DSB (Austria) – 2025-0.813.131

10 February 2026


{{DPAdecisionBOX

|Jurisdiction=Austria
|DPA-BG-Color=
|DPAlogo=LogoAT.png
|DPA_Abbrevation=DSB
|DPA_With_Country=DSB (Austria)

|Case_Number_Name=2025-0.813.131
|ECLI=DSBT_20251010_2025_0_813_131_00

|Original_Source_Name_1=RIS
|Original_Source_Link_1=https://www.ris.bka.gv.at/Dokument.wxe?ResultFunctionToken=71798ae9-5897-4ab1-893d-25b7443a8397&Position=1&SkipToDocumentPage=True&Abfrage=Dsk&Entscheidungsart=Undefined&Organ=Undefined&SucheNachRechtssatz=True&SucheNachText=True&GZ=&VonDatum=01.01.1990&BisDatum=&Norm=&ImRisSeitVonDatum=&ImRisSeitBisDatum=&ImRisSeit=EinerWoche&ResultPageSize=100&Suchworte=DSGVO&Dokumentnummer=DSBT_20251010_2025_0_813_131_00
|Original_Source_Language_1=German
|Original_Source_Language__Code_1=DE
|Original_Source_Name_2=
|Original_Source_Link_2=
|Original_Source_Language_2=
|Original_Source_Language__Code_2=

|Type=Complaint
|Outcome=Upheld
|Date_Started=19.09.2025
|Date_Decided=10.10.2025
|Date_Published=09.02.2026
|Year=2025
|Fine=
|Currency=

|GDPR_Article_1=Article 5 GDPR
|GDPR_Article_Link_1=Article 5 GDPR
|GDPR_Article_2=
|GDPR_Article_Link_2=
|GDPR_Article_3=
|GDPR_Article_Link_3=

|EU_Law_Name_1=
|EU_Law_Link_1=
|EU_Law_Name_2=
|EU_Law_Link_2=

|National_Law_Name_1=§1 DSG
|National_Law_Link_1=https://www.ris.bka.gv.at/NormDokument.wxe?Abfrage=Bundesnormen&Gesetzesnummer=10001597&Artikel=1&Paragraf=1&Anlage=&Uebergangsrecht=
|National_Law_Name_2=
|National_Law_Link_2=
|National_Law_Name_3=
|National_Law_Link_3=

|Party_Name_1=
|Party_Link_1=
|Party_Name_2=
|Party_Link_2=

|Appeal_To_Body=
|Appeal_To_Case_Number_Name=
|Appeal_To_Status=
|Appeal_To_Link=

|Initial_Contributor=xz
|
}}

The DPA held that an event organiser’s use of a data subject’s email address, provided for ticket purchase, to send a marketing email without consent and to disclose the address via an open CC field violated the subject’s right to secrecy.

== English Summary ==

=== Facts ===
A data subject purchased tickets from an event organizer (the controller), and provided his email address for ticket delivery. The controller then sent a newsletter containing advertising for an upcoming event. The email included the data subject’s email address in the CC field, which resulted in disclosure of his address to a large, indefinite group of third parties.

The data subject had never consented to receiving marketing communications or to the disclosure of his email address to third parties. He subsequently filed a complaint with the Austrian Data Protection Authority (DSB), claiming that the controller had violated his right to secrecy under [https://www.ris.bka.gv.at/NormDokument.wxe?Abfrage=Bundesnormen&Gesetzesnummer=10001597&Artikel=1&Paragraf=1&Anlage=&Uebergangsrecht= § 1 DSG] and the GDPR.

=== Holding ===
The DSB upheld the complaint, finding that the controller unlawfully violated the complainant’s right to secrecy.

First, sending a marketing email without prior consent constituted an interference with the data subject’s right to secrecy under [https://www.ris.bka.gv.at/NormDokument.wxe?Abfrage=Bundesnormen&Gesetzesnummer=10001597&Artikel=1&Paragraf=1&Anlage=&Uebergangsrecht= § 1 DSG]. Second, disclosing the complainant’s email address in an open CC field to multiple recipients violated the principle of data minimization under [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]], as no legitimate interest or consent justified the disclosure.

The DPA therefore established both violations, holding the controller accountable for processing the data subject’s personal data in an unlawful manner.

== Comment ==
''Share your comments here!''

== Further Resources ==
''Share blogs or news articles here!''

== English Machine Translation of the Decision ==
The decision below is a machine translation of the German original. Please refer to the German original for more details.

<pre>
Text

File No.: 2025-0.813.131 of October 10, 2025 (Case No.: DSB-D124.3364/25)

[Note from the editor: Names and companies, legal forms and product names, addresses (including URLs, IP and email addresses), file numbers (and the like), statistical data, etc., as well as their initials and abbreviations, may have been abbreviated and/or altered for pseudonymization purposes. Obvious spelling, grammar, and punctuation errors have been corrected.]

DECISION

RULING

The Data Protection Authority decides on the data protection complaint of Dieter A***, BA (complainant) of September 19, 2025, against Richard N*** e.U. (z*** events) (Respondent) for violation of the right to confidentiality as follows:

1. The complaint is granted and it is determined that the Respondent violated the complainant’s right to confidentiality by unlawfully processing the complainant’s email address when sending the email of September 2, 2025.

2. The complaint is granted and it is determined that the Respondent violated the complainant’s right to confidentiality by disclosing the complainant’s email address to third parties when sending the email of September 2, 2025.

Legal basis: Articles 4, 5(1), 51(1), 57(1)(f) and 77(1) of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter: GDPR), OJ No. L 119 of 4.5.2016, p. 1; Sections 1, 18(1) and 24(1) and (5) of the Data Protection Act (DSG), Federal Law Gazette I No. 165/1999 as amended; Section 174 of the Telecommunications Act 2021 (TKG 2021), Federal Law Gazette I No. 190/2021 as amended.

REASONING

A. Submissions of the Parties and Procedural History

1. The proceedings were initiated following the appeal of September 19, 2025.

2. By letters dated September 30, 2025, and October 3, 2025, the respondent submitted a statement.

3. The complainant submitted a statement dated October 7, 2025, during the hearing granted by the Data Protection Authority.

B. Subject Matter of the Complaint

Based on the complainant’s submissions, the subject matter of the complaint is whether the respondent violated the complainant’s right to confidentiality by unlawfully using his email address for sending the newsletter (email dated September 2, 2025) and by disclosing the email address to unauthorized third parties in the email dated September 2, 2025.

C. Findings of the Facts

C.1. The respondent is a sole proprietor active in the event industry.

C.2. In August 2025, the complainant purchased tickets for the event “**** in V***,” which was organized by the respondent. In connection with this ticket purchase, the complainant provided his email address, “contact@dietera***.eu,” which was used for ticket delivery.

Evaluation of evidence: The findings are based on the respondent’s statements of September 30, 2025, and October 3, 2025, as well as the complainant’s statement of October 7, 2025.

C.3. On September 2, 2025, the respondent sent an email to the complainant using the email address “contact@dietera***.eu.” The email contained advertising for an upcoming event organized by the respondent. This email did not give the complainant the option to refuse the use of his electronic contact information.

C.4. In the email dated September 2, 2025, the CC field contained, in addition to the complainant’s email address, the addresses of numerous third parties unknown to the complainant, thus disclosing the complainant’s email address to them.

C.5. The complainant never consented to receiving advertising in the form of an email newsletter (or to disclosing his email address to third parties).

Evaluation of evidence: The findings are based on the undisputed contents of the file under case number D124.3364/25. The findings regarding the lack of an option to refuse the use of electronic contact information and the absence of consent are based on the respondent’s statement of October 3, 2025, the appellant’s initial submission of September 19, 2025, and the accompanying copy of the email in question, dated September 2, 2025. The respondent did not dispute until the very end that the appellant had not consented to the sending of the email.

D. The following legal conclusions can be drawn:

D.1. Regarding the sending of the email (Ruling 1)

The appellant argues, firstly, that the mere sending of the (advertising) email constitutes an unlawful infringement of his right to privacy.

According to Section 1 Paragraph 1 of the Data Protection Act (DSG), everyone has the right to the confidentiality of their personal data, particularly with regard to respect for their private and family life, insofar as there is a legitimate interest in doing so.

In the case of the complainant, who was identifiable by an email address consisting of his (family) name, this undoubtedly constitutes personal data within the meaning of Article 4(1) of the GDPR. Sending an email qualifies as processing within the meaning of Article 4(2) of the GDPR.

Regarding the lawfulness of sending emails, it should be noted at the outset that the sending of electronic mail (email, SMS) for direct marketing purposes is not governed by the GDPR, but by Article 13(1) and (2) of Directive 2002/58/EC (the “ePrivacy Directive”), which takes precedence over the GDPR as a lex specialis (see Article 95 GDPR). Article 13 of the ePrivacy Directive was transposed into Austrian law by Section 107 of the Telecommunications Act 2003 (TKG 2003), now Section 174 of the Telecommunications Act 2021 (TKG 2021).

However, this does not mean that the complainant is not entitled to file a data protection complaint pursuant to Section 24(1) of the Data Protection Act (DSG) or Article 77(1) of the GDPR. While the permissibility of sending emails for direct marketing purposes is governed – as explained – exclusively by the provisions of the Austrian Telecommunications Act 2021 (TKG 2021), thus precluding an assessment of the lawfulness of the processing within the meaning of Article 6 GDPR, a violation of the TKG may simultaneously constitute an infringement of the right to confidentiality under Section 1(1) of the Austrian Data Protection Act (DSG) and also a violation of those provisions of the GDPR that do not impose additional obligations on the controller within the meaning of Article 95 GDPR (see the decision of the Austrian Data Protection Authority (DSB) of October 31, 2018, file number: DSB-D123.076/0003-DSB/2018, available in the Austrian Legal Information System (RIS)).

The term “direct marketing” is not defined in detail in either the GDPR or the TKG 2021. According to Austrian case law on Section 107 of the Telecommunications Act 2003 (prohibition of unsolicited messages, “spam clause”), which is applicable to Section 174 of the Telecommunications Act 2021, “direct marketing” is understood to mean any content that promotes a specific product, but also a specific idea, including specific political concerns, or provides arguments for it (see Austrian Administrative Court [VwGH] 2011/03/0198).

In the present case, a newsletter was sent out that advertised and announced an upcoming event organized by the respondent, which constitutes direct marketing. The existence of consent or any other legal basis for such marketing must therefore be examined solely on the basis of the specific provision of the Telecommunications Act 2021 (TKG 2021), specifically Section 174 (“Unsolicited Communication”).

Section 174, paragraph 3 of the Telecommunications Act 2021 (TKG 2021) establishes as a general rule that sending an electronic message without the recipient’s prior consent is inadmissible if the message is sent for direct marketing purposes.

Exceptions to this general rule are regulated in Section 174, paragraph 4 of the TKG 2021, the requirements for which must be met cumulatively. Since – as established – no consent exists, only Section 174, paragraph 4 of the TKG 2021 is applicable as a legal basis.

In the present case, the respondent did receive the complainant’s email address during an order process (Section 174, Paragraph 4, Item 1, TKG 2021) and used this email address for direct marketing purposes on September 2, 2025 (Section 174, Paragraph 4, Item 2, TKG 2021).

However, the findings indicate that the complainant was not given the opportunity to refuse the use of his electronic contact information free of charge and without difficulty (Section 174 Paragraph 4 Item 3 of the Telecommunications Act 2021). Linking the disclosure of contact information for the purpose of notifying the data subject with processing for direct marketing purposes without (at least) a clear and unambiguous “opt-out option” when the email address/contact information is collected does not comply with the requirements of Section 174 Paragraph 4 of the Telecommunications Act 2021.

The exception allowing for the waiver of the data subject’s consent if all the requirements of Section 174, Paragraph 4, of the TKG are met is therefore not applicable in this case.

Against this background, the sending of the email in question was found to be unlawful, and a violation of the right to confidentiality was established due to a breach of Section 174, Paragraph 3 of the Telecommunications Act 2021 (TKG 2021) (Ruling 1).

Therefore, the decision was rendered accordingly.

D.2. Disclosure of the email address (“open email distribution list”) (Ruling 2)

In addition to the unlawfulness of the sending, the complainant also objected that his email address had been disclosed to an indefinite (large) group of people through the use of the “CC” function (so-called “open email distribution list”).

As the findings show, no consent was obtained in this regard either, and in the opinion of the data protection authority, no reason and therefore no legitimate interest is apparent for the processing purpose pursued here as to why BCC delivery was not used as a data minimization method (cf. Art. 5 para. 1 lit. c GDPR). The respondent himself admitted in the proceedings that this was an oversight.

The disclosure of the complainant’s email address was therefore unlawful, and the finding of a violation of the right to confidentiality pursuant to Section 1(1) of the GDPR (point 2 of the ruling) was thus also based on this.

The decision was therefore rendered accordingly.
</pre>