Osterreichische Post AG (controller) – Court Ruling (Austria, 2022)

The data subject submitted an access request to the controller, Osterreichische Post AG, and she received a letter in response dated 10.12.18. The data subject submitted a complaint to the Austrian DPA (DSB) on 18.02.20 alleging that the controller had no legal basis under which to process her data and that the response she received to her request was incomplete and thus violated her right to access her personal data. The DPA rejected the data subject's complaint on the grounds that her right to file a complaint had expired per § 24(4) DSG because more than a year had elapsed between the time she discovered the alleged violation and the time she filed her complaint. The data subject appealed on the grounds that the unlawful processing of her data had continued until 13.11.19 when her personal data were deleted by the controller. The controller admitted in a letter to the DPA that the last of its marketing data had been deleted on 13.11.19 but claimed the complainant data subject's personal data had been deleted almost a year earlier on 13.12.18. The Federal Adminstrative Court annulled the contested decision and remanded the matter back to the DPA. Whether the data subject had a right to file a complaint depended entirely on which party's timeline was correct. This was a factual question which was the competence of the DPA, not the Court. The DPA had relied on the controller's submission without verifying it independently, so the Court ordered the DPA to perform its own investigation.