Court case W256 2227693-1 – Court Ruling (Austria, 2021)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
An Austrian company running a loyalty program processed customer data without proper consent. The Austrian Data Protection Authority found the company didn't clearly explain how it used personal data for profiling, making the consent invalid. This case highlights the importance of clear communication about data use to ensure valid consent.
What happened
The company processed loyalty program participants' data without obtaining valid consent.
Who was affected
Participants in the company's loyalty program whose data was analyzed for personalized advertising.
What the authority found
The court upheld the decision that the company lacked a valid legal basis for processing data, as the consent obtained was not clear or accessible.
Why this matters
This ruling emphasizes the necessity for companies to provide clear and accessible information about data use to obtain valid consent. It serves as a reminder for businesses to review their consent practices to comply with GDPR requirements.
GDPR Articles Cited
The appellant is a company which ran a loyalty programme for which it collected and processed data subjects’ personal data. More precisely, it “combined and [analysed their] participation data and purchase data in order to send [them] individualised information on [the] programme that is relevant to me and tailored to my interests (…) in order to send [out] advertising with personalised offers about products and services of the operator and [its] partners.” It claimed this data would be deleted if individuals revoked their consent to such processing. The Austrian DPA, following an ex officio investigation into the company's data practices, found that it unlawfully processed the programme’s participants’ personal data because it failed to obtain their valid consent. In particular, the information on profiling was neither available in an easily accessible form nor formulated in clear and simple language, and could therefore not be used as a legal basis under Article 6(1)(a) GDPR. It is noteworthy that the company "had at no time relied on legitimate interests within the meaning of Article 6(1)(f) GDPR as a legal basis for processing for the purpose of profiling", and the DPA originally found that such a balancing of interests would in any case turn out against it. The company filed a first appeal against this decision. The DPA therefore had to issue a preliminary ruling on its original decision, which it ultimately upheld. The company then appealed this ruling to the Austrian Federal Administrative Court. (Please note: The Federal Administrative Court can only consider an appeal of this preliminary ruling). The appeal was deemed permissible because “[there was] no case law of the highest courts on the question of whether, in order to assess the lawfulness of data processing in the case of invalid consent pursuant to Article 6(1)(a) GDPR, it is permissible to have recourse to other permissible elements of Article 6 GDPR.” As such, this was the key issue in this case. I
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Court case W256 2227693-1 in AT
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Court case W256 2227693-1 - Austria (2021). Retrieved from cookiefines.eu
Last updated: