BVwG - W256 2246230-1

From GDPRhub
BVwG - W256 2246230-1
Courts logo1.png
Court: BVwG (Austria)
Jurisdiction: Austria
Relevant Law: Article 5(1)(a) GDPR
Article 6(1)(a) GDPR
Article 6(1)(f) GDPR
Article 7(2) GDPR
Article 83 GDPR
Decided: 07.06.2024
Published: 11.07.2024
Parties:
National Case Number/Name: W256 2246230-1
European Case Law Identifier:
Appeal from: DPA
D550.248 (2021-0.267.590)
Appeal to:
Original Language(s): German
Original Source: Rechtsinformationsystem des Bundes (in German)
Initial Contributor: ec

A court reduced a fine against a controller to €500,000 for not clearly distinguishing the declaration of consent with other matters in the same document.

English Summary

Facts

The controller was responsible for a multi-partner customer loyalty programme. Customers of participating retail shops could register as members, collect points based on their purchases and subsequently redeem them to receive various "exclusive" benefits and discounts. For participation in the programme, the controller collected personal data from the customers. Only the data of customers who gave consent during the registration process were processed to create profiles of the members about their purchasing behaviour for the purpose of personalised advertising. This was not mandatory for the conclusion of the contract.

Consent was obtained by signing up via a physical brochure at the partner shops or on the website.

The physical brochure obtained consent through a signature field at the end of the registration form, slightly separated from the text “declaration of consent”. To the left of this, at the same height, was the mandatory field "Date" required for registration. The field for the signature was not marked with a "*" meaning "mandatory field".

The website obtained consent under the heading "Enjoy your own personal benefits" with a tick box yes and no to the processing of data to benefit from exclusive benefits and promotions.

After the Supreme Administrative Court (“Verwaltungsgerichtshof – VwGH”) annulled part of the DPA’s decision against the controller, the DPA started anew the respective part of the procedure against the controller.

In that decision, the DPA held that the way the controller obtained consent on its website and on their physical registration brochure did not meet the requirements under Article 5(1)(a) GDPR in conjunction with Article 7(2) GDPR. As a result of the lack of consent, the controller could not base its processing of personal data on consent under Article 6(1)(a). Thus, DPA held that the controller also violated Article 6(1) GDPR in conjunction with Article 5(1)(a) GDPR. The DPA fined the controller €2 million under Article 83(5)(a) GDPR.

The controller appealed this decision at the Federal Administrative Court (“Bundesverwaltungsgericht – BVwG”). The controller argued that only the punishment of the controller for unauthorised processing of personal data is allowed under Article 83 GDPR. A violation of the requirements of consent under Article 7 GDPR could not be penalised according to the controller. Moreover, the DPA only accused the controller of a violation of Article 7(2) GDPR in the penalty notice, before the controller could even reply. The statute of limitations had already expired at that time. The controller also claimed that there was no negligence. Therefore, the controller argued that the decision should be annulled.

Holding

On the objections by the controller

The court dismissed the controller’s argument that Article 83 GDPR only penalises the unauthorised processing of personal data and held that under Article 83(5) GDPR, a violation under Articles 5, 6, 7 and 9 GDPR may justify the imposition of a fine. The court clarified that a violation under the GDPR cannot be considered in isolation from the processing of personal data, however, the violation does not need to be based on the (unauthorised) processing itself. Several provisions of the GDPR may be violated even in the case of the same processing operation.

The court did agree with the controller that the DPA only mentioned a violation of Article 7(2) GDPR in the penalty notice, and that the statute of limitation for prosecution on this had already expired. Moreover, the court found that the merely general accusation by the DPA that all conditions of Article 7 GDPR had been violated could not enable the controller to recognise which of the conditions had been violated and to what extent the controller was accused of a violation. Without knowledge of the specific violation, the controller was therefore unable to react accordingly.

On the legal basis

The court held that by obtaining consent together with the registration of the loyality program and confirmation of the general terms and conditions and the privacy policy on both the website and physical form, the controller did not comply with the requirement of the request for consent being clearly distinguishable from the other matters under Article 7(2) GDPR.

Regarding the physical brochure, the court held that by placing the signature field at the end of the physical form, it gave the impression that the signature was for the participation of the customer programme and not for consent. This was reinforced by the fact that the date field, designed as a mandatory field for registration, was placed directly next to the signature field. The court agreed with the DPA that customers would not have actively realised that they have actually signed a declaration of consent to profiling due to the visual design of the declaration of consent. The consent obtained by means of a brochure therefore did not fulfil the criteria of Article 7(2) GDPR.

Regarding the website, the court agreed with the DPA that an average consumer would not assume from the bold heading of the declaration of consent "Enjoy your own personal benefits" that this was actually about obtaining consent to carry out profiling. The tick boxes with yes and no did not contain any information on consent either but only about “exclusive benefits”. The court found the wording misleading as the people who do not consent to the profiling should also receive "exclusive" benefits upon registration. The fact that data subjects were only informed that the consent relates to the profiling in the General Terms and Conditions and in the privacy policy, which was not sufficient according to the court. Thus, the court held that the controller also did not fulfil the requirements of Article 7(2) GDPR for their website.

Since the controller did not obtain valid declarations of consent under Article 7(2) GDPR, the requirements of Article 6(1)(a) GDPR were therefore also not met.

The court dismissed the DPA’s argument that an invalid declaration of consent always results in unlawful processing and other legal bases cannot be accepted as the controller argued that the processing in question could also be based on legitimate interests under Article 6(1)(f) GDPR.

The court then looked into whether the controller could rely on Article 6(1)(f) GDPR. The court held that the controller relied exclusively on consent under Article 6(1)(a) GDPR. The controller’s General Terms and Conditions also stated that processing would only be carried out “if the member consents”. The court therefore held that since the data subjects not only did not expect the processing, but even explicitly excluded it in view of the controller's statements in its general terms and conditions, the confidentiality interests of the data subjects outweigh the legitimate interests of the controller in an overall assessment. The court found that the controller could therefore not rely on Article 6(1)(f) GDPR.

On negligence

The court took into account the CJEU decision in case C-807/21 and C-683/21 and held that a fine may only be imposed if it is proven that the controller, which is a legal person and at the same time an undertaking, has intentionally or negligently committed an infringement referred to in Article 83(4) to (6) GDPR.

The court then looked into the negligence of the controller. The court found that the controller or the DPO as well as the managing directors should have realised that the process chosen for the declarations of consent was misleading and that any data processing based on it was therefore unlawful. The court therefore held that the controller was at least at fault in the form of negligence.

On the fine amount

The court took into account the EDPB Guidelines 04/2022 for the starting amount of the fine and the newly added ground for mitigation whereby the negligent offence was already taken into account in the classification of the gravity of the offence and reduced the fine to €500,000.00.

The court therefore upheld the appeal to the extent that the fine was reduced. The court ordered the controller to pay the reduced fine within two weeks.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

Decision date

07.06.2024

Standard

B-VG Art133 Para.4
GDPR Art13
GDPR Art17
GDPR Art21
GDPR Art22
GDPR Art4
GDPR Art5 Para.1 lita
GDPR Art6
GDPR Art7
GDPR Art83
VStG 1950 §45 Para.1 Z1
VStG 1950 §64
VwGVG §52 Para.8

B-VG Art. 133 today B-VG Art. 133 valid from 01.01.2019 to 24.05.2018 last amended by BGBl. I No. 138/2017 B-VG Art. 133 valid from 01.01.2019 last amended by BGBl. I No. 22/2018 B-VG Art. 133 valid from May 25, 2018 to December 31, 2018, last amended by BGBl. I No. 22/2018 B-VG Art. 133 valid from August 1, 2014 to May 24, 2018, last amended by BGBl. I No. 164/2013 B-VG Art. 133 valid from January 1, 2014 to July 31, 2014, last amended by BGBl. I No. 51/2012 B-VG Art. 133 valid from January 1, 2004 to December 31, 2013, last amended by BGBl. I No. 100/2003 B-VG Art. 133 valid from January 1, 1975 to December 31, 2003, last amended by BGBl. No. 444/1974 B-VG Art. 133 valid from December 25th, 1946 to December 31st, 1974, last amended by BGBl. No. 211/1946 B-VG Art. 133 valid from December 19th, 1945 to December 24th, 1946, last amended by StGBl. No. 4/1945 B-VG Art. 133 valid from January 3, 1930 to June 30, 1934

VStG 1950 § 45 valid from July 1, 1988 to January 31, 1991 republished by BGBl. No. 52/1991 VStG 1950 § 45 valid from September 1, 1950 to June 30, 1988

VStG 1950 § 64 valid from January 1, 1991 to January 31, 1991 republished by BGBl. No. 52/1991 VStG 1950 § 64 valid from July 1, 1988 to December 31, 1990 last amended by BGBl. No. 516/1987 VStG 1950 § 64 valid from 01.01.1965 to 30.06.1988 last amended by BGBl. No. 275/1964

VwGVG § 52 today VwGVG § 52 valid from 01.09.2018 last amended by BGBl. I No. 57/2018 VwGVG § 52 valid from 01.01.2014 to 31.08.2018

Ruling

W256 2246230-1/49E

IN THE NAME OF THE REPUBLIC!

The Federal Administrative Court, with Judge Mag. Caroline Kimm as chair and the expert lay judges Dr. Claudia Rosenmayr-Klemenz and Mag. Adriana Mandl as assessors on the complaint of XXXX GmbH, represented by XXXX Rechtsanwälte GmbH, against the penal decision of the Data Protection Authority of July 26, 2021, file number D550.248 (2021-0.267.590) after conducting an oral hearing, rightly ruled:The Federal Administrative Court, represented by Judge Mag. Caroline Kimm as chair and the expert lay judges Dr. Claudia Rosenmayr-Klemenz and Mag. Adriana Mandl as assessors on the complaint of roman 40 GmbH, represented by roman 40 Rechtsanwälte GmbH, against the penal decision of the data protection authority of July 26, 2021, No. D550.248 (2021-0.267.590) after conducting an oral hearing, rightly ruled:

A)       I. The complaint is upheld with regard to point I of the judgment, the penal decision with regard to point I is remedied and the proceedings with regard to point I are discontinued in accordance with Section 45, Paragraph 1, Item 1 of the Criminal Procedure Act. A)       I. The complaint is upheld with regard to point roman one, the penal decision with regard to point roman one is remedied and the proceedings with regard to point roman one are discontinued in accordance with Paragraph 45, Paragraph one, Item one of the Criminal Procedure Act.

II. The appeal against point II of the penal decision is partially upheld and the penal decision is amended so that it should read as a whole: Roman II. The appeal against point II of the penal decision is partially upheld and the penal decision is amended so that it should read as a whole:

"Accused legal person: XXXX GmbH (FN XXXX m)"Accused legal person: Roman 40 GmbH (FN Roman 40 m)

The XXXX GmbH, with its registered office in XXXX (also the scene of the crime), is the controller within the meaning of Art. 4 Z 7 of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter: "GDPR"), OJ No. L 119 of 4 May 2016, p. 1, by the factual, unlawful and culpable conduct committed the following administrative offence:Roman 40 GmbH, with its registered office in Roman 40 (also the scene of the crime), as the controller within the meaning of Article 4, paragraph 7, of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter: “GDPR”), OJ No. L 119 of 4 May 2016, session 1, has committed the following administrative offence through the factual, unlawful and culpable conduct:

The accused has committed the following administrative offence through the automated processing of participation and purchase data from “ XXXX ” from 2 May 2019 to 31 January 2021 using the “website” method (used until 3 March 2020) www. XXXX at and the “Flyer” registration brochure method (used until February 3, 2020) (unlawful data processing was carried out on the data subjects registered at “Roman 40” for the purpose of creating profiles of their purchasing behavior because this could not be based on a legally valid declaration of consent or on any other legal basis in accordance with Art. 6 (1) GDPR. The accused has carried out an unlawful data processing of the participation and purchasing data of the “Roman 40” from May 2, 2019 to January 31, 2021 using the “website” method (used until March 3, 2020) www. roman 40 at and the registration brochure “Flyer” method (used until February 3, 2020) for the purpose of creating profiles of their purchasing behavior, because this could not be based on a legally valid declaration of consent or on any other legal basis in accordance with Article 6, Paragraph 1, GDPR.

As a result, the accused has

        violated the principles for the processing of personal data in a lawful manner, in good faith and in a manner that is comprehensible to the data subject (“lawfulness, processing in good faith, transparency”) and

        processed personal data without there being a suitable basis for permission under Article 6, Paragraph 1, GDPR.        processed personal data without there being a suitable basis for permission under Article 6, Paragraph 1, GDPR.

Administrative offence according to: Art. 5 Para. 1 lit. a in conjunction with Art. 6 Para. 1 in conjunction with Art. 83 Para. 5 lit. a GDPRAdministrative offence according to: Article 5, Paragraph one, Letter a, in conjunction with Article 6, Paragraph one, in conjunction with Article 83, Paragraph 5, Letter a, GDPR

The following penalty is imposed for this administrative offence:

Fine of     according to

EUR 500,000 (in words:   Art. 83 Para. 5 lit. a GDPREuro 500,000 (in words:   Art. 83 Para. 5, Letter a, GDPR

Five hundred thousand euros)  

Furthermore, you must pay pursuant to Section 64 of the Administrative Penal Code 1991 – VStG:Furthermore, you must pay pursuant to Section 64 of the Administrative Penal Code 1991 – VStG pay:

50,000 euros as a contribution to the costs of the criminal proceedings, which is 10% of the penalty.

The total amount to be paid (penalty/costs/cash expenses) is therefore

550,000 euros (in words: five hundred and fifty thousand euros)."

III. The complainant is not required to bear any costs of the administrative court proceedings pursuant to Section 52, Paragraph 8, VwGVG. Roman III. The complainant is not required to bear any costs of the administrative court proceedings pursuant to Paragraph 52, Paragraph 8, VwGVG.

B)       The appeal is admissible pursuant to Article 133, Paragraph 4, B-VG. B)       The appeal is admissible pursuant to Article 133, Paragraph 4, B-VG.

Text

Reasons for the decision:

I.       Procedure: Roman one.       Procedure:

on the preliminary proceedings:

In a letter dated September 5, 2019, the authority concerned informed the complainant that it was initiating an ex officio investigation procedure against her, recorded under number D213.895/0003, and the complainant was asked to answer a list of questions.

The complainant complied with this request in letters dated September 16, 2019 and October 7, 2019, simultaneously submitting various documents.

In the decision dated October 23, 2019, GZ: DSB-D213.895/0003-DSB/2019 (hereinafter: initial decision), the authority concerned decided in the ex officio investigation procedure against the complainant as follows:

"1. The official investigation was justified and it is found that the request for consent to the processing of personal data of the data subjects registered on “ XXXX ” for the purpose of profiling by XXXX GmbH with the wording “1. The official review procedure was justified and it is determined that the request for consent to the processing of personal data from the data subjects registered on “roman 40” for the purpose of profiling by roman 40 GmbH with the wording

“Declaration of consent: I agree [..] that XXXX GmbH and the XXXX partners with whom I have used my XXXX card (1) combine and analyze my participation data and purchase data in order to provide me with relevant, individualized information on the XXXX program tailored to my interests and to adapt offers for collecting and redeeming XXXX to my needs (so-called “profiling” [..]), in order to (2) send me advertising with personalized offers about products and services of the operator and the XXXX partners [..], and (3) that my personal data obtained in this way will be deleted if I withdraw my consent, at the latest after the end of my membership. [..].“ “Declaration of consent: I agree [..] that roman 40 GmbH and the roman 40 partners with whom I have used my roman 40 card (1) combine and analyze my participation data and purchase data in order to provide me with individualized information about the roman 40 program that is relevant to me and tailored to my interests and to adapt offers for collecting and redeeming roman 40 to my needs (so-called “profiling” [..]), in order to (2) send me advertising with personalized offers about products and services from the operator and the roman 40 partners [..], and (3) that my personal data obtained in this way will be deleted upon withdrawal of my consent, at the latest after the end of my membership. [..].“

using the following methods:

i) Website www. XXXX .ati) Website www. roman 40 .at

ii)       XXXX App ii)       roman 40 App

iii)     XXXX in a partner’s branch and iii)     roman 40 in a partner’s branch and

iv)      Registration brochure (“flyer”)

does not meet the requirements for consent pursuant to Art. 4, Paragraph 11, GDPR and Art. 7 GDPR and that, consequently, the processing of personal data of the data subjects registered at “ XXXX ” for the purpose of profiling by XXXX GmbH is inadmissible due to a lack of valid consent.does not meet the requirements for consent pursuant to Article 4, Paragraph 11, GDPR and Article 7, GDPR and that, consequently, the processing of personal data of the data subjects registered at “ roman 40 ” for the purpose of profiling by roman 40 GmbH is inadmissible due to a lack of valid consent.

2.       XXXX GmbH is instructed to adapt the request for consent mentioned in point 1 of the ruling using the methods mentioned in point 1 of the ruling i) to iv) in accordance with Art. 4 No. 11 GDPR and Art. 7 GDPR within a period of three months, otherwise the order will be executed. 2.       Roman 40 GmbH is instructed to adapt the request for consent mentioned in point 1 of the ruling using the methods mentioned in point 1 of the ruling i) to iv) in accordance with Article 4 No. 11 GDPR and Article 7 GDPR within a period of three months, otherwise the order will be executed.

3.       XXXX GmbH is prohibited and XXXX GmbH is instructed to no longer use the consents obtained in accordance with point 1 of the ruling for the purpose of profiling from May 1, 2020. This does not apply if valid consent is obtained from the data subjects within the same period, in compliance with the requirements for consent under point 2. 3. roman 40 GmbH is prohibited and roman 40 GmbH is instructed to no longer use the consents obtained under point 1 for the purpose of profiling from May 1, 2020. This does not apply if valid consent is obtained from the data subjects within the same period, in compliance with the requirements for consent under point 2.

Legal basis: Art. 4 Z 4 and Z 11, Art. 5 Para. 1 lit. a., Art. 6 Para. 1 lit. a, Art. 7 Para. 1 and Para. 2, Art. 12 Para. 1, Art. 13 Para. 1 lit. c, Art. 57 Para. 1 lit. a and lit. h, Art 58 Para. 1 lit. b and Para. 2 lit. d and lit. f [..] GDPR [..]“Legal basis: Article 4, paragraph 4 and paragraph 11,, Article 5, paragraph one, letter a,, Article 6, paragraph one, letter a,, Article 7, paragraph one and paragraph 2,, Article 12, paragraph one,, Article 13, paragraph one, letter c,, Article 57, paragraph one, letter a and letter h,, Article 58, paragraph one, letter b and Paragraph 2, Letter d and Letter f, [..] GDPR [..]"

The authority concerned stated, among other things, that the complainant was the operator of the XXXX. This XXXX is a cross-company and cross-industry customer loyalty program. Various companies participate in it. To this end, the complainant, as operator, concludes a contract with the companies. Customers who purchase and buy products in the participating partner's stores can register as members of the XXXX. The members can show the XXXX card with each purchase, which is scanned by the respective partner before payment. As part of the customer loyalty program, the members collect points. These can be used, among other things, to receive discounts. The complainant points out in its data protection declaration in point 3 that it processes member master data and purchase data, which are described in more detail. In point 4.4. In the data protection declaration, under the heading "automation-supported processing and analysis (profiling for target group selection, [...]"), it is pointed out that only if the member consents, the operator as the sole controller will continue to use and analyze the member's master data and purchasing data processed by the operator and partners for the automated personalization of advertising and marketing measures and thus obtain new marketing profiling data. According to point 4.4.5, the legal basis for the processing is consent in accordance with Art. 6 Paragraph 1 Letter a of GDPR. According to point 4.4.6, the consent is voluntary and can be revoked at any time. The authority concerned stated, among other things, that the complainant is the operator of the Roman 40. This Roman 40 is a cross-company and cross-industry customer loyalty program. Various companies participate in it. To this end, the complainant, as operator, concludes a contract with the companies. Customers who purchase products and buy in the participating partner's stores can register as a member of the roman 40. The members can show the roman 40 card with each purchase, which is scanned by the respective partner before payment. As part of the customer loyalty program, the members collect points. These can be used, among other things, to receive discounts. The complainant points out in its data protection declaration in point 3 that it processes the member master data and purchase data described in more detail. In point 4.4. In the data protection declaration, under the heading "automation-supported processing and analysis (profiling for target group selection, [...]), it is pointed out that only if the member consents, the operator, as the sole responsible party, will continue to use and analyze the member's master data and purchasing data processed by the operator and its partners for the automated personalization of advertising and marketing measures and thus obtain new marketing profiling data. According to point 4.4.5., the legal basis for the processing is the consent in accordance with Article 6, paragraph one, letter a, GDPR. According to point 4.4.6., the consent is voluntary and can be revoked at any time.

The authority concerned also determined that the consent to profiling in question according to point 4.4. of the data protection declaration was obtained using the methods described in point 1 i) to iv). Essentially, with all methods, albeit in different forms, the data protection declaration is first brought to the attention of the data subject and then, with regard to the online versions under the heading "Enjoy your personal benefits", the data subject is asked for the consent set out in the ruling for the profiling described in point 4.4 of the data protection declaration. The subject of the review is now the question of whether this request for consent complies with the requirements standardized in the GDPR. If this is answered in the negative, it must also be examined what effects this has on the admissibility of the processing of personal data for the purpose of profiling and whether, in the event of inadmissibility, a ban on data processing should be issued. The data protection authority has already stated in a similar case that consent must be given in accordance with the requirements of Art. 4 Z 11 GDPR and Art. 7 GDPR and, in particular, in an intelligible form. The present consent does not meet these requirements for any of the four registration types. In relation to the key methods used here, the authority in question stated that when the person concerned registers for XXXX using the website www.XXXX.at, under the section entitled “Enjoy your personal benefits”, they initially receive no visible information that “personal benefit” means the processing of personal data for the purpose of profiling. The box embedded in this section also initially only refers to the General Terms and Conditions and the Privacy Policy (“I hereby declare that in accordance with points 5.5 and 5.6 of the General Terms and Conditions [as well as points 4.4 and 4.5 of the Privacy Policy], I agree that…”). Only after the box has been scrolled down accordingly is there a reference to the processing of personal data for the purpose of profiling; the information on profiling is therefore not available in an “easily accessible form” or in a “clear and concise form”. Furthermore, it should be noted that, based on general life experience, a data subject does not associate the options “Yes” and “No” that are visible at first glance and which merely refer generally to the receipt or non-receipt of “exclusive benefits and promotions” with profiling and therefore does not constitute “clear and simple language” and therefore does not constitute legally valid consent. The European legislator has standardized explicit requirements for a request for consent in Art. 7 GDPR, which must be complied with in addition to and independently of the General Terms and Conditions and the Privacy Policy. If a contract therefore deals with several aspects (as is the case with the registration for XXXX ), the request for consent must be clearly distinguished. With regard to the registration brochure (“flyer”), the “Signature” field is specified at the end of the registration form. Below the “Signature” field there is the note “This signature only applies to the declaration of consent and is voluntary. Your registration for XXXX is also valid without a signature.” The “declaration of consent” itself, however, is placed above the “signature” field. Based on this, it can be stated that the registration form refers in general to registration for XXXX. However, since the “signature” field is placed at the end of the registration form, the impression is given that this is the signature confirming registration for XXXX. General experience would lead us to assume that an average user who registers for XXXX (and thus concludes a contract) would expect this to be the signature confirming registration – and not the submission of consent to profiling under data protection law. The note placed below that this signature only applies to the declaration of consent cannot change this: Firstly, this is offset to the left so that it is below the “date” field and not directly below the “signature” field. What makes matters worse in both cases is that there is no clearly visible indication of the possibility of revoking consent in accordance with the last sentence of Article 7 paragraph 3 of the GDPR, although the GDPR attaches great importance to this. Consent cannot therefore be used as a legal basis in accordance with Article 7 paragraph 3 of the GDPR.6 Paragraph 1 Letter a of GDPR can be used. Furthermore, the authority concerned found that the consent to profiling in question according to Point 4.4 of the data protection declaration was obtained using the methods described in points 1 i) to iv of the ruling. Essentially, with all methods, albeit in different forms, the data protection declaration is first brought to the attention of the data subject and then, with regard to the online versions under the heading “Enjoy your personal benefits”, the data subject is asked for the consent set out in the ruling for the profiling described in Point 4.4 of the data protection declaration. The subject of the review is now the question of whether this request for consent meets the requirements standardized in the GDPR. If this is not the case, it must also be examined what effects this has on the admissibility of the processing of personal data for the purpose of profiling and whether, in the event of inadmissibility, a ban on data processing should be issued. The data protection authority had already stated in a similar case that consent must be given in accordance with the requirements of Article 4, paragraph 11, GDPR and Article 7, GDPR and, in particular, in an intelligible form. The present consent does not meet these requirements for any of the four registration types. In relation to the key methods here, the authority in question stated that when registering for the roman 40 using the website www.roman 40.at, under the section entitled “Enjoy your personal benefits”, the person concerned initially receives no visible information that “personal benefit” means the processing of personal data for the purpose of profiling. The box embedded in this section also initially only refers to the general terms and conditions and the data protection declaration (“I declare in accordance with points 5.5. and 5.6. of the general terms and conditions [also points 4.4. and 4.5. of the data protection declaration] that …”). Only after the box has been scrolled down is reference made to the processing of personal data for the purpose of profiling; the information on profiling is therefore not available in an "easily accessible form" or in a "clear and concise form". It should also be noted that, based on general life experience, a data subject does not associate the options "Yes" and "No" that are visible at first glance, which merely refer generally to the receipt or non-receipt of "exclusive benefits and promotions", with profiling and therefore this is not "clear and simple language" and therefore does not constitute legally valid consent. The European legislator has set out explicit requirements for a request for consent in Article 7 of the GDPR, which must be complied with in addition to and independently of the general terms and conditions and the data protection declaration. If a contract (as in this case the registration for the Roman 40) deals with several aspects, the request for consent must be clearly differentiated. With regard to the registration brochure (“flyer”), the “Signature” field is specified at the end of the registration form. Below the “Signature” field is the note “This signature only applies to the declaration of consent and is voluntary. Your registration for the Roman 40 is also valid without a signature”. The “Declaration of Consent” itself, however, is placed above the “Signature” field. Based on this, it should be noted that the registration form refers in general to registration for the Roman 40. However, since the “Signature” field is placed at the end of the registration form, the impression is given that this is the signature as confirmation of registration for the Roman 40. In this regard, it can also be assumed based on general life experience that an average user who registers for the Roman 40 (and thus concludes a contract) expects this to be the signature to confirm registration – and not to give consent to profiling in accordance with data protection law. The note placed underneath that this signature only applies to the declaration of consent cannot change these statements: Firstly, this is offset to the left so that it is located under the "Date" field and not directly under the "Signature" field. In both cases, the situation is made more difficult by the fact that there is no clearly visible reference to the possibility of revocation in accordance with Article 7, Paragraph 3, last sentence of the GDPR, although the GDPR attaches great importance to this. The consent cannot therefore be used as a legal basis in accordance with Article 6, Paragraph 1, Letter a, of the GDPR.

The complainant lodged an appeal against this decision with the Federal Administrative Court.

With the preliminary decision of the authority concerned on December 11, 2019, the complainant's appeal was partially upheld and the ruling was amended so that it should read as a whole:

"1. The official investigation procedure was justified and it is established that

a) the request for consent to the processing of personal data of the data subjects registered on “ XXXX ” for the purpose of profiling by the complainant with the wording […]a) the request for consent to the processing of personal data of the data subjects registered on “ roman 40 ” for the purpose of profiling by the complainant with the wording […]

using the methods i) website XXXX and ii) registration brochure (“flyer”) does not meet the requirements for consent pursuant to Art 4 Z 11 GDPR and Art 7 GDPR and that using the methods i) website roman 40 and ii) registration brochure (“flyer”) does not meet the requirements for consent pursuant to Article 4, Paragraph 11, GDPR and Article 7 GDPR and that

b) for the previous processing of personal data of the data subjects registered on “ XXXX ” for the purpose of profiling by XXXX GmbH in addition to the Consent obtained using the methods i) website XXXX and ii) registration brochure (“flyer”), no other legal basis under Art. 6 GDPR comes into consideration and the aforementioned previous processing was therefore unlawful. b) for the previous processing of personal data of the data subjects registered with roman 40 “ for the purpose of profiling by roman 40 GmbH in addition to the consent obtained using the methods i) website roman 40 and ii) registration brochure (“flyer”), no other legal basis under Article 6 GDPR comes into consideration and the aforementioned previous processing was therefore unlawful.

2) XXXX GmbH is prohibited from processing personal data of data subjects registered on “XXXX” for the purpose of profiling within the scope of paragraph 1.2) Römische 40 GmbH is prohibited from processing personal data of data subjects registered on “roman 40” for the purpose of profiling within the scope of paragraph 1.

3) The complainant is granted a period of six months to implement paragraph 2.

Legal basis: [..] Art. 4 Z 4 and Z 11, Art. 5 Para. 1 lit. a. Art. 6 Para. 1 lit. a, Art. 7, Art. 12 Para. 1, Art. 13 Para. 1 lit. c, Art. 57 Para. 1 lit. a, lit. d and lit. h, Art. 58 Para. 1 lit. b and lit. d and Para. 2 lit. d and lit. f [..] GDPR [..]“Legal basis: [..] Article 4, No. 4 and No. 11,, Article 5, Paragraph One, Letter a, Article 6, Paragraph One, Letter a,, Article 7,, Article 12, Paragraph One,, Article 13, Paragraph One, Letter c,, Article 57, Paragraph One, Letter a,, Letter d and Letter h,, Article 58, Paragraph One, Letter b and Letter d, and Paragraph 2, Letter d and Letter f, [..] GDPR [..]”

In its justification, the authority concerned stated that the complaint showed that the registration process for the “XXXX App” and “XXXX” methods was a screen-by-screen registration process, thus ensuring that the request for consent was clearly separated from the rest of the registration process. This meant that the full attention of the person concerned was focused on the current registration step. It was therefore assumed that there was a sufficient level of transparency and thus sufficient consent, which is why the ruling had to be adjusted accordingly. However, as already stated in the initial decision, the consent for the “website” and “flyer” methods still did not meet the requirements for transparent consent. It was also noted that this was a “double” consent because the declaration not only obtained consent for data processing for the purpose of profiling for the complainant, but also for the 14 other partners. This was not clearly indicated. An average user cannot expect to give a declaration of consent to 15 controllers with regard to the processing of his data for the purpose of profiling. This is a further indication that the present declaration of consent is not designed in a sufficiently comprehensible manner. The present consents cannot therefore be used as a valid legal basis for processing in accordance with Art. 6 Paragraph 1 Letter a of GDPR. In its justification, the authority concerned stated that the complaint showed that the registration process for the "Roman 40 App" and "Roman 40" methods is a screen-by-screen registration process, thus ensuring that the request for consent is clearly separated from the rest of the registration process. This means that the data subject's full attention is focused on the current registration step. It can therefore be assumed that there is a sufficient level of transparency and thus sufficient consent, which is why the ruling had to be adjusted accordingly. However, as already stated in the initial decision, the consent for the “website” and “flyer” methods still does not meet the requirements for transparent consent. It is also stated that this is a “double” consent because the declaration not only obtains consent for data processing for the purpose of profiling for the complainant, but also for the 14 other partners. This is not clearly indicated. An average user cannot expect to give a declaration of consent to 15 controllers with regard to the processing of his data for the purpose of profiling. This is a further indication that the present declaration of consent is not designed in a sufficiently comprehensible manner. The present consents cannot therefore be used as a valid legal basis for processing in accordance with Article 6, paragraph one, letter a, GDPR.

In a letter dated December 27, 2019, the complainant submitted a request for a referral.

In a ruling dated August 31, 2021, Ref. W256 2227693-1/10E, the Federal Administrative Court granted the complainant's appeal and annulled the preliminary decision on the appeal in its entirety without replacement. The main reasoning was that in its initial decision, the authority concerned had limited the subject matter of the review to the review of the declarations of consent as the legal basis for the data processing in question.

The authority concerned filed an appeal against this with the Administrative Court, which annulled the Federal Administrative Court's ruling of August 31, 2021, Ref. W256 2227693-1/10E to the extent that points 2 and 3 of the preliminary decision on the appeal were removed without replacement due to the illegality of the content. With regard to the removal of point 1 of the preliminary decision on the appeal without replacement, the appeal was dismissed as unfounded.

By decision of the Federal Administrative Court of September 28, 2023, W256 2227693-1/44E, the appeal was dismissed with the proviso that points 2 and 3 of the preliminary decision on the appeal must read as follows:

"2) XXXX GmbH is prohibited from automatically processing the participation and purchasing data of data subjects registered at the " XXXX Club" using the "website" method www. XXXX at (as of October 23, 2019) and the registration brochure "Flyer" for the purpose of creating profiles of their purchasing behavior. "2) Römische 40 GmbH is prohibited from automatically processing the participation and purchasing data of data subjects registered at the " Römische 40 Club" using the "website" method www. Roman 40 at (as amended on October 23, 2019) and the registration brochure "Flyer" are prohibited from using the data subjects registered for the purpose of creating profiles about their purchasing behavior.

3) The complainant is granted a period of six months from the date the decision becomes final to implement point 2."

Regarding the administrative penal proceedings at issue here:

On January 29, 2020, the complainant was served with a summons from the authority concerned dated January 22, 2020. The complainant was accused of having committed the following administrative offenses:

"XXXX GmbH (FN XXXX m), with registered office in XXXX (also the crime scene), is responsible within the meaning of Art. 4 Z 7 of the General Data Protection Regulation, OJ No. L 119 of 4 May 2016, p. 1 (hereinafter: GDPR) for any actual processing of personal data in connection with the operation of a customer loyalty program called "XXXX", whereby this XXXX is a cross-company and cross-industry customer loyalty program. The data protection authority has initiated an official review procedure (“data protection review”) under GZ: DSB-D213.895 against the accused here as operator of “ XXXX ”, which was completed by decision of 23 October 2019 under GZ: DSB-D213.895/0003-DSB/2019 (amended by the preliminary decision of the data protection authority of 11 December 2019 under GZ: DSB-D062.297/0001-DSB/2019). Based on the results of the investigation in the official review procedure conducted in the matter, with regard to the present administrative penal proceedings against the accused, there is now a suspicion since 2 May 2019 at least that a) the request for consent to the processing of personal data of the data subjects registered on “XXXX” for the purpose of profiling by the complainant with the wording: “Declaration of consent: I declare in accordance with points 5.5 and 5.6. T&Cs (also points 4.4. and 4.5. of the privacy policy) agree that XXXX GmbH and the XXXX partners with whom I have used my XXXX card (1) merge and analyze my participation data and purchase data in order to provide me with individualized information about the XXXX program that is relevant to me and tailored to my interests and to adapt offers for collecting and redeeming XXXX to my needs (so-called “profiling” for target group selections, advertising measures and aggregated evaluations for product range optimization as well as tracking to measure the success of advertising measures), in order to (2) send me advertising with personalized offers about products and services of the operator and the XXXX partners by post, e-mail, SMS, MMS, push messages, messages via apps and messengers, and (3) that my personal data obtained in this way will be deleted upon revocation of my consent, at the latest after the end of my membership. My consent is not mandatory for the conclusion of the contract and I can revoke it at any time with effect for the future by sending a request to XXXX GmbH (XXXX by post, by email to datenschutz@ XXXX .at or by telephone (XXXX).” using the methods i) website www XXXX at and ii) registration form (“flyer”) does not meet the requirements for consent pursuant to Art. 4 Z 11 GDPR and Art. 7 GDPR and that b) for the previous processing of personal data of the data subjects registered on “ XXXX ” for the purpose of profiling by XXXX GmbH, no other legal basis pursuant to Art. 6 GDPR comes into consideration apart from the consent obtained using the methods i) website www. XXXX and ii) registration form (“flyer”) and that the aforementioned previous processing was therefore unlawful. There is therefore a suspicion that XXXX GmbH has violated the principles and permitted grounds of the GDPR through the processing operations described above and has not fulfilled its obligations as the controller, all of this at least without exercising the required care. With regard to the administrative criminal liability of the accused legal person - within the meaning of the association liability model of Art. 83 GDPR - there is a suspicion in the present context that there is a sufficient connection between the natural persons acting and the legal person, which allows the unlawful and culpable conduct to be attributed to it. "Roman 40 GmbH (FN Roman 40 m), with its registered office in Roman 40 (also the scene of the crime), is responsible within the meaning of Article 4, paragraph 7, of the General Data Protection Regulation, OJ No. L 119 of 4 May 2016, Session 1 (hereinafter: GDPR) for any processing of personal data actually carried out in connection with the operation of a customer loyalty program called "Roman 40", whereby Roman 40 is a cross-company and cross-sector customer loyalty program. The data protection authority has initiated an official review procedure (“data protection review”) under GZ: DSB-D213.895 against the accused here as operator of “Roman 40”, which was settled by decision of October 23, 2019 under GZ: DSB-D213.895/0003-DSB/2019 (amended by the preliminary decision of the data protection authority of December 11, 2019 under GZ: DSB-D062.297/0001-DSB/2019). Based on the results of the investigation into the matter in its own discretion, and with regard to the current administrative criminal proceedings against the accused, there is now a suspicion since 2 May 2019 at least that a) the request for consent to the processing of personal data of the data subjects registered at “Roman 40” for the purpose of profiling by the complainant with the wording: “Declaration of consent: I declare my consent in accordance with points 5.5 and 5.6. T&Cs (also points 4.4. and 4.5. of the privacy policy) agree that roman 40 GmbH and the roman 40 partners with whom I have used my roman 40 card (1) combine and analyze my participation data and purchase data in order to provide me with individualized information about the roman 40 program that is relevant to me and tailored to my interests and to adapt offers for collecting and redeeming roman 40 to my needs (so-called "profiling" for target group selections, advertising measures and aggregated evaluations for product range optimization as well as tracking to measure the success of advertising measures), in order to (2) send me advertising with personalized offers about products and services of the operator and the roman 40 partners by post, e-mail, SMS, MMS, push messages, messages via apps and messengers, and (3) that my personal data obtained in this way will be deleted upon revocation of my consent, at the latest after the end of my membership. My consent is not mandatory for the conclusion of the contract and I can revoke it at any time with effect for the future vis-à-vis roman 40 GmbH (roman 40 by post, by email to datenschutz@roman 40 .at or by telephone (roman 40 ).” using the methods i) website www roman 40 at and ii) registration form (“flyer”) does not meet the requirements for consent pursuant to Article 4, Paragraph 11, GDPR and Article 7, GDPR and that b) for the previous processing of personal data of the data subjects registered at “roman 40” for the purpose of profiling by roman 40 GmbH, apart from the consent obtained using the methods i) website www.roman 40 and ii) registration form (“flyer”), no other legal basis pursuant to Article 6, GDPR comes into consideration and the aforementioned previous processing was therefore unlawful. There is therefore a suspicion that roman 40 GmbH has violated the principles and the legal provisions of the GDPR through the processing operations described above and has not fulfilled its obligations as the controller, all of this at least by disregarding the required level of care. With regard to the administrative criminal liability of the accused legal entity - in the sense of the corporate liability model of Article 83 of the GDPR - there is a suspicion in the present context that there is a sufficient connection between the natural persons acting and the legal entity, which allows the unlawful and culpable conduct to be attributed to it.

Administrative offenses: Art. 5 para. 1 lit. a, Art. 6 para. 1, Art. 7, Art. 12 para. 1, Art. 13 para. 1 in conjunction with Art. 83 para. 5 lit. a and lit. b GDPR "Administrative offenses: Article 5, paragraph one, letter a,, Article 6, paragraph one,, Article 7,, Article 12, paragraph one,, Article 13, paragraph one, in conjunction with Article 83, paragraph 5, letters a and b, GDPR"

On February 26, 2020, the two managing directors of the complainant were questioned by the authority concerned. The accusation already mentioned in the summons was repeated by the authority concerned.

In its statement of May 29, 2020, the complainant essentially stated that the sole shareholder of the complainant was XXXX m.b.H. and the sole shareholder of this in turn was XXXX AG. However, the complainant was solely responsible for data processing relating to XXXX from a data protection perspective. In the past, XXXX AG had considered setting up a cross-company customer loyalty program and in 2016 made the strategic decision not to join the XXXX multi-partner customer loyalty program, but to set up such a multi-partner customer loyalty program within the XXXX Group itself. For this purpose, a project team was set up in the XXXX Group under the leadership of the responsible board member of XXXX AG, which developed the essential principles of the design of this customer loyalty program. During this conception phase, 14-day project steering committees were held with the board member and data protection considerations for the implementation of such a program were already made. For this purpose, an information network system was registered with the DSB on the basis of the legal situation before the GDPR came into force. The conception phase ended towards the end of 2017 because the key points of the program had been determined by this time. This also marked the end of the project steering committee meetings with the board member. Implementation of the program was placed in the hands of the complainant and thus in those of its managing directors. For this purpose, the complainant’s name was changed and the object of its business was changed in December 2017, and its management was reappointed. The complainant developed the concrete implementation and design of the customer loyalty program under the sole responsibility of the complainant’s managing directors. The complainant used external and internal consultants for this purpose, i.e. consultants who are employed by companies in the XXXX Group and those who are not, in particular lawyers. The key internal consultants included the data protection officer and head of XXXX’s internal data protection department, XXXX. He is employed by XXXX m.b.H. In one, the complainant submitted screenshots or copies of the respective registration processes as well as the (similar) registration brochure of the aforementioned customer loyalty program XXXX and made a more detailed statement. Registration using a registration brochure has no longer been possible since February 3, 2020, although profiling is still carried out on the basis of the declarations of consent given via the paper flyers and the website. As of February 3, 2020, 682,071 registrations had been made via the website (of which 574,232 people had given their consent for the purpose of personalized communication) and 1,948,181 via the registration brochure (of which 1,710,789 people had given their consent for the purpose of personalized communication). In addition, the complainant stated that the three online registration processes are very similar in structure, which is why the authority concerned was right to come to the conclusion in the preliminary decision on the complaint that consent to profiling via the XXXX app and the XXXX was lawful. However, the consent to profiling when registering for XXXX via the XXXX app or the XXXX does not differ in content from the website and the registration brochure. For this reason, it is not understandable why the authority concerned assumes in point 1) of the summons that the request for consent for the registration types "website" and "registration brochure" does not meet the requirements for consent under Art. 4 Z 11 GDPR. Furthermore, the complainant can fall back on the alternative legal bases of Art. 6 Para. 1 lit. f and Art. 6 Para. 4 GDPR for more specific reasons. Apart from that, however, the necessary fault for punishment is lacking anyway. The complainant had dealt extensively and intensively with the design of the registration process in advance, both internally and externally through lawyers. In its statement of May 29, 2020, the complainant essentially stated that the sole shareholder of the complainant was roman 40 m.b.H. and the sole shareholder of this in turn was roman 40 AG. However, the complainant was solely responsible for data processing relating to roman 40 from a data protection perspective. In the past, roman 40 AG had considered setting up a cross-company customer loyalty program and in 2016 made the strategic decision not to join the roman 40 multi-partner customer loyalty program, but to set up such a multi-partner customer loyalty program within the roman 40 Group itself. For this purpose, a project team was set up in the roman 40 Group under the leadership of the responsible board member of roman 40 AG, which developed the essential principles of the design of this customer loyalty program. During this conception phase, 14-day project steering committee meetings were held with the board member, and data protection considerations for the implementation of such a program were already made. For this purpose, an information network system was registered with the DSB on the basis of the legal situation before the GDPR came into force. The conception phase ended towards the end of 2017 because the key points of the program had been determined by this time. This also ended the project steering committee meetings with the board member. The implementation of the program was placed in the hands of the complainant and thus in those of its managing directors. For this purpose, the complainant's name and purpose were changed in December 2017, and its management was reappointed. The complainant developed the concrete implementation and design of the customer loyalty program under the sole responsibility of the complainant's managing directors. The complainant used external and internal consultants for this purpose, that is, consultants who are employed by companies in the roman 40 group and those for whom this is not the case, in particular lawyers. The key internal consultants included the data protection officer and head of the roman 40 internal data protection department, roman 40. He is employed by roman 40 m.b.H. In one, the complainant submitted screenshots or copies of the respective registration processes as well as the (similar) registration brochure of the aforementioned roman 40 customer loyalty program and made a more detailed statement on this. Registration using a registration brochure has no longer been possible since February 3, 2020, although profiling is still carried out on the basis of the declarations of consent given via the paper flyers and the website. As of February 3, 2020, 682,071 registrations had been made via the website (of which 574,232 people had given their consent for the purpose of personalized communication) and 1,948,181 via the registration brochure (of which 1,710,789 people had given their consent for the purpose of personalized communication). In addition, the complainant stated that the three online registration processes were very similar in structure, which is why the authority concerned was right to come to the conclusion in the preliminary decision on the complaint that consent to profiling via the roman 40 app and the roman 40 was lawful. However, the consent to profiling when registering for the roman 40 via the roman 40 app or the roman 40 does not differ in content from the website and the registration brochure. For this reason, it is not understandable why the authority concerned assumes in the summons in point 1) that the request for consent for the registration types "website" and "registration brochure" does not meet the requirements for consent under Article 4, paragraph 11, GDPR. Furthermore, the complainant can, for more detailed reasons, fall back on the alternative legal bases of Article 6, paragraph one, letter f and Article 6, paragraph 4, GDPR. Apart from that, however, the necessary fault for punishment is lacking anyway. The complainant had dealt extensively and intensively with the design of the registration process in advance, both internally and externally through lawyers.

On July 21, 2020, the authority concerned sent the complainant a request for justification, in which - as far as relevant here - she was again accused of the offence set out in the summons. In addition, she was informed, among other things, that the accusation was supplemented on the basis of the case law of the Administrative Court to the effect that the managing directors of the complainant were responsible for the alleged administrative offenses due to a lack of control and monitoring. This was particularly because the managing directors had not sufficiently ensured compliance with the data protection provisions in connection with the operational operation of the customer loyalty program, in particular with regard to the legal design of the declarations of consent and the associated information obligations. The unlawful and culpable behavior of the persons named was attributed to XXXX GmbH as the accused legal entity. On July 21, 2020, the authority concerned sent the complainant a request for justification, in which she was again confronted with the accusation set out in the summons - as far as relevant here. In addition, she was informed, among other things, that the accusation was amended based on the case law of the Administrative Court to the effect that the managing directors of the complainant were responsible for the alleged administrative offenses due to a lack of control and monitoring. This was particularly because the managing directors had not adequately ensured compliance with the data protection regulations in connection with the operational operation of the customer loyalty program, in particular with regard to the legal design of the declarations of consent and the associated information obligations. The unlawful and culpable behavior of the persons mentioned was attributed to the accused legal entity, Römische 40 GmbH.

The complainant submitted a justification on September 15, 2020. In it, it essentially repeated its previous submissions. In addition, it was argued that the managing directors of the complainant had carefully examined the information obtained (from lawyers) on the design of the consent obtaining via the individual channels in order to ensure that the request for consent met the requirements for effective consent under Art. 4 Z 1 GDPR for all methods used. After the information obtained had shown that effective consent under the aforementioned legal provision was in any case available due to the registration process, the managing directors trusted the accuracy of the aforementioned convincing information and decided on the design of the individual registration methods in question. The two managing directors had taken all necessary steps from the outset to make the data processing processes GDPR-compliant. In particular, they had arranged for the implementation of a compliance management system that permeated the entire organization and thus also the data processing of XXXX and had made the necessary inquiries from consultants and lawyers for this purpose. The managing directors made their decisions regarding the registration processes on the basis of the consistent results of the aforementioned inquiries. The managing directors or the complainant cannot therefore be accused of neglecting the required level of care, even if a different type of control or monitoring would have led to a different result with regard to the decisions regarding the registration process on the website and the registration form. The decisions criticized by the authority in question were the result of legal assessments of whether consent had been given in accordance with the law. Even the authority in question initially took a stricter interpretation of these standards in the review process than in the current administrative penal proceedings with regard to registration via the XXXX app and XXXX . Against this background, the complainant or the managing directors cannot be subjectively held responsible for the administrative offenses accused due to a lack of control and monitoring, especially since they had obtained information from several lawyers who had come to the conclusion that, based on the registration process described and assessed by them, legally valid consent to profiling had been given. The managing directors made the decisions in question by relying on the consistent enquiries and after carefully considering the information obtained. In doing so, the managing directors also obtained information from the data protection officer responsible for the XXXX Group, which was consistent with the above information. These were correct and at least justifiable legal opinions. If the opinion of the authority concerned were correct, managing directors would always be liable if the authority concerned took a different legal view, despite the existence of compliance management systems and despite trust in (external) legal advice. It should also be noted that the managing directors were aware that data processing had to be based on a legal basis. For this reason, consent was drawn up and checked by external lawyers. The fact that the authority concerned does not agree with the justifiable legal opinion regarding consent in the two registration methods mentioned above, "website" and "registration form", does not mean that the managing directors can be subjectively accused of neglecting the required care due to a lack of control and monitoring. Quite the opposite, the managing directors have properly fulfilled their control and monitoring obligations by obtaining the numerous pieces of information and carefully weighing them up on this basis. In particular, it should be emphasized that the authority concerned itself does not criticize the content of the consent text in the criticized usage methods, but merely criticizes how the consent text is embedded in the context of the website and the registration form. The managing directors have worked with lawyers to ensure that the consent is correctly worded. The fact that the corresponding consideration of the legal advice obtained by the managing directors led to a different result than the opinion of the authority concerned cannot be attributed to the managing directors as a negligence attributable to them, which is why the subjective accusation can be ruled out for these reasons alone. Moreover, the administrative offense at issue in the proceedings was (if at all) only a one-off, minor and not blameworthy - but at least excusable - oversight, which is why the conditions for waiving a penalty under Section 11 DSG and Section 45 Paragraph 1 Item 4 VStG - at most with a mere warning or caution - were met.The complainant submitted a justification on September 15, 2020. In it, she essentially repeated her previous submissions. In addition, it was argued that the managing directors of the complainant had carefully examined the information obtained (from lawyers) on the design of the consent gathering via the individual channels in order to ensure that the request for consent met the requirements for effective consent under Article 4, paragraph 1, GDPR for all methods used. After the information obtained had shown that effective consent under the aforementioned legal provision had in any case been obtained due to the registration process, the managing directors had trusted the accuracy of the aforementioned convincing information and had decided on the design of the individual registration methods in question. From the outset, the two managing directors had taken all the necessary steps to design the data processing processes in accordance with the GDPR. In particular, they had arranged for the implementation of a compliance management system that permeated the entire organization and thus also the data processing of the Roman 40, and had made the necessary inquiries with consultants and lawyers for this purpose. The managing directors had made the decisions regarding the registration processes on the basis of the consistent results of the aforementioned inquiries. The managing directors or the complainant cannot therefore be accused of neglecting the required level of care, even if a different type of control or monitoring would have led to a different result with regard to the decisions regarding the registration process on the website and the registration form. The decisions criticized by the authority in question were the result of legal assessments of whether consent had been given in accordance with the law. Even the authority in question initially took a stricter interpretation of these norms in the review procedure than in the administrative penal proceedings at hand with regard to registration via the Roman 40 app and Roman 40 . Against this background, the complainant or the managing directors cannot be subjectively held responsible for the administrative offenses accused due to a lack of control and monitoring, especially since they had obtained information from several lawyers who had come to the conclusion that, on the basis of the registration process described and assessed by them, legally valid consent to profiling had been given. The managing directors made the decisions in question by relying on the consistent inquiries and after carefully considering the information obtained. The managing directors also obtained information from the data protection officer responsible for the Roman 40 Group, which was consistent with the above information. These were correct and at least justifiable legal opinions. If the opinion of the authority concerned were correct, managing directors would always be liable if the authority concerned took a different legal view, despite the existence of compliance management systems and despite trusting in (external) legal advice. It should also be noted that the managing directors were aware that data processing had to be based on a legal basis. For this reason, consent was also drawn up and checked by external lawyers. The fact that the authority concerned does not agree with the justifiable legal opinion regarding consent in the two registration methods mentioned above, "website" and "registration form", does not mean that the managing directors can be subjectively accused of neglecting the required care due to a lack of control and monitoring. Quite the opposite, the managing directors have properly fulfilled their control and monitoring obligations by obtaining the numerous pieces of information and carefully weighing them up on this basis. In particular, it should be emphasized that the authority concerned itself does not criticize the content of the consent text in the criticized usage methods, but merely criticizes how the consent text is embedded in the context of the website and the registration form. The managing directors have worked with lawyers to ensure that the consent is correctly worded. The fact that the relevant considerations of the legal advice obtained by the managing directors led to a different result than the opinion of the authority concerned cannot be blamed on the managing directors as a negligence attributable to them, which is why the subjective accusation can be ruled out for these reasons alone. Furthermore, the administrative offence at issue in the proceedings (if at all) was only a one-off, minor and not blameworthy - but at least excusable - oversight, which is why the conditions for waiving a penalty under paragraph 11, DSG and paragraph 45, paragraph one, item 4, VStG - at most with a mere warning or caution - are met.

The authority concerned requested the complainant in a letter dated March 8, 2021 to submit documents (e.g. legal opinions, text suggestions, etc.) from which it can be deduced on which legal basis the management ultimately made the decision, as well as the declarations of consent that are the subject of the proceedings - using the methods i) website www. XXXX .at and ii) registration form ("flyer") - to be released and used for operational operations.The authority concerned requested the complainant in a letter dated March 8, 2021 to submit documents (e.g. legal opinions, text suggestions, etc.) from which it can be deduced on which legal basis the management ultimately made the decision, as well as the declarations of consent that are the subject of the proceedings - using the methods i) website www. roman 40 .at and ii) registration form ("flyer") - to be released and used for operational operations.

The complainant then submitted a letter from the law firm XXXX Rechtsanwälte GmbH (hereinafter: XXXX ) dated 12 April 2021 in a written submission dated 12 April 2021 as confirmation that the development of the registration process had been carried out in close coordination with the lawyers. The complainant then submitted a letter from the law firm Römische 40 Rechtsanwälte GmbH (hereinafter: Römische 40 ) dated 12 April 2021 in a written submission dated 12 April 2021 as confirmation that the development of the registration process had been carried out in close coordination with the lawyers.

In its statement dated 30 April 2021, the complainant essentially repeated its previous submissions.

By order dated 1 June 2021, the modified registration process, which had been determined on the basis of an official survey, was sent to the complainant on the complainant's website for the parties to hear.

In a statement dated June 22, 2021, the complainant informed the authority concerned that the registration process on the complainant's website had been changed and released for live operation on March 5, 2020. Since then, registration has only been possible via the changed registration process on the website. Registration via the physical registration form has no longer been possible since February 3, 2020. In addition, the complainant informed the authority concerned that the managing director who had previously been in charge of the company had resigned on January 31, 2021.

With the criminal judgment under appeal, the authority concerned stated that the complainant, as the person responsible, had committed the following administrative offenses through the criminal, unlawful and culpable conduct of the bodies authorized to represent the company during the period of the offense:

"I. The forms used from May 2nd, 2019 to obtain declarations of consent to the processing of personal data from the data subjects registered at “ XXXX ” for the purpose of profiling by the accused [...] with the wording [..] “I. The forms used from May 2nd, 2019 to obtain declarations of consent to the processing of personal data from the data subjects registered at “ roman 40 ” for the purpose of profiling by the accused [...] with the wording [..]

a) website www. XXXX at (used in the form determined here from May 2nd, 2019 to March 5th, 2020 – period of the offense I.a.), and a) website www. Roman 40 at (used in the form determined here from May 2, 2019 to March 5, 2020 - period of the offense Roman one a.), and

b) registration form "Flyer" (used in the form determined here from May 2, 2019 to February 3, 2020 - period of the offense I.b.), b) registration form "Flyer" (used in the form determined here from May 2, 2019 to February 3, 2020 - period of the offense Roman one b.),

did not meet the data protection requirements for effective consent in accordance with Art. 4 Z 11 in conjunction with Art. 5 Para. 1 lit. a and Art. 7 GDPR.did not meet the data protection requirements for effective consent in accordance with Article 4, Paragraph 11, in conjunction with Article 5, Paragraph one, Letter a and Article 7, GDPR.

As a result, those affected were prompted to consent to the processing of their personal data for the purpose of profiling by the accused [..] without the conditions for legally valid consent being met.

[..]

II. As a result of the legally invalid consent, the processing of personal data of the persons registered on " XXXX " for the purpose of profiling by the accused from May 2nd, 2019 to January 31st, 2021 [..] could not be based on a legally valid declaration of consent, nor on one of the otherwise conclusive legal grounds for permission stipulated in Art. 6 Para. 1 GDPR. [..]"Roman II. As a result of the legally ineffective consent, the processing of personal data of the data subjects registered at "Roman 40" for the purpose of profiling by the accused from May 2, 2019 to January 31, 2021 [...] could not be based on a legally effective declaration of consent, nor on one of the otherwise conclusively regulated legal grounds under Article 6, paragraph one, GDPR. [..]"

The complainant therefore violated the principle of processing personal data lawfully, in good faith and in a manner that is comprehensible to the data subject ("lawfulness, processing in good faith, transparency") and processed personal data without there being a suitable legal basis for this under Art. 6 GDPR. This was made possible by the fact that the [named] managing directors, who were appointed to represent the company externally during the period of the offence and were internally responsible for controlling and monitoring all data protection matters, were jointly responsible as representative bodies within the meaning of Section 30 Paragraph 1 and Paragraph 2 of the Data Protection Act for the administrative offences described above by disregarding the required care due to a lack of control and monitoring. The complainant therefore violated the principle of processing personal data lawfully, in good faith and in a manner that is comprehensible to the data subject ("lawfulness, processing in good faith, transparency") and processed personal data without there being a suitable legal basis for this under Article 6 of the GDPR. This was made possible by the fact that the [named] managing directors, who were appointed to represent the company externally during the period of the offence and were internally responsible for controlling and monitoring all data protection matters, were jointly responsible for the administrative offences described above as authorized bodies within the meaning of paragraph 30, paragraph one and paragraph 2, DSG by ignoring the required care due to a lack of control and monitoring.

The factual, unlawful and culpable conduct of the named managing directors is attributed to the complainant as the accused legal person and data protection officer within the meaning of Art. 4 Z 7 GDPR in view of paragraph 30, paragraph one and paragraph 2, DSG.

The factual, unlawful and culpable conduct of the named managing directors is attributed to the complainant as the accused legal person and data protection officer within the meaning of Art. 4 Z 7 GDPR in view of paragraph 30, paragraph one and paragraph 2, DSG.

The complainant is therefore to be charged with administrative offenses under I. Art. 5 Para. 1 lit. a in conjunction with Art. 7 Para. 2 in conjunction with Art. 83 Para. 5 lit. a GDPR and under II. Art. 5 Para. 1 lit. a in conjunction with Art. 6 Para. 1 in conjunction with Art. 83 Para. 5 lit. a GDPR and a fine of EUR 2,000,000.00 is to be imposed on the complainant for these violations under Art. 83 Para. 5 lit. a GDPR in conjunction with Section 30 DSG. In addition, the complainant must make a contribution of 10% of the fine, i.e. EUR 200,000.00, towards the costs of the criminal proceedings under Section 64 VStG. The complainant is therefore to be charged with administrative offenses under Roman numeral one. pursuant to Article 5, paragraph one, letter a, in conjunction with Article 7, paragraph 2, in conjunction with Article 83, paragraph 5, letter a, GDPR and Roman II pursuant to Article 5, paragraph one, letter a, in conjunction with Article 6, paragraph one, in conjunction with Article 83, paragraph 5, letter a, GDPR and a fine of EUR 2,000,000.00 is imposed on the complainant for these violations pursuant to Article 83, paragraph 5, letter a, GDPR in conjunction with Paragraph 30, DSG. In addition, the complainant must contribute 10% of the fine, i.e. EUR 200,000.00, to the costs of the criminal proceedings pursuant to Paragraph 64, VStG.

