The Austrian data protection authority has issued an order against a company based in Switzerland for breach of the GDPR (Decision dated August 22, 2019, PDF). The company concerned apparently operated a website with the country code domain .at, provided services in Austria and also operated hotels there. The complainant who had come to the attention of the authority was a resident of Austria (and a lawyer with a doctorate there). The starting point of the matter was apparently an advertising e‑mail, after contacts had not resulted in a booking.
The data protection authority considered Article 3 (2) (a) of the GDPR to be fulfilled (targeting). Next, the Swiss controller had “collected” personal data via a contact form, which is why Art. 13 GDPR was applicable. The information obligation was violated because the required information was available on a website, but the controller had not pointed this out to the data subject. Also, not all of the required information was subsequently provided until the conclusion of the proceedings. In particular, the indication of a “data protection officer” was insufficient because the GDPR does not know this term (internal contact point/DPO/EU representative?). The information was also insufficiently specific or missing in other respects.
The authority therefore ordered the missing information to be submitted within four weeks.