Can a non-functioning email address for data-protection requests lead to a hefty fine? The Federal Administrative Court (BVerwG) in Austria has answered this with a clear “yes” and upheld a penalty of €15,000. The judgment of March 28, 2025 (ref. W298 2285480-1/10E) is an urgent wake-up call for all companies to take basic GDPR duties seriously.

The Case: Unreachable for Customers and Authorities

A company listed a dedicated email address for privacy inquiries on its website. When a customer used this address to request erasure of their data, the message never arrived—the mailbox wasn’t functional. Only after repeated reminders and the intervention of the data-protection authority did the company react and delete the data. Worse still, the firm ignored further letters from the authority and failed to update its privacy notice. The authority then imposed a €15,000 fine.

The Court’s Decision: Intentional Violation and Lack of Cooperation

Austria’s Federal Administrative Court deemed the fine lawful and appropriate. The company violated several core GDPR duties:

• Breach of Article 12(2) GDPR: The company failed to make it easy for the customer to exercise their rights (here: the right to erasure).

• Breach of Article 12(3) and Article 17 GDPR: The request was not handled within the prescribed one‑month period.

• Breach of Article 31 GDPR: The company refused to cooperate with the supervisory authority.

What particularly weighed against the company: the court found intent in the form of conditional intent (dolus eventualis). The company considered the violation possible and accepted it. At no point—neither before the authority nor before the court—did it show willingness to cooperate or remedy the deficiencies.

What Does This Ruling Mean for Your Company?

• Functional contact points are mandatory: An email address or contact form for privacy requests is not a “nice to have” but a critical, operational requirement. Technical reachability must be ensured at all times and checked regularly.

• Ignoring is the most expensive option: Ignoring data‑subject requests or letters from supervisory authorities is an independent and serious GDPR violation that significantly increases fines.

• Cooperation duty is non‑negotiable: Cooperation with data-protection authorities (Art. 31 GDPR) is a central obligation. Lack of cooperation is a strong indicator of intent and increases penalties.

• Fine level applies to smaller companies, too: Because the company refused to provide turnover figures, the court estimated them. The €15,000 fine was deemed necessary to underline the “wrongfulness of the act” and to compel future compliance—even though it was a first offense.

FAQ: GDPR Duties & Communication—What You Need to Know

Do I need a separate “privacy@ …” email address?

Not necessarily, but you must name a clear, easily accessible point of contact for data‑subject requests (e.g., in the imprint and privacy notice) that reliably works and is monitored.

Within what period must I respond to a GDPR request?

Without delay, but at the latest within one month of receiving the request (Art. 12(3) GDPR).

What if I believe a request is unfounded?

You must still respond within the deadline and inform the person of your reasons for refusal and their rights to appeal.

How does lack of cooperation affect a fine?

It is an explicit factor considered when assessing fines (Art. 83(2)(f) GDPR) and typically leads to a significant increase.

Conclusion: Technical and Organizational Basics Are the Foundation of GDPR Compliance

GDPR violations don’t start only with complex data breaches—they often begin with the absolute basics. A broken email inbox and refusal to communicate with authorities are not minor issues but costly mistakes that every company can and must avoid.
