Court case W274 2237071-1 – Court Ruling (Austria, 2021)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
An Austrian court ruled that a union wrongly asked a former member for extra ID proof to delete their personal data. The court found the union should not have doubted the member's identity without good reason. This case stresses the importance of respecting data deletion requests without unnecessary hurdles.
What happened
A union asked a former member for additional ID proof before deleting their personal data, which the court found unjustified.
Who was affected
The affected person was a former union member who requested the deletion of their personal data.
What the authority found
The court ruled that the union's request for extra ID proof was unjustified and that they should have processed the data deletion request without it.
Why this matters
This ruling underscores that organizations should not impose unnecessary identity verification steps when processing data deletion requests. It highlights the need for a balanced approach to verifying identity without creating barriers to exercising data rights.
GDPR Articles Cited
After multiple years as a member of a union the data subject decided to quit and sent the union a letter requesting termination of the membership and the deletion of personal data. Among other information the letter contained the membership number and the handwritten signature of the data subject. The union immediately terminated the membership of the data subject. In terms of the erasure request, however, the union asked for a copy of the ID of the data subject in order to progress with the deletion. Although the name and membership number were known to the union, it could not verify that also the signature on the letter was from the data subject. The union argued that although the data subject stated to be known to the union due to their long membership, the size of the union with over 1.2 million members and different administrative responsibilities did not constitute a personal relationship with the data subject. Moreover, the consequences of the data deletion would be severe compared to a resignation given that the data was necessary for a later re-entry in the union to continue the data subject’s membership. Therefore, and in accordance with Article 12(6) GDPR additional measures of identification were required. The data subject refused to provide a copy of the ID seeing a contradiction in providing even more data to achieve its deletion. The data subject argued that sending a copy of the ID does not mean any higher degree of reliability or proof of identity since it could be stolen, forged or used by another person. According to the GDPR additional information may only be requested if there are reasonable doubts about the identity of the natural person which does not allow for routine identity checks in all data subjects' rights. The BVwG ruled that the union unjustifiably requested proof of identity of the data subject and had not dealt with the latter's request for deletion. In this regard, it followed a previous position of the Austrian DPA according to
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Court case W274 2237071-1 in AT
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Court case W274 2237071-1 - Austria (2021). Retrieved from cookiefines.eu
Last updated: