Datenschutzbehörde – Court Ruling (Austria, 2022)

A number of data subjects attended a festival, during which they were allegedly recorded by a surveillance system without a legal basis. The data subjects contested that their right to information had been restricted by the controllers and processors, since they requested to be sent a copy of their personal data and to restrict further processing in accordance with Article 18(1) GDPR, which was met with the reply that the recordings had been deleted and that the data was not of personal nature due to it only showing persons up to the waist. The data subjects filed a complaint with the Austrian DPA who investigated the case. The defendants and alleged controllers were in the business of event management, advertising and consultancy. Part of their activities included counting visitor numbers and filtering this information into categories of age and gender. They recorded the visitor numbers at the festival through, among others, surveillance cameras. The defending parties denied that they were controllers pursuant to Article 4(7) GDPR. They argued that they organised the festival and processed the data of the data subject's on behalf of a contract with the local municipality, who should be deemed the controller. The municipality, however, had terminated the contract with the defendants. The defendants were in the process of disputing the validity of the termination in separate civil law proceedings in front of a regional court. Consequently, the Austrian DPA decided to suspend its decision on a complaint according to § 38 AVG until the regional court had decided in a civil law suit on whether the defendants in the complaint proceedings had acted on behalf of a valid contract with the municipality. The DPA believed that the answer to the question whether a valid contract was in place was an essential preliminary question to establish who the controllers were pursuant to Article 4(7) GDPR. The data subjects brought in a complaint against this decision by the DPA at