DSB (Austria) - D130.206/0006-DSB/2019

From GDPRhub
Revision as of 11:22, 20 March 2020 by MB
DSB - DSB-D130.206/0006-DSB/2019
Authority: DSB (Austria)
Jurisdiction: Austria
Relevant Law: Article 3(2)(a) GDPR
Article 3(3) GDPR
Article 4(7) GDPR
Article 5(1)(a) GDPR
Article 5(2) GDPR
Article 12(1) GDPR
Article 12(2) GDPR
Article 12(3) GDPR
Article 13(1)(a) GDPR
Article 13(2) GDPR
Article 13(3) GDPR
Article 15(1)(e) GDPR
Article 15(1)(f) GDPR
Article 15(3) GDPR
Article 27(1) GDPR
Article 27(5) GDPR
Article 57(1)(f) GDPR
Article 58(1)(b) GDPR
Article 58(2)(c) GDPR
Article 58(2)(d) GDPR
§ 24(1) DSG
§ 24(5) DSG
§ 24(6) DSG
Type: Complaint
Outcome: Partly Upheld
Started:
Decided: 20.03.2020
Published: 02.12.2019
Fine: None
Parties: Dr. Ludwig A***
N***Group AG
National Case Number/Name: DSB-D130.206/0006-DSB/2019
European Case Law Identifier: ECLI:AT:DSB:2019:DSB.D130.206.0006.DSB.2019
Appeal: Not appealed
Original Language(s): German
Original Source: Rechtsinformationssystem des Bundes - RIS (in DE)
Initial Contributor: n/a

The DSB holds that the controller violated Article 13 GDPR because it failed to provide all information upon obtaining data from the data subject and then still failed to provide this information until the end of the proceedings before the DSB. According to the DSB, § 24(6) of the Austrian Data Protection Act (DSG) applies by analogy (per analogiam) to Articles 13 and 14 GDPR.

English Summary

Facts

The data subject, an Austrian resident, filed a complaint under Article 77 GDPR against the controller, a Swiss-based company that offers its services (including hotels), inter alia, in Austria under http://www.alpen***.at. After rejecting an offer by the controller for a stay in one of the controller's hotels, the data subject received an email advertising the controller's newsletter, including a subscription link. The data subject did not receive any information under Article 13 GDPR. At the DSB's request, the controller declared R*** Hotels GmbH as its representative under Article 27 GDPR and sent a reply to the data subject's complaint stating that any violation of Article 13 GDPR had been rectified under § 24(6) DSG by the information given in that reply. The data subject replied that § 24(6) DSG does not apply to violations of Article 13 GDPR and that, even if it did apply, the controller had still failed to provide all information required under Article 13 GDPR.

Dispute

In essence, the DSB had to decide whether § 24(6) DSG, which allows a controller to rectify data protection violations until the end of the proceedings before the DSB, also applies to violations of Article 13 (and 14) GDPR.

Holding

According to the DSB, § 24(6) DSG also applies to violations of Articles 13 and 14 GDPR. A controller may therefore rectify any data protection violation until the end of the proceedings before the DSB. If a controller does so, the DSB stops the proceedings and no formal decision is issued. Nevertheless, as the controller failed to provide information under Article 13(1)(a) to (f) GDPR even until the end of the proceedings, the DSB held that the controller is under the obligation to provide this information within four weeks. The controller was also put under the obligation to adapt its data protection notice accordingly within a period of four weeks and to submit the adapted notice to the DSB.

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.