BVwG - W211 2222613-2/llE

From GDPRhub
BVwG - W211 2222613-2/llE
Courts logo1.png
Court: BVwG (Austria)
Jurisdiction: Austria
Relevant Law: Article 5 GDPR
Article 14 GDPR
Article 15 GDPR
Article 77 GDPR
Decided: 09.08.2021
Parties: CRIF
National Case Number/Name: W211 2222613-2/llE
European Case Law Identifier:
Appeal from:
Appeal to: Pending appeal
Original Language(s): German
Original Source: Rechtsinformationssystem des Bundes (RIS) (in German)
Initial Contributor: n/a

The Austrian Federal Administrative Court held that mere abstract information on the storage period and lacking information on recipients of personal data constitute a violation of the GDPR. It also held that Article 77 GDPR grants an independent right to lodge a complaint with a DPA, irrespective of Member State law.

English Summary


In 2018, the complainant requested access to their personal data from the CRIF (the ‘respondent’), a credit reference agency operating in Austria. After receiving the response of the agency, the complainant stated a violation of their right to access due to its insufficiency. According to the complainant, the agency failed to precisely name data sources, purposes and the storage period for the personal data. In this regard, the complainant has not been informed on new recipients of their personal data as well. Furthermore, the agency did not provide a full copy of the personal data processed on the complainant. Accordingly, it also breached the principles of data minimization and confidentiality, processing incorrect addresses and insufficiently encrypted data.

The respondent indicated certain companies as their data sources and stated that the data is stored as long as there was an interest by the respondent. Moreover, the data made available by the agency presented all the data held on the complainant and a copy would not add any value. At the same time, providing more information would reveal business secrets which therefore cannot be made available. Consequently, there was no violation and therefore no right to appeal by the complainant.

The Austrian DPA dismissed the complaint, arguing that the disclosure of data sources, recipients and as well as criteria for determining the storage period has fulfilled the access request of the complainant. The provided data was sufficient and a copy of the personal data does not include entire documents, exact copies or a facsimile of such, but it is in the choice of the controller on what and how exactly data is delivered. Moreover, Article 77 GDPR is standardized in administrative proceedings as part of the Austrian national law and therefore bound to its requirements.


The Federal Administrative Court of Austria limited its judgement to the objections regarding the provision of information on the origin, storage period and purposes as well as the principles of minimization and confidentiality of the data. Further objections concerning the access to a copy of personal data were referred to the CJEU for a preliminary ruling (see also here).

Regarding the information on the data sources involved, the Court held, that the disclosure of several public sources and companies, in particular regarding the origin of the complainant's address data, may be considered complete and therefore in line with Article 15(1)(g) GDPR.

In terms of the storage period, however, the general information provided by the respondent (risk minimisation, identification, combating fraud, money laundering, terrorist financing) do not allow the complainant to assess how long his data will be stored. The missing possibility to assess when the data is, in the opinion of the agency,no longer necessary to process is therefore in breach of Article 15(1)(d) GDPR.

Furthermore, the respondent failed to inform the complainant on the disclosure of their personal data to new recipients. The lack of such information prevented the complainant to become aware of the transmission of their personal data to other parties and therefore violates Article 14 GDPR.

The Court also stated that Article 77 GDPR allows data subjects to contact the data protection authority directly to lodge a complaint with a supervisory authority. It formulates an independent right to complaint, which is not linked to formal or substantive requirements or the provision of evidence of national law. In this regard, already violations on basic principles such as Article 5(c)(f) GDPR may concern the processing of the complainant's personal data and grant them that particular right. Any rejections of the complained violations based on a different assumption by the DPA may therefore be considered invalid and must be rectified.


Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.