Court case W256 2246230-1 – Court Ruling (Austria, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A court ruled that a company running a customer loyalty program did not obtain proper consent from users to collect their personal data. The way consent was gathered did not meet legal requirements, which means the company cannot use that data for marketing. This ruling stresses the importance of clear and valid consent for data collection.
What happened
The company failed to obtain valid consent from customers for processing their personal data in a loyalty program.
Who was affected
Customers who participated in the loyalty program and had their data collected without proper consent.
What the authority found
The court found that the company's method of obtaining consent did not comply with GDPR requirements, violating Articles 5(1)(a) and 6(1)(a).
Why this matters
This decision serves as a warning to businesses about the importance of obtaining clear and valid consent for data processing. Companies should ensure their consent practices are transparent and comply with legal standards.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
The controller was responsible for a multi-partner customer loyalty programme. Customers of participating retail shops could register as members, collect points based on their purchases and subsequently redeem them to receive various "exclusive" benefits and discounts. For participation in the programme, the controller collected personal data from the customers. Only the data of customers who gave consent during the registration process were processed to create profiles of the members about their purchasing behaviour for the purpose of personalised advertising. This was not mandatory for the conclusion of the contract. Consent was obtained by signing up via a physical brochure at the partner shops or on the website. The physical brochure obtained consent through a signature field at the end of the registration form, slightly separated from the text “declaration of consent”. To the left of this, at the same height, was the mandatory field "Date" required for registration. The field for the signature was not marked with a "*" meaning "mandatory field". The website obtained consent under the heading "Enjoy your own personal benefits" with a tick box yes and no to the processing of data to benefit from exclusive benefits and promotions. After the Supreme Administrative Court (“Verwaltungsgerichtshof – VwGH”) annulled part of the DPA’s decision against the controller, the DPA started anew the respective part of the procedure against the controller. In that decision, the DPA held that the way the controller obtained consent on its website and on their physical registration brochure did not meet the requirements under Article 5(1)(a) GDPR in conjunction with Article 7(2) GDPR. As a result of the lack of consent, the controller could not base its processing of personal data on consent under Article 6(1)(a). Thus, DPA held that the controller also violated Article 6(1) GDPR in conjunction with Article 5(1)(a) GDPR. The DPA fined the controller €2 million under Article 83(
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Court case W256 2246230-1 in AT
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Court case W256 2246230-1 - Austria (2024). Retrieved from cookiefines.eu
Last updated: