Court case W176 2255954-1 – Court Ruling (Austria, 2023)

A company filed a complaint against an individual – the controller – that unlawfully processed personal data of its employees and shareholders. The Austrian DPA dismissed the complaint claiming that the company waited more than 1 year since the time it became aware of the unlawful processing before filing. Therefore, its right to lodge a complaint expired. The company appealed the decision before the Austrian Federal Administrative Court. According to the company, by refusing to examine the case in the merits the Austrian DPA violated Article 77 GDPR. The Austrian DPA argued that a legal person does not fall within the personal scope of the GDPR pursuant to Article 1(1) and (2) GDPR. Therefore, no discussion on the applicability of Article 77 GDPR was relevant in the case at issue. The court clarified that only data subjects within the meaning of Article 4(1) GDPR have a right to lodge a complaint with the competent supervisory authority pursuant to Article 77 GDPR. Legal persons are not included in the category of "data subjects", as the GDPR mentions only “an identified or identifiable natural person”. As a legal person does not fall within the scope of protection of the GDPR, but (potentially) only of national data protection law, the national legislator can establish time limitations in the exercise of the right to lodge a complaint. This was the case with Austrian law, which enables the DPA to reject a complaint when the latter was filed after one year since the relevant facts became known to the affected legal person. Therefore, the court upheld the DPA’s view and dismissed the appeal.