Court case 2021/04/0030-4 – Court Ruling (Austria, 2024)

A data subject, an entrepreneur, requested access to their personal data at a credit ranking agency (“controller”). The controller provided certain information, including that a specifically named company had carried out a query regarding the identity and creditworthiness of the data subject. The data subject lodged a complaint with the Austrian DPA (“Datenschutzbehörde”) against the controller for violating their right of access under Article 15 GDPR and for violating the principles of data minimisation (Article 5(1)(c) GDPR), confidentiality (Article 5(1)(f) GDPR) and the controller’s information obligation under Article 14 GDPR regarding the transfer of the data subject’s data to a third party. The data subject argued that the information that the controller provided was inadequate as it did not provide the origin of the data, storage period, processing purposes and a copy was missing. The DPA dismissed the complaint, stating that the controller provided sufficient information. The DPA held that the controller fulfilled the information obligations as the information was publicly accessible on a website. The data subject appealed this decision to the Federal Administrative Court (“Bundesverwaltungsgericht”). The Federal Administrative Court partially upheld the complaint against the controller, stating that the controller violated the data subject’s right of access by providing insufficient information on the storage period within the meaning of Article 15(1)(d) GDPR. At the same time, the court dismissed the data subject’s arguments concerning the information on the origin of the data and the processing purposes. Concerning transparency obligations, the court further held that the controller did not fulfil its duty to provide information on the recipients of data and thereby violated Article 14(1)(e) GDPR. Finally, the court rejected the complaint on the alleged violations of data minimisation and right to confidentiality. Both the DPA and the controller appe