscated during the investigation without their consent. As part of the investigation, a large amount of content of the first complainant's work mobile phone was extracted and analysed. Content that had already been deleted had also been restored. Although the employee's allegations had not been confirmed, data subject one had been informed that the extracted or deleted and restored photos contained both nudity and pornographic content and that therefore proceedings would be initiated against them for violation of the controller’s code of conduct. The extracted data largely concerned the private and family life of data subject one. The health data of data subject one’s parents had also been revealed during the investigation. Therefore, data subject one requested the erasure of the unlawfully obtained data and to indicate which personal data had been obtained and which recipients the personal data was disclosed to. The controller replied that it would not comply with the two requests due to its immunity. The data subjects filed a complaint at the Austrian DPA (“Datenschutzbehörde”). The data subjects claimed there was a violation of their right to confidentiality as the controller analysed the work phone of data subject one on which (sensitive) personal data of the data subject