Court case Ro 2023/04/0028 – Court Ruling (Austria, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
In June 2021, the data subject lodged a complaint with the Austrian Data Protection Authority (DSB) under Article 77 GDPR, alleging a violation of his right to data secrecy. The data subject concerned the use of his professional email address by a bank employee (the controller) for a private matter in 2019. The DSB rejected the complaint on the basis of § [https://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=bundesnormen&Gesetzesnummer=10001597 24(4) of the Austrian Data Protection Act (DSG)], which provides that the right to have a complaint examined expires one year after the data subject becomes aware of the alleged infringement and, in any event, three years after the event. The data subject had acknowledged that he became aware of the alleged breach no later than April 2019, meaning the one-year subjective limitation period had elapsed. The data subject appealed to the Federal Administrative Court (BVwG), but the court dismissed the appeal. The data subject then appealed to the Supreme Administrative Court of Austria (VwGH), arguing that [https://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=bundesnormen&Gesetzesnummer=10001597 § 24(4) DSG] was incompatible with Article 77 GDPR, which does not provide for any limitation period, and that national law could not restrict a directly applicable EU right. The Supreme Administrative Court dismissed the appeal as unfounded. It held that [https://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=bundesnormen&Gesetzesnummer=10001597 § 24(4) DSG] is compatible with Article 77 GDPR. The Court found that, in the absence of EU-level harmonization of procedural time limits, Member States retain procedural autonomy to regulate the modalities for exercising GDPR rights, including the introduction of limitation periods, provided that the principles of equivalence and effectiveness are respected. The one-year subjective limitation period under [https://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=bundesnormen&Gesetzesnummer=10001
GDPR Articles Cited
National Law Articles
In June 2021, the data subject lodged a complaint with the Austrian Data Protection Authority (DSB) under Article 77 GDPR, alleging a violation of his right to data secrecy. The data subject concerned the use of his professional email address by a bank employee (the controller) for a private matter in 2019. The DSB rejected the complaint on the basis of § [https://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=bundesnormen&Gesetzesnummer=10001597 24(4) of the Austrian Data Protection Act (DSG)], which provides that the right to have a complaint examined expires one year after the data subject becomes aware of the alleged infringement and, in any event, three years after the event. The data subject had acknowledged that he became aware of the alleged breach no later than April 2019, meaning the one-year subjective limitation period had elapsed. The data subject appealed to the Federal Administrative Court (BVwG), but the court dismissed the appeal. The data subject then appealed to the Supreme Administrative Court of Austria (VwGH), arguing that [https://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=bundesnormen&Gesetzesnummer=10001597 § 24(4) DSG] was incompatible with Article 77 GDPR, which does not provide for any limitation period, and that national law could not restrict a directly applicable EU right. The Supreme Administrative Court dismissed the appeal as unfounded. It held that [https://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=bundesnormen&Gesetzesnummer=10001597 § 24(4) DSG] is compatible with Article 77 GDPR. The Court found that, in the absence of EU-level harmonization of procedural time limits, Member States retain procedural autonomy to regulate the modalities for exercising GDPR rights, including the introduction of limitation periods, provided that the principles of equivalence and effectiveness are respected. The one-year subjective limitation period under [https://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=bundesnormen&Gesetzesnummer=10001
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Court case Ro 2023/04/0028 in AT
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Court case Ro 2023/04/0028 - Austria (2025). Retrieved from cookiefines.eu
Last updated: