Policy, Jun 15, 2026

BVwG - W171 2302513-1

Austrian court upholds DPA decision on GDPR violations regarding data transfer to the US.

Summary

An Austrian data subject filed a complaint against a controller for failing to respond to an access request and transferring personal data to the US without a valid legal basis. The Austrian DPA partly upheld the complaint, finding violations of GDPR Articles 44 and 13. The controller appealed, arguing that Standard Contractual Clauses (SCCs) and additional safeguards were sufficient. However, the court agreed with the DPA, emphasizing that SCCs alone cannot bind third-country authorities and that the implemented measures did not adequately address concerns about US authority access and lack of judicial redress, thus upholding the GDPR infringement ruling.

Full text

From GDPRhub. Latest revision as of 14:00, 15 June 2026.

On 25 April 2022, the data subject lodged a complaint with the Austrian DPA. They argued that the controller had failed to properly respond to their access request, had not provided the required information under the GDPR and had apparently transferred personal data to the United States without a valid legal basis.

The controller alleged that the failure to respond happened because of an internal error. It argued that it had subsequently provided the data subject with the information required under Article 13 GDPR, Article 14 GDPR and Article 15 GDPR. The controller further submitted that for the sending of informational emails, it used a marketing software provider, acting as a processor, which offered services for the mass sending of emails. According to the controller, only the data subject's first name, surname and email address were shared for this purpose. It acknowledged that a transfer to third countries could not be ruled out, but argued that any such transfer was covered by Standard Contractual Clauses (SCCs) and additional technical, contractual and organisational measures. It also referred to amendments it made to its data processing activities after Schrems II to comply with that decision, and to the later migration of existing customer data to European data centres.

The DPA partly upheld the complaint. It found that the controller had infringed Article 44 GDPR because it had not complied with the requirements for transferring the data subject's personal data to the USA. The DPA also found a violation of Article 13 GDPR, because the controller had failed to provide the data subject with the required information at the time of data collection. However, the DPA rejected the complaint concerning Article 15 GDPR since the controller had subsequently provided the requested information.

The controller appealed the DPA's decision before the Austrian Federal Administrative Court. It further argued that the SCCs with the provider and the additional implemented safeguards ensured a level of data protection equivalent to that of the GDPR. It also alleged that there was a reference to this contractual relationship in its privacy policy.

Regarding the transfer to third countries, the court agreed with the DPA that the processing involved a transfer of personal data to the USA by disclosing the data subject's first name, surname and email address to the marketing software provider. It pointed out that the provider had used these data at least once for the sending of the email at issue.

The Court then assessed the transfer under Chapter V GDPR, which governs transfers of personal data to third countries or to international organizations. It noted that, at the relevant time, there was no adequacy decision under Article 45 GDPR for transfers to the United States. It found that the previous EU-US Privacy Shield had already been declared invalid by the CJEU ruling in Case C-311/18 (Schrems II) (https://infocuria.curia.europa.eu/tabs/affair?lang=en&sort=AFF_NUM-DESC&searchTerm=%22C-311%2F18%22&publishedId=C-311%2F18) and that the later EU-US Data Privacy Framework was not relevant to the case, because it was adopted after the processing at issue.

It relied heavily on Schrems II. It stated that Standard Contractual Clauses pursuant to Article 46(2)(c) GDPR may constitute appropriate safeguards. Furthermore, it pointed out that the CJEU in this case held that, due to the contractual nature of SCCs, they cannot bind third-country public authorities. The court therefore determined that SCCs may need to be supplemented by additional safeguards, depending on the situation of the third country concerned. The court concluded that the transfer must ensure a level of protection essentially equivalent to that guaranteed within the EU.
