A Vienna Regional Court judge issued a judgment in a GDPR case against Facebook that contains minimal substantive analysis of compliance issues, explicitly deferring complex questions to higher courts. This highlights ongoing challenges in GDPR enforcement for individual plaintiffs and may lead to future CJEU referrals that could establish important precedents across Europe.
The Austrian Data Protection Authority (DSB) has issued a landmark enforcement decision declaring that the use of Google Analytics violates GDPR due to illegal EU-US data transfers under the 'Schrems II' ruling. This sets a precedent likely to trigger similar enforcement actions across EU member states, pressuring companies to adopt compliant alternatives like EU-hosted services.
The Austrian Data Protection Authority (DSB) has issued a processing ban against credit agency KSV1870 for unlawful fully automated credit scoring practices, violating GDPR Article 22 on automated decision-making. This enforcement action, following a similar 2023 CJEU ruling, signals increased regulatory scrutiny of automated credit assessments and transparency obligations in financial services.
The Austrian Data Protection Authority (DSB) issued a decision finding Microsoft 365 Education in violation of GDPR for illegally tracking students without consent and failing to provide adequate data access. This enforcement action highlights Microsoft's primary responsibility for data processing decisions and has implications for millions of users across Europe, with German authorities raising similar concerns.
The Austrian Federal Administrative Court issued a contradictory decision that allows mobile providers to deny GDPR access requests for sensitive location data by requiring users to prove exclusive device usage with impossible standards. This enforcement action could undermine data subject rights for mobile, smartwatch, and health app users across the EU if upheld on appeal.
The Austrian data protection authority (DSB) issued its first decision on noyb's GDPR complaints against streaming services, rejecting the Flimmit case due to ex-post compliance during proceedings. This reveals a procedural loophole in Austrian law allowing companies to avoid fines by remedying violations after complaints are filed, potentially undermining GDPR's dissuasive penalties. The decision also highlights significant enforcement delays, taking over 18 months versus the legal 6-month deadline.
The Austrian Data Protection Authority (DSB) has approved DerStandard.at's 'Pay or Okay' subscription model, where users must either consent to data processing for personalized advertising or pay €6/month for privacy protection. This decision raises significant GDPR compliance concerns about voluntary consent and could set a precedent allowing companies to monetize privacy rights. Privacy activist Max Schrems is challenging the ruling, creating uncertainty for businesses using similar models.
The Austrian Data Protection Authority has ruled that Meta's tracking tools (Facebook Login and Meta Pixel) violate GDPR and the Schrems II decision due to US surveillance risks. This enforcement action affects nearly all EU websites using these tools for analytics and personalized ads, highlighting ongoing non-compliance with transatlantic data transfer requirements.
Severe budget cuts at the Austrian Data Protection Authority (DSB) are crippling its ability to enforce GDPR compliance, with only 62 fines issued from 3,813 complaints in 2024. NGOs have filed a complaint with the European Commission alleging Austria violates GDPR funding requirements, potentially triggering EU infringement proceedings. This undermines data protection rights and creates enforcement uncertainty for organizations operating in Austria.
The Austrian Federal Administrative Court upheld a Data Protection Authority decision finding that DerStandard newspaper's 'Pay or Okay' model violates GDPR consent requirements by not allowing selective consent to specific processing purposes. This enforcement action signals increased scrutiny of consent mechanisms and may set a precedent for similar models across the EU, potentially requiring businesses to revise their cookie banners and consent frameworks.
The privacy organization noyb is preparing a class action lawsuit against CRIF for potential GDPR violations in its credit scoring practices in Austria. The Austrian data protection authority has previously ruled parts of CRIF's database non-compliant, and this enforcement action signals increased regulatory scrutiny of automated decision-making and data processing in credit scoring.
An Austrian bank is appealing a Data Protection Authority ruling that enforced GDPR's free right to access personal data, arguing banking regulations allowing fees should take precedence. This case could set a precedent for how financial institutions balance data privacy compliance with sector-specific banking rules across the EU.
A GDPR complaint has been filed against A1 Telekom Austria for denying customers access to their traffic and location data, citing conflicting national laws. This enforcement action signals increased regulatory scrutiny of telecommunications providers' compliance with GDPR data access rights and transparency requirements.
A GDPR complaint has been filed against CRIF GmbH and AZ Direct in Austria for illegal data exchange violating purpose limitation principles. The Austrian Data Protection Authority could impose fines up to €20 million or 4% of annual turnover if the complaint is upheld, signaling increased enforcement scrutiny of data trading practices.
The Austrian Data Protection Authority issued a decision against credit reporting agency CRIF, ruling that its demographic-based credit scoring constitutes 'profiling' under GDPR and violates transparency requirements. CRIF must redesign credit reports to disclose the basis of scores and explain scoring logic to consumers, though the decision is non-binding and subject to appeal. This enforcement action signals increased scrutiny of automated decision-making in credit assessments under GDPR.
The Austrian Data Protection Authority (DSB) ruled that location and traffic data from mobile devices may not be considered 'personal' under GDPR if users cannot prove exclusive device use, limiting data access rights under Article 15. Privacy organization noyb has appealed to the Federal Administrative Court, arguing this creates impossible proof burdens and undermines GDPR protections. This enforcement action signals potential regulatory divergence in interpreting personal data scope, affecting companies handling mobile data in Austria.
The Austrian Data Protection Authority (DSB) ruled that credit reporting agency KSV 1870 violated GDPR by systematically collecting personal data from GDPR Article 15 access requests and repurposing it for credit scoring. This enforcement action reinforces the purpose limitation principle and sets a precedent for data brokers, ordering deletion of unlawfully processed data. Companies must ensure data collected for specific purposes like identity verification is not reused without compatibility assessments.
The Austrian data protection authority (DSB) has ruled that Clearview AI's biometric data processing violates GDPR, ordering the company to delete complainant data and appoint an EU representative. This enforcement action highlights GDPR's extraterritorial reach and ongoing scrutiny of biometric data practices, though no fine was issued in this specific case.
The Austrian data protection authority is investigating KSV1870 creditors' association for systematically violating GDPR Article 15 by charging fees for data access that must be free. This enforcement action signals increased scrutiny of organizations that monetize GDPR rights through deceptive practices, particularly targeting vulnerable populations like visa applicants. Companies must ensure their data subject request processes are genuinely free, accessible, and timely to avoid similar penalties.
The Austrian Data Protection Authority (DSB) ruled in August 2024 that media group Kurier unlawfully processed personal data by forcing users to consent to tracking cookies without a valid decline option, violating GDPR consent requirements. This enforcement action highlights increased regulatory scrutiny on consent bypass practices and underscores the need for compliant cookie consent mechanisms.