Court case W292 2235791-1 – Court Ruling (Austria, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The data subject lodged a complaint with the Austrian Data Protection Authority (DSB), alleging a violation of its right of access under Article 15 GDPR. Specifically, the data subject requested information from the controller about the recipients and categories of recipients to whom its personal data had been disclosed. In response, the controller provided a general list of all potential recipients but did not specify individual recipients. The DSB held that the controller had violated Article 15 by providing incomplete information. The controller appealed this decision to the Federal Administrative Court. The Court upheld the controller’s appeal. Referring to CJEU case law, the Court confirmed that data subjects have a right to be informed of specific recipients under Article 15(1)(c) GDPR, unless identification is impossible or the request is manifestly unfounded, in which case only categories of recipients must be provided. Applying this standard, the Court found that the controller had fulfilled its obligation by naming all potential processors, explaining the purposes of data transfers, and identifying processors who had not received the data. Since the specific recipients could not be identified due to a lack of documentation, documentation that is not legally required, the Court concluded that the information provided was sufficient and complete.
GDPR Articles Cited
The data subject lodged a complaint with the Austrian Data Protection Authority (DSB), alleging a violation of its right of access under Article 15 GDPR. Specifically, the data subject requested information from the controller about the recipients and categories of recipients to whom its personal data had been disclosed. In response, the controller provided a general list of all potential recipients but did not specify individual recipients. The DSB held that the controller had violated Article 15 by providing incomplete information. The controller appealed this decision to the Federal Administrative Court. The Court upheld the controller’s appeal. Referring to CJEU case law, the Court confirmed that data subjects have a right to be informed of specific recipients under Article 15(1)(c) GDPR, unless identification is impossible or the request is manifestly unfounded, in which case only categories of recipients must be provided. Applying this standard, the Court found that the controller had fulfilled its obligation by naming all potential processors, explaining the purposes of data transfers, and identifying processors who had not received the data. Since the specific recipients could not be identified due to a lack of documentation, documentation that is not legally required, the Court concluded that the information provided was sufficient and complete.
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Court case W292 2235791-1 in AT
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Court case W292 2235791-1 - Austria (2025). Retrieved from cookiefines.eu
Last updated: