Court case W256 2248861-1/8E – Court Ruling (Austria, 2024)

The data subject filed a complaint on the 25 March 2021 against the controller, her former partner’s lawyer, with the Austrian DPA (DSB). The data subject alleged that the controller had violated her right to privacy under [https://www.jusline.at/gesetz/dsg/paragraf/artikel1zu1 paragraph 1(1) of the Austrian Data Protection Act (Datenschutzgesetz – DSG]). Since 2020, the controller and the data subject’s lawyer have been engaged in settling the divorce proceedings. The data subject’s former partner demonstrated detailed knowledge of the data subject’s extramarital affair which made her conclude that he may still have access to the video surveillance cameras in her home. The data subject’s lawyer therefore requested the controller to submit the recorded video material through a data carrier. The controller responded to this request by sending an unsecured zip file in an email containing 41 files showing the data subject engaging in explicit actions. In her complaint, the data subject argued primarily that she did not expect the transmission of such explicit content and therefore had not consented to this processing of her data. Further, she argued that the unsecured transmission of the data via email as well as the disclosure of the material to employees of the controller was unnecessary. She further argued that the transmission of the highly sensitive data should have been carried out in person, directly by her ex-partner. The DSB held that the controller processed the data to give effect to a legitimate interest under Article 6(1)(f) GDPR and that under Article 32 GDPR a data subject is not entitled to select which security measures are implemented for the processing. The data subject appealed the decision to the Federal Administrative Court (Bundesverwaltungsgericht – BVwG). The court recalled, that the data subject had alleged only a breach of [https://www.jusline.at/gesetz/dsg/paragraf/artikel1zu1 paragraph 1(1) of the Austrian Data Protection Act (§1(1)