Court case W214 2219800-3 – Court Ruling (Austria, 2021)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
An Austrian court ruled that a government agency must delete a person's old ID photo after the ID is no longer valid. This matters because it shows how long personal data can be kept and when it should be deleted. The decision helps clarify rules about storing personal data like photos.
What happened
An Austrian court decided that a government agency must delete a person's old ID photo after the ID is no longer valid.
Who was affected
Individuals who have had their identity card photos stored by the agency, even after the ID is no longer valid.
What the authority found
The court ruled that while photos can be stored during the ID's validity, they must be deleted once the ID expires.
Why this matters
This case highlights the importance of data retention limits and could guide other agencies on when to delete personal data. It underscores the need for clear policies on data storage duration.
GDPR Articles Cited
National Law Articles
The controller issues identity cards and passports. The data transmitted for this purpose are in any case stored for the duration of the validity of the identity documents. The data subject reported losing an identity card ("old ID"), which was subsequently blocked. He then applied for a new identity card ("new ID") using the same photograph, which was still valid at the time of the decision. The photograph relating to the new ID was still stored at the time of the decision. The same photograph was also stored in the data set of the old ID, even though it had been blocked for more than three years. In a complaint to the Austrian DPA (DSB), the data subject requested, among other things, the deletion of these photographs. The DSB did not follow the data subject in this respect. The data subject filed an appeal against this with the Austrian Federal Administrative Court (BVwG). The BVwG ruled, among other things, that the controller is obliged to delete the photograph relating to the old ID. However, during the period of validity of an identity document, photographs may be stored. = The court first dealt with the question of whether photographs are biometric data within the meaning of Article 4(14) GDPR. In this regard, it stated that photographs serve to uniquely identify the person to whom the identity document is issued. This does not change if queries from the identity document register are carried out according to other criteria. In the end, however, the court leaves the qualification as biometric data open, since their processing would in any case be lawful under Article 9(2)(g) GDPR. The processing of biometric data was provided for at the statutory level by the Austrian Passport Act 1992 (PassG) for reasons of substantial public interest. = The court stated that there was no obligation to delete the data concerning the new identity card. Such obligation cannot exist during the period of validity of the identity card. After the expiry of the validity, § 22
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Court case W214 2219800-3 in AT
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Court case W214 2219800-3 - Austria (2021). Retrieved from cookiefines.eu
Last updated: