The Austrian Federal Administrative Court (VwGH) has upheld the decision of the Austrian Data Protection Authority (Datenschutzbehörde, DSB) on a data protection breach by a local company. The decision sets an important precedent related to compliance under the GDPR.
The case concerned a breach of personal data processing rules by a company that failed to comply with its information obligations to customers under the GDPR. The company failed to provide adequate information on the purposes of the data processing, the legal basis and the retention period of the data, in breach of the right to information.
Following a complaint by a customer, the DSB fined the company and ordered it to take measures to ensure compliance with data protection legislation. The company appealed the DSB’s decision to the VwGH, claiming that the breach was not serious enough to warrant a financial penalty.
The VwGH, hearing the case, found that the DSB had correctly assessed the breach and the need to impose a penalty. The court emphasised that information obligations are a key element of personal data protection and that failure to comply with them constitutes a serious violation of individuals’ rights. In addition, the VwGH pointed out that companies must be aware of their obligations under data protection legislation and take appropriate measures to ensure compliance.
The VwGH’s decision sets an important precedent, confirming the importance of complying with data protection laws, as well as strengthening the role of supervisory authorities, such as the DSB, in enforcing these laws. Businesses should take note of this judgment and ensure that their operations comply with the requirements of the GDPR to avoid similar legal and financial consequences.