Austrian DPA: YouTube is ordered to honor users’ Right of Access

by Dr. Gerald Trieb and Viktoria Kovacs

The Austrian Data Protection Authority (“Datenschutzbehörde”, hereinafter “DSB”) recently issued a significant decision in a long-running case brought by an individual against Google LLC, represented by NOYB – the European Center for Digital Rights. The dispute concerned the right of access under Article 15 GDPR and the modalities regulating the provision of the personal data and the related information contained in Article 12 GDPR. This decision not only clarifies the scope of the right of access but also sets out clear obligations for controllers when handling data subject access requests.

Case Background

The complainant submitted a data subject access request to Google LLC as the controller for the YouTube service at that time. In response, Google referred the complainant to various online tools and its privacy policy, and provided access to a download portal containing certain files, many of which were available only in JSON and OPML format. However, essential categories of personal data, which Google’s own privacy policy listed as being processed, were missing from the individualized disclosure. These included, inter alia, tracking and advertising data, IP addresses, the specific sources of data, the recipients, the retention periods, and details of any transfers to third countries.

Procedural History

The complaint was filed in January 2019 with the Austrian DSB. Because Google’s European headquarters are in Ireland, the Austrian authority initially referred the matter to the Irish Data Protection Commission (DPC) under the GDPR’s one-stop-shop mechanism. The case then remained with the DPC for several years. In late 2022, the DPC declared itself not competent to handle the matter and returned the case to Austria. Although the DSB’s decision is silent on the reasons for the Irish DPC’s decision to return the case to Austria, it might be based on the controllership of Google LLC, which has its seat in the United States. For controllers in third countries, the one-stop-shop mechanism of the GDPR does not apply. The Austrian DSB subsequently examined the complaint and issued its decision after five and a half years, in August 2025.

Key Findings

In its decision, the DSB identified several shortcomings in Google’s handling of the access request. First, the authority emphasized that providing data in JSON and OPML formats alone contradicts the transparency requirement under Article 12(1). These formats are designed primarily for machine processing and are not easily accessible or understandable for the average data subject. Since the GDPR requires that information be provided in a clear and intelligible manner, the obligation extends not only to the provision of the data but also to its comprehensible preparation. A controller cannot assume that a data subject has the necessary technical skills to interpret such files.

The DSB also criticized the fragmented and burdensome access process. Information must be complete and must comply with the requirements of Article 12, regardless of how it is transmitted. A portal where a data subject is required to compile personal data using several online tools and, in case of missing information, must contact customer support, is incompatible with Article 12(2). A data subject cannot reasonably be expected to identify the missing information themselves when they are not yet aware of the extent of the processing.

In addition, the complainant was referred to the respondent’s privacy policy with regard to the aspects of processing purposes, recipients, retention periods, data sources, appropriate safeguards for transfers to third countries, and tracking and advertising. The DSB held that this approach was insufficient. A privacy notice serves to fulfill the information obligations under Articles 13 and 14 and therefore provides ex ante general information about the data processing activities of a controller, which may not necessarily apply to an individual (e.g. different storage periods depending on the data category). Therefore, it is necessary to clarify which of the complainant’s data were processed for which purposes and for how long. By failing to provide this information, Google violated the complainant’s right under Article 15(1)(a).

The same reasoning can also be applied to data sources, recipients, and appropriate safeguards for transfers to third countries (Article 15(1)(c) and (g) as well as (2)). The privacy policy referred only to possible categories of recipients. However, following the CJEU’s ruling in C-154/21, Österreichische Post, the controller is required to name the actual recipients where they are known. The DSB stressed that a global IT corporation like Google is certainly in a position to identify concrete recipients. In addition, incomplete information regarding the recipients of personal data necessarily indicates inadequate and incomplete information about the safeguards for international transfer. If a data subject does not even know where their data is being transferred, a general statement in the privacy policy about compliance with “certain legal frameworks” cannot be considered lawful information within the meaning of Art 15(2).

Decision

The DSB upheld the complaint and ordered Google to provide a complete and comprehensible disclosure of all personal data relating to the complainant. This includes a proper copy of the data in a format that is not only machine-readable but also intelligible to an average user. Google was given four weeks to comply with the decision, but decided to appeal the decision before the Federal Administrative Court (“Bundesverwaltungsgericht”, BVwG) according to Art 78 GDPR. The appeal is currently pending.

This ruling has implications for users of other platforms as well. In its decision, the DSB once again made clear that companies must answer access requests in full and in an easily accessible form. At the same time, NOYB criticized the delay as undermining the effectiveness of the GDPR. They argued that such prolonged procedures weaken enforcement and may motivate controllers to engage in procedural tactics rather than prompt compliance.

Dr. Gerald Trieb is Partner at Knyrim Trieb Rechtsanwälte, Vienna (Austria)

Viktoria Kovacs is a Legal Intern at Knyrim Trieb Rechtsanwälte, Vienna (Austria)