XXXX – Court Ruling (Austria, 2024)

The Austrian Data Protection Authority (DSB) fined a controller 500 000€ for failing to fulfil its obligations under Articles 12 and 15-22 of the GDPR. The controller collected information and marketing classifications on the party affiliations of the entire Austrian population. Data subjects filled out more than 30 000 requests. In response, the controller created a web contact form to enforce the three most frequently used data subject rights, thereby limiting other contact options. The controller did not adequately facilitate the exercise of data subject rights by limiting them to "the three most used". The three most used data subject rights were the right of access, the right to erasure and the right to object. Other data subject rights were not included in the contact form. Data subjects requested to exercise their rights under the GDPR. The controller failed to provide appropriate mechanisms or responses to these requests, leading to complaints from the data subjects. The DSB initiated an investigation into the controller's practices following these complaints. The investigation revealed that the controller had not sufficiently complied with the GDPR, particularly regarding the facilitation of data subject rights. The controller appealed. The Federal Administrative Court dismissed the appeal of the controller as unfounded. The Federal Administrative Court upheld the DSB's decision that the controller violated Article 12(2) GDPR by failing to facilitate the exercise of data subject rights in a transparent and accessible manner, as it restricted requests to only three data subject rights through a mandatory contact form: 1. right of access, 2. right to erasure, and 3. right to object. The Federal Administrative Court held that the requirement to provide a copy of an ID as a prerequisite for exercising these rights violated Article 12(6) GDPR, as it imposed an unnecessary burden on data subject.