Controller (subsidiary of parent company) – Court Ruling (Austria, 2026)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
An Austrian court ruled that a parent company was not liable for GDPR violations related to its subsidiary's customer loyalty program. This is important because it clarifies how companies can be held responsible for data processing activities.
What happened
The court annulled a fine against the parent company for its subsidiary's handling of personal data.
Who was affected
Customers registered in the loyalty program managed by the subsidiary.
What the authority found
The court decided that the parent company did not qualify as a controller since it did not influence the data processing activities.
Why this matters
This case sets a precedent for how companies are viewed in terms of responsibility for data processing. It highlights the need for clear roles and responsibilities in data management.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
The parent company operated a customer loyalty programme through its subsidiary, the controller, starting 2 May 2019. The controller managed the operational business and processed personal data of registered customers, including profiling activities based on customer data. The controller designed the profiling consent forms, determined the data processing activities, prepared the privacy documentation, implemented technical and organisational measures, and established GDPR compliance processes. The parent company only financed the controller.

On 12 October 2021, the Austrian DPA fined the parent company €8,000,000. The DPA considered the parent company and the subsidiary to be joint controllers under Article 26 GDPR. It held that the consent forms used for profiling did not meet the requirements for valid consent under Article 4(11) and Article 7 GDPR. It further held that the profiling lacked a valid legal basis under Article 6(1) GDPR because the consent was invalid.

The parent company appealed. The Federal Administrative Court annulled the fine and terminated the proceedings. The DPA then appealed to the Austrian Supreme Administrative Court.

First, the court referred to the case law of the Court of Justice of the European Union on the concept of controller under Article 4(7) GDPR and joint controllership under Article 26 GDPR. The court noted that a party qualifies as a controller only if it actually influences the purposes and means of the relevant processing operations. Merely establishing and financing a subsidiary did not automatically create joint controllership, as the parent company didn't exercise actual influence over the specific processing activities. As a result, the parent company was not a joint controller under Article 26 GDPR.

Second, the court also rejected the DPA's reliance on CJEU judgments such as Jehovan todistajat, Fashion ID and others, as those cases involved direct influence over concrete processing operations, which was absent here.
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
About this data
Cite as: Cookie Fines. Controller (subsidiary of parent company) - Austria (2026). Retrieved from cookiefines.eu