Court case W214 2275073-1 – Court Ruling (Austria, 2023)

On 15 May 2023, a data subject filed an access request via e-mail to a controller, the operator of a gambling website, in accordance with Article 15 GDPR. Unsatisfied with the response by the controller, the data subject filed a complaint with the Austrian DPA (DSB). The DSB, however, issued a decision stating that it suspended proceedings against the controller until the lead supervisory authority in the case had decided. According to the DSB, the object of the complaint referred to a matter of competence of the authority in which the controller had its main establishment under Article 56(1) GDPR, which, in the case was the Maltese DPA. The DSB held that in such circumstances it is obliged under [https://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=bundesnormen&Gesetzesnummer=10001597 Article 24 of the Austrian Data Protection Law (Datenschutzgesetz - DSG)] to suspend the complaint procedure. The data subject instead was of the opinion that the DSB should have dealt with the case as the requirement of Article 56(2) GDPR was met. In fact, the complaint in this case substantially affected only data subjects in Austria. Also, the data subject argued that neither [https://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=bundesnormen&Gesetzesnummer=10001597 Article 24(10) DSG] nor [https://ris.bka.gv.at/NormDokument.wxe?Abfrage=Bundesnormen&Gesetzesnummer=10005768&FassungVom=2017-07-12&Artikel=&Paragraf=38&Anlage=&Uebergangsrecht= Article 38 of the General Administrative Procedures Act (AVG)] provided for a legal basis for suspending proceedings. For these reasons, the data subject appealed the decision of the DSB before the Federal Administrative Court of Austria (Bundesverwaltungsgericht - BVwG). First of all, the BVwG clarified that the case clearly dealt with cross-border processing activities. The BVwG then reiterated that the handling of cross-border complaints involves three main steps: first, the roles of different authorities as concerned or lead supervisor