DSB (Austria) - D130.1170: Difference between revisions

From GDPRhub
mNo edit summary
 
(3 intermediate revisions by 2 users not shown)
Line 65: Line 65:
}}
}}


The Austrian DPA ordered a controller to erase the personal data of a data subject processed upon accepting a cookie banner which it deemed to be in violation of the GDPR and to inform third party providers of the erasure.
The Austrian DPA ordered a controller to erase the personal data of a data subject processed upon accepting a cookie via a banner in violation of the GDPR and to inform third party providers of the erasure according to Article 17 GDPR and Article 19 GDPR.


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
On 22 October 2021, the complainant, represented in the proceedings by ''noyb'' – European Centre for Digital Rights, visited a website operated by the American company Briggs & Stratton LLC (the controller). Upon opening the website, a cookie banner pops up showing only the options “cookie settings” or “accept all cookies”. The complainant held the cookie banner to be unlawful and requested the controller to stop processing and delete all his personal data. The controller never provided information regarding the erasure of the personal data of the complainant apart from stating that it does not save any data on its own servers, but it makes use of Adobe Analytics. The controller never answered to the question whether third party providers had been informed about the complainant's request for erasure of his personal data either.  
On 22 October 2021, a data subject visited a website operated by the American company Briggs & Stratton LLC (the controller) and accepted cookies via a cookie banner showing only the options “accept all cookies” or “cookie settings”. As a consequence, unique IDs that allow for identification of the data subject had been saved on the controller’s server and were then transmitted to the servers of third party providers, including Amazon, Google and Microsoft. The complainant held the cookie banner to be unlawful and requested the controller to stop processing and delete all his personal data and to inform the third party providers thereof. However, the controller never provided information regarding the erasure of the personal data apart from stating that it does not save any data on its own servers, but it makes use of Adobe Analytics. The controller also failed to provide an answer on whether third party providers had been informed about the complainant's request for erasure of his personal data.  


The data subject thus filed a complaint with the Austrian DPA to have his right to erasure according to [[Article 17 GDPR]] enforced, as well as to order the controller to suspend all processing activities of his personal data and informing the third party providers of the erasure of the personal data transmitted to them by virtue of [[Article 19 GDPR]].   
The data subject, represented in the proceedings by ''noyb'' – European Centre for Digital Rights, thus filed a complaint with the Austrian DPA to have his right to erasure according to [[Article 17 GDPR]] enforced, as well as to order the controller to suspend all processing activities of his personal data and to inform third party providers of the erasure of the personal data transmitted to them by virtue of [[Article 19 GDPR]].   


In the meantime, the controller adjusted the cookie banner displayed on its website, however, the complainant claimed that it still proved more burdensome to withdraw one’s consent than to grant it.
In the meantime, the controller adjusted the cookie banner displayed on its website, however, the complainant claimed that it still failed to meet GDPR requirements as it proved more burdensome to withdraw one’s consent than to grant it.


=== Holding ===
=== Holding ===
As regards the cookie banner displayed on the controller’s website on 22 October 2021, the DPA held that given the absence of a “reject” option that cookie banner constituted a violation of [[Article 7 GDPR#3|Article 7(3) GDPR]] and it also failed to comply with the requirements set out in [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]] and [[Article 25 GDPR#1|Article 25(1) GDPR]]. Accordingly, the DPA held that there could be no valid consent according to [[Article 7 GDPR|Article 7 GDPR]] and [[Article 4 GDPR#11|Article 4(11) GDPR]]. On this basis, the DPA declared the processing of personal data of the complainant by the controller to be unlawful and it ordered the controller to delete his personal data (id and id-number) by virtue of [[Article 17 GDPR|Article 17 GDPR]] and to communicate this to the third party providers to whom this data had been disclosed upon visiting the controller’s website (in particular Amazon, Google, Microsoft and Adobe), according to [[Article 19 GDPR|Article 19 GDPR]], within 4 weeks from adoption of this decision. In this, the DPA held that it is irrelevant whether the controller saves the personal data relating to the complainant on its own servers or on an external server such as Adobe Analytics.
As regards the cookie banner displayed on the controller’s website on 22 October 2021, the Austrian DPA held that given the absence of a “reject” option that cookie banner constituted a violation of [[Article 7 GDPR#3|Article 7(3) GDPR]] and it also failed to comply with the requirements set out in [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]] and [[Article 25 GDPR#1|Article 25(1) GDPR]]. Accordingly, the DPA held that there could be no valid consent according to [[Article 7 GDPR|Article 7 GDPR]] and [[Article 4 GDPR#11|Article 4(11) GDPR]].


With respect to the current cookie banner showing on the controller’s webpage, the DPA held that the fact it still takes more steps to withdraw than to give one’s consent to the cookie settings constitutes a violation of [[Article 7 GDPR#3|Article 7(3) GDPR]]. In light of this, the DPA ordered the controller to adapt the cookie banner displayed on its website so that it complies with the GDPR requirements within 8 weeks from the decision.
On this basis, the DPA declared the processing of personal data of the complainant by the controller to be unlawful and it ordered the controller to delete his personal data (id and id-number) by virtue of [[Article 17 GDPR]] and to communicate this to the third party providers to whom this data had been disclosed upon visiting the controller’s website (in particular Amazon, Google, Microsoft and Adobe), according to [[Article 19 GDPR]], within 4 weeks from adoption of this decision. In this, the DPA held that it is irrelevant whether the controller saves the personal data relating to the complainant on its own servers or on an external server such as Adobe Analytics.
 
With respect to the current cookie banner showing on the controller’s webpage, the DPA held that the fact that it still takes more steps to withdraw than to give one’s consent to the cookie settings constitutes a violation of [[Article 7 GDPR#3|Article 7(3) GDPR]]. In light of this, the DPA ordered the controller to adapt the cookie banner displayed on its website so that it complies with GDPR requirements within 8 weeks from the decision.


== Comment ==
== Comment ==

Latest revision as of 08:56, 27 September 2023

DSB - D130.1170
LogoAT.png
Authority: DSB (Austria)
Jurisdiction: Austria
Relevant Law: Article 7(3) GDPR
Article 17 GDPR
Article 19 GDPR
Type: Complaint
Outcome: Partly Upheld
Started: 09.08.2022
Decided: 19.09.2023
Published:
Fine: n/a
Parties: Briggs & Stratton LLC
National Case Number/Name: D130.1170
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): German
Original Source: DSB (in DE)
Initial Contributor: co

The Austrian DPA ordered a controller to erase the personal data of a data subject processed upon accepting a cookie via a banner in violation of the GDPR and to inform third party providers of the erasure according to Article 17 GDPR and Article 19 GDPR.

English Summary

Facts

On 22 October 2021, a data subject visited a website operated by the American company Briggs & Stratton LLC (the controller) and accepted cookies via a cookie banner showing only the options “accept all cookies” or “cookie settings”. As a consequence, unique IDs that allow for identification of the data subject had been saved on the controller’s server and were then transmitted to the servers of third party providers, including Amazon, Google and Microsoft. The complainant held the cookie banner to be unlawful and requested the controller to stop processing and delete all his personal data and to inform the third party providers thereof. However, the controller never provided information regarding the erasure of the personal data apart from stating that it does not save any data on its own servers, but it makes use of Adobe Analytics. The controller also failed to provide an answer on whether third party providers had been informed about the complainant's request for erasure of his personal data.

The data subject, represented in the proceedings by noyb – European Centre for Digital Rights, thus filed a complaint with the Austrian DPA to have his right to erasure according to Article 17 GDPR enforced, as well as to order the controller to suspend all processing activities of his personal data and to inform third party providers of the erasure of the personal data transmitted to them by virtue of Article 19 GDPR.

In the meantime, the controller adjusted the cookie banner displayed on its website, however, the complainant claimed that it still failed to meet GDPR requirements as it proved more burdensome to withdraw one’s consent than to grant it.

Holding

As regards the cookie banner displayed on the controller’s website on 22 October 2021, the Austrian DPA held that given the absence of a “reject” option that cookie banner constituted a violation of Article 7(3) GDPR and it also failed to comply with the requirements set out in Article 5(1)(a) GDPR and Article 25(1) GDPR. Accordingly, the DPA held that there could be no valid consent according to Article 7 GDPR and Article 4(11) GDPR.

On this basis, the DPA declared the processing of personal data of the complainant by the controller to be unlawful and it ordered the controller to delete his personal data (id and id-number) by virtue of Article 17 GDPR and to communicate this to the third party providers to whom this data had been disclosed upon visiting the controller’s website (in particular Amazon, Google, Microsoft and Adobe), according to Article 19 GDPR, within 4 weeks from adoption of this decision. In this, the DPA held that it is irrelevant whether the controller saves the personal data relating to the complainant on its own servers or on an external server such as Adobe Analytics.

With respect to the current cookie banner showing on the controller’s webpage, the DPA held that the fact that it still takes more steps to withdraw than to give one’s consent to the cookie settings constitutes a violation of Article 7(3) GDPR. In light of this, the DPA ordered the controller to adapt the cookie banner displayed on its website so that it complies with GDPR requirements within 8 weeks from the decision.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

File history
Click on a date/time to view the file as it appeared at that time.
Date/TimeDimensionsUserComment
current15:28, 26 September 2023 (849 KB)Co (talk | contribs)
You cannot overwrite this file.File usage
There are no pages that use this file.