Court case W256 2246230-1 – Court Ruling (Austria, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The controller was responsible for a multi-partner customer loyalty programme. Customers of participating retail shops could register as members, collect points based on their purchases and subsequently redeem them to receive various "exclusive" benefits and discounts. For participation in the programme, the controller collected personal data from the customers. Only the data of customers who gave consent during the registration process were processed to create profiles of the members about their purchasing behaviour for the purpose of personalised advertising. This was not mandatory for the conclusion of the contract. Consent was obtained by signing up via a physical brochure at the partner shops or on the website. The physical brochure obtained consent through a signature field at the end of the registration form, slightly separated from the text “declaration of consent”. To the left of this, at the same height, was the mandatory field "Date" required for registration. The field for the signature was not marked with a "*" meaning "mandatory field". The website obtained consent under the heading "Enjoy your own personal benefits" with a tick box yes and no to the processing of data to benefit from exclusive benefits and promotions. After the Supreme Administrative Court (“Verwaltungsgerichtshof – VwGH”) annulled part of the DPA’s decision against the controller, the DPA started anew the respective part of the procedure against the controller. In that decision, the DPA held that the way the controller obtained consent on its website and on their physical registration brochure did not meet the requirements under Article 5(1)(a) GDPR in conjunction with Article 7(2) GDPR. As a result of the lack of consent, the controller could not base its processing of personal data on consent under Article 6(1)(a). Thus, DPA held that the controller also violated Article 6(1) GDPR in conjunction with Article 5(1)(a) GDPR. The DPA fined the controller €2 million under Article 83(
GDPR Articles Cited
The controller was responsible for a multi-partner customer loyalty programme. Customers of participating retail shops could register as members, collect points based on their purchases and subsequently redeem them to receive various "exclusive" benefits and discounts. For participation in the programme, the controller collected personal data from the customers. Only the data of customers who gave consent during the registration process were processed to create profiles of the members about their purchasing behaviour for the purpose of personalised advertising. This was not mandatory for the conclusion of the contract. Consent was obtained by signing up via a physical brochure at the partner shops or on the website. The physical brochure obtained consent through a signature field at the end of the registration form, slightly separated from the text “declaration of consent”. To the left of this, at the same height, was the mandatory field "Date" required for registration. The field for the signature was not marked with a "*" meaning "mandatory field". The website obtained consent under the heading "Enjoy your own personal benefits" with a tick box yes and no to the processing of data to benefit from exclusive benefits and promotions. After the Supreme Administrative Court (“Verwaltungsgerichtshof – VwGH”) annulled part of the DPA’s decision against the controller, the DPA started anew the respective part of the procedure against the controller. In that decision, the DPA held that the way the controller obtained consent on its website and on their physical registration brochure did not meet the requirements under Article 5(1)(a) GDPR in conjunction with Article 7(2) GDPR. As a result of the lack of consent, the controller could not base its processing of personal data on consent under Article 6(1)(a). Thus, DPA held that the controller also violated Article 6(1) GDPR in conjunction with Article 5(1)(a) GDPR. The DPA fined the controller €2 million under Article 83(
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Court case W256 2246230-1 in AT
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Court case W256 2246230-1 - Austria (2024). Retrieved from cookiefines.eu
Last updated: