Österreichische Datenschutzbehörde (Austrian DPA) – Court Ruling (Austria, 2023)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Austria's data protection authority faced a court challenge after it dismissed a complaint about access to personal data. The court ruled that the authority couldn't simply reject complaints as excessive without clear evidence. This decision highlights the importance of handling user complaints properly.
What happened
The Austrian DPA dismissed a user's complaint about access to their personal data, claiming it was excessive.
Who was affected
A user who filed a complaint regarding their right to access personal data held by a company.
What the authority found
The court decided that the DPA must provide clear evidence to classify a complaint as excessive, which they failed to do.
Why this matters
This ruling emphasizes that authorities must take user complaints seriously and cannot dismiss them without justification. It serves as a reminder for companies to be prepared for user inquiries about their data.
GDPR Articles Cited
On 17 February 2020, a data subject (the complainant) lodged a data protection complaint under Article 77(1) GDPR for breach of the right of access under Article 15 GDPR by a company. By decision of 22 April 2020, the DPA refused to deal with the data protection complaint under Article 57(4) GDPR on the basis that between 28 August 2018 and 7 April 2020, the complainant had submitted 77 data protection complaints that were essentially the same and regularly contacted by phone the DPA. Thus, the complainant brought an action against the decision before the Austrian Administrative Court, which, on 22 December 2022, upheld the complaint and annulled the DPA decision because it could not be said with certainty from Article 57(4) GDPR when a request is ‘excessive’, but it could be derived that they had to be frequent but also ‘manifestly vexatious or abusive in nature’, which the DPA had not demonstrated. The DPA challenged this judgement before the Supreme Administrative Court (Supreme Court). On 6 July 2023, the Austrian DPA requested the Supreme Court to refer a question to the CJEU, namely, whether the concept of ‘request’ in Article 57(4) GDPR could be interpreted as also covering ‘complaints’ under Article 77(1) GDPR. The Supreme Court stated that the concept of ‘requests’ within the meaning of Article 57(4) GDPR is not defined more precisely in the GDPR. Nonetheless, Article 57(2) GDPR and Article 57(3) GDPR suggest that the concept also includes complaints under Article 77(1) GDPR since the handling of complaints is a primary task of any supervisory authority, which should facilitate their submission and provide services free of charge. Additionally, if the CJEU would answer affirmatively, the following questions were referred. Firstly, the Supreme Court noted that carrying out an extremely large number of complaints does not constitute an abusive assertion of rights. However, an abuse of the right conferred by Article 77(1) GDPR could be claimed if a data su
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Österreichische Datenschutzbehörde (Austrian DPA) in AT
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Österreichische Datenschutzbehörde (Austrian DPA) - Austria (2023). Retrieved from cookiefines.eu
Last updated: