01-09-2026 Article

Effects of the unlawfulness of initial processing of personal data on further processing by another controller

Update Data Protection No. 228

The question of what impact the unlawfulness of initial processing of personal data has on further processing by another controller is particularly relevant in relation to AI models. This is because if the initial unlawfulness of processing led to the unlawfulness of every subsequent processing step, an AI model developed in breach of the GDPR, for example, could never be used lawfully. 

Judgments of the Austrian Federal Administrative Court

In two rulings, the Austrian Federal Administrative Court dealt with the purchase and processing of personal data by credit agencies. The two rulings were based on a legal dispute between the initial complainant, an address publisher, and a credit agency. The credit agency had acquired personal data of the first complainant from the address publisher and subsequently processed it for credit assessment purposes. Consent pursuant to Art. 5 I a GDPR was not obtained. The court ruled that both the transfer of data and the subsequent processing by the recipient were in violation of data protection laws.

In previous decisions, the Austrian Administrative Court had already ruled that the unlawful collection of data by a client also results in the unlawfulness of the subsequent transfer of this data by the same client (VwGH ruling Ra 2017/04/0034, margin note 43; VwGH ruling Ra 2019/04/0054, margin note 41). The data protection authority extends this to the effect that the unlawfulness of the original data collection generally results in the inadmissibility of data processing by the recipient (DSB Austria, decision of March 24, 2023 – D124.3816 2023-0.193.268 para. 43). This would mean that, in the vast majority of cases, data that has been collected unlawfully could not be further processed lawfully by third parties either.

The BVwG did not expressly follow this line of reasoning. Rather, it based its decision on the general principles according to which all processing must comply with Articles 5 and 6 GDPR. Since both the address publisher and the credit agency independently violated the principle of purpose limitation, the continued effect of the error was not relevant. In more recent decisions, the data protection authority itself and the Administrative Court have also shown themselves to be more open to the lawful further processing of unlawfully collected data. 

Assessment by the BfDI

On December 22, 2025, the Federal Commissioner for Data Protection and Freedom of Information (BfDI) published a guide on data protection and AI in public authorities. Particularly with regard to AI models, the question arises as to the impact of the unlawfulness of data collection on subsequent further processing by third parties. The BfDI does not assume that an unlawfully developed AI model can never be used lawfully. Rather, the requirements for an obligation to investigate must be determined on a case-by-case basis based on the specific risk.

Assessment by the EDPB

The European Data Protection Board (EDPB) also does not assume that illegality has a blanket effect. In its Opinion 28/2024 on data protection aspects related to AI models, it advises supervisory authorities to examine on a case-by-case basis the impact of the unlawfulness of the initial processing on subsequent processing carried out by another controller. 

Conclusion

This means that the question of the extent to which the unlawfulness of the collection of data by one party alone results or may result in the unlawfulness of the processing by another party is subject to a case-by-case assessment. In view of the assessments of the BfDI and the EDPB, it is not possible to assume a blanket consequence of error. Rather, a GDPR violation can be counteracted by taking appropriate measures when acquiring potentially unlawfully collected data. A well-thought-out data protection concept is crucial in this regard. In particular, the careful selection and review of contractual partners, as well as the review of the legal basis for the receipt and further processing of received data, are of great importance. Care should also be taken to ensure that the GDPR compliance of the data provided is adequately safeguarded by contract. If there is no concept in place that is commensurate with the risk, the further processing of the data may be contrary to the GDPR and result in data protection claims.
