Court case W258 2243523-1/9E – Court Ruling (Austria, 2024)

A real estate development company, the controller, contacted an owner of real estate, the data subject, asking her whether she would be interested in selling her property. The data subject claimed to have requested deletion of her personal data under Article 17 GDPR but kept receiving messages from the controller thereafter. Thus, on 26 April 2020, the data subject filed a complaint with the Austrian DPA (Datenschutzbehörde, DSB). In its submissions, the controller argued that it obtains data about real estate properties on sale by requesting access to the land registry of property addresses and it processes personal data according to Article 6(1)(f) GDPR. Further, the controller stated that it nonetheless complied with the deletion request as it pseudonymised the data of the data subject and added a note next to the address of her property that it should no longer be consulted in the land registry. The DSB held that the controller did violate the data subject’s right to deletion as it failed to fully erase her personal data. First, according to the DSB, the interests of the data subject outweighed those of the controller and that it was still possible to identify the data subject using the address of her property. The controller decided to appeal the DSB’s decision on 14 May 2021 to the Austrian Federal Administrative Court (Bundesverwaltungsgericht, BVwG), claiming that the DSB failed to properly assess the case. The controller submitted that it deleted the data of the data subject when she requested it and then her data mistakenly reappeared in her database, which is why she was contacted again by the controller. However, the controller remedied this by pseudonymising her data. Hence, the DSB should have differentiated between the two processing activities: the data subject only requested deletion of her data with respect to the first set of processing activities. As regards the second set of processing activities, the data subject never asked for erasure.