Continue reading on DataGuidance with:
Free Member
Limited ArticlesCreate an account to continue accessing select articles, resources, and guidance notes.
Already have an account? Log in
Create an account
Join our community for free to access exclusive whitepapers, reports, and regulatory information.
Austria: Federal Administrative Court holds individual in organization liable as controller under GDPR
On July 10, 2024, the Federal Administrative Court issued its decision in case number W298 2293438-1/6E, in which it upheld the decision of the Austrian data protection authority (DSB) in relation to the unlawful processing of personal data by the representative of a homeowner's association under the General Data Protection Regulation (GDPR).
Background to the decision
According to the Court, the complainant filed a complaint against the DSB's decision. More specifically, an individual had complained of a violation of the right to confidentiality under Section 1(1) of the Federal Act on the Protection of Individuals With Regard to the Processing of Personal Data (DSG) to the DSB and argued that the complainant was the property management company of the owners' association of their residential property. The complainant had publicly posted a letter from the Chamber of Labor to the individual concerned.
Findings of the Court
The Court found, among other things that the complainant was a controller within the meaning of the GDPR, reasoning that the controller is the person or institution that has to ensure that the data protection provisions of the GDPR are complied with. The Court further illustrated that lawyers are usually responsible for themselves when they process data for the purpose of representing their clients. They act under a power of attorney and are therefore authorized to make legally binding statements on behalf of their clients. However, the decision as to which third-party data is to be processed in order to fulfill the mandate is made by the lawyer without instructions from the client, unless there is proof to the contrary. In the present case, according to the Court, the complainant processed data without being instructed by the client, i.e., the homeowners' association.
Therefore, the Court found the complainant accountable as the controller under Article 24(1) of the GDPR and in compliance with the requirements of Article 5(1)(c) of the GDPR. Following this, the Court concluded that the complainant did not have sufficient legal basis for processing data under Article 6(1) of the GDPR.
Outcomes
In light of the above, the Court dismissed the complaint as inadmissible.
You can read the decision, only available in German, here.
Send us your Feedback!
Please let us know what you think of DataGuidance! It will only take 60 seconds and help us make the site better for you.
