In its decision of January 27, 2022, the data protection authority dealt with the legality, the controller status and the concept of a control system when an employee of the respondent carries out Elga queries in her own interest.
In the case at hand, it was clear from the file that the complainant wanted to take action against the respondent itself. Against this background, however, the employee who carried out the queries in the Elga file is to be qualified as a controller within the meaning of Art. 4(7) of the GDPR, and a complaint would have had to be directed against this natural person himself.
Furthermore, taking into account the established case law of the VwGH (cf. 07.03.2016, Ra 2016/02/0030), it was stated that an effective control system does not require the constant supervision of the employee, so that there were no indications that the data accesses in question had been made possible by a lack of control measures on the part of the respondent. The complaint therefore had to be dismissed. The decision is not legally binding.
Source: DSB Austria