Court case W211 2261980-1 – Court Ruling (Austria, 2023)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
An Austrian court ruled that a woman could not get her training data from a discontinued health app because the data was no longer stored on the company's servers. The court found that the app operator did not process her data after the app was discontinued, which is important for users to understand their rights regarding data access. This case highlights the need for clear communication from companies about data handling.
What happened
A woman requested her training data from a discontinued health app, but the app operator refused because the data was no longer stored on their servers.
Who was affected
The woman who used the health and fitness app and wanted her training data.
What the authority found
The court decided that the app operator did not process the woman's data after the app was discontinued, so her request for data transfer under GDPR could not be fulfilled.
Why this matters
This ruling emphasizes the importance of companies clearly informing users about how and where their data is stored. It also shows that users should be aware of the limitations of data access when using discontinued services.
GDPR Articles Cited
National Law Articles
The data subject concluded a contract with an app operator (the controller) in 2017 for the use of a health and fitness app, which she used until 2021. The data subject submitted a request for a transfer of her training data from 2020 in a structured, commonly used and machine-readable format by virtue of Article 20 GDPR. The controller refused to do so because her request referred to an outdated version of the app which had been discontinued in the meantime, that is, the data were no longer synchronised to the servers of the controller and were only locally saved and processed on the data subject's device. Yet, the old app could still be used locally, hence, data processing only took place on the users' devices but the controller did not have access to the data and could thus not process them. Furthermore, users could access and download all of their training and health data from the website of the controlller, which the data subject did. The users were notified of this change in a sufficient way. However, the data subject argued that she had not been properly informed of the changes regarding the processing and, as a layperson, she could not have known the difference. Furthermore, she pointed out that the "raw data" provided was not useable for the average user and that the controller kept processing her personal data because her contract with the controller had never been amended nor terminated. The Austrian DPA (DSB) dismissed the complaint based on the fact that essentially no data was processed by the controller between 2020 and 2021 and thus Article 20 GDPR could not apply. Dissatisfied with the DSB's decision, the data subject filed an appeal with the BVwG, restating the arguments she had broguht before the DSB. The BVwG held that after the date of the discontinuation, the data subject's training data was no longer saved and processed on the servers of the controller and data processing only continued on the device of the data subject through her own acti
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Court case W211 2261980-1 in AT
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Court case W211 2261980-1 - Austria (2023). Retrieved from cookiefines.eu
Last updated: