The Austrian Data Protection Authority (DPA) has fined a company EUR 9,500 because the company first left a request for information unanswered and then deleted the personal data instead of providing the information, apparently not intentionally but negligently.
This decision is based directly on the Deutsche Wohnen case law of the ECJ, according to which the member states cannot make a fine under the GDPR dependent on the infringement being attributed to a specific person; rather, legal persons should be liable for all infringements committed in the course of their business activities. Section 30 of the Austrian Data Protection Act stipulates that a fine against a legal entity requires the attribution of the infringement to a specific and named natural person. Due to the ECJ ruling, the DPA no longer applies this provision.
The following factors, among others, were relevant for the assessment of the fine:
- Group sales, here around EUR 98 million;
- there were no previous violations of the GDPR;
- the company had cooperated with the DPA, “in particular by not denying the alleged facts, admitting its misconduct and showing understanding after receiving the request for justification. The defendant showed remorse and the DPA assumes that it will not commit such a violation of the rights of a data subject in the future”;
- the company had provided information about the remaining data in the complaints procedure.
For companies, it is therefore better to comply with data subjects’ rights late than never, in order to minimize risks or reduce fines, even if things have already gone wrong, and of course it helps to cooperate with the authorities within a reasonable framework.