In the decision of December 15, 2022, the data protection authority had to deal with the question of the extent to which an infringement of rights by an embassy of a third country located in Vienna can be asserted before the Austrian data protection authority.
In its assessment, the data protection authority considered its jurisdiction on the territory of the Republic of Austria pursuant to Art. 55 par. 1 GDPR taking into account that, under modern international law, embassies are not exclaves of another state, but are territorially assigned to the receiving state. However, it already results from the exception of the Art. 55 par. 2 GDPR the lack of competence of the Austrian data protection authority with regard to data processing by public authorities or private bodies of other Member States on the basis of Art. 6 par. 1 lit. c or e GDPR. Consequently, this must also apply to public authorities or private bodies whose data processing operations are attributable to a third country.
Moreover, the Vienna Convention on Diplomatic Relations, which was ratified by both the Republic of Austria and the third country concerned, had to be observed. According to its Art. 31 par. 1 diplomats enjoy, among other things, immunity from the administrative jurisdiction of the receiving state, even if, pursuant to Art. 41 par. 1 are obliged to observe the laws and other legal provisions of the receiving state – thus also the GDPR, which as a directly applicable legal act of the European Union is equivalent to national laws. By virtue of this provision of international law, the ambassador sent by the third country or the mission under his authority can therefore not be prosecuted by the Austrian data protection authority.
As a result, the complaint had to be rejected. The decision is legally binding.
Source: DSB Austria