GDPR - Jun 15, 2026

BVwG - W171 2302513-1

Austrian court rules data transfer to US via SCCs and additional measures insufficient for GDPR.

Summary

An Austrian court has ruled that a magazine publisher's use of Standard Contractual Clauses (SCCs) and additional technical measures was insufficient to ensure EU-level data protection equivalency for personal data transferred to the USA. The court also found the controller violated its information obligations under GDPR Article 13.

Full text

BVwG - W171 2302513-1
From GDPRhub (revision as of 13:55, 15 June 2026)

Court: BVwG (Austria)
Jurisdiction: Austria
Relevant Law: Article 5(2) GDPR; Article 13 GDPR; Article 15 GDPR; Article 44 GDPR; Article 45 GDPR; Article 46(2)(c) GDPR
Decided: 18.05.2026
Published: 09.06.2026
Parties:
National Case Number/Name: W171 2302513-1
European Case Law Identifier: ECLI:AT:BVWG:2026:W171.2302513.1.00
Appeal from: DSB (Austria)
Appeal to: Not appealed
Original Language(s): German
Original Source: RIS (in German)
Initial Contributor: ds

A court determined that although a controller had used Standard Contractual Clauses and implemented additional measures for the transfer of a data subject’s personal data to the USA, these did not ensure EU-level data protection equivalency. It also found that the controller violated its information obligations.

English Summary

Facts

The controller was an Austrian magazine publisher based in Vienna. Its business consisted in publishing and distributing weekly, monthly and other periodicals. The data subject was a long-standing customer of the controller. They held multiple subscriptions.

On 7 March 2022, the data subject received an informational email with regard to one of their subscriptions. The email contained links allowing users to unsubscribe from further emails or manage their email settings. The unsubscribe link led to a website operated by the controller’s marketing software provider. The provider was a company specializing in mass email marketing solutions.
Its parent company was headquartered in the USA, while its subsidiary was based in Germany.

The data subject complained to the controller and requested information regarding the receipt of this email. Additionally, they contended that the transfer of their data to the United States was unlawful. On 25 April 2022, the data subject lodged a complaint with the Austrian DPA. They argued that the controller had failed to properly respond to their access request, had not provided the required information under the GDPR and had apparently transferred personal data to the United States without a valid legal basis.

The controller alleged that the failure to respond happened because of an internal error. It argued that it had subsequently provided the data subject with the information required under Article 13 GDPR, Article 14 GDPR and Article 15 GDPR. The controller further submitted that for the sending of informational emails, it used a marketing software provider, acting as a processor, which offered services for the mass sending of emails. According to the controller, only the data subject’s first name, surname and email address were shared for this purpose. It acknowledged that a transfer to third countries could not be ruled out, but argued that any such transfer was covered by Standard Contractual Clauses (SCCs) and additional technical, contractual and organisational measures. It also referred to amendments it made to its data processing activities after Schrems II to comply with that decision, and to the later migration of existing customer data to European data centres.

The DPA partly upheld the complaint. It found that the controller had infringed Article 44 GDPR because it had not complied with the requirements for transferring the data subject’s personal data to the USA. The DPA also found a violation of Article 13 GDPR, because the controller had failed to provide the data subject with the required information at the time of data collection.
However, the DPA rejected the complaint concerning Article 15 GDPR since the controller had subsequently provided the requested information.

The controller appealed the DPA’s decision before the Austrian Federal Administrative Court. It further argued that the SCCs with the provider and the additional implemented safeguards ensured a level of data protection equivalent to that of the GDPR. It also alleged that there was a reference to this contractual relationship in its privacy policy.

Holding

Regarding the transfer to third countries, the court agreed with the DPA that the processing involved a transfer of personal data to the USA by disclosing the data subject’s first name, surname and email address to the marketing software provider. It pointed out that the provider had used these data at least once for the sending of the email at issue.

The court then assessed the transfer under Chapter V GDPR, which governs transfers of personal data to third countries or to international organizations. It noted that, at the relevant time, there was no adequacy decision under Article 45 GDPR for transfers to the United States. It found that the previous EU-US Privacy Shield had already been declared invalid by the CJEU ruling in Case C-311/18 (Schrems II) and that the later EU-US Data Privacy Framework was not relevant to the case, because it was adopted after the processing at issue.

The court relied heavily on Schrems II. It stated that Standard Contractual Clauses pursuant to Article 46(2)(c) GDPR may constitute appropriate safeguards. Furthermore, it pointed out that the CJEU in that case held that, due to the contractual nature of SCCs, they cannot bind third-country public authorities. The court therefore determined that SCCs may need to be supplemented by additional safeguards, depending on the situation of the third country concerned. The court concluded that the transfer must ensure a level of protection essentially equivalent to that guaranteed within the EU.

The court accepted that the controller and the provider had used the European Commission’s Standard Contractual Clauses and had implemented certain technical, contractual and organisational measures, including encryption, terms of use and storage-management systems. However, it held that although these additional measures increased the level of data protection, they were not sufficient to remedy the core concerns identified by the CJEU in Schrems II, namely the potential access of US authorities to personal data and the lack of effective judicial redress. The court therefore upheld the DPA’s decision that the safeguards implemented by the controller were insufficient. It therefore ruled that the transfer infringed Article 44 GDPR.

Regarding the information obligations, the court also upheld the DPA’s finding of a violation of Article 13 GDPR. It noted that the controller did not actively provide the required information to the data subject at the time of data collection. It also pointed out that it was not enough to argue that a privacy policy existed online. In addition, the court concluded that the controller had violated the accountability principle under Article 5(2) GDPR since it was not able to prove that the required information had been provided to the data subject in accordance with Article 13 GDPR.

The court dismissed the controller’s appeal and upheld the DPA’s findings.

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

Decision Date: May 18, 2026
Legal Norm: Federal Constitutional Law (B-VG) Art. 133 para. 4; GDPR Art. 12; GDPR Art. 13; GDPR Art. 14; GDPR Art. 4 no. 1; GDPR Art. 4 no. 7; GDPR Art. 44; GDPR Art. 45; GDPR Art. 46; GDPR Art. 5

Federal Constitutional Law (B-VG) Art. 133 currently in force; Federal Constitutional Law (B-VG) Art.
133 valid from January 1, 2019 to May 24, 2018, last amended by Federal Law Gazette I No. 138/2017; Federal Constitutional

Entities

RIS (vendor)