Court case W176 2249328-1/4Z – Court Ruling (Austria, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
An Austrian court case involved a company using customer data from a loyalty program without valid consent. The company was fined, but the case is on hold pending a decision from the European Court of Justice. This case could impact how consent is interpreted across Europe.
What happened
A company processed customer data from a loyalty program without valid consent, leading to a fine.
Who was affected
Participants in the loyalty program whose data was processed without valid consent.
What the authority found
The Austrian DPA fined the company for processing personal data without valid consent, but the case is paused awaiting a European Court of Justice decision.
Why this matters
This case could set a precedent for how consent is defined and enforced across Europe, affecting businesses that rely on customer data for loyalty programs.
GDPR Articles Cited
The controller was the parent company of a conglomeration that operated a cross-company and cross-sector customer loyalty programme. Customers at participating retail outlets could register as members, collect points on the basis of their purchases and subsequently redeem them to receive discouts and other perks. The controller processed personal data obtained from participants in the loyalty program to, among others, automatically generate consumer profiles to create targeted ads. The controller claimed consent as the legal basis for this processing pursuant to Article 6(1)(a) GDPR and in its privacy policy stated that this consent was voluntary and could be revoked at any time. The DPA initiated an official investigation and, based on the results of this investigation, also initiated administrative penal proceedings against a subsidiary of the controller. On 26.7.21, the DPA fined the subsidiary €2,000,000 for using legally invalid consent and thus unlawfully processing the personal data of participants in its loyalty program. The subsidiary appealed to the Federal Administrative Court (BVwG). The DPA also initiated administrative penal proceedings against the controller (the parent company), fining it €8,000,000 for the unlawful processing of personal data relating to the loyalty program. The controller also appealed this decision to the BVwG, arguing that, among others, there was not only a lack of the necessary elements of the offence but that the controller could not be found at fault for the violation. The Court stayed proceedings pending a ruling by the European Court of Justice (CJEU) in C-807/21 - Deutsche Wohnen SE. In that case the Higher Regional Court Berlin (KG Berlin) referred the following questions: 1) Is Article 83(4) to (6) 1 to be interpreted as incorporating into national law the functional concept of an undertaking and the principle of an economic entity, as defined in Articles 101 and 102 TFEU, as a result of which, by broadening the pr
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Court case W176 2249328-1/4Z in AT
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Court case W176 2249328-1/4Z - Austria (2022). Retrieved from cookiefines.eu
Last updated: