Court case W258 2299744-1 – Court Ruling (Austria, 2025)

A company (the controller) was operating a video surveillance system, consisting of a total of nine external and indoor cameras. After an anonymous complaint, the DSB opened administrative criminal proceedings and found that the controller had unlawfully processed personal data in the period from March 2022 to at least May 2022 and data subjects located in the following reception areas were recorded, including during payment transactions and PIN code entries. In fact, approximately 637 PIN entries were estimated to have been recorded. The processing of personal data carried out by the video surveillance system considered from the DSB not to be proportionate to its intended purpose and to go beyond what was necessary for the intended purpose of the surveillance, without a relevant legal basis and in defiance of the principle of fairness and data minimization violating Article 6(1), Article 5(1)(a) and Article 5(1)(c) of the GDPR respectively. As a result, the appellant was fined €1.5 million with an additional €150,000 in procedural costs. The controller appealed, arguing that some footage did not contain identifiable personal data, that many customers used payment methods not requiring PIN entry or covered it during entry, and that surveillance was necessary for security purposes. It also claimed the fine was disproportionate, particularly because the turnover of the parent company was improperly considered in its calculation. It requested the penalty decision to be fully repealed and the proceedings discontinued, or alternatively, that the penalty be reduced to a warning, or at least that the fine be adjusted to a proportionate and appropriate amount. On 2024 the Appeal submitted further to the Federal Administrative Court. The Court partially upheld and partially dismissed the appeal. Specifically, it found that the video surveillance system violated 5(1)(a), 5(1)(c), and 6(1) GDPR due to the lack of a valid legal basis and excessive data collection. It argued