Court case W252 2247092-1 – Court Ruling (Austria, 2023)

The data subject filed a complaint against the controller for the unnecessary storage of payment data. The data subject claimed that data were outdated and no longer useful to check their creditworthiness. The Austrian DPA held that storage was excessive and contrary to the GDPR. The controller appealed the decision, pointing out to have meanwhile erased data. This was, according to the controller, not on the basis of a legal obligation, but as a spontaneous gesture of good will. The Austrian Federal Administrative Court (Bundesverwaltungsgericht – BVwG) upheld the controller’s appeal. According to the court, in lack of a law stating the contrary, a judge should assess the existence of a violation with regard to the time of the adoption of their decision. The court pointed out that § 24(6) of the Austrian Data Protection Law (Datenschutzgesetz – DSG) enables controllers to remedy to violations during proceedings before the DPA. The court stressed that such a national provision is not contrary to the GDPR. As matter of fact, Article 58 GDPR does not provide the DPAs with any power to adopt declaratory binding decisions about the existence of certain violations. What Article 58(6) GDPR does is exclusively to enable Member States to confer additional powers to the DPAs under national law. Austria decided to implement this provision by giving its DPA the power to ascertain the existence of ongoing violations, not violations that occurred in the past. In light of the above, the court invalidated the DPA’s decision.