DSB (Austria) - D130.206/0006-DSB/2019
DSB - DSB-D130.206/0006-DSB/2019 | |
---|---|
Authority: | DSB (Austria) |
Jurisdiction: | Austria |
Relevant Law: | Article 3(2)(a) GDPR Article 3(3) GDPR Article 4(7) GDPR Article 5(1)(a) GDPR Article 5(2) GDPR Article 12(1) GDPR Article 12(2) GDPR Article 12(3) GDPR Article 13(1)(a) GDPR Article 13(2) GDPR Article 13(3) GDPR Article 15(1)(e) GDPR Article 15(1)(f) GDPR Article 15(3) GDPR Article 27(1) GDPR Article 27(5) GDPR Article 57(1)(f) GDPR Article 58(1)(b) GDPR Article 58(2)(c) GDPR Article 58(2)(d) GDPR § 24(1) DSG § 24(5) DSG § 24(6) DSG |
Type: | Complaint |
Outcome: | Partly Upheld |
Started: | |
Decided: | 20.03.2020 |
Published: | 02.12.2019 |
Fine: | None |
Parties: | Dr. Ludwig A*** N***Group AG |
National Case Number/Name: | DSB-D130.206/0006-DSB/2019 |
European Case Law Identifier: | ECLI:AT:DSB:2019:DSB.D130.206.0006.DSB.2019 |
Appeal: | Not appealed |
Original Language(s): | German |
Original Source: | Rechtsinformationssystem des Bundes - RIS (in DE) |
Initial Contributor: | n/a |
DSB holds that controller violated Article 13 GDPR because it failed to provide all information upon obtaining data from the data subject and in the further course failed to provide this information until the end of the proceedings before the DSB. According to DSB, § 24(6) Austrian Data Protection Act (DSG) applies - per analogiam - on Article 13 and 14 GDPR .
English Summary
Facts
The data subject, an Austrian resident, filed a complaint under Article 77 GDPR against the controller, a Swiss based company that offers its services (including hotels) i.a. in Austria under http://www.alpen***.at. After rejecting an offer by the controller for a stay in one of the controller's hotels, the data subject received an email with advertisement for the controller's newsletter including a subscription link. The data subject did not receive any information on Article 13 GDPR. On the DSB's request, the controller declared R*** Hotels GmbH as representative under Article 27 GDPR and sent a reply to the data subject's complaint stating that any violation of Article 13 GDPR has been rectified under § 24(6) DSG by the information given in that reply. The data subject replied that § 24(6) DSG does not apply on violations of Article 13 GDPR and that - even if it would apply - the controller had still failed to provide all information required under Article 13 GDPR.
Dispute
In essence, the DSD had to decide whether or not §24(6) DSG that allows a controller to rectify data protection violations until the end of the proceedings before the DSB also applies on violations of Article 13 (and 14) GDPR.
Holding
According to the DSB, § 24(6) DSG also applies on violations of Article 13 and 14 GDPR. A controller may therefore rectify any data protection violation until the end of the proceedings before the DSB. If a controller does so, the DSB stops proceedings and no formal decision is issued. Nevertheless, as the controller failed to provide information under Article 13(1)(a) to (f) GDPR even until the end of proceedings, the DSD held that the controller is under the obligation to provide this information within four weeks. Also the controller was put under the obligation to adapt its data protection notice accordingly within a period of four weeks and to submit the adapted notice to the DSB.
Comment
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
- DSB (Austria)
- Austria
- Article 3(2)(a) GDPR
- Article 3(3) GDPR
- Article 4(7) GDPR
- Article 5(1)(a) GDPR
- Article 5(2) GDPR
- Article 12(1) GDPR
- Article 12(2) GDPR
- Article 12(3) GDPR
- Article 13(1)(a) GDPR
- Article 13(2) GDPR
- Article 13(3) GDPR
- Article 15(1)(e) GDPR
- Article 15(1)(f) GDPR
- Article 15(3) GDPR
- Article 27(1) GDPR
- Article 27(5) GDPR
- Article 57(1)(f) GDPR
- Article 58(1)(b) GDPR
- Article 58(2)(c) GDPR
- Article 58(2)(d) GDPR
- 2020
- German