Court case 2021/04/0030-4 – Court Ruling (Austria, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
An Austrian court ruled that a credit ranking agency did not provide enough information to an entrepreneur about their personal data. The court found that the agency failed to fully inform the entrepreneur about the storage period of their data. This decision emphasizes the importance of transparency in how companies handle personal data.
What happened
A court found that a credit ranking agency did not adequately inform an entrepreneur about their personal data access request.
Who was affected
The entrepreneur who requested access to their personal data from the credit ranking agency was affected.
What the authority found
The court decided that the credit ranking agency violated the entrepreneur's right to access by not providing sufficient information on the storage period of their data.
Why this matters
This case underscores the need for companies to be transparent and thorough when responding to personal data requests. Businesses should review their data disclosure practices to ensure compliance with access rights.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
A data subject, an entrepreneur, requested access to their personal data at a credit ranking agency (“controller”). The controller provided certain information, including that a specifically named company had carried out a query regarding the identity and creditworthiness of the data subject. The data subject lodged a complaint with the Austrian DPA (“Datenschutzbehörde”) against the controller for violating their right of access under Article 15 GDPR and for violating the principles of data minimisation (Article 5(1)(c) GDPR), confidentiality (Article 5(1)(f) GDPR) and the controller’s information obligation under Article 14 GDPR regarding the transfer of the data subject’s data to a third party. The data subject argued that the information that the controller provided was inadequate as it did not provide the origin of the data, storage period, processing purposes and a copy was missing. The DPA dismissed the complaint, stating that the controller provided sufficient information. The DPA held that the controller fulfilled the information obligations as the information was publicly accessible on a website. The data subject appealed this decision to the Federal Administrative Court (“Bundesverwaltungsgericht”). The Federal Administrative Court partially upheld the complaint against the controller, stating that the controller violated the data subject’s right of access by providing insufficient information on the storage period within the meaning of Article 15(1)(d) GDPR. At the same time, the court dismissed the data subject’s arguments concerning the information on the origin of the data and the processing purposes. Concerning transparency obligations, the court further held that the controller did not fulfil its duty to provide information on the recipients of data and thereby violated Article 14(1)(e) GDPR. Finally, the court rejected the complaint on the alleged violations of data minimisation and right to confidentiality. Both the DPA and the controller appe
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Court case 2021/04/0030-4 in AT
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Court case 2021/04/0030-4 - Austria (2024). Retrieved from cookiefines.eu
Last updated: