Court case W137 2311069-1 – Court Ruling (Austria, 2025)

A national of India, the data subject, lodged an application for international protection with the responsible Austrian authority, the controller, which was dismissed and a return decision was issued. Consequently, the data subject’s data was entered into the Schengen Information System (SIS), a system used to track return decisions for third-country nationals unlawfully staying in the EU. The data subject remained in the Schengen area and did not leave. Furthermore, he requested that the Austrian authorities delete his SIS entry, claiming that Portugal had promised him a residence and work permit if the SIS entry was removed. The controller refused to delete the SIS record because the return decision was still valid, the data subject had not left the EU and Portugal had not officially notified Austria of any residence permit grant or consultation as required. The data subject further lodged a complaint with the Austrian Data Protection Authority (DSB) for an alleged violation in the right to erasure under Article 17 GDPR. The DSB dismissed the complaint, finding the SIS data processing lawful. Then, the data subject appealed the decision to the Federal Administrative Court (BVwG). The appeal was dismissed as unfounded. The court held that the SIS entry was lawful under the relevant legislation and there was no legal ground for deletion. Moreover, the right to erasure did not apply, because the SIS processing was required to fulfill a legal obligation under Article 6(1)(c) GDPR and was performed in the exercise of official authority under Article 6(1)(e) GDPR, falling under the exception of Article 17(3)(b) GDPR. The court also clarified that the processing also met the exception under Article 9(2)(g) GDPR for sensitive data.