VwGH – Ro 2023/04/0028

3 February 2026

Lde: Fixed Category

{{COURTdecisionBOX

|Case_Number_Name=Ro 2023/04/0028
|ECLI=ECLI:AT:VWGH:2025:RO2023040028. J00

|Original_Source_Name_1=RIS
|Original_Source_Link_1=https://www.ris.bka.gv.at/Dokument.wxe?Abfrage=Vwgh&Entscheidungsart=Undefined&Sammlungsnummer=&Index=&SucheNachRechtssatz=False&SucheNachText=True&GZ=Ro+2023%252f04%252f0028&VonDatum=&BisDatum=03.02.2026&Norm=&ImRisSeitVonDatum=&ImRisSeitBisDatum=&ImRisSeit=Undefined&ResultPageSize=100&Suchworte=&Position=1&SkipToDocumentPage=true&ResultFunctionToken=4cef7b63-7828-4ba3-87d4-0fbb1dc1ad8c&Dokumentnummer=JWT_2023040028_20251217J00
|Original_Source_Language_1=German
|Original_Source_Language__Code_1=DE
|Original_Source_Name_2=
|Original_Source_Link_2=
|Original_Source_Language_2=
|Original_Source_Language__Code_2=

|Date_Decided=17.12.2025
|Date_Published=27.01.2026
|Year=2025

|EU_Law_Name_1=
|EU_Law_Link_1=
|EU_Law_Name_2=
|EU_Law_Link_2=

|Party_Name_1=
|Party_Link_1=
|Party_Name_2=
|Party_Link_2=

|Initial_Contributor=XZ
|
}}

The Supreme Administrative Court held that Member States may impose procedural time limits on GDPR complaints under their national procedural autonomy, as long as those limits respect the principles of effectiveness and equivalence, founding that the one-year limitation period under Austrian law did not undermine the right to lodge a complaint under [[Article 77 GDPR]].

== English Summary ==

=== Facts ===
In June 2021, the data subject lodged a complaint with the Austrian Data Protection Authority (DSB) under [[Article 77 GDPR]], alleging a violation of his right to data secrecy. The data subject concerned the use of his professional email address by a bank employee (the controller) for a private matter in 2019.

The DSB rejected the complaint on the basis of § [https://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=bundesnormen&Gesetzesnummer=10001597 24(4) of the Austrian Data Protection Act (DSG)], which provides that the right to have a complaint examined expires one year after the data subject becomes aware of the alleged infringement and, in any event, three years after the event. The data subject had acknowledged that he became aware of the alleged breach no later than April 2019, meaning the one-year subjective limitation period had elapsed.

The data subject appealed to the Federal Administrative Court (BVwG), but the court dismissed the appeal.

The data subject then appealed to the Supreme Administrative Court of Austria (VwGH), arguing that [https://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=bundesnormen&Gesetzesnummer=10001597 § 24(4) DSG] was incompatible with [[Article 77 GDPR]], which does not provide for any limitation period, and that national law could not restrict a directly applicable EU right.

=== Holding ===
The Supreme Administrative Court dismissed the appeal as unfounded. It held that [https://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=bundesnormen&Gesetzesnummer=10001597 § 24(4) DSG] is compatible with [[Article 77 GDPR]].

The Court found that, in the absence of EU-level harmonization of procedural time limits, Member States retain procedural autonomy to regulate the modalities for exercising GDPR rights, including the introduction of limitation periods, provided that the principles of equivalence and effectiveness are respected. The one-year subjective limitation period under [https://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=bundesnormen&Gesetzesnummer=10001597 § 24(4) DSG] was deemed reasonable, proportionate, and justified by considerations of legal certainty, and it does not render the exercise of the right to lodge a complaint practically impossible or excessively difficult. Accordingly, the DSB lawfully rejected the complaint as time-barred in the first place.

== Comment ==
”Share your comments here!”

== Further Resources ==
”Share blogs or news articles here!”

== English Machine Translation of the Decision ==
The decision below is a machine translation of the German original. Please refer to the German original for more details.

<pre>
Subject

The Administrative Court, composed of Presiding Judge Dr. Pollak, Judges Dr. Lukasser and Dr. Mayr, Judge Mag. Hainz-Sator, and Judge Mag. Brandl, with Mag. Vonier as Clerk, has ruled on the appeal of Dr. M D, represented by Höhne, In der Maur & Partner Rechtsanwälte GmbH & Co KG in Vienna, against the decision of the Federal Administrative Court of June 12, 2023, file no. W252 2246883-1/4E, concerning a data protection matter (respondent authority before the Administrative Court: Data Protection Authority; other party: Federal Minister of Justice), as follows:

Ruling

The appeal is dismissed as unfounded.
… The appellant is ordered to reimburse the Federal Government for expenses in the amount of €553.20 within two weeks, failing which enforcement proceedings will be initiated.

Grounds

I. Roman numeral one.

1. On June 22, 2021, the appellant filed a data protection complaint with the respondent authority (Data Protection Authority, DPA) pursuant to Article 77 GDPR, alleging a violation of the right to confidentiality because a bank employee had used the appellant’s professional email address for a private matter in 2019, and this violated the specified provisions of the GDPR.

2. By decision dated August 26, 2021, the respondent authority rejected this data protection complaint pursuant to Section 24, paragraphs 1, 2, and 4 of the Data Protection Act.

3. In its reasoning, the Federal Administrative Court (BVwG) stated that the appellant himself had asserted that he had been aware of the alleged data protection breach no later than April 2019. It had not been argued that the alleged breach had continued for a longer period. The appellant had therefore been aware of the data protection breach for over a year at the time the appeal was filed. The relative preclusion period of one year from the date of knowledge of the aggravating event under Section 24(4) of the Data Protection Act (DSG) had therefore expired, and the appellant’s claim had lapsed.

4. 2. In the contested ruling, the Federal Administrative Court (BVwG) dismissed the appellant’s appeal against this decision. Among other things, it held that the appeal was admissible pursuant to Article 133(4) of the Federal Constitutional Law (B-VG).

5. 2.1. In its reasoning, the Federal Administrative Court (BVwG) first established that the subject of the appeal proceedings was the question of the lawfulness of the rejection of the data protection complaint. The right to lodge a complaint with a supervisory authority arises from Article 77 of the General Data Protection Regulation (GDPR). However, the GDPR does not contain any provisions regarding time limits for asserting claims; therefore, the exercise of the supervisory authority’s powers is governed by national procedural law pursuant to Article 58(4) GDPR.

6. The appellant had been aware of the alleged data protection breach for more than two years at the time the data protection complaint was filed. The subjective one-year period stipulated in Section 24(4) of the Data Protection Act (DSG) had therefore expired, and the filing of the data protection complaint was no longer admissible. It was not apparent that the time limit stipulated in Section 24 DSG disproportionately restricted the right to lodge a complaint under the GDPR. Nor was there any unequal treatment of complaints subject to Union law. The respondent authority was therefore correct in rejecting the data protection complaint.

7 2.2. The Federal Administrative Court (BVwG) justified the admissibility of the appeal on the grounds that there was no existing case law from the Administrative Court of Justice on the question of whether the time limit under Section 24(4) of the Data Protection Act (DSG) also applies to cases in which the data subject explicitly bases their complaint on Article 77 of the GDPR.

8 3. The present ordinary appeal is directed against this ruling.

9 The respondent authority filed a response to the appeal, requesting that the appeal be dismissed as unfounded with reimbursement of expenses.

II. Roman numeral II.

The Administrative Court of Justice considered the following:

10 1. The appeal is admissible with regard to the legal question raised by the Federal Administrative Court, which is addressed in the grounds for appeal. However, it proves to be unjustified for the following reasons.

11 2.1. Articles 58 and 77 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation [GDPR]), read in part as follows:

“Article 58

Powers

[…]

(4) The exercise of the powers conferred on the supervisory authority pursuant to this Article shall be subject to appropriate safeguards, including effective judicial remedies and due process, in accordance with Union law and the law of the Member State, and in compliance with the Charter.

[…]

Article 77

Right to lodge a complaint with a supervisory authority

(1) Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of business.” alleged infringement, if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.

[…]

12 2.2. Section 24 of the Data Protection Act (DSG), Federal Law Gazette I No. 165/1999 as amended by Federal Law Gazette I No. 120/2017, reads in part:

Section 24. (1) Every data subject has the right to lodge a complaint with the data protection authority if he or she considers that the processing of personal data relating to him or her infringes the GDPR or Section 1 or Article 2, Chapter 1.

Section 24, (1) Every data subject has the right to lodge a complaint with the data protection authority if he or she considers that the processing of personal data relating to him or her infringes the GDPR or Section 1 or Article 2, Chapter 1. (2) The complaint must contain:

1. the designation of the right allegedly infringed,

2. where reasonable, the designation of the legal entity or body to which the alleged infringement is attributed (respondent),

3. the facts from which the infringement is derived,

4. the grounds on which the claim of unlawfulness is based,

5. the request to establish the alleged infringement, and

6. the information necessary to assess whether the complaint was filed in a timely manner.

(3) Where appropriate, the underlying application and any response from the respondent must be attached to a complaint. The Data Protection Authority shall provide further assistance to the data subject upon request in the event of a complaint.

“` (4) The right to have a complaint considered expires if the complainant does not submit it within one year of becoming aware of the event giving rise to the complaint, but no later than three years after the event allegedly occurred. Complaints submitted after this deadline must be rejected.

[…]

13 3. In summary, the appellant argues that the provision of Section 24(4) of the Data Protection Act (DSG) is inconsistent with Article 77 of the GDPR. An EU regulation is directly applicable; the “implementation” of a regulation by national law is only permissible if the regulation so provides. This is not the case with regard to a time limitation of the data subject’s rights. Due to the primacy of EU law, the rejection by the respondent authority – based on Section 24(4) DSG – was therefore unlawful.

14. The respondent authority essentially argues in its response to the appeal that, due to the procedural autonomy of the Member States, the Austrian legislature has the option of establishing the procedural modalities for asserting rights arising from the GDPR and of setting time limits for doing so. Section 24(4) of the Data Protection Act (DSG) is also consistent with the relevant case law of the Court of Justice of the European Union (CJEU).

15. 4.1. Section 34(1) of the Data Protection Act 2000 (DSG 2000) – until its amendment by the Data Protection Adaptation Act 2018 – stipulated that the right to have a complaint addressed expires if the complainant does not submit it within one year of becoming aware of the event giving rise to the complaint, but no later than three years after the event allegedly occurred.

16. The explanatory notes to the original version of the Data Protection Act 2000 (Federal Law Gazette I No. 165/1999) point out in this context that the establishment of limitation periods for asserting the interests of data subjects under the Data Protection Act is objectively necessary. Experience has shown that investigating events that occurred long ago encounters considerable difficulties and prevents a reliable assessment of whether data protection breaches have occurred. Therefore, in their own interest, data subjects should be encouraged to report alleged data protection breaches to the Data Protection Commission or to a court as early as possible (see Bill 1613, Annex to the National Council Proceedings, 20th Legislative Period, p. 50).

… 17. Section 24(1) of the Data Protection Act (DSG), now in force, stipulates that every data subject has the right to lodge a complaint with the data protection authority if they believe that the processing of their personal data infringes the GDPR or Section 1 or Article 2, Chapter 1 of the DSG. According to paragraph 4 of the same section, the right to have a complaint addressed expires if the complainant does not submit it within one year of becoming aware of the event giving rise to the complaint, but no later than three years after the event allegedly occurred. Complaints submitted after this deadline must be rejected.

18. According to the explanatory notes to the Data Protection Adaptation Act 2018, the provisions contained in Chapter VIII of the GDPR (Remedies, Liability and Sanctions) require, for better understanding, at least partial transposition into national law. This primarily concerns Articles 77 to 79 GDPR, which govern complaints and remedies. Section 24 should, within the framework of implementing Article 77 GDPR, regulate the right to lodge a complaint with a supervisory authority and the principles of the procedure before the supervisory authority (see AB 1761 BlgNR 25. GP 15, or [regarding the provision originally provided for in Section 13 of the Data Protection Act] RV 1664 BlgNR 25. GP 9).

19. 4.2. Pursuant to Article 77(1) GDPR, without prejudice to any other administrative or judicial remedy, every data subject has the right to lodge a complaint with a supervisory authority if they consider that the processing of personal data relating to them infringes the GDPR.

20. A time limit on the right to lodge a complaint—as provided for in Section 24(4) of the Austrian Data Protection Act (DSG)—is not provided for in Article 77 GDPR (see, for example, Jahnel, Commentary on the GDPR [2021], Article 77 GDPR, para. 25, or Feiler/Forgó, EU GDPR and DSG2 [2022], Section 24 DSG, para. 6).

21. Different conclusions are drawn from this fact in Austrian legal literature. Jahnel assumes that, due to the primacy of Article 77(1) GDPR, a complaint under Article 77 GDPR can be lodged even after the expiry of the time limits specified in Section 24(4) of the German Data Protection Act (DSG), and that these time limits are only relevant if a data protection complaint is based (exclusively) on Section 1 DSG (see Jahnel, Commentary on the GDPR [2021], Article 77 GDPR, para. 25). Feiler/Forgó, on the other hand, point out that the limitation period rule in Section 24(4) DSG is a provision of procedural law, which is generally not harmonized in the GDPR and is therefore subject to national law. Since Article 77 GDPR does not stipulate any time limits for asserting the right to lodge a complaint, Section 24(4) of the Data Protection Act (DSG) is compatible with the GDPR (see Feiler/Forgó, EU-DSGVO und DSG2 [2022], Section 24 DSG, para. 6). According to Schweiger, the time limit in Section 24(4) DSG should be considered incompatible with EU law if it leads to the enforcement of EU law being made more difficult or impossible. A time limit – provided for at the Member State level in procedural law – is permissible in principle, provided that it does not impair the enforcement of Union law (see Schweiger in Knyrim [ed.] DatKomm [2022], Art. 77, in particular paras. 14 and 15/3; by way of example, reference is made to the fact that the one-year time limit in Section 24(4) of the GDPR does not result in insufficient legal protection if the data subject is in dialogue with the controller and the controller fails to comply with a data subject right or does not comply sufficiently).

22. 5. In its case law – also expressly in connection with the GDPR – the CJEU has held that, in the absence of relevant EU legislation, the principle of procedural autonomy of the Member States means that it is for the individual Member States to regulate the modalities for administrative (and judicial) proceedings that are intended to guarantee a high level of protection for the rights conferred on individuals by EU law. These modalities must be no less favorable than those for corresponding national remedies (principle of equivalence) and must not render the exercise of rights conferred by EU law practically impossible or excessively difficult (principle of effectiveness) (see, for example, CJEU 12 January 2023, C-132/21, Nemzeti Adatvédelmi és Információszabadság Hatóság, paragraphs 45, 48).

[The final sentence appears to be incomplete and requires context to be translated accurately.] 23. It follows from this case law that the national time limit for the right to lodge a complaint under Article 77 GDPR – arising from Section 24(4) of the Data Protection Act – is permissible in the absence of a relevant Union provision and in accordance with the principle of procedural autonomy of the Member States, provided that the principles of equivalence and effectiveness are met.

“` 24. In its judgment of 16 January 2024, C-33/22, Austrian Data Protection Authority, the CJEU also pointed out that no national implementing measures are required for Article 77(1) GDPR and that this provision is sufficiently clear, precise and unconditional to be directly applicable (paragraph 62; referring also to this, Austrian Administrative Court [VwGH] 6 March 2024, Ro 2021/04/0030 to 0031, paragraph 48). However, the CJEU made this statement in the context of the preliminary question referred to it therein, namely whether the jurisdiction for complaints within the meaning of Article 77(1) in conjunction with Article 55(1) GDPR already derives directly from the GDPR if a Member State has established only a single supervisory authority pursuant to Article 51(1) GDPR. It cannot be inferred from this that the CJEU generally considers procedural rules of the Member States inadmissible in connection with the right of complaint under Article 77 GDPR.

The fact that the CJEU has ruled on the right of complaint under Article 77 GDPR does not imply that it considers procedural rules of the Member States to be generally inadmissible. 25. The prevailing legal literature also assumes (regardless of whether the specific time limit provided for in Section 24(4) of the GDPR is considered compliant with EU law) that more detailed procedural provisions regarding the possibility of lodging a complaint under Article 77 of the GDPR are not inadmissible in principle (see, for example, Jahnel, Commentary on the GDPR [2021], Article 77 GDPR, para. 2: “Accordingly, Section 24 of the GDPR is intended to regulate the right to lodge a complaint and the principles of the procedure before the Data Protection Authority in more detail, which should be permissible in principle given the very concise wording of Article 77(1)”; Boehm in Simitis/Hornung/Spiecker gen. Döhmann, [eds.], GDPR2 [2025], Article 77, para. 24: “While the substantive content of the right to lodge a complaint is bindingly regulated in the GDPR, the regulations concerning the procedure is subject to national regulations”; Schweiger in Knyrim [ed.] DatKomm [2022], Art. 77 para. 15/3: “The requirement of a time limit is in itself a permissible restriction”; Bergt in Kühling/Buchner [ed.], General Data Protection Regulation, BDSG3 [2020], Art. 77 para. 26: “The regulation of the complaint procedure is a matter for the national legislature”; Feiler/Forgó, EU-GDPR and DSG2 [2022], § 24 DSG para. 6: “The limitation rule of § 24 para. 4 DSG is a provision of procedural law, which is generally not harmonized in the GDPR and is therefore subject to national regulations.”

“` 26. The mere fact that Article 77 GDPR does not provide for a time limit for lodging a data protection complaint does not, in general, imply either the admissibility or the inadmissibility of the time limits stipulated in Section 24(4) of the German Data Protection Act (DSG). Rather, as explained above, the time limit provision proves to be permissible under EU law in light of the principle of procedural autonomy of the Member States, provided that the time limits are not less favorable than the procedures for corresponding national remedies and that the exercise of the rights conferred by EU law is not rendered practically impossible or unduly difficult.

27. It should also be noted that in the present case only the subjective time limit (within one year of becoming aware of the infringement) is at issue (the objective time limit [within three years of the event] will therefore not be discussed further).

28. 6. As a first step, in accordance with the principle of equivalence, it must be examined whether the procedural modalities for data protection complaints to protect the rights arising from the GDPR are not less favorable than the procedural modalities for corresponding national remedies.

29. According to Section 24(1) of the GDPR, every data subject has the right to lodge a complaint with the data protection authority if they believe that the processing of their personal data infringes the GDPR or Section 1 or Article 2, Chapter 1 of the GDPR. A data protection complaint can therefore allege a violation (exclusively) of the GDPR or (exclusively) of Section 1 of the Austrian Data Protection Act (DSG), as well as a violation of the GDPR and (in parallel) Section 1 of the DSG (see, in this sense, the Austrian Administrative Court decision of March 6, 2024, Ro 2021/04/0030 to 0031, paragraphs 51, 53).

30. The time limits stipulated in Section 24(4) of the DSG do not differentiate between whether a data protection complaint alleges a violation of the GDPR and/or the DSG. Since a data subject is thus bound by the time limits of Section 24(4) of the DSG regardless of whether a violation of the GDPR and/or the DSG is alleged, there is no disadvantage under national law for data protection complaints seeking to protect rights arising from Union law (the GDPR). The principle of equivalence therefore does not preclude the application of Section 24(4) of the Data Protection Act.

31 7. According to the principle of effectiveness, procedural modalities must not render the exercise of rights conferred by EU law practically impossible or excessively difficult (see again ECJ 12 January 2023, C-132/21, Nemzeti Adatvédelmi és Információszabadság Hatóság, paragraph 48). The principle of effectiveness is a crucial aspect of the principles of uniformity and maximum effectiveness of EU law, as it ensures, in a decisive way, that the effects of EU law are not undermined by the indirect enforcement by the Member States (see, for example, Austrian Administrative Court 14 September 2021, Ra 2020/07/0056 to 0057, paragraph 48, with further references).

32. Furthermore, the CJEU – in that case concerning the design of legal proceedings for the protection of the rights arising from Article 82 GDPR (right to compensation) – has stated that it is for the referring court to determine whether the (provided for) procedures render the exercise of the rights conferred by Union law, and in particular by the GDPR, practically impossible or excessively difficult (see CJEU 20 June 2024, C-182/22 et al., Scalable Capital, paragraph 34).

33 7.1. The provision of Section 24(4) of the Data Protection Act (DSG), which is at issue here, does not constitute a substantive restriction, but rather limits the period during which a data protection complaint can be lodged to (insofar as relevant here:) one year from the date on which the complainant becomes aware of the event giving rise to the complaint.

34 Regarding the principle of effectiveness, it should be noted that, according to the settled case law of the Court of Justice of the European Union (CJEU), every case in which the question arises as to whether a national procedural rule renders the application of EU law impossible or excessively difficult must be examined taking into account the position of that rule in the overall proceedings, the course of the proceedings, and the specific characteristics of the proceedings before the various national authorities. Where appropriate, consideration must be given to, among other things, the protection of the rights of the defence, the principle of legal certainty, and the proper conduct of the proceedings.

34 With regard to limitation periods in particular, the CJEU has ruled that it is for the Member States to set time limits for national regulations falling within the scope of EU law, which must correspond in particular to the importance of the decisions to be taken for the data subjects, the complexity of the procedures and the applicable legal provisions, the number of potentially affected parties and other public or private interests to be taken into account (see, for example, CJEU 22.2.2018, C-572/16, INEOS Köln, paragraphs 44 et seq., with further references). Cologne, para. 44 et seq., with further references).

35. The CJEU has also repeatedly stated in its case law that setting reasonable limitation periods for legal proceedings is compatible with EU law in the interest of legal certainty, which protects both the data subject and the authority. Such time limits are not likely to render the exercise of rights conferred by EU law practically impossible or excessively difficult (see, for example, CJEU 15 April 2010, C-542/08, Barth, para. 28, with further references).

36. The setting of appropriate limitation or preclusive periods is therefore, according to settled case law of the CJEU, in principle compatible with the requirement of effectiveness, because it is an application of the fundamental principle of legal certainty, which protects both the data subject and the authority, even if the expiry of such periods may, by its very nature, prevent the data subject wholly or partly from asserting their rights (see, for example, CJEU 14 December 2023, C-655/22, Hauptzollamt HZA, paragraph 44, with further references).

37. 7.2. With the introduction of the limitation period initially provided for in Section 34 Paragraph 1 of the Data Protection Act 2000 (DSG 2000), the legislator pursued an objective in the interest of legal certainty, particularly since the explanatory notes expressly point out that, based on experience, investigating facts that occurred long ago encounters considerable difficulties and prevents a reliable assessment of whether data protection breaches have occurred (see again Government Bill 1613, Annex to the National Council Proceedings, 20th Legislative Period, p. 50). This objective undoubtedly also underlies the limitation rule of (now) Section 24 Paragraph 4 of the DSG, especially since this provision largely corresponds to Section 34 Paragraph 1 of the DSG 2000 with regard to the time limits for the expiry of the right to have a complaint processed (see also Bresich/Dopplinger/Dörnhöfer/Kunnert/Riedl, DSG [2018], Section 24, marginal note 2).

(See also Bresich/Dopplinger/Dörnhöfer/Kunnert/Riedl, DSG [2018], Section 24, marginal note 2). 38 7.3. In the case of a specific national limitation period, the elements of that provision must be assessed in their entirety, including, inter alia, the point in time at which the limitation period begins to run, its duration, and the modalities of its suspension or interruption (see ECJ 21 January 2021, C-308/19, Whiteland Import Export, para. 50, with further references).

39 In this regard, it should first be noted that the one-year period under Section 24(4) of the Data Protection Act (relevant here) is not an objective period, but rather the commencement of this period is linked to knowledge of the adverse event. Even if the data subject becomes aware of the incident at a later date, they still have the option of filing a data protection complaint, provided it is submitted within one year of becoming aware of the incident (and – which is not relevant in the present case – the incident did not occur more than three years ago).

40. Furthermore, it should be noted that, according to Section 13 Paragraph 3 of the General Administrative Procedure Act (AVG), deficiencies in written submissions do not authorize the authority to reject them. Rather, the authority must, ex officio, promptly rectify the deficiency and may order the submitter to rectify it within a reasonable period, with the consequence that the submission will be rejected if this period expires without result. If the deficiency is rectified in a timely manner, however, the submission is deemed to have been submitted correctly from the outset.

40. 41. Furthermore, the one-year time limit in Section 24(4) of the Data Protection Act (DSG), which is based on knowledge of the aggravating event, is a procedural time limit (see, in this regard, the Austrian Administrative Court decision of September 24, 2025, Ra 2024/04/0322, in particular paragraphs 30 et seq., in connection with the comparable provision in Section 12a(3) of the Tyrolean Administrative Court Act (TLVwGG)). Since the General Administrative Procedure Act (AVG) applies to appeal proceedings before the Data Protection Authority (see, for example, Thiele/Wagner [eds.], Praxiskommentar zum Datenschutzgesetz² [2022], Section 24, paragraph 7), a data subject who misses this time limit has the possibility of reinstatement to their previous status (Section 71 AVG).

(See, for example, Thiele/Wagner [eds.], Praxiskommentar zum Datenschutzgesetz² [2022], Section 24, paragraph 7). 42 7.4. To assess the appropriateness of the time limit in question here, it is also necessary to consider the requirements for filing a data protection complaint. Article 77 GDPR does not specify exactly what information a data protection complaint must contain. Rather, this provision merely states that the data subject must believe that the processing of their personal data infringes the GDPR (see, in this context, also Schweiger in Knyrim [ed.], DatKomm [2022], Art. 77 para. 11/1; Bergt in Kühling/Buchner [eds.], Datenschutz-Grundverordnung, BDSG3 [2020], Art. 77 para. 10).

43. For the following reasons, the more detailed requirements of Section 24(2) and (3) of the Data Protection Act (DSG) regarding the necessary content of a complaint are not inconsistent with this:

44. It should first be noted that the Administrative Court has already ruled that the requirements of Section 24(2) DSG are free from any formalism (see Administrative Court, 3 September 2024, Ra 2023/04/0092, para. 26).

“` 45 This applies, for example, to Section 24(2)(1) of the Data Protection Act (according to which a data protection complaint must contain the designation of the right deemed to have been violated), because the law does not require a more detailed specification of this information and this provision is intended “only” to allow the data protection authority to refrain from substantively addressing complaints that do not even meet the aforementioned minimum requirements (see, for example, the Austrian Administrative Court decision of July 26, 2021, Ra 2018/04/0183, para. 18, with further references).

46 Regarding the requirement of Section 24(2)(2) of the Data Protection Act (designation of the respondent), the law already stipulates that this is only required to the extent that it is reasonable. In cases where it proves unreasonable, the supervisory authority must either correct the designation of the respondent or, after conducting appropriate investigations, identify the data controller itself (see Austrian Administrative Court [VwGH] 5 June 2025, Ra 2024/04/0008, para. 28, with further references). Furthermore, the Administrative Court has held that if the Federal Administrative Court (BVwG) has overturned the Data Protection Authority’s (DSB) decision because the DSB conducted the proceedings against a respondent who was not the controller of the underlying data processing, this overturning is to be considered “without substitution” only with regard to the proceedings against the “wrong” controller, and the data protection complaint is otherwise to be regarded as pending (see, for example, Austrian Administrative Court [VwGH] 5 June 2025, Ra 2024/04/0008, para. 24, with further references).

… 47. Regarding the requirement in Section 24(2)(4) of the Data Protection Act (DSG), according to which the complaint must contain the grounds on which the claim of illegality is based, excessive formalism should not be applied. It is sufficient if the complaint makes clear what the party is seeking and what arguments it believes it can use to support its position (cf. – regarding the comparable provision in Section 9(1)(3) of the Administrative Court Procedure Act (VwGVG) – Austrian Administrative Court (VwGH) 20 June 2024, Ra 2022/04/0152, para. 10 et seq., with further references).

48. In light of this, the Administrative Court does not see that the requirements set out in Section 24(2)(1), (2) and (4) of the Data Protection Act (DSG) make it practically impossible or excessively difficult for a data subject to file a data protection complaint with the Data Protection Authority within one year of becoming aware of the event giving rise to the complaint.

“` 49. The same applies to the other requirements mentioned in points 3, 5, and 6 of the aforementioned Act, which do not raise complex (legal) questions but merely require a statement of the facts, the request to establish the alleged infringement of law, and the information necessary to assess the timeliness of the complaint.

50. Since the documents mentioned in Section 24(3) of the Data Protection Act (the underlying application and any response from the respondent) are only to be attached “where applicable,” it cannot be inferred from this fact that the time limit at issue here is unreasonable (see also Jahnel, Commentary on the GDPR [2021], Art. 77 GDPR, para. 23, according to whom Section 24(3) of the Data Protection Act, through the use of the word “where applicable,” opens up a margin for discretion for application by the Data Protection Authority in conformity with EU law).

51 7.5. Finally, regarding the appropriateness of the relevant time limit provision in Section 24(4) of the Data Protection Act (DSG), it must be taken into account that, according to Article 57(2) of the GDPR, every supervisory authority must take measures to facilitate the filing of complaints, including providing an electronically fillable complaint form. Accordingly, the Data Protection Authority (DSB) also provides corresponding forms on its website.

52 7.6. As a result, the Administrative Court does not see that the requirement of Section 24(4) DSG, according to which the right to have a complaint processed expires if the complainant does not submit it within one year of becoming aware of the event giving rise to the complaint, makes it practically impossible or excessively difficult for a data subject to file a data protection complaint with the Data Protection Authority in accordance with Section 24 DSG.

53. Based on this, the respondent authority and subsequently the Federal Administrative Court (BVwG) correctly examined whether the data protection complaint was lodged by the appellant – within the meaning of Section 24(4) of the Data Protection Act (DSG) – within one year of becoming aware of the event giving rise to the complaint. The appeal does not assert that this was the case – contrary to the opinion of the respondent authority and the Federal Administrative Court, as detailed above.

54. 8. In view of the legal opinion set forth above – which is based in substantial part on the case law of the Court of Justice of the European Union (CJEU) – the Administrative Court also does not see itself as having reason to comply with the appellant’s suggestion to initiate a preliminary ruling procedure on the compatibility of Section 24(4) of the Data Protection Act (DSG) with the GDPR.

55. Insofar as the appellant suggests that the Administrative Court should request the Constitutional Court to annul the provision of Section 24(4) of the Data Protection Act (DSG) on the grounds of unconstitutionality, it must be noted that the appeal does not raise any constitutional concerns, but essentially the primacy of EU law. However, the compatibility of laws and regulations with European Union law is not, as such, subject to review by the Constitutional Court. Only the rights guaranteed by the Charter of Fundamental Rights of the European Union, which in their formulation and definiteness are similar to the constitutionally guaranteed rights of the Austrian Federal Constitution, can, within the scope of application of the Charter, constitute a standard of review in proceedings for general judicial review of legislation, in particular under Articles 139 and 140 of the Federal Constitutional Law (B-VG) (see, for example, VfGH 6 June 2025, G 17-18/2025, para. 45). However, the appellant has not raised any such grounds, nor are they apparent to the Administrative Court.

56 9. The appeal was therefore to be dismissed as unfounded pursuant to Section 42(1) of the Administrative Court Act.

57 The decision regarding the reimbursement of expenses is based on Sections 47 et seq. of the Administrative Court Act in conjunction with the Administrative Court Expenses Reimbursement Ordinance 2014.

Vienna, December 17, 2025
</pre>

Datatilsynet (Norway) – 20/02911-20