Court case W252 2237416-1 – Court Ruling (Austria, 2023)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
An Austrian court ruled that a mail services provider gave enough information about how it targeted political ads. The court found the company explained its data sources and decision-making process well. This case shows that companies must clearly explain their data use to customers.
What happened
A mail services provider was challenged for not fully explaining how it targeted political ads, but the court found their explanation sufficient.
Who was affected
A person who received political ads and questioned how their data was used to target them.
What the authority found
The court ruled that the mail services provider adequately explained the data sources and logic behind targeting political ads.
Why this matters
This decision highlights the importance of transparency in automated decision-making and data use. Companies should ensure their explanations of data processing are clear and comprehensive.
GDPR Articles Cited
The data subject made an access request with the controller – a mail services provider. The controller delivered targeted political advertisements and the data subject why they were assigned to certain political affinities. However, in the data subject's view, the controller’s reply was not complete. For example, it did not contain the sources of the data and how the data subject was associated with certain political preferences for the purpose of political advertising. The data subject lodged a complaint with the Austrian DPA. The Austrian DPA upheld the complaint and found a violation of Articles 12(1) and 15(1)(g) and (h) GDPR, as the controller did not provide information about the sources and about how the affinity between the data subject and certain political groups had been inferred. The controller appealed the decision, arguing that the information asked by the data subject was not personal data but only “marketing classifications” to which neither profiling within the meaning of the GDPR nor Article 22(1) GDPR applied. The court upheld the controller's appeal. First, according to the judges, the sources were duly disclosed in the answer to the access request. The disclosure was also transparent and comprehensible, complying with the requirements of Article 12(1) GDPR. Second, concerning the alleged violation of Article 15(1)(h) GDPR, the court found that the controller provided sufficient information to understand the logic behind the automated decision-making pursuant to Article 22(1) and (4) GDPR. As a matter of fact, data processed were address, age and sex of the data subject; the method used a “statistical” one; and the purpose of the processing was to avoid to deliver irrelevant advertisement to the data subject. The court did not concern itself with the problem whether the processing at issue was profiling, nor with the issue whether the “marketing classifications” were actually personal data. The court stated that the disclosure of the algorithm
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Court case W252 2237416-1 in AT
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Court case W252 2237416-1 - Austria (2023). Retrieved from cookiefines.eu
Last updated: