Court case W274 2251055-1/5E – Court Ruling (Austria, 2023)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
An Austrian court ruled that a bank recorded phone calls without giving clients a way to opt-out. This matters because it highlights the importance of user consent in handling personal data. Companies should ensure they provide clear options for customers regarding data processing.
What happened
A bank recorded phone calls without allowing clients to opt-out of this processing.
Who was affected
Clients of the bank whose phone calls were recorded without their consent.
What the authority found
The court confirmed that the bank lacked a valid legal basis for recording calls, violating GDPR's requirement for user consent.
Why this matters
This ruling emphasizes that companies must respect user privacy and consent when processing personal data. It serves as a reminder for businesses to review their data handling practices.
GDPR Articles Cited
National Law Articles
In the original case before the Austrian DPA, the data subject filed a complaint, claiming that the controller (a bank) recorded their phone calls and there was no possibility to opt-out from such a processing. Clients were informed about the recording by a tape announcement at the beginning of the call. The controller justified the processing as a legitimate interest pursuant to Article 6(1)(f) GDPR, stating that recording was necessary to ensure the best service quality for clients. The controller also referred to their obligations under EU law, especially [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32014L0065 Directive 2014/65/EU (MiFID II)], and national banking laws, such as [https://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=Bundesnormen&Gesetzesnummer=20010182 § 66(1) Payment Services Act] (Zahlungsdienstegesetz - ZaDiG) and [https://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=Bundesnormen&Gesetzesnummer=20009943 § 33(2) and (3) Securities Supervision Act 2018] (Wertpapieraufsichtsgesetz 2018 - WAG). The DPA upheld the data subject's claim and issued a decision against the controller. The controller appealed this decision before the Austrian Federal Administrative Court (Bundesverwaltungsgericht - BVwG). To the arguments mentioned above, the controller added that that it was impossible not to record all incoming calls. Furthermore, the controller questioned the DPA's competence, as the case allegedly fell under the WAG and not the GDPR. The court rejected the controller's appeal. The court confirmed that the DPA was competent. The data subject's complaint was about their right to confidentiality of personal data. The infringement of Article 6(1) GDPR could lead to an infringement of [https://ris.bka.gv.at/geltendefassung.wxe?abfrage=bundesnormen&gesetzesnummer=10001597&tid=121676594&ShowPrintPreview=True § 1(1) Austrian Data Protection Act] (Datenschutzgesetz - DSG) which contains the fundamental right to data protection. The right t
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Court case W274 2251055-1/5E in AT
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Court case W274 2251055-1/5E - Austria (2023). Retrieved from cookiefines.eu
Last updated: