Court case Ro 2023/04/0045 – Court Ruling (Austria, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The operator of a loyalty program (the controller) provided customers (the data subjects) with the option to collect points in order to receive discounts. During registration, data subjects were asked to consent to their data being used for profiling. Having consent under Article 6(1)(a) GDPR as the legal basis, the controller performed automated analyses of purchasing behavior to personalize advertising. The Austrian DPA (DSB) initiated an ex-officio investigation, conducted an on-site inspection and found that the consent for profiling did not meet GDPR standards under Articles 4(11) and 7 GDPR. The information about profiling was not clearly visible or easy to understand, and the consent was bundled with registration and acceptance of terms instead of being given separately. The DSB declared the processing regarding profiling unlawful since there was no valid consent or other legal basis. The controller was ordered to stop processing data for profiling purposes until it had a valid legal basis and was granted a six-month period for compliance. The controller appealed to the Federal Administrative Court (BVwG), which upheld the appeal and overturned the DSB’s decision. The DSB then appealed to the Supreme Administrative Court (VwGH), which partially overturned the BVwG’s ruling, siding in part with the DSB. The case returned to the BVwG, which rejected the controller’s appeal but modified parts of the DSB’s decision. The controller subsequently appealed against this BVwG decision to the VwGH. The VwGH rejected the controller’s appeal and upheld the BVwG’s decision regarding the prohibition on profiling, confirming that the prohibition was not disproportionate. It only applied to unlawful profiling and did not affect any future processing based on valid consent. The court held that consent was invalid under Article 4 and Article 7 GDPR, because there was bundled with registration and acceptance of terms and the privacy policy, the visual design did not make the
GDPR Articles Cited
The operator of a loyalty program (the controller) provided customers (the data subjects) with the option to collect points in order to receive discounts. During registration, data subjects were asked to consent to their data being used for profiling. Having consent under Article 6(1)(a) GDPR as the legal basis, the controller performed automated analyses of purchasing behavior to personalize advertising. The Austrian DPA (DSB) initiated an ex-officio investigation, conducted an on-site inspection and found that the consent for profiling did not meet GDPR standards under Articles 4(11) and 7 GDPR. The information about profiling was not clearly visible or easy to understand, and the consent was bundled with registration and acceptance of terms instead of being given separately. The DSB declared the processing regarding profiling unlawful since there was no valid consent or other legal basis. The controller was ordered to stop processing data for profiling purposes until it had a valid legal basis and was granted a six-month period for compliance. The controller appealed to the Federal Administrative Court (BVwG), which upheld the appeal and overturned the DSB’s decision. The DSB then appealed to the Supreme Administrative Court (VwGH), which partially overturned the BVwG’s ruling, siding in part with the DSB. The case returned to the BVwG, which rejected the controller’s appeal but modified parts of the DSB’s decision. The controller subsequently appealed against this BVwG decision to the VwGH. The VwGH rejected the controller’s appeal and upheld the BVwG’s decision regarding the prohibition on profiling, confirming that the prohibition was not disproportionate. It only applied to unlawful profiling and did not affect any future processing based on valid consent. The court held that consent was invalid under Article 4 and Article 7 GDPR, because there was bundled with registration and acceptance of terms and the privacy policy, the visual design did not make the
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Court case Ro 2023/04/0045 in AT
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Court case Ro 2023/04/0045 - Austria (2025). Retrieved from cookiefines.eu
Last updated: