Court case 13R3/24t – Court Ruling (Austria, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
An Austrian court ruled that a company did not properly notify individuals about a data breach affecting their personal information. This ruling stresses the need for companies to communicate clearly with users when their data might be at risk. It serves as a reminder for businesses to prioritize transparency in data handling.
What happened
The company failed to individually notify users about a data breach involving their personal data.
Who was affected
Individuals whose personal data was potentially compromised in the data breach.
What the authority found
The court found that the company did not meet its legal obligation to notify affected individuals about the data breach.
Why this matters
This ruling reinforces the necessity for companies to inform users about data breaches promptly. Businesses should implement clear notification procedures to comply with data protection laws.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
The data subject is an individual whose personal data (name, address, date of birth) are stored in the Austrian Central Population Register. The controller is a company responsible for collecting broadcasting fees and is legally allowed to receive population-register data to identify liable fee payers. In May 2020, it became public that a hacker was offering large quantities of Austrian register data for sale. The controller issued a press release informing the public about the incident and clarifying that it was unclear whether the leaked data came from its systems. It also notified the Data Protection Authority (DSB) under Article 33 GDPR, but it did not individually notify potentially affected persons. The data subject did not know in 2020 whether he was affected. In 2023, he learned that his data had indeed appeared in the leaked dataset. To understand what data the controller was processing, he submitted an Article 15 GDPR access request on 4 March 2023. The controller warned of delays due to high workload and ultimately responded only on 24 May 2023. Believing that the controller had exceeded the legal response period, the data subject instructed a lawyer to file a complaint with the DSB. He paid the lawyer €200. He then brought a civil action claiming €200 in material damages for attorney’s fees and €200 in non-material damages arguing that he had to hire a lawyer and since DSB proceedings do not provide cost reimbursement, he considers these expenses a recoverable financial loss under Article 82 GDPR. He further claims that the defendant breached Article 34 GDPR by not notifying him of the 2020 data breach and as a result, he spent around 240 hours dealing with anger, worry, and efforts to obtain withheld information, justifying non-material harm. The first-instance civil court rejected the material-damages claim as inadmissible, holding that administrative procedure costs are normally borne by the parties. It dismissed the non-material-damages claim becaus
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Violations (1)
The cookie banner or cookie policy provides vague, incomplete, or unclear information about what cookies are used and why.
Art. 12, 13 GDPR
Related Cases (0)
No other cases found for Court case 13R3/24t in AT
This is the only recorded case for this entity in this jurisdiction.
Similar Cases
Enforcement actions with similar violations
Details
About this data
Cite as: Cookie Fines. Court case 13R3/24t - Austria (2025). Retrieved from cookiefines.eu
Last updated: