Court case Ro 2019/04/0232 – Court Ruling (Austria, 2023)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
An Austrian court ruled that a credit ranking agency did not violate GDPR when it completely erased a person's data after they requested deletion. The court found that deleting all data did not harm the person's rights under GDPR. This case shows that companies can fully delete data without breaching privacy rules if requested by the user.
What happened
A court ruled that a credit ranking agency's complete deletion of a person's data did not violate GDPR rights.
Who was affected
A person who requested data deletion from a credit ranking agency.
What the authority found
The court held that the complete deletion of data did not violate the right to erasure under GDPR, as no processing occurred after the data was erased.
Why this matters
This ruling clarifies that companies can fully erase personal data without violating GDPR if requested, reinforcing the importance of understanding data deletion rights. It reassures businesses that honoring complete deletion requests is compliant with privacy laws.
GDPR Articles Cited
The data subject made an erasure and a rectification request to the controller – a credit ranking agency. The controller deleted all the data concerning the data subject. The data subject lodged a complaint with the Austrian DPA for excessive erasure and violation of the right to data rectification. The Austrian DPA upheld the complaint with regard to the excessive erasure and rejected the part concerning data rectification. In particular, rectification was no longer possible after the controller deleted all the data subject’s personal data. The data subject appealed the decision before the Federal Administrative Court (Bundesverwaltungsgericht – BVwG). The court rejected the appeal and overturned the DPA decision also in the part concerning the alleged excessive erasure. According to the court, the data subject’s claim that the erasure was excessive was based on the fact that the complete lack of information on the data subject in the databases of the controller could be interpreted by a third party as lack of creditworthiness. The court rejected this argument and stated that due to the complete lack of personal data following the erasure no processing could take place: mere assumptions by third parties that are based on non-existence of certain data do not constitute processing and are therefore not subject to the GDPR. Therefore, right to erasure pursuant to Article 17 GDPR was not violated. Again due to the lack of information after the deletion, the right to rectification pursuant to Article 16 GDPR did not come into play at all. The data subject appealed the decision before the Supreme Administrative Court. The Supreme Administrative Court dismissed the appeal. The court acknowledged that a data subject has in principle the right to a partial deletion pursuant to Article 17 GDPR. However, this does not entail that a complete deletion of data by the controller violates the right to erasure. As a matter of fact, the controller – at least in this case – was u
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Court case Ro 2019/04/0232 in AT
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Court case Ro 2019/04/0232 - Austria (2023). Retrieved from cookiefines.eu
Last updated: