Court case Ro 2023/04/0045 – Court Ruling (Austria, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A court ruling in Austria found that a loyalty program operator did not obtain valid consent for profiling customers. The consent was bundled with other terms, making it unclear for users. This case serves as a reminder for businesses to ensure that consent is clear and separate from other agreements.
What happened
The court ruled that the loyalty program operator's consent for profiling customers was invalid due to unclear presentation.
Who was affected
Customers participating in the loyalty program who were subjected to profiling were affected.
What the authority found
The court decided that the consent provided did not meet GDPR standards, as it was not clearly visible or understandable.
Why this matters
This case illustrates the need for clear consent mechanisms in data processing. Companies should ensure that users can easily understand and separately agree to data use.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
The operator of a loyalty program (the controller) provided customers (the data subjects) with the option to collect points in order to receive discounts. During registration, data subjects were asked to consent to their data being used for profiling. Having consent under Article 6(1)(a) GDPR as the legal basis, the controller performed automated analyses of purchasing behavior to personalize advertising.
The Austrian DPA (DSB) initiated an ex-officio investigation, conducted an on-site inspection and found that the consent for profiling did not meet GDPR standards under Articles 4(11) and 7 GDPR. The information about profiling was not clearly visible or easy to understand, and the consent was bundled with registration and acceptance of terms instead of being given separately. The DSB declared the processing regarding profiling unlawful since there was no valid consent or other legal basis. The controller was ordered to stop processing data for profiling purposes until it had a valid legal basis and was granted a six-month period for compliance.
The controller appealed to the Federal Administrative Court (BVwG), which upheld the appeal and overturned the DSB’s decision. The DSB then appealed to the Supreme Administrative Court (VwGH), which partially overturned the BVwG’s ruling, siding in part with the DSB. The case returned to the BVwG, which rejected the controller’s appeal but modified parts of the DSB’s decision. The controller subsequently appealed against this BVwG decision to the VwGH.
The VwGH rejected the controller’s appeal and upheld the BVwG’s decision regarding the prohibition on profiling, confirming that the prohibition was not disproportionate. It only applied to unlawful profiling and did not affect any future processing based on valid consent. The court held that consent was invalid under Article 4 and Article 7 GDPR, because it was bundled with registration and acceptance of terms and the privacy policy, the visual design did not make the
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
About this data
Cite as: Cookie Fines. Court case Ro 2023/04/0045 - Austria (2025). Retrieved from cookiefines.eu