Court case W176 2259543-1 – Court Ruling (Austria, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
An Austrian court ruled that an address publisher violated data protection rules by transferring data collected for marketing to a credit agency. This ruling is significant as it reinforces the principle that data should only be used for the purpose it was collected.
What happened
An address publisher shared personal data with a credit information agency for a different purpose than it was originally collected.
Who was affected
A person whose data was collected by the address publisher without their consent for credit rating purposes.
What the authority found
The court found that the address publisher violated the principle of purpose limitation by using the data for a different purpose than intended.
Why this matters
This decision emphasizes the importance of using personal data only for its intended purpose. Companies should review their data processing practices to ensure compliance with purpose limitation rules.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
In March 2021, a data subject (represented by noyb) filed a complaint to the DPA against an address publisher and direct marketing company (referred to as the address publisher or the controller) and a credit information agency. The data subject submitted a request for information (Article 15 GDPR) to the address publisher and several credit information agencies in Austria. The address publisher was named as the source of the data; it had collected it for the purposes of exercising the trade of address publisher, however, it also transferred data as part of a contractual agreement with the credit information agency. This agency processed data (name, date of birth and (partially historical) addresses) for the purpose of assessing the data subject’s creditworthiness. The credit information agency has an additional business license for address publishing and direct marketing. In the complaint the data subject argued that this processing violated the principle of purpose limitation (Article 5(1)(b) GDPR in conjunction with Article 6(4) GDPR). The data subject had not provided data to the controller and was not informed of the changes in the purpose of data processing. Furthermore, the way in which the credit score was calculated was unclear to the data subject. The address publisher argued that its business license allowed it to process personal data and disclose it to third parties. In its decision, the DPA stated the controller had violated the principle of purpose limitation because it collected data for marketing purposes, but transferred data to the credit information agency for the purposes of credit rating. The DPA also stated that the data subject had no subjective right for the DPA to impose a processing ban. The data subject appealed the second point of the decision, arguing that a processing ban is the only way to effectively prevent future unlawful data processing. The controller appealed the first point of the decision, arguing that it amended the agreem
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Court case W176 2259543-1 in AT
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Court case W176 2259543-1 - Austria (2025). Retrieved from cookiefines.eu
Last updated: