Court case Ro 2023/04/0028 – Court Ruling (Austria, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
An Austrian court ruled that a person's complaint about a bank employee using his work email for personal matters was too late. The court found that the person had waited too long to report the issue, which means he lost his chance to have it examined. This decision highlights the importance of acting quickly if you believe your privacy rights have been violated.
What happened
A person complained that a bank employee used his professional email for a private matter in 2019.
Who was affected
The individual whose work email was misused by a bank employee.
What the authority found
The court decided that the complaint was not valid because it was filed after the one-year time limit for reporting such issues.
Why this matters
This case shows that there are time limits for filing privacy complaints. Small business owners should be aware of these deadlines to protect their rights.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
National Law Articles
In June 2021, the data subject lodged a complaint with the Austrian Data Protection Authority (DSB) under Article 77 GDPR, alleging a violation of his right to data secrecy. The data subject concerned the use of his professional email address by a bank employee (the controller) for a private matter in 2019. The DSB rejected the complaint on the basis of § [https://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=bundesnormen&Gesetzesnummer=10001597 24(4) of the Austrian Data Protection Act (DSG)], which provides that the right to have a complaint examined expires one year after the data subject becomes aware of the alleged infringement and, in any event, three years after the event. The data subject had acknowledged that he became aware of the alleged breach no later than April 2019, meaning the one-year subjective limitation period had elapsed. The data subject appealed to the Federal Administrative Court (BVwG), but the court dismissed the appeal. The data subject then appealed to the Supreme Administrative Court of Austria (VwGH), arguing that [https://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=bundesnormen&Gesetzesnummer=10001597 § 24(4) DSG] was incompatible with Article 77 GDPR, which does not provide for any limitation period, and that national law could not restrict a directly applicable EU right. The Supreme Administrative Court dismissed the appeal as unfounded. It held that [https://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=bundesnormen&Gesetzesnummer=10001597 § 24(4) DSG] is compatible with Article 77 GDPR. The Court found that, in the absence of EU-level harmonization of procedural time limits, Member States retain procedural autonomy to regulate the modalities for exercising GDPR rights, including the introduction of limitation periods, provided that the principles of equivalence and effectiveness are respected. The one-year subjective limitation period under [https://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=bundesnormen&Gesetzesnummer=10001
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Court case Ro 2023/04/0028 in AT
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Court case Ro 2023/04/0028 - Austria (2025). Retrieved from cookiefines.eu
Last updated: