Enforcement of GDPR Infringements by Third Parties – First Decision of the Austrian Supreme Court


While the GDPR deals extensively with the rights and claims of data subjects, it mainly leaves the provisions for the assertion of such claims by third parties to the member states and their courts. In a recent decision, the Austrian Supreme Court now addressed this matter for the first time (OGH 26.11.2019, 4 Ob 84/19k): violations of data protection rights can only be asserted by the affected data subject.

Case facts: A lawsuit brought by an association

The decision was prompted by a lawsuit filed by the Austrian Psychotherapists Association against a psychotherapist registered in Austria and his company. The latter operated an online service and information website where a list of all psychotherapists registered in Austria was available. This list had been published by the Austrian Ministry of Health and was posted on the website by the defendant without the consent or prior information of the listed persons.

The complainant association did not assert an infringement of its own rights but applied – on its own behalf – for injunctive relief for violation of the data protection rights of its members. The association argued inter alia that, in addition to the infringement of Articles 6 and 14 GDPR, the defendants had thereby also gained an unfair competitive advantage according to section 1 of the Austrian Act against Unfair Competition.

Ruling of the Supreme Court:

The Supreme Court dismissed the complaint on the grounds, among others, that the association lacked the standing to sue:

While Article 28 of the Austrian Data Protection Act expressly regulates the representation of data subjects by a data protection association in proceedings before the data protection authority, the Austrian legislator has not made use of the possibility of Art. 80 (2) GDPR. Thus, Austrian law neither provides for a class action nor for a possibility for associations to assert an infringement of rights independently of any mandate from the data subject. A violation of Articles 6 and 14 GDPR can therefore only be asserted by the affected data subject or prosecuted by the data protection authority.

The claim for injunctive relief based on the unfair competitive advantage was also rejected: Referring to its case law, the Supreme Court stated, that violations of exclusive rights (such as trademarks, patents or copyrights) of third parties that do not entail official sanctions and do not concern protected interests of the general public, in principle cannot be asserted as an unfair business practice. According to the Supreme Court, the right to data protection is a personal right and thus an exclusive right only to be asserted personally by the data subject. Competitors like the complainant association cannot claim such rights because they are not generally binding standards of conduct for the general public. An infringement of data protection rights violates only individual interests of the affected data subject and therefore cannot lead to a claim for unfair competition by a third party.

Unanswered questions and what to expect:

In its decision, the Supreme Court left unanswered whether claims under the GDPR are enforceable at all under unfair competition law, or whether the GDPR contains a final regime regarding the enforcement of rights. In the latter case, the path to enforcement by way of unfair competition law would be barred. This question is currently being addressed in a number of court cases throughout the EU. In this respect, the final word on this matter has not yet been spoken.


Article provided by: Stephan Winklbauer (AHW Law, Austria)




Discover more about INPLP, the INPLP-Members and the GDPR-FINE database

Dr. Tobias Höllwarth (Managing Director INPLP)

What is the INPLP?

INPLP is a not-for-profit international network of qualified professionals providing expert counsel on legal and compliance issues relating to data privacy and associated matters. INPLP provides targeted and concise guidance, multi-jurisdictional views and practical information to address the ever-increasing and intensifying field of data protection challenges. INPLP fulfils its mission by sharing know-how, conducting joint research into data processing practices and engaging proactively in international cooperation in both the private and public sectors.