Court case W137 2255764-1 – Court Ruling (Austria, 2023)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
An Austrian court ruled against a company for transferring personal data to the US without a valid legal basis. The court found that the standard contracts used did not provide enough protection against US government access to the data. This case reinforces the need for companies to ensure strong safeguards when transferring data outside the EU.
What happened
A company unlawfully transferred personal data to the US using Google Analytics without proper legal protection.
Who was affected
Individuals whose personal data was transferred to the US when visiting the company's website.
What the authority found
The court ruled that the standard contracts used by the company did not guarantee adequate protection for personal data, violating GDPR requirements.
Why this matters
This ruling underscores the importance of having robust data protection measures in place for international data transfers. Businesses must evaluate their compliance with data protection laws to avoid similar issues.
GDPR Articles Cited
This judgement stems from one of the 101 complaints filed by the NGO noyb in the context of data transfers to the US. The data subject lamented a violation of Chapter V GDPR due to the unlawful transfer of their personal data in lack of a valid legal basis. The controller made use of analytical tools by Google on their website. When visiting such a website, the data subject triggered a transfer of personal data to the US, where Google processes personal data imported from Europe. Data transfers between US and EU were originally based on an Adequacy Decision by the Commision, in turn based on the transatlantic legal framework known as 'Privacy Shield'. Nevertheless, after C-311/18 (“Schrems II”), the Commission’s adequacy decision concerning was invalidated by the CJEU. Consequently, controllers could export data only on the basis of alternative tools guaranteeing an adequate level of protection, such as Standard Contractual Clauses (SSCs). The Austrian DPA held that SSCs implemented by the controller – the “data exporter” – could not guarantee an adequate level of protection, mainly due to their inability to limit the power of US intelligence agencies to access personal data stored by Google. The controller appealed the decision. The controller claimed that data transferred were not personal data and that in any case Chapter V GDPR envisages a risk-based approach, which was taken into account by the controller. Finally, the controller also argued that the data subject had no legitimation to bring action, as at the time of the events they were working for the NGO that represented them in the procedure before the DPA. The Austrian Federal Administrative Court (Bundesverwaltungsgericht - BVwG) rejected the appeal. First, the court denied that the fact that the data subject worked with the NGO representing them pursuant to Article 80 GDPR could exclude their legitimation to file a complaint against the controller. About the qualification of the information transferre
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Court case W137 2255764-1 in AT
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Court case W137 2255764-1 - Austria (2023). Retrieved from cookiefines.eu
Last updated: