Court case W258 2299744-1 – Court Ruling (Austria, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
An Austrian company was found to have improperly recorded personal data through its video surveillance system. The court ruled that the amount of data collected was excessive and lacked a valid legal basis, which is important because it highlights the need for businesses to ensure their surveillance practices comply with privacy laws.
What happened
The company recorded personal data from customers during payment transactions without a valid legal basis.
Who was affected
Customers who entered PIN codes and were captured by the company's video cameras were affected.
What the authority found
The court decided that the company's video surveillance violated GDPR rules by collecting more data than necessary and without proper justification.
Why this matters
This case serves as a warning for businesses using surveillance systems to ensure they are not overstepping privacy boundaries. Companies should review their data collection practices to align with legal requirements.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
A company (the controller) was operating a video surveillance system, consisting of a total of nine external and indoor cameras. After an anonymous complaint, the DSB opened administrative criminal proceedings and found that the controller had unlawfully processed personal data in the period from March 2022 to at least May 2022 and data subjects located in the following reception areas were recorded, including during payment transactions and PIN code entries. In fact, approximately 637 PIN entries were estimated to have been recorded. The processing of personal data carried out by the video surveillance system considered from the DSB not to be proportionate to its intended purpose and to go beyond what was necessary for the intended purpose of the surveillance, without a relevant legal basis and in defiance of the principle of fairness and data minimization violating Article 6(1), Article 5(1)(a) and Article 5(1)(c) of the GDPR respectively. As a result, the appellant was fined €1.5 million with an additional €150,000 in procedural costs. The controller appealed, arguing that some footage did not contain identifiable personal data, that many customers used payment methods not requiring PIN entry or covered it during entry, and that surveillance was necessary for security purposes. It also claimed the fine was disproportionate, particularly because the turnover of the parent company was improperly considered in its calculation. It requested the penalty decision to be fully repealed and the proceedings discontinued, or alternatively, that the penalty be reduced to a warning, or at least that the fine be adjusted to a proportionate and appropriate amount. On 2024 the Appeal submitted further to the Federal Administrative Court. The Court partially upheld and partially dismissed the appeal. Specifically, it found that the video surveillance system violated 5(1)(a), 5(1)(c), and 6(1) GDPR due to the lack of a valid legal basis and excessive data collection. It argued
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Court case W258 2299744-1 in AT
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Court case W258 2299744-1 - Austria (2025). Retrieved from cookiefines.eu
Last updated: