Court case W252 2249734-1 – Court Ruling (Austria, 2023)

Court Ruling
Datenschutzbehörde, 6 September 2023, Austria
final

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

An Austrian court ruled that the local data protection authority could not declare a company’s data processing unlawful based on an investigation it started on its own. This matters because it limits the authority's power to act without a complaint. Companies should know that they can challenge such decisions if they feel the authority overstepped its boundaries.

What happened

The court decided that the Austrian data protection authority could not issue a ruling on the legality of data processing without a complaint.

Who was affected

The company whose data processing was investigated by the Austrian data protection authority.

What the authority found

The court held that the authority lacked a legal basis to issue a ruling based on its own investigation, as per Article 58 of GDPR.

Why this matters

This ruling clarifies the limits of data protection authorities' powers, emphasizing that they need a complaint to take action. Companies should ensure they understand their rights in such investigations.

GDPR Articles Cited

Art. 58 GDPR

National Law Articles

§24 DSG
Decision Authority: BVwG
Reviewed Authority: DSB (Austria)

Full Legal Summary

On 15 June 2020, a USB stick containing a set of documents, including internal information of a company, was anonymously sent to the Austrian DPA (Datenschutzbehörde - DSB). The DPA then started an ex officio investigation and concluded, by decision of 6 November 2021, that the controller, as head of the company, had failed to meet security requirements because it saved personal data on a private and unsafe device.

Upon learning about the decision, the controller appealed it to the Austrian Federal Administrative Court (BVwG), stating, amongst other things, that the DPA was not allowed to start such a procedure against the controller and that the decision lacked a reasonable motivation. The controller also submitted that the DPA had failed to take into account the fact that the USB stick had actually been stolen by an employee of the controller. For its part, the DPA claimed that the appeal should be rejected by the Court.

The Court considered the appeal to be admissible and held that it cannot be inferred from Article 58 GDPR that competent supervisory authorities may adopt declaratory statements on the unlawfulness of processing activities on the basis of an ex officio investigation. In its decision, the Court referred to a judgment by the Supreme Administrative Court of Austria (Verwaltungsgerichtshof – VwGH) in case Ro 2020/04/0032-8, and held that Article 58 GDPR does not contain an explicit legal basis for such decisions to be issued. In particular, the Court stressed that according to Article 24 of the Austrian Data Protection Law (Datenschutzgesetz - DSG, https://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=bundesnormen&Gesetzesnummer=10001597), the DPA is only specifically allowed to issue declaratory statements on the infringement of a data protection provision on the basis of a complaint. Consequently, this is not possible in the case of an ex officio investigation by the DPA. In light of this, the Court held that the appeal should be upheld sinc

Outcome

Court Ruling

A ruling by a national court on a data-protection matter.

Related Cases (0)

No other cases found for Court case W252 2249734-1 in AT

This is the only recorded case for this entity in this jurisdiction.

Details

Ruling Date

6 September 2023

Authority

Datenschutzbehörde

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Court case W252 2249734-1 - Austria (2023). Retrieved from cookiefines.eu
