DSB AT: Fine for deletion instead of information

The Austrian Data Protection Authority (DPA) has fined a company EUR 9,500 because the company first left a request for information unanswered and then deleted the personal data instead of providing the information, apparently not intentionally but negligently.

This decision is based directly on the ECJ's Deutsche Wohnen case law, according to which the member states cannot make a fine under the GDPR dependent on the infringement being attributed to a specific person; rather, legal persons should be liable for all infringements committed in the course of their business activities. Section 30 of the Austrian Data Protection Act stipulates that a fine against a legal entity requires the attribution of the infringement to a specific and named natural person. Due to the ECJ ruling, the DPA no longer applies this provision.

The following factors, among others, were relevant for the assessment of the fine:

  • Group turnover, here around EUR 98 million;
  • there were no previous violations of the GDPR;
  • the company had cooperated with the DPA, “in particular by not denying the alleged facts, admitting its misconduct and showing understanding after receiving the request for justification. The defendant showed remorse and the DPA assumes that it will not commit such a violation of the rights of a data subject in the future”;
  • the company had provided information about the remaining data in the complaints procedure.

It is therefore better late than never for companies to comply with data subjects’ rights in order to minimize risks or reduce fines, even if things have already gone wrong, and of course it helps to cooperate with the authorities within reasonable limits.
