GDPR is often treated as a catch-all mechanism for resolving any dispute that feels “data-related”. But a recent judgment from the Austrian Federal Administrative Court (BVwG), read alongside developments in Poland, is a useful reminder of something privacy professionals sometimes forget. GDPR has limits. It does not regulate everything, and it is not designed to deliver system-wide social or organisational change.
A recent case illustrates what GDPR is not, what it does not cover, and where other legal frameworks, not data protection law, apply.
The case: No rectification without a rectification request
The case arose from a complaint by a non-binary train passenger against two railway companies, alleging a violation of the right to rectification under Article 16 GDPR. The claimant argued that being addressed as “Mr” or “Ms” constituted inaccurate personal data and that the companies had failed to correct it.
Both the Austrian Data Protection Authority and, on appeal, the Federal Administrative Court dismissed the complaint.
Why? Not because the issue was trivial, but because GDPR was never properly engaged in the first place. The court reaffirmed a basic but often overlooked point: data subject rights under GDPR are application-based. Controllers are only obliged to act once they receive a sufficiently clear request.
In this case, no such request had been made.
- A tweet sent under a pseudonym asking whether the company would “change this” could not objectively be understood as a rectification request.
- Statements made before the Equal Treatment Commission were framed as demands for a system-level change (introducing a neutral form of address), not the correction of a specific personal data record.
- At no point did the claimant clearly identify which personal data should be rectified in which record under GDPR.
From the controller’s perspective, there was no identifiable trigger, and therefore no breach. This matters, because GDPR does not impose a general obligation on organisations to intuit or infer rights requests. It requires clarity, not guesswork.
Does system change mean data rectification?
A central theme in the judgment is the distinction between changing a system and correcting personal data within an existing system. The claimant’s primary objective was the introduction of a neutral or blank form of address across the ticketing system. That is more a design and equality issue than a rectification issue.
The court was explicit that GDPR does not require controllers to redesign systems simply because a data subject is dissatisfied with the available options. A system change may enable future data corrections but it is not itself a rectification of personal data.
This is another example of what GDPR does not do. It does not mandate product redesign, policy reform, or organisational change beyond what is necessary to comply with its specific obligations.
Loudspeakers, staff and the outer limits of personal data
The judgment is particularly useful in clarifying when no personal data is being processed at all.
Public loudspeaker announcements
The court held that gendered announcements over a train loudspeaker are addressed to an indeterminate group of passengers. They do not identify a specific individual and therefore do not involve the processing of personal data under GDPR. No personal data means no GDPR.
Verbal address by staff
The complainant was also addressed as “Mr” or “Ms” directly by train staff. Here, the court relied on the CJEU’s ruling in another case, Endemol Shine Finland, which confirmed that oral communication can fall within GDPR but only where it is contained in, or intended to be contained in, a filing system.
In this case:
- The form of address was based on a spontaneous visual assessment
- It was not retrieved from, nor recorded in, a customer database
As a result, it fell outside the material scope of GDPR. Not everything that feels personal is legally “personal data processing”.
The Polish angle: When oral disclosure does fall under GDPR
The Austrian reasoning aligns neatly with developments in Poland but with an important nuance. In a recent case, the Polish Supreme Administrative Court set aside an earlier 2021 judgment and instructed the lower court to reassess the case on the basis that GDPR applies to oral disclosure where that disclosure is functionally linked to a filing system.
This is the key test: not whether data is spoken, but whether it is drawn from structured records.
In compliance with that instruction, the Warsaw Voivodeship Administrative Court delivered a new judgment in May that partially annulled the Polish DPA’s decision and held that, in the specific circumstances of the case, calling out and repeating a passenger’s surname during ticket verification was lawful under GDPR.
Why? Because the disclosure was directly linked to a passenger database and necessary for the performance of the transport contract. Significantly, the court did not say that all oral disclosures fall under GDPR, only those that are functionally connected to a filing system. That judgment has now been appealed to the Polish Supreme Administrative Court and is not yet final. But it gives a strong indication of how this issue is likely to be treated going forward.
GDPR is not a proxy for everything else
Taken together, the Austrian and Polish cases reinforce a message that regulators and courts are increasingly comfortable delivering:
- GDPR does not replace equality law
- GDPR does not mandate system redesign
- GDPR does not regulate every interpersonal interaction
- GDPR does not apply unless its scope and triggers are actually met
That doesn’t mean the underlying concerns raised by individuals are illegitimate. It means they may need to be addressed through other legal regimes, organisational policy, or social change and not by stretching GDPR beyond its design.
For organisations, this is a reminder to be precise:
- Know when GDPR does apply
- Be confident about when it does not
- Resist the temptation to treat data protection law as a universal compliance safety net
Sometimes, the most important compliance insight is recognising when GDPR is simply the wrong tool for the job.