Data Protection Authority Austria: Order against a company in Switzerland

The Austrian data protection authority has issued an order against a company based in Switzerland for breach of the GDPR (Decision dated August 22, 2019, PDF). The company concerned apparently operated a website with the country code domain .at, provided services in Austria and also operated hotels there. The complainant, who had come to the attention of the authority, was a resident of Austria (and a lawyer with a doctorate there). The starting point of the matter was apparently an advertising e-mail that followed contacts which had not resulted in a booking.

The data protection authority considered Article 3 (2) (a) of the GDPR to be fulfilled (targeting). Next, the Swiss controller had “collected” personal data via a contact form, which is why Art. 13 GDPR was applicable. The information obligation was violated because, although the required information was available on a website, the controller had not pointed this out to the data subject. Also, not all of the required information had subsequently been provided by the conclusion of the proceedings. In particular, the indication of a “data protection officer” was insufficient because the GDPR does not use this term (internal contact point/DPO/EU representative?). The information was also insufficiently specific or missing in other respects.

The authority therefore ordered the missing information to be submitted within four weeks.



