DSB (Austria) - D130.1170: Difference between revisions
mNo edit summary |
No edit summary |
||
Line 65: | Line 65: | ||
}} | }} | ||
The Austrian DPA ordered a controller to erase the personal data of a data subject processed upon accepting a cookie banner in violation of the GDPR and to inform third party providers of the erasure according to Article 17 GDPR and Article 19 GDPR. | The Austrian DPA ordered a controller to erase the personal data of a data subject processed upon accepting a cookie via a banner in violation of the GDPR and to inform third party providers of the erasure according to Article 17 GDPR and Article 19 GDPR. | ||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
On 22 October 2021, the complainant, represented in the proceedings by ''noyb'' – European Centre for Digital Rights, visited a website operated by the American company Briggs & Stratton LLC (the controller). Upon opening the website, a cookie banner popped up showing only the options “cookie settings” or “accept all cookies”. The complainant held the cookie banner to be unlawful and requested the controller to stop processing and delete all his personal data. The controller never provided information regarding the erasure of the personal data | On 22 October 2021, the complainant, represented in the proceedings by ''noyb'' – European Centre for Digital Rights, visited a website operated by the American company Briggs & Stratton LLC (the controller). | ||
Upon opening the website, a cookie banner popped up showing only the options “cookie settings” or “accept all cookies”. The complainant held the cookie banner to be unlawful and requested the controller to stop processing and delete all his personal data. The controller never provided information regarding the erasure of the personal data apart from stating that it does not save any data on its own servers, but it makes use of Adobe Analytics. The controller never answered to the question whether third party providers had been informed about the complainant's request for erasure of his personal data either. | |||
The data subject thus filed a complaint with the Austrian DPA to have his right to erasure according to [[Article 17 GDPR]] enforced, as well as to order the controller to suspend all processing activities of his personal data and informing the third party providers of the erasure of the personal data transmitted to them by virtue of [[Article 19 GDPR]]. | The data subject thus filed a complaint with the Austrian DPA to have his right to erasure according to [[Article 17 GDPR]] enforced, as well as to order the controller to suspend all processing activities of his personal data and informing the third party providers of the erasure of the personal data transmitted to them by virtue of [[Article 19 GDPR]]. | ||
Line 77: | Line 79: | ||
=== Holding === | === Holding === | ||
As regards the cookie banner displayed on the controller’s website on 22 October 2021, the Austrian DPA held that given the absence of a “reject” option that cookie banner constituted a violation of [[Article 7 GDPR#3|Article 7(3) GDPR]] and it also failed to comply with the requirements set out in [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]] and [[Article 25 GDPR#1|Article 25(1) GDPR]]. Accordingly, the DPA held that there could be no valid consent according to [[Article 7 GDPR|Article 7 GDPR]] and [[Article 4 GDPR#11|Article 4(11) GDPR]]. On this basis, the DPA declared the processing of personal data of the complainant by the controller to be unlawful and it ordered the controller to delete his personal data (id and id-number) by virtue of [[ | As regards the cookie banner displayed on the controller’s website on 22 October 2021, the Austrian DPA held that given the absence of a “reject” option that cookie banner constituted a violation of [[Article 7 GDPR#3|Article 7(3) GDPR]] and it also failed to comply with the requirements set out in [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]] and [[Article 25 GDPR#1|Article 25(1) GDPR]]. Accordingly, the DPA held that there could be no valid consent according to [[Article 7 GDPR|Article 7 GDPR]] and [[Article 4 GDPR#11|Article 4(11) GDPR]]. | ||
On this basis, the DPA declared the processing of personal data of the complainant by the controller to be unlawful and it ordered the controller to delete his personal data (id and id-number) by virtue of [[Article 17 GDPR]] and to communicate this to the third party providers to whom this data had been disclosed upon visiting the controller’s website (in particular Amazon, Google, Microsoft and Adobe), according to [[Article 19 GDPR]], within 4 weeks from adoption of this decision. In this, the DPA held that it is irrelevant whether the controller saves the personal data relating to the complainant on its own servers or on an external server such as Adobe Analytics. | |||
With respect to the current cookie banner showing on the controller’s webpage, the DPA held that the fact it still takes more steps to withdraw than to give one’s consent to the cookie settings constitutes a violation of [[Article 7 GDPR#3|Article 7(3) GDPR]]. In light of this, the DPA ordered the controller to adapt the cookie banner displayed on its website so that it complies with the GDPR requirements within 8 weeks from the decision. | With respect to the current cookie banner showing on the controller’s webpage, the DPA held that the fact it still takes more steps to withdraw than to give one’s consent to the cookie settings constitutes a violation of [[Article 7 GDPR#3|Article 7(3) GDPR]]. In light of this, the DPA ordered the controller to adapt the cookie banner displayed on its website so that it complies with the GDPR requirements within 8 weeks from the decision. |
Revision as of 08:02, 27 September 2023
DSB - D130.1170 | |
---|---|
Authority: | DSB (Austria) |
Jurisdiction: | Austria |
Relevant Law: | Article 7(3) GDPR Article 17 GDPR Article 19 GDPR |
Type: | Complaint |
Outcome: | Partly Upheld |
Started: | 09.08.2022 |
Decided: | 19.09.2023 |
Published: | |
Fine: | n/a |
Parties: | Briggs & Stratton LLC |
National Case Number/Name: | D130.1170 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | German |
Original Source: | DSB (in DE) |
Initial Contributor: | co |
The Austrian DPA ordered a controller to erase the personal data of a data subject processed upon accepting a cookie via a banner in violation of the GDPR and to inform third party providers of the erasure according to Article 17 GDPR and Article 19 GDPR.
English Summary
Facts
On 22 October 2021, the complainant, represented in the proceedings by noyb – European Centre for Digital Rights, visited a website operated by the American company Briggs & Stratton LLC (the controller).
Upon opening the website, a cookie banner popped up showing only the options “cookie settings” or “accept all cookies”. The complainant held the cookie banner to be unlawful and requested the controller to stop processing and delete all his personal data. The controller never provided information regarding the erasure of the personal data apart from stating that it does not save any data on its own servers, but it makes use of Adobe Analytics. Nor did the controller ever answer the question of whether third party providers had been informed about the complainant's request for erasure of his personal data.
The data subject thus filed a complaint with the Austrian DPA to have his right to erasure according to Article 17 GDPR enforced, as well as to order the controller to suspend all processing activities of his personal data and to inform the third party providers of the erasure of the personal data transmitted to them by virtue of Article 19 GDPR.
In the meantime, the controller adjusted the cookie banner displayed on its website. However, the complainant claimed that it still failed to meet GDPR requirements, as it proved more burdensome to withdraw one’s consent than to grant it.
Holding
As regards the cookie banner displayed on the controller’s website on 22 October 2021, the Austrian DPA held that, given the absence of a “reject” option, that cookie banner constituted a violation of Article 7(3) GDPR and also failed to comply with the requirements set out in Article 5(1)(a) GDPR and Article 25(1) GDPR. Accordingly, the DPA held that there could be no valid consent according to Article 7 GDPR and Article 4(11) GDPR.
On this basis, the DPA declared the processing of personal data of the complainant by the controller to be unlawful and it ordered the controller to delete his personal data (id and id-number) by virtue of Article 17 GDPR and to communicate this to the third party providers to whom this data had been disclosed upon visiting the controller’s website (in particular Amazon, Google, Microsoft and Adobe), according to Article 19 GDPR, within 4 weeks from adoption of this decision. In this, the DPA held that it is irrelevant whether the controller saves the personal data relating to the complainant on its own servers or on an external server such as Adobe Analytics.
With respect to the current cookie banner showing on the controller’s webpage, the DPA held that the fact that it still takes more steps to withdraw than to give one’s consent to the cookie settings constitutes a violation of Article 7(3) GDPR. In light of this, the DPA ordered the controller to adapt the cookie banner displayed on its website so that it complies with the GDPR requirements within 8 weeks from the decision.
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.