Court case W254 2313142-1 – Court Ruling (Austria, 2026)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The data subject had initially requested that a network operator (the controller) delete his email address from its systems. In March 2022, the controller confirmed that the deletion had been carried out. Nevertheless, on 26 January 2024 the controller again contacted the data subject via the same email address to send a meter-reading notification. The data subject subsequently filed a complaint with the Austrian Data Protection Authority (DSB), arguing that the controller continued to process his personal data despite assuring him that it had been deleted. After the DSB failed to issue a decision within the six-month deadline, the data subject brought an inactivity complaint before the Federal Administrative Court on 23 February 2025, requesting that the court decide the case itself. During the proceedings, the controller initially argued that the email might have been collected again elsewhere due to human error. However, after a further internal review, the controller acknowledged that the email address had in fact not been deleted in 2022 as previously stated and had remained stored in its system until 2 April 2024, when it was finally deleted. The court partially upheld the complaint. Because the controller retained the email address and used it to send a meter-reading notification, the court found that the processing lacked any valid legal basis under Article 6(1) GDPR. As a result, the court concluded that the processing was unlawful and therefore violated the principle of lawfulness under Article 5(1)(a) GDPR. The continued retention and use of the email address after a deletion request also contravened the principles of purpose limitation and data minimisation under Article 5(1)(b) and (c) GDPR, since the data were used again despite the data subject’s request that they no longer be stored. Furthermore, the controller breached the accountability principle under Article 5(2) GDPR by initially claiming that the data had been deleted and only later admitting
GDPR Articles Cited
National Law Articles
The data subject had initially requested that a network operator (the controller) delete his email address from its systems. In March 2022, the controller confirmed that the deletion had been carried out. Nevertheless, on 26 January 2024 the controller again contacted the data subject via the same email address to send a meter-reading notification. The data subject subsequently filed a complaint with the Austrian Data Protection Authority (DSB), arguing that the controller continued to process his personal data despite assuring him that it had been deleted. After the DSB failed to issue a decision within the six-month deadline, the data subject brought an inactivity complaint before the Federal Administrative Court on 23 February 2025, requesting that the court decide the case itself. During the proceedings, the controller initially argued that the email might have been collected again elsewhere due to human error. However, after a further internal review, the controller acknowledged that the email address had in fact not been deleted in 2022 as previously stated and had remained stored in its system until 2 April 2024, when it was finally deleted. The court partially upheld the complaint. Because the controller retained the email address and used it to send a meter-reading notification, the court found that the processing lacked any valid legal basis under Article 6(1) GDPR. As a result, the court concluded that the processing was unlawful and therefore violated the principle of lawfulness under Article 5(1)(a) GDPR. The continued retention and use of the email address after a deletion request also contravened the principles of purpose limitation and data minimisation under Article 5(1)(b) and (c) GDPR, since the data were used again despite the data subject’s request that they no longer be stored. Furthermore, the controller breached the accountability principle under Article 5(2) GDPR by initially claiming that the data had been deleted and only later admitting
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Court case W254 2313142-1 in AT
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Court case W254 2313142-1 - Austria (2026). Retrieved from cookiefines.eu
Last updated: