Court case W176 2248585-1 – Court Ruling (Austria, 2023)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
An Austrian court ruled that a money transfer company mishandled a customer's request for personal data access. The company initially used an online platform that the customer was uncomfortable with and later failed to deliver the information by courier as promised. This case emphasizes the importance of respecting customer preferences in data access requests.
What happened
A money transfer company failed to provide requested personal data to a customer in the agreed manner.
Who was affected
The customer who requested access to their personal data from the money transfer company.
What the authority found
The Austrian DPA found the company violated GDPR Articles 12 and 15 by not fulfilling the data access request as agreed.
Why this matters
This ruling highlights the need for companies to honor customer preferences in data access requests and ensure compliance with GDPR requirements. It stresses the importance of clear communication and flexibility in handling such requests.
GDPR Articles Cited
National Law Articles
This case concerns an access request submitted by a data subject, under Article 15 GDPR, to a money transfer and payment services company which primarily offers consumer and digital money transfers, the controller. The access request was submitted on 24 July 2019. On 16 December 2019, the data subject filed a complaint with the relevant DPA. The controller responded on 21 February 2020 that it had complied with the access request “in full and good time”. At this point in proceedings, the data subject was able to see, from the controller’s statement, that the controller had used an online platform to comply with the access request. The data subject had previously received two emails through this online platform, but did not want to open them as the sender was not known to her at the time and the controller had not informed her that they would be using this system. According to their submissions to the DPA, the data subject had concerns over this platform, and did not want to use it, as it required her to create an account and provide an ID card. She therefore requested that the controller send a physical copy of the requested information via a trackable express courier service, the controller agreed to do so. The proceedings before the DPA continued and, in a submission dated 2 August 2021, the data subject asserted that the controller had not provided the information via courier as agreed. The DPA held in favour of the data subject, finding that the controller had violated Articles 12 and 15 GDPR, and ordered them to provide the information within 4 weeks. The controller appealed this decision to the Federal Administrative Court (BVwG), essentially alleging that the DPA had issued its decision unlawfully and on the basis of inadequate findings of fact. The controller submitted that the data subject had submitted the access request on 24 July 2019, then on 8 August 2019 the controller asked for proof of identity, which the data subject provided on 16 August 2019. Aft
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Court case W176 2248585-1 in AT
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Court case W176 2248585-1 - Austria (2023). Retrieved from cookiefines.eu
Last updated: