J*Club โ Court Ruling (Austria, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
An Austrian court ruled that J*Club's customer loyalty program did not violate data protection rules. The court found that the Austrian Data Protection Authority's decision was flawed because it focused only on consent and didn't consider other legal bases. This decision highlights the importance of considering all legal grounds for data processing.
What happened
J*Club's customer loyalty program was found not to violate data protection rules after a court review.
Who was affected
Customers of retail outlets participating in J*Club's loyalty program who registered and shared their data.
What the authority found
The court held that the Austrian Data Protection Authority's decision was incorrect because it only considered consent and not other legal bases for data processing.
Why this matters
This case underscores the need for authorities to consider all potential legal bases for data processing, not just consent. Businesses should ensure they evaluate all possible legal grounds when processing personal data.
GDPR Articles Cited
The controller operates a cross-company and cross-sector customer loyalty programme called "J*Club". Customers of participating retail outlets can register as members, collect points based on their purchases and subsequently redeem these points to receive discounts, etc. According to the privacy policy, the legal basis for the processing is consent pursuant to Article 6(1)(a) GDPR which is voluntary and can be revoked at any time. In October 2019, the Austrian Data Protection Authority (DSB) conducted ex officio investigations and found that the controller's procedure did not fulfill the requirements of consent, therefore Article 6(1)(a) GDPR could not be used as a legal basis for processing. Since the controller had not made use of other legal bases, the processing was unlawful. The controller appealed that decision before the Federal Administrative Court (BVwG). It argued that it had used legitimate interest, Article 6(1)(f) GDPR, beside consent as a legal basis. Subsequently, in December 2019, the DSB amended its decision. It held that 1) the request for consent by the controller does not meet the requirements pursuant to Article 4(11) GDPR and Article 7 GDPR and that no other legal basis can be considered and the aforementioned processing is therefore unlawful. 2) the controller shall be prohibited from processing personal data for the purpose of profiling within the scope of Clause 1 and 3. 3) the complainant shall be granted a period of six months to implement point 2. The BVwG granted the controller's appeal and annuled the decision in its entirety without replacement. It held that the DSB had incorrectly only based its decision on the lack of consent and not on other possible legal bases, thus not performed an exhaustive investigation. According to the BVwG, the sole examination of the legal basis of consent could not necessarily establish a violation of the principle of lawfulness and thus also no entitlement to the remedial power under Article 58(2)(d
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for J*Club in AT
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. J*Club - Austria (2022). Retrieved from cookiefines.eu
Last updated: