A*** GmbH (Controller) – €870 Fine (Austria, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A marketing agency, acting as controller, operated a public website together with a separate development subdomain that stored personal data, including names, email addresses, phone numbers and company affiliations. In January 2025 the controller was first informed by email of a security vulnerability: a file directory on that subdomain was publicly accessible and exposed the personal data. An employee mistakenly classified the message as spam and did not escalate it, so no security measures were taken. On 16 February 2025 a third party notified the controller of the exposure a second time and also informed the Austrian Data Protection Authority (DSB) that customer data could be accessed. The controller did not notify the DSB itself until 2 May 2025, at which point it closed the vulnerability and confirmed that the downloaded data had been deleted; it argued that the third party's email to the DSB had been a sufficient form of notification.

The DSB, having received the third party's email, opened proceedings ex officio and held that the controller had violated Article 33(1) GDPR by failing to notify the supervisory authority of the breach "without undue delay and, where feasible, within 72 hours". A third party's report to the DSB does not relieve the controller of its own notification duty under Article 33 GDPR. The controller had acquired knowledge of the breach by 31 January 2025 at the latest and was therefore obliged to notify by 3 February 2025. The employee's misclassification of the initial warning as spam was attributable to the controller, and the failure to act on it established negligence on the controller's part. The Article 33(1) exception for breaches that are unlikely to result in a risk to the rights and freedoms of data subjects did not apply, given the nature of the exposed data.

Accordingly, a fine of €870 plus €87 in procedural costs was imposed.
GDPR Articles Cited
Article 33(1) GDPR (notification of a personal data breach to the supervisory authority)
Related Enforcement Actions (0)
No other enforcement actions found for A*** GmbH (Controller) in AT
This is the only recorded action for this entity in this jurisdiction.
About this data
Cite as: Cookie Fines. A*** GmbH (Controller) - Austria (2025). Retrieved from cookiefines.eu