On January 4, 2024, the Austrian data protection authority (DSB) issued its decision no. 2023-0.592.319, in which it fined an unnamed company a total of €12,100, out of which €11,000 was for the violation of the General Data Protection Regulation (GDPR) and €1,100 as a contribution to the costs of the criminal proceedings under the Administrative Penal Code, following a complaint. 

Background to the decision

According to DSB, the company organizes football leagues and the personal data of players is available on the company's website, including names and photos of players. The complainant played their last match in October 2019 and then sent a request for deletion of their personal data to the company, however, the company stated that it could not comply with the request for statistical reasons.

Findings of the DSB

DSB found that the company violated Article 25(1) of the GDPR by failing to take appropriate technical and organizational measures to ensure that, in the event of a necessary deletion, either at the request of a data subject or on its own initiative, personal data of players who have participated in at least one game in the league organized by the company are completely deleted from the publicly accessible database. Furthermore, DSB held that the company also violated Article 17 of the GDPR by not complying with the complainant's request for deletion. DSB clarified that the only possible exception for the processing on which the company could rely would be the archiving purpose in the public interest, however, the exceptions did not apply in the specific case.

Outcome

In light of the above, DSB fined the company €12,100. 

You can read the press release, only available in German, here.