17.08.2021
The interaction of administrative and judicial procedures in connection with the General Data Protection Regulation (and the Austrian Data Protection Act) is quite complicated. For “supervisory procedures“ (in Austria, the data protection authority is responsible, then the Federal Administrative Court and finally the courts of public law), Art. 55 GDPR provides that each supervisory authority is responsible in the territory of its own member state. In general, it can be concluded from this that for data subjects living in Austria, the Austrian data protection authority is primarily responsible (regardless of the member state or third country in which a controller is based). In certain cases, the supervisory authority of the controller’s country of residence must be involved; if necessary, this authority can then also decide on the matter. However, the supervisory authority that the data subject has legitimately turned to in his or her home country is always the contact person for the data subject. Legal protection may also be sought in this member state, i.e. a complaint may be lodged, if a decision is made that the data subject does not want to accept.
As is well known, the GDPR's legal protection system is a two-track one - in addition to the possibility of complaining to a supervisory authority, a data subject also has the right to a judicial and effective remedy under Art. 79 GDPR. In this case, although legal action must generally be taken at the registered office of the data controller, a data subject can also take legal action before the courts of his or her own member state.
In the proceedings relating to 6 Nc 19/21b, the Austrian Supreme Court, the Supreme Court, ruled on August 3, 2021 that not only international jurisdiction under the General Data Protection Regulation is located in the country. In addition, it also applies in favor of the person concerned that from a local point of view, an action can be brought before the regional court (Section 29 (2) DSG) in whose district the plaintiff has his habitual residence, registered office or branch. Even if Article 79 (2) GDPR does not regulate local jurisdiction, a so-called ordination pursuant to Section 28 JN would not be necessary (this is an interim procedure with which a plaintiff can turn to the Supreme Court if the local jurisdiction of an Austrian court is unclear and asks the Supreme Court to determine jurisdiction from a local point of view). To put it simply, an action can be brought at the plaintiff's place of residence without such an interim procedure.
This decision is a clarification of the decision on 6 Ob 91/19d, where it was determined that the respective local regional court is not only responsible for damages in the narrow sense, but must also decide on other civil law claims under the GDPR or the DSG. This "autonomous jurisdiction of the respective regional court" is particularly relevant for proceedings conducted before the Viennese courts, since in Vienna (and only in Vienna) an independent district court for commercial matters and an independent commercial court have been established. This dual jurisdiction is also a significant innovation of the GDPR, since the old legal situation (Section 31 Paragraph 2 DSG 2000) did not provide for parallel jurisdiction. At that time, the data protection authority only recognized a right to confidentiality, correction or deletion in complaints about the violation if the claim could not be asserted before an ordinary court in accordance with Section 32 Paragraph 1 DSG 2000.
The clarification by the Supreme Court is essential. It can be assumed that parallel to a supervisory authority complaint procedure, a court procedure can also be conducted at the place of residence of the person concerned.