Court case W108 2263948-1/4E – Court Ruling (Austria, 2023)

A data subject installed at the front door of his house a camera provided by a telecommunications service provider, the controller. After noticing that he no longer received e-mail notifications from the front door camera he contacted the controller and received different and contradictory information about the causes of system's malfunctioning in different occasions. On this basis, he suspected that his personal data had been leaked due to a ransomware attack and again contacted the controller about this. The data subject later found out that his account had been automatically blocked and the controller replied that this occurred because the account had been improperly used. The data subject was thus certain that he had been subject to a personal data breach, which the controller should have informed him about under Article 12 GDPR in a transparent manner. As a consequence, he believed that this violated his rights under several GDPR provisions, including Article 22 GDPR and filed a complaint with the Austrian DPA (DSB). However, due to a delay in the procedure, the data subject filed an appeal before the Austrian Federal Administrative Court (Bundesverwaltungsgericht - BVwG) as he claimed that the DSB failed to take a decision within the prescribed time limit. On the basis of the submissions of the parties, the BVwG first of all ascertained that there had been no unauthorised access to the data subject's data and that the controller had credibly demonstrated that there had been no hacker attack, hence there had been no violation of Article 12 GDPR, Article 5 GDPR and Article 34 GDPR. The BVwG instead determined that the blocking of the complainant's email account was set by an algorithm due to unusually high activity as an anti-spam measure. Effectively, the controller had submitted that it noticed a high number of e-mails were being sent from the data subject's account within a short period of time, and suspected a misuse of his account. As regards the s