Court case Ra 2020/04/0187 – Court Ruling (Austria, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
An advertising company in Austria faced a legal challenge over a fine for allegedly selling personal data. The court ruled that the fine was invalid because the responsible individuals were not identified. This case raises questions about how companies can be held accountable for privacy violations.
What happened
An Austrian court overturned an €18 million fine against an advertising company due to lack of identification of responsible individuals.
Who was affected
Individuals whose personal data was allegedly sold by the advertising company.
What the authority found
The Austrian court ruled that the fine was unlawful because the responsible natural persons were not identified, which is necessary for attributing the infringement to the company.
Why this matters
This ruling highlights the complexity of holding companies accountable for data breaches and may influence how authorities attribute responsibility in future cases. It stresses the need for clear identification of individuals responsible for privacy violations.
GDPR Articles Cited
The controller is an address publisher and direct advertising company that operates a data application in order to provide advertisers with personal data for targeted marketing measures. In 2019, the Austrian Data Protection Authority (DSB) initiated an ex officio investigation against the controller, following media reports about the alleged sale of personal data, in particular information about the political affinity of individual persons. Based on the findings, the DSB issued a fine of €18,000,000. The natural persons responsible for the infringements belonged to the economic unit formed by the controller as a legal person. Therefore the infringement was attributed to the controller. The controller appealed to the Federal Administrative Court (BVwG), arguing that it was not sufficient for a legal person to have committed a criminal offence for a fine to be imposed on it under the GDPR. As a legal person that cannot act on its own, the actions of a natural person must also be attributed to it but the DSB had omitted this attribution. The BVwG agreed with the controller's reasoning. Since the DSB had not named the natural person whose breach of the GDPR was to be attributed to the controller, the DSB's decision proved to be unlawful. The DSB filed an extraordinary official appeal against this decision with the Austrian Supreme Administrative Court (VwGH). It referred to the pending case of the Higher Regional Court of Berlin (KG Berlin) before the Court of Justice of the European Union (CJEU) (Case C-807/21) where the question at issue - as in the case at hand - is whether the supervisory authority must record and name those natural persons who are responsible for the infringement in order to enable attribution to the legal person, or whether this is not necessary. The DSB therefore requested to refer the question of the direct criminal liability of a legal person under Article 83 GDPR and the question of the compatibility of § 30 Datenschutzgesetz (Austrian Data
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Court case Ra 2020/04/0187 in AT
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Court case Ra 2020/04/0187 - Austria (2022). Retrieved from cookiefines.eu
Last updated: