Back to Feed
GDPRJul 2, 2026

OLG Wien - 11R86/25k

Austrian court rules GDPR access requests are not abusive for litigation evidence.

Summary

An Austrian court has ruled that a data subject's GDPR Article 15 access request is not abusive, even if used to gather evidence for a legal dispute. The court cited CJEU judgments, emphasizing that such requests are legitimate when serving a proper purpose. It also rejected the controller's claim that the data subject's own personal data could be considered trade secrets.

Full text

Help OLG Wien - 11R86/25k: Difference between revisions From GDPRhub Jump to:navigation, search VisualWikitext Revision as of 15:47, 2 July 2026 view sourceDs (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators117 edits Tag: submission [1.0] Latest revision as of 15:52, 2 July 2026 view source Ds (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators117 editsm Tag: Visual edit Line 78: Line 78: === Holding ====== Holding === The court referred to the CJEU judgment in Case C-132/21 and ruled that it was permissible to pursue in parallel dual legal remedies, at least until a final decision has been issued.The court referred to the CJEU judgment in [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:62021CJ0132 Case C-132/21] and ruled that it was permissible to pursue in parallel dual legal remedies, at least until a final decision has been issued. The court confirmed that an access request under [[Article 15 GDPR|Article 15 GDPR]] is not abusive where it serves a legitimate purpose within the meaning of Recital 63 GDPR. It cited CJEU C-307/22 and held that an access request may legitimately be used to obtain evidence for litigation. The court confirmed that an access request under [[Article 15 GDPR]] is not abusive where it serves a legitimate purpose within the meaning of Recital 63 GDPR. It cited [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:62022CJ0307 CJEU C-307/22] and held that an access request may legitimately be used to obtain evidence for litigation. Regarding trade secrets, the court stated that protected information must be secret, commercially valuable and subject to appropriate confidentiality obligations. It found that the controller had failed to explain how the data subject’s own personal data could qualify as trade secrets against themselves. Regarding trade secrets, the court stated that protected information must be secret, commercially valuable and subject to appropriate confidentiality obligations. It found that the controller had failed to explain how the data subject’s own personal data could qualify as trade secrets against themselves. Latest revision as of 15:52, 2 July 2026 OLG Wien - 11R86/25k Court: OLG Wien (Austria) Jurisdiction: Austria Relevant Law: Article 15 GDPR Decided: 09.07.2025 Published: 23.06.2026 Parties: National Case Number/Name: 11R86/25k European Case Law Identifier: ECLI:AT:OLG0009:2025:01100R00086.25K.0709.000 Appeal from: Appeal to: Not appealed Original Language(s): German Original Source: RIS (in German) Initial Contributor: ds A court held that a controller could not refuse an access request merely because of the data subject's intention to use the information in their legal dispute. It rejected the controller’s arguments that the request was an abusive and that the data subject’s own personal data could be withheld as trade secrets. Contents 1 English Summary 1.1 Facts 1.2 Holding 2 Comment 3 Further Resources 4 English Machine Translation of the Decision English Summary Facts The data subject was a tenant in an apartment owned by the controller. Termination proceedings were pending between the parties. During those proceedings, the data subject submitted photos and documents suggesting that the controller had been monitoring them. They subsequently submitted an access request, seeking access to personal data processed about them, including among other things, information concerning their heating and hot-water consumption. The controller refused to provide the requested information. The data subject claimed that the refusal had left them with a feeling of powerlessness, stress and uncertainty about the extent to which their private activities had been monitored and their personal data processed. They therefore filed a claim for damages. The controller argued that the data subject’s access request was an abusive exercise of rights because it had been submitted in the context of the termination proceedings. It claimed that their sole intention was to obtain evidence for that dispute. It alleged that the data subject had not shown any interest in this information prior to the court proceedings. The controller also argued that the requested information was protected as its trade secrets. It further requested that the proceedings in this case be stayed until the termination proceedings and the proceedings pending before the Austrian DPA had been finally resolved. The first-instance court rejected the motion for a stay and upheld the data subject’s claims. It found that the access request was not abusive, as the data subject pursued legitimate purposes under Recital 63. It held that the data subject sought to obtain information about the data concerning them and verifying the lawfulness of that processing. It further held that trade secrets could override the right of access only in special circumstances and that the controller’s purpose to avoid giving the data subject an advantage in the termination proceedings was not sufficient. The controller appealed to the Higher Regional Court of Vienna (OLG Wien). It maintained that the access request was abusive and that it was entitled to refuse access in order to protect its trade secrets. Holding The court referred to the CJEU judgment in Case C-132/21 and ruled that it was permissible to pursue in parallel dual legal remedies, at least until a final decision has been issued. The court confirmed that an access request under Article 15 GDPR is not abusive where it serves a legitimate purpose within the meaning of Recital 63 GDPR. It cited CJEU C-307/22 and held that an access request may legitimately be used to obtain evidence for litigation. Regarding trade secrets, the court stated that protected information must be secret, commercially valuable and subject to appropriate confidentiality obligations. It found that the controller had failed to explain how the data subject’s own personal data could qualify as trade secrets against themselves. The court emphasised that the controller’s primary concern was that the data subject could gain an advantage in the termination proceedings with this information. However, it pointed out that neither GDPR nor the Austrian Code of Civil Procedure permitted a party to tactically withhold information merely to strengthen its position in a legal dispute. The court therefore dismissed the controller’s appeal in its entirety and upheld the award of €1,000 in non-material damages to the data subject. Comment Share your comments here! Further Resources Share blogs or news articles here! English Machine Translation of the Decision The decision below is a machine translation of the German original. Please refer to the German original for more details. Head The Higher Regional Court of Vienna, acting as the court of appeal and appellate proceedings, through the presiding judge of the Higher Regional Court, Dr. Primus, and judges Mag. Fidler and Dr. Berka, in the case of the plaintiff Mag. A*, born on **, **, represented by JEANNEE Rechtsanwalt GmbH in Vienna, against the defendant B* GmbH, FN **, **, represented by Dr. Sascha Salomonowitz, LL.M., attorney-at-law in Vienna, concerning the disclosure of data (valued at EUR 6,000) and EUR 1,000 in damages, decided in a non-public session I. and II. as follows: The Higher Regional Court of Vienna, acting as the court of appeal and appellate proceedings, through the presiding judge of the Higher Regional Court, Dr. Primus, and judges Mag. Fidler and Dr. Berka, in the case of the plaintiff Mag. A*, born on **, **, represented by JEANNEE Rechtsanwalt GmbH in Vienna, against the defendant B* GmbH, FN **, **, represented by Dr. Sascha Salomonowitz, LL.M., attorney-at-law in Vienna, concerning the disclosure of data (valued at EUR 6,000) and EUR 1,000 in damages. Primus, presiding judge, and Judges Mag. Fidler and Dr. Berka of the Higher Regional Court, in the case of the plaintiff Mag. A*, b

Entities

Article 15 GDPR (product)