BVwG - W252 2248630-1

Court: BVwG (Austria)
Jurisdiction: Austria
Relevant Law: Article 4(11) GDPR
Article 7(4) GDPR
Decided: 12.06.2023
Published: 20.07.2023
Parties:
National Case Number/Name: W252 2248630-1
European Case Law Identifier: ECLI:AT:BVWG:2023:W252.2248630.1.00
Appeal from: DSB (Austria)
Appeal to: Unknown
Original Language(s): German
Original Source: BVwG (Austria) (in German)
Initial Contributor: mg

An Austrian court held that the creation of a customer account for the online purchase of goods can be made dependent on consent to the processing of personal data for advertising purposes, provided that the controller also offers an option to purchase the same goods as a “guest” on the website.

English Summary

Facts

The data subject created an account with the controller in order to purchase goods online. In this context, they allegedly were forced to give consent to the processing of their personal data for the purpose of advertising. The data subject lodged a complaint with the Austrian DPA. The Austrian DPA declared the processing unlawful.

The controller appealed the decision, arguing that the data subject was not actually "forced" to create a customer account to purchase the goods. As a matter of fact, they could have ordered the goods by using a so-called “guest” option, which would not imply any processing for advertising purposes. On the contrary, the creation of a customer account implies that a user wants to have access to discounts and be informed about offers concerning the controller's products.

Holding

The court upheld the controller’s appeal.

Pursuant to Article 4(11) GDPR, consent must be freely given. In light of Article 7(4) GDPR, this is clearly not the case when the conclusion of a contract is made dependent on the data subject’s consent, unless consent is necessary for the performance of the contract.

Thus, the court checked the nature of the contract in the case at issue. The court found that it was not possible to separate the creation of an account with the controller from the purchase of goods online. Such an account did not exclusively serve the purpose of sharing offers and discounts with the data subject. The purchase of goods could rather be seen as the main object of the contract. For such a purpose consent to the processing of personal data for advertising was not necessary.

The court then checked whether the guest option could be a valid alternative to achieve the object of the agreement. The court rejected the DPA’s argument that the guest option was no valid alternative to the creation of an account with regard to the purchase of online goods. The court acknowledged that the use of a guest option entails an additional effort for the user, namely the effort of filling the fields that are auto-filled for the holder of a customer account. However, such an effort was not disproportionate.

In light of the above, the court overturned the DPA's decision and declared that consent to the processing was freely given.

Comment

The court is right when it states that the existence of a purchase option which does not entail consent for advertising purposes is sufficient to guarantee that consent is validly given under the GDPR. Nevertheless, it is questionable whether the only difference between the creation of a customer account and the use of a guest option can be framed in terms of advertising. As a matter of fact, a customer account does not necessarily serve only purchase and advertising purposes. One of the elements mentioned by the controller, for example - the possibility to have access to discounts - is not inextricably linked to advertising purposes. Rather, it may be argued that consent for advertising purposes is not necessary for the performance of a contract where to certain transactions correspond additional "points" for discounts or offers.

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

decision date

06/12/2023

standard

B-VG Art133 Para.4
DSG §1
DSGVO Art4 Z11
DSGVO Art6 Abs1 lita
GDPR Art7

saying

W252 2248630-1/7E

IN THE NAME OF THE REPUBLIC!

The Federal Administrative Court, through the judge Mag.a Elisabeth SCHMUT LL.M. as chairperson and the expert lay judges Dr. Claudia ROSENMAYR-KLEMENZ and Mag.a Adriana MANDL as assessors on the complaint of XXXX, represented by Knyrim Trieb Rechtsanwälte OG, 1060 Vienna, Mariahilfer Straße 89a, (participating party before the Administrative Court XXXX, represented by LTRA Rechtsanwälte, 1070 Vienna, Lindengasse 38/3), against point 1 of the decision of the data protection authority of October 8th, 2021, GZ XXXX, in a closed session in a data protection matter, rightly recognized:

A) The appeal is upheld and point 1 of the contested decision is amended so that it reads:

"1. The data protection complaint is dismissed as unfounded with regard to the alleged violation of the right to secrecy.".

B) The revision is allowed.

text

Reasons for decision:

I. Procedure:

1. With a submission dated July 8th, 2020, the party involved (hereinafter "MP") lodged a data protection complaint with the relevant authority and stated, in summary, that the complainant (hereinafter "BF") had violated their right to secrecy. She had created a user account in the BF online shop for the purpose of ordering online. In doing so, she had to consent to data processing for advertising and marketing purposes. This consent violates the ban on coupling and was therefore not given voluntarily. In addition, the right to erasure was violated.

2. With a decision dated October 8, 2021, the relevant authority partially upheld the complaint and determined a violation of the right to secrecy, because the MP had to give mandatory consent to data processing for advertising and marketing purposes when registering for the online account, without this being necessary for the execution of the contract (point 1.). The competent authority rejected the complaint regarding a violation of the right to erasure (point 2).

The responsible authority explained that the main performance obligations in the case of an online order were the delivery of the ordered items against payment of the purchase price. Data processing for advertising and marketing purposes is not required for the proper processing of a purchase contract as part of an online order to fulfill the contract. Ordering as a guest is not a reasonable alternative due to the not inconsiderable additional effort involved in entering data.

3. The present complaint by the BF of November 5th, 2021 is directed against clause 1 of the decision. In this, BF states that consent to data processing for advertising and marketing purposes was not a prerequisite for placing an order or purchasing goods in the online shop. The MP could make a guest order at any time. Contrary to the opinion of the authority concerned, only the contract for the use of a customer account is relevant with regard to the coupling. The specific characteristic of a customer account consists in making certain offers and granting discounts on certain items to the customer in return for the provision of name, address and other personal data, including for advertising purposes. In this case, a coupling is permissible.

4. The authority concerned submitted the complaint, following the administrative act, with a written statement dated November 22, 2021, received on November 25, 2021, and applied for the complaint to be dismissed - with reference to the reasoning of the decision.

5. In a letter dated May 9, 2023, the MP referred to what was put forward in the basic proceedings and to the contested decision and argued that the "auto-fill function" would mean a not inconsiderable amount of work for the user in the case of a guest order.

Evidence was collected by inspecting the administrative and court records.

II. The Federal Administrative Court considered:

1. Findings:

1.1. The BF operates an online shop. In the online shop, customers have the choice - insofar as this is relevant to the procedure - to order either with an XXXX account (hereinafter also "customer account"), or as a "guest".

When orders are placed via the customer account, the customer's data is processed for advertising and marketing purposes as well as for customer service. In the case of a guest order, there is no processing for advertising, marketing or customer service purposes.

Saving billing and delivery addresses as well as shipping and payment information is only possible in connection with a customer account. In the case of a guest order, this data must be re-entered for each order.

1.2. On March 27, 2020, MP created a customer account in the BF online shop and ordered goods. As part of the registration for the customer account, the MP had to click on a check box that was not pre-filled, with which she consented to the processing for advertising, marketing and customer care purposes. Below this check box was the additional note that an order can also be placed as a "guest".

2. Evidence assessment:

2.1. The findings on the BF online shop, the selection options for the ordering process and the associated data processing result from the briefs submitted by the BF and the MP to the relevant authority and the associated screenshots (see the data protection complaint of July 8th, 2020, S 2; OZ 1, S 16; as well as the statement of the BF of 08/18/2021, S 5 f, Enclosure ./D; OZ 1, S 156 f, 183; Statement of the MP of 09/07/2021, S 2; OZ 1, S 283). The arguments of the BF and MP on the functioning of the online shop were already consistent in the pleadings before the relevant authority, and the screenshots provided made them comprehensible and credible (see also the statement by the BF of September 28th, 2021, S 2 f; OZ 1, S 311 f). In addition, the authority concerned has determined in detail how the online shop works and the associated data processing in the relevant notification (see the notification of October 8th, 2021, S 6-8; OZ 1, S 445-447). Neither the BF in its complaint (OZ 1, S 545 ff) nor the MP in its statement of May 9, 2023 (OZ 3) contradicted these findings of fact. In its complaint, the BF even expressly stated that the finding that there was "a declaration of consent to data processing for 'advertising, marketing and customer care' in the context of registering for a customer account until June 2020 (i.e. at the time the customer account was created by the party involved), whereby the creation of such a customer account was at no time a prerequisite for an order or a purchase of goods in the complainant's online shop" is not disputed (see administrative complaint, S 2; OZ 1, S 546).

2.2. The findings on the registration process and the order placed by the MP also result from the corresponding and credible submissions of the BF and MP in this regard (statement of the BF of September 28th, 2021, S 2; OZ 1, S 311; and in this regard the statement of the MP of October 4th, 2021, p. 2; OZ 1, p. 421). In addition, the BF presented an excerpt from its systems showing the registration and order of the MP (see in particular the database excerpt sent with the BF's statement of August 18, 2021, enclosure ./C; OZ 1, S 173 ff). The authority concerned also made corresponding findings in this regard, which were not disputed by the parties to the proceedings.

3. Legal assessment:

to A)

The admissible complaint is not justified.

3.1. On the subject of the complaint:

According to the ruling of the VwGH on Section 27 VwGVG 2014, the VwG's authority to examine is not unlimited. The ultimate framework for the authority to examine is the matter of the disputed decision, thus only that matter that formed the content of the verdict of the administrative authority prosecuted before the VwG. This framework is further restricted in cases where the official decision can be separated if - as here - only a part of several separable decisions is contested in the appeal (cf. VwGH 16.11.2015, Ra 2015/12/0026; as well as VwGH 21.12.2016, Ra 2016/04/0127).

Since the BF only contested point 1., the subject of the proceedings is only the violation of the right to secrecy due to the lack of voluntary consent to data processing for marketing and advertising purposes.

3.2. To consent to data processing:

According to Art. 4 Z 11 GDPR, “consent” is any voluntary, informed and unequivocal expression of will in the specific case in the form of a declaration or other clear affirmative action, with which the data subject indicates that they consent to the processing of the personal data concerning them.

Only a (valid) consent is subsequently one of six possible legal grounds for processing according to Art 6 Para 1 GDPR (see Art 6 Para 1 lit a GDPR; as well as recital 43 GDPR).

In particular, consent is not considered voluntary if the fulfillment of a contract is made dependent on the consent, although this consent is not required for the fulfillment of the contract (cf. Art. 7 Para. 4 GDPR; and Recital 43 GDPR). This provision is also referred to as the ban on coupling. Consent is therefore not to be regarded as voluntarily given if the data subject has no choice but to consent to the data processing in order to benefit from another contractual service (cf. Kastelitz in Knyrim, DatKomm Art 7 GDPR, margin no. 33). Consent is to be assessed based on the criteria of imbalance, necessity, contractual performance, reasonable alternative and appropriate balance of interests (see Buchner/Kühling in Kühling/Buchner, DS-GVO3 Art 7 margin no. 41 ff).

The starting point of an examination in accordance with Art 7 Para 4 GDPR is first and foremost whether and if so which processing is required for the fulfillment of the contract (see Kastelitz in Knyrim, DatKomm Art 7 GDPR margin no. 35). For this purpose, the subject matter of the contract must be determined.

3.2.1. In this specific case, this means:

In its data protection complaint, the MP asserted that the consent was given due to a violation of the so-called ban on coupling. The authority concerned agreed with the MP and found a violation in this regard.

The view of the BF, according to which the subject matter of the contract for the use of the customer account is to be assessed separately and detached from any subsequent orders, cannot be followed (see the administrative complaint of November 5th, 2021, p. 4; OZ 1, p. 548). On the one hand, it would be insufficient to see the characteristics of a customer account in an online shop merely in the submission of offers and discounts as well as the possibility of storing shopping lists, billing, delivery and payment information, without taking into account any purchase contracts for the goods offered in the online shop. If later purchases were completely disregarded, neither the BF would have an interest in making offers for products without hoping for orders of these products, nor would the MP have an interest in disclosing their delivery or payment information without planning a purchase in the online shop. On the other hand, the MP criticized the voluntary nature of the consent in connection with a specific order in the BF online shop on March 27, 2020, i.e. a purchase made there. Thus, the main contractual obligations, as is usual with orders in an online shop, consist of the delivery of the ordered items against payment of the purchase price (see the notification of October 8th, 2021, S 12; OZ 1, S 451).

For the main service characteristic of the contract (delivery of the ordered items against payment of the purchase price), the processing of MP's personal data for advertising and marketing purposes and for customer care is clearly not required. This results from the fact that orders are also possible without such processing (guest orders).

According to Art. 7 Para. 4 GDPR, the fulfillment of the contract (e.g. ordering in the online shop) must not be made dependent on data processing that is not necessary – as is the case here. It is therefore questionable whether the guest order represents a reasonable, equivalent alternative.

In the BF online shop, customers can choose between an order via a customer account or a guest order. The main performance obligations (goods for money) are therefore identical.

The authority concerned and the MP argue with the additional effort of repeatedly entering the delivery and payment information and come to the conclusion that the guest order is not equivalent to a customer account order (see the decision of October 8th, 2021, S 13 f; OZ 1, p 452 f; as well as the MP's statement of May 9, 2023, p. 2 f; OZ 3, p. 2 f). This can not be followed. The equivalence itself can only depend on the main services (goods for money) and, as already explained, these are the same. The "additional effort" associated with a guest order is also reasonable for the MP. By entering billing, delivery and payment information, which is required for each new guest order, shopping in the online shop is neither made practically impossible nor made significantly more difficult. The MP can certainly agree that a guest order - especially if no so-called auto-fill function is used to automatically fill out forms in Internet browsers - will normally take a little more time than an order via a customer account where the necessary information is already stored. However, even with a customer account, user name and password must be entered and any delivery and payment information stored must be confirmed. The additional effort for a guest order is therefore limited and remains within reasonable limits. In addition, the possibility of storing order information in the customer account merely represents a "permissible incentive" (see EDSA Guidelines 05/2020 on consent in accordance with Regulation 2016/679, Version 1.1, adopted on May 4th, 2020 margin nos. 37, 50). The omission of these is therefore not a disadvantage, since the purchase is still possible via the reasonable alternative of guest ordering.

Contrary to the opinion of the authority concerned, the designation as "guest" order is not misleading, since this designation is established in online trade and is also known to average customers as an order option without prior registration (see the decision of October 8th, 2021, S 13 f; OZ 1, p. 452f).

As a result, BF has not made the possibility of ordering in its online shop dependent on consent to the processing of personal data for advertising and marketing purposes or for customer service.

The other criteria for consent, such as a clearly confirming action and the information to which consent is given, appear unproblematic in the present case, especially since the MP had to actively click on a control field and described the data processing to which consent was given. No other objections to the consent were raised either in the application initiating the procedure or in any other part of the procedure.

The MP always had the opportunity to order as a guest and was also explicitly informed of this. MP's consent to data processing for advertising and marketing purposes was therefore voluntary and valid. The violation of the right to secrecy determined by the authority concerned is therefore not present.

As a result, the complaint about the administrative decision was to be granted and point 1 of the contested administrative decision (right to secrecy) was to be amended in accordance with the ruling.

3.3. Pursuant to Section 24 (1) VwGVG, the administrative court must hold a public oral hearing upon application or, if it deems it necessary, ex officio.

According to § 24 para. 4 VwGVG - unless otherwise provided by federal or state law - the administrative court can, regardless of a party's application, refrain from a hearing if the files indicate that the oral discussion does not give reason to expect any further clarification of the legal matter, and neither Art. 6 para. 1 ECHR nor Art. 47 CFR stand in the way of the omission of the hearing.

The requested oral hearing could be waived, since the facts that are essential for the legal assessment have already been fully established by the administrative authority in a proper investigation and, at the time of the decision of the adjudicating court, are still up to date and complete as required by law. The complaint also did not allege any facts that contradicted or went beyond the result of the official investigation (VwGH February 24, 2015, Ra 2014/19/0171). Furthermore, the administrative court was able to agree with the assessment of evidence by the authority concerned. The functioning of the online shop of the BF as well as the registration and ordering of the MP were fully determined by the authority concerned in the decision.

Assessing whether consent is voluntary under the GDPR is a legal issue. The facts relevant to the decision, in particular which options are available for an order and how the consent was structured, are undisputed in the present proceedings.

In the present case, the Federal Administrative Court therefore only has to rule on a legal issue (cf. ECtHR June 20, 2013, Appl. No. 24510/06, Abdulgadirov/AZE, margin nos. 34 et seq.). Neither Art. 6 Para. 1 of the ECHR nor Art. 47 of the Charter of Fundamental Rights stand in the way of the omission of the hearing.

3.4. It had to be decided accordingly.

Regarding B) Admissibility of the revision:

Pursuant to § 25a Para. 1 VwGG, the administrative court has to pronounce in its ruling or resolution whether the revision is admissible in accordance with Art. 133 Para. 4 B-VG. This statement must be briefly reasoned.

The revision is admissible because the decision depends on the solution of a legal question that is of fundamental importance. So far, there has been no case law from the Higher Administrative Court on the basis of which criteria the reasonableness and equivalence of an alternative in connection with the voluntariness of an unnecessary data protection consent is to be measured.