Court case W254 2313142-1 – Court Ruling (Austria, 2026)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
An Austrian court ruled that an electricity network operator unlawfully processed a user's email address after promising to delete it. The company had assured the user that his email would be removed, but it continued to use it for notifications. This case shows that companies must honor deletion requests to comply with data protection laws.
What happened
The electricity network operator continued to use a user's email address despite a deletion request.
Who was affected
A user who requested the deletion of his email address from the electricity network operator's systems was affected.
What the authority found
The court found that the operator violated GDPR by retaining and using the email address without a valid legal basis.
Why this matters
This ruling highlights the importance of respecting user requests for data deletion. Companies must ensure they have proper systems in place to manage such requests to avoid legal issues.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
National Law Articles
The data subject had initially requested that a electricity network operator (the controller) delete his email address from its systems. In March 2022, the controller confirmed that the deletion had been carried out. Nevertheless, in January 2024 the controller again contacted the data subject via the same email address to send a notification regarding a reading of the electricity meter. The data subject subsequently filed a complaint with the Austrian Data Protection Authority (DSB), arguing that the controller continued to process his personal data despite assuring him that it had been deleted. After the DSB failed to issue a decision within the six-month deadline, the data subject brought an inactivity complaint before the Federal Administrative Court on 23 February 2025, requesting that the court decide the case itself. During the proceedings, the controller initially argued that the email might have been collected again elsewhere due to human error. However, after a further internal review, the controller acknowledged that the email address had in fact not been deleted in 2022 as previously stated and had remained stored in its system until April 2024, when it was finally deleted. The court partially upheld the complaint. Because the controller retained the email address and used it to send a notification to the data subject, the court found that the processing lacked any valid legal basis under Article 6(1) GDPR. As a result, the court concluded that the processing was unlawful and therefore violated the principle of lawfulness under Article 5(1)(a) GDPR. The continued retention and use of the email address after a deletion request also contravened the principles of purpose limitation and data minimisation under Article 5(1)(b) and (c) GDPR, since the data were used again despite the data subject’s request that they no longer be stored. Furthermore, the controller breached the accountability principle under Article 5(2) GDPR by initially claiming that the da
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Court case W254 2313142-1 in AT
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Court case W254 2313142-1 - Austria (2026). Retrieved from cookiefines.eu
Last updated: