Complainant represented by Fellner Wratzfeld & Partner Rechtsanwälte GmbH (Plaintiff) – Court Ruling (Austria, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A court ruled that a complainant was not responsible for unlawfully accessing health data for vaccination reminder letters. The actual data controller was determined to be the city's health department. This case clarifies who is accountable for data processing in public health initiatives.
What happened
The court found that the complainant did not have control over the data processing related to vaccination reminders.
Who was affected
Individuals who received vaccination reminder letters in Austria and filed complaints about their data being accessed.
What the authority found
The court decided that the complainant was not the data controller, as the health department held the ultimate authority over the data processing.
Why this matters
This ruling highlights the importance of clearly identifying data controllers in public health campaigns. It reminds organizations to ensure transparency in their data handling practices.
GDPR Articles Cited
Original data from scraper before AI verification against source document.
National Law Articles
In late 2021, vaccination reminder letters were sent to uninsured persons over 18 residing in Austria who had not yet received a COVID-19 vaccine. The letters were issued in the name of various health institutions and officials, including the COVID-19 project manager and a chief physician. Numerous recipients filed complaints with the Austrian DPA, alleging unlawful access to their data stored in the central vaccination register. Following an official investigation, the DPA determined that the complainant was responsible for the data processing and had unlawfully accessed and used health data for the mailing campaign. The complainant contested this decision, arguing that it was not the data controller and that the access to vaccination data was justified under pandemic management regulations. The case was subsequently referred to the Federal Administrative Court.
The Court ruled that the complainant was not the data controller within the meaning of Article 4(7) GDPR. It found that the ultimate decision-making authority regarding the purpose and means of the data processing lay with the city’s health department and the responsible city councillor, rather than the complainant. The complainant had merely executed the data processing based on political and administrative directives. The Court also held that the DPA had failed to correctly identify the data controller and had erroneously directed its decision against the complainant.
Given the misleading nature of the vaccination reminder letters, which bore multiple institutional logos and signatures, the complainants could not reasonably determine the responsible party. The Court further emphasized that under Austrian procedural law, complainants are not necessarily required to specify the exact data controller when filing a complaint. As a result, the Court annulled the DPA’s decision without replacement, leaving the original complaint unresolved. The ruling clarified that the determination of the correct data contro
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
About this data
Cite as: Cookie Fines. Complainant represented by Fellner Wratzfeld & Partner Rechtsanwälte GmbH (Plaintiff) - Austria (2025). Retrieved from cookiefines.eu