Complainant represented by Fellner Wratzfeld & Partner Rechtsanwälte GmbH (Plaintiff) – Court Ruling (Austria, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
In late 2021, vaccination reminder letters were sent to uninsured persons over 18 residing in Austria who had not yet received a COVID-19 vaccine. The letters were issued in the name of various health institutions and officials, including the COVID-19 project manager and a chief physician. Numerous recipients filed complaints with the Austrian DPA, alleging unlawful access to their data stored in the central vaccination register. Following an official investigation, the DPA determined that the complainant was responsible for the data processing and had unlawfully accessed and used health data for the mailing campaign. The complainant contested this decision, arguing that it was not the data controller and that the access to vaccination data was justified under pandemic management regulations. The case was subsequently referred to the Federal Administrative Court. The Court ruled that the complainant was not the data controller within the meaning of Article 4 GDPR#7. It found that the ultimate decision-making authority regarding the purpose and means of the data processing lay with the city’s health department and the responsible city councillor, rather than the complainant. The complainant had merely executed the data processing based on political and administrative directives. The Court also held that the DPA had failed to correctly identify the data controller and had erroneously directed its decision against the complainant. Given the misleading nature of the vaccination reminder letters, which bore multiple institutional logos and signatures, the complainants could not reasonably determine the responsible party. The Court further emphasized that under Austrian procedural law, complainants are not necessarily required to specify the exact data controller when filing a complaint. As a result, the Court annulled the DPA’s decision without replacement, leaving the original complaint unresolved. The ruling clarified that the determination of the correct data contro
GDPR Articles Cited
National Law Articles
In late 2021, vaccination reminder letters were sent to uninsured persons over 18 residing in Austria who had not yet received a COVID-19 vaccine. The letters were issued in the name of various health institutions and officials, including the COVID-19 project manager and a chief physician. Numerous recipients filed complaints with the Austrian DPA, alleging unlawful access to their data stored in the central vaccination register. Following an official investigation, the DPA determined that the complainant was responsible for the data processing and had unlawfully accessed and used health data for the mailing campaign. The complainant contested this decision, arguing that it was not the data controller and that the access to vaccination data was justified under pandemic management regulations. The case was subsequently referred to the Federal Administrative Court. The Court ruled that the complainant was not the data controller within the meaning of Article 4 GDPR#7. It found that the ultimate decision-making authority regarding the purpose and means of the data processing lay with the city’s health department and the responsible city councillor, rather than the complainant. The complainant had merely executed the data processing based on political and administrative directives. The Court also held that the DPA had failed to correctly identify the data controller and had erroneously directed its decision against the complainant. Given the misleading nature of the vaccination reminder letters, which bore multiple institutional logos and signatures, the complainants could not reasonably determine the responsible party. The Court further emphasized that under Austrian procedural law, complainants are not necessarily required to specify the exact data controller when filing a complaint. As a result, the Court annulled the DPA’s decision without replacement, leaving the original complaint unresolved. The ruling clarified that the determination of the correct data contro
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Complainant represented by Fellner Wratzfeld & Partner Rechtsanwälte GmbH (Plaintiff) in AT
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Complainant represented by Fellner Wratzfeld & Partner Rechtsanwälte GmbH (Plaintiff) - Austria (2025). Retrieved from cookiefines.eu
Last updated: