Court case Ro 2019/04/0229 – Court Ruling (Austria, 2020)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
An Austrian company appealed a fine for GDPR violations related to CCTV use, and the court overturned the fine. This case highlights the need for clear accountability when enforcing data protection laws.
What happened
An Austrian court overturned a EUR 4,800 fine against a company for GDPR violations involving CCTV, due to procedural issues.
Who was affected
The company fined for GDPR violations related to its use of CCTV systems.
What the authority found
The court found that the fine was improperly issued because the authority did not accuse specific individuals responsible for the company's actions.
Why this matters
This ruling emphasizes the importance of identifying specific individuals responsible for data protection violations within a company. It suggests that enforcement actions must clearly attribute responsibility to avoid procedural errors.
GDPR Articles Cited
National Law Articles
The Austrian Data Protection Authority (DSB) had issued a fine of EUR 4,800 under Article 83 GDPR against a legal person based in Austria ("the company"). The reason for this fine were four violations of the GDPR and the DSG (Austrian Data Protection Act) in connection with a CCTV (closed circuit television). The company filed an appeal against this fine with the BVwG (Austrian Federal Administrative Court). On 19 August 2019 the BVwG repealed the fine and suspended the administrative penal procedure. It held that the DSB had failed to make an accusation pursuant to § 30(1) and (2) DSG (Austrian Data Protection Act) against specific persons who have a decisive influence on the accused company's business (managers) and whose own culpable actions (own actions, own omissions or lack of supervision of subordinate employees) can be attributed to the accused company. In its reasoning, the BVwG also referred to a VwGH (Austrian Supreme Administrative Court) decison regarding violations of the BWG (Austrian Banking Act). This is because § 30 DSG, that establishes rules for data protection liability of legal persons, has a very similar wording to § 99d BWG. The DSB filed an appeal against this decision with the VwGH requesting it to repeal the BVwG's decision and to reinstate the decision of the DSB. A) Is the VwGH case law on § 99d BWG relevant with regard to § 30 DSG and Article 83 GDPR? (§ 99d BWG requires culpable conduct on the part of a natural person who is entitled to decision-making or asserting control within the legal person.) B) Or rather, is the CJEU case law on fines under competition law relevant with regard to § 30 DSG and Article 83 GDPR? (EU competition law allows the European Commission to impose a fine against a legal person without having to specifically accuse a natural person of culpable conduct.) C) Is § 30 DSG even applicable or is there a lack of a corresponding opening-clause in the GDPR? (§ 30 DSG requires the same culpable conduct of a natural
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Court case Ro 2019/04/0229 in AT
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Court case Ro 2019/04/0229 - Austria (2020). Retrieved from cookiefines.eu
Last updated: