Court case W176 2259543-1 – Court Ruling (Austria, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
In March 2021, a data subject (represented by noyb) filed a complaint to the DPA against an address publisher and direct marketing company (referred to as the address publisher or the controller) and a credit information agency. The data subject submitted a request for information (Article 15 GDPR) to the address publisher and several credit information agencies in Austria. The address publisher was named as the source of the data; it had collected it for the purposes of exercising the trade of address publisher, however, it also transferred data as part of a contractual agreement with the credit information agency. This agency processed data (name, date of birth and (partially historical) addresses) for the purpose of assessing the data subject’s creditworthiness. The credit information agency has an additional business license for address publishing and direct marketing. In the complaint the data subject argued that this processing violated the principle of purpose limitation (Article 5(1)(b) GDPR in conjunction with Article 6(4) GDPR). The data subject had not provided data to the controller and was not informed of the changes in the purpose of data processing. Furthermore, the way in which the credit score was calculated was unclear to the data subject. The address publisher argued that its business license allowed it to process personal data and disclose it to third parties. In its decision, the DPA stated the controller had violated the principle of purpose limitation because it collected data for marketing purposes, but transferred data to the credit information agency for the purposes of credit rating. The DPA also stated that the data subject had no subjective right for the DPA to impose a processing ban. The data subject appealed the second point of the decision, arguing that a processing ban is the only way to effectively prevent future unlawful data processing. The controller appealed the first point of the decision, arguing that it amended the agreem
GDPR Articles Cited
In March 2021, a data subject (represented by noyb) filed a complaint to the DPA against an address publisher and direct marketing company (referred to as the address publisher or the controller) and a credit information agency. The data subject submitted a request for information (Article 15 GDPR) to the address publisher and several credit information agencies in Austria. The address publisher was named as the source of the data; it had collected it for the purposes of exercising the trade of address publisher, however, it also transferred data as part of a contractual agreement with the credit information agency. This agency processed data (name, date of birth and (partially historical) addresses) for the purpose of assessing the data subject’s creditworthiness. The credit information agency has an additional business license for address publishing and direct marketing. In the complaint the data subject argued that this processing violated the principle of purpose limitation (Article 5(1)(b) GDPR in conjunction with Article 6(4) GDPR). The data subject had not provided data to the controller and was not informed of the changes in the purpose of data processing. Furthermore, the way in which the credit score was calculated was unclear to the data subject. The address publisher argued that its business license allowed it to process personal data and disclose it to third parties. In its decision, the DPA stated the controller had violated the principle of purpose limitation because it collected data for marketing purposes, but transferred data to the credit information agency for the purposes of credit rating. The DPA also stated that the data subject had no subjective right for the DPA to impose a processing ban. The data subject appealed the second point of the decision, arguing that a processing ban is the only way to effectively prevent future unlawful data processing. The controller appealed the first point of the decision, arguing that it amended the agreem
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Court case W176 2259543-1 in AT
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Court case W176 2259543-1 - Austria (2025). Retrieved from cookiefines.eu
Last updated: