Court case W298 2252644-1 – Court Ruling (Austria, 2023)

The data subject was a judge working at the Austrian Federal Administrative Court. An internal judicial body – the controller – opened a disciplinary investigation concerning the data subject’s performance at work, including the latter’s mental health. The disciplinary body concluded the investigation with a final report and an evaluation of the data subject, which were subsequently notified to them. The data subject brought action against the controller for violation of Articles 5(1)(a) to (c), 6 and 9 GDPR. According to the data subject, the investigation would have been hampered by many inadequacies and investigative mistakes in the processing of their personal data. In particular, the controller would have picked and chosen pieces of evidence, deliberately ignoring fundamental elements. The Austrian Federal Administrative Court dismissed the data subject’s claim. According to the judges, data protection law cannot override the rules delimiting jurisdictions. A review of the investigation methods by the Federal Administrative Court would encroach upon the competence of the disciplinary body, which is a judicial body as well. In other words, a data subject cannot use data protection law to limit the investigative powers of a judicial body whose jurisdiction is subject to.