From a legal perspective, the authority concerned essentially found that the complainant had based the processing of the personal data of the data subjects participating in the XXXX for the purpose of profiling on the legal basis of consent pursuant to Art. 6 Paragraph 1 Letter a of GDPR. A high standard must be applied to the criteria of Art. 4 Paragraph 11 and Art. 7 GDPR, and according to the case law of the Supreme Court, the content and scope of pre-conceived contractual clauses must be "transparent" for the consumer. When registering for XXXX using the website www. XXXX, under the section entitled "Enjoy your personal benefits", the data subject initially receives no visible information that "personal benefit" means the processing of personal data for the purpose of profiling.The box embedded in this section also initially only refers to the general terms and conditions and the privacy policy (“I declare in accordance with points 5.5. and 5.6. of the general terms and conditions [as well as points 4.4. and 4.5. of the privacy policy] that …”). Only after the box has been scrolled down accordingly is reference made to the processing of personal data for the purpose of profiling; the information on profiling is therefore not available in an “easily accessible form” or in a “clear and concise form”. It should also be noted that, based on general life experience, a data subject does not associate the options “Yes” and “No” that are visible at first glance, which merely refer generally to the receipt or non-receipt of “exclusive benefits and promotions”, with profiling and therefore this is not “clear and simple language” and therefore not legally valid consent. The European legislator has standardized explicit requirements for a request for consent in Art. 7 GDPR, which must be observed in addition to and independently of the General Terms and Conditions and the data protection declaration. Therefore, if a contract (as is the case with the registration for XXXX) deals with several aspects, the request for consent must be clearly distinguished. With regard to the registration brochure (“flyer”), the “signature” field is specified at the end of the registration form. Below the “signature” field there is the note “This signature only applies to the declaration of consent and is voluntary. Your registration for XXXX is also valid without a signature”. The “declaration of consent” itself, however, is placed above the “signature” field. Based on this, it should be noted that the registration form refers in general to registration for XXXX. However, since the “signature” field is placed at the end of the registration form, the impression is given that this is the signature as confirmation of registration for XXXX. In this regard, it can also be assumed, based on general experience, that an average user who registers for XXXX (and thus concludes a contract) expects this to be a signature confirming registration – and not to provide consent to profiling under data protection law. The note underneath that this signature only applies to the declaration of consent cannot change this: Firstly, this signature is offset to the left so that it is located under the “Date” field and not directly under the “Signature” field. Based on the actual design of the request for consent, an average user will not assume that they are providing consent under data protection law with regard to the processing of their personal data for the purpose of profiling. Against this background, it can be assumed that the requests for consent using a) the website and b) the registration form (“flyer”) did not meet the requirements set out in Art. 4 Z 11 GDPR and Art. 7 Para. 2 in conjunction with Art. 5 Para. 1 lit. a and Art. 6 Para. 1 lit. a GDPR. According to the explicit wording of Art. 7 Para. 2 GDPR, parts of a declaration of consent are not binding if they constitute a violation of this regulation. Since the request for consent for the purpose of profiling using the methods i) website www.XXXX at and ii) registration form (“flyer”) does not meet the requirements of Art. 4 Z 11 GDPR and Art. 7 Para. 2 GDPR, it is an invalid declaration of consent and consequently cannot be used as a legal basis in accordance with Art. 6 Para. 1 lit. a GDPR. Therefore, all processing operations in connection with profiling by the controller were carried out in an unlawful manner, as they were not legitimized by any of the (finally standardized) permissions under Art. 6 Para. 1 GDPR. The use of an alternative permission as a substitute is therefore not an option, as the complainant had to decide on a legal basis from the outset. But even if one does not follow all of these considerations and assumes that the controller can rely on an alternative permission for the first time at a later point in time - for example in the context of proceedings before the supervisory authority - it should be noted that a balancing of interests would tip against it and (permissible) further processing would not be an option. The complainant had therefore violated the objective aspect of Article 5(1)(a) in conjunction with Article 7(2) in conjunction with Article 83(5)(a) GDPR (judgment point I), as well as Article 5(1)(a) in conjunction with Article 6(1) in conjunction with Article 83(5)(a) GDPR (judgment point II). With regard to the subjective aspect of the offense, the authority concerned essentially stated that the managing directors should have recognized from the clear wording of the provisions of the GDPR that the declarations of consent in question here most likely did not meet the requirements of the GDPR. There was therefore fault in the form of negligence on the subjective side of the offense. With regard to waiving punishment under Section 11 DSG or Section 45 VStG, it should be noted that the Federal Administrative Court has already confirmed with final and binding effect that Section 11 DSG does not give priority to a warning. It cannot be assumed that the importance of the legal interest protected under criminal law here is low; in any case, there is a high abstract interest. Whether the intensity of the impairment of the interest by the act and the fault of the accused is low is therefore not relevant and cannot therefore lead to the discontinuation of the proceedings under Section 45 Paragraph 1 Item 4 VStG. In legal terms, the authority concerned essentially held that the complainant had based the processing of the personal data of the data subjects participating in the roman 40 for the purpose of profiling on the legal basis of consent under Article 6 Paragraph 1 Letter a of GDPR. A high standard must be applied to the criteria of Article 4 Paragraph 11 and Article 7 of the GDPR; according to the case law of the Supreme Court, the content and scope of pre-conceived contractual clauses must be "transparent" for the consumer. When registering for the roman 40 using the website www. Roman 40 under the section entitled "Enjoy your personal benefits" initially contains no visible information that "personal benefit" means the processing of personal data for the purpose of profiling. The box embedded in this section also initially merely refers to the General Terms and Conditions and the Privacy Policy ("I declare that in accordance with points 5.5. and 5.6. General Terms and Conditions [as well as points 4.4. and 4.5. of the Privacy Policy], I agree that..."). Only after the box has been scrolled down accordingly is there a reference to the processing of personal data for the purpose of profiling; the information on profiling is therefore not available in an "easily accessible form" or in a "clear and concise form". Furthermore, it should be noted that, based on general life experience, a data subject does not associate the options “Yes” and “No” that are visible at first glance and that merely refer generally to the receipt or non-receipt of “exclusive benefits and promotions” with profiling, and therefore this does not constitute “clear and simple language” and therefore does not constitute legally valid consent. The European legislator has set out explicit requirements for a request for consent in Article 7 of the GDPR, which must be complied with in addition to and independently of the General Terms and Conditions and the Privacy Policy. If a contract (such as the registration for the Roman 40 in this case) deals with several aspects, the request for consent must be clearly distinguished. With regard to the registration brochure (“flyer”), the “Signature” field is specified at the end of the registration form. Below the “Signature” field there is the note “This signature only applies to the declaration of consent and is voluntary. Your registration for the Roman 40 is also valid without a signature.” The “declaration of consent” itself, however, is placed above the “signature” field. Based on this, it can be stated that the registration form refers in general terms to registration for the Roman 40. However, since the “signature” field is placed at the end of the registration form, the impression is given that this is the signature confirming registration for the Roman 40. In this case, it can be assumed based on general life experience that an average user who registers for the Roman 40 (and thus concludes a contract) expects this to be the signature confirming registration – and not the submission of consent to profiling under data protection law. The note placed below that this signature only applies to the declaration of consent cannot change this statement: Firstly, this is offset to the left so that it is located under the “date” field and not directly under the “signature” field. Based on the actual design of the request for consent, an average user would not assume that he or she is giving consent under data protection law with regard to the processing of his or her personal data for the purpose of profiling. Against this background, it can be assumed that the requests for consent using a) the website and b) the registration form ("flyer") did not meet the requirements set out in Article 4, paragraph 11, GDPR and Article 7, paragraph 2, in conjunction with Article 5, paragraph one, letter a, and Article 6, paragraph one, letter a, GDPR.According to the express wording of Article 7, Paragraph 2, GDPR, parts of a declaration of consent are not binding if they constitute a violation of this regulation. Since the request for consent for the purpose of profiling using the methods i) website www.roman 40 at and ii) registration form (“flyer”) does not meet the requirements of Article 4, Paragraph 11, GDPR and Article 7, Paragraph 2, GDPR, it is an invalid declaration of consent and consequently cannot be used as a legal basis in accordance with Article 6, Paragraph 1, Letter a, GDPR. Therefore, all processing operations in connection with profiling by the controller were carried out in an unlawful manner, as they are not legitimized by any of the (finally standardized) permissible grounds of Article 6, Paragraph 1, GDPR. The use of an alternative ground as a substitute is therefore not an option, as the complainant had to decide on a legal basis from the outset. However, even if one does not follow all of these considerations and assumes that the controller could rely on an alternative authorization for the first time at a later date - for example in the context of proceedings before the supervisory authority - it should be noted that a balancing of interests would tip the balance against it and (permissible) further processing would not be an option. The complainant has therefore violated the objective aspect of Article 5, paragraph one, letter a, in conjunction with Article 7, paragraph 2, in conjunction with Article 83, paragraph 5, letter a, GDPR (Roman Scripture point one), as well as Article 5, paragraph one, letter a, in conjunction with Article 6, paragraph one, in conjunction with Article 83, paragraph 5, letter a, GDPR (Roman Scripture point II). With regard to the subjective aspect of the offense, the authority concerned essentially stated that the managing directors should have recognized from the clear wording of the provisions of the GDPR that the declarations of consent in question here most likely did not meet the requirements of the GDPR. There was therefore culpability in the form of negligence on the subjective side of the offense. With regard to waiving punishment under paragraph 11, DSG or paragraph 45, VStG, it should be noted that the Federal Administrative Court has already confirmed with final and binding effect that paragraph 11, DSG does not give priority to a warning. It cannot be assumed that the importance of the legal interest protected by criminal law here is low; in any case, there is a high abstract interest. Whether the intensity of its impairment by the offense and the accused's culpability are low is therefore not relevant and therefore cannot lead to the discontinuance of the proceedings under paragraph 45, paragraph one, number 4, VStG.

With regard to sentencing, the penalty range of up to EUR 20,000,000 should be used due to the complainant's annual turnover and Art. 83 Paragraph 3 GDPR also applies, according to which in the event of a violation of several provisions of the GDPR, the total amount of the fine may not exceed the amount for the most serious violation. An aggravating factor was that the complainant had obtained invalid consent from around 2,285,021 natural persons in Austria and had to date processed the personal data of these data subjects for the purpose of personalized communication based on invalid consent. The processing was therefore unlawful throughout the entire period of the offense (since May 2, 2019). Mitigating factors included the fact that the authority concerned did not assume that the violations punished in the ruling were committed intentionally but negligently, that the authority concerned had no previous relevant violations of the GDPR against the complainant, that the complainant had cooperated in the investigation proceedings before the authority concerned and had thereby contributed to finding the truth, that the complainant had incurred a balance sheet loss, that the complainant and its managing directors had decided in February and March 2020, respectively, in response to the decision of the authority concerned in the ex officio review proceedings, to a) no longer use the paper form "Flyer" that was the subject of the proceedings to obtain declarations of consent and b) to adapt the digital registration process for obtaining the declaration of consent via the website, as well as the current COVID-19 pandemic and all the necessary restructuring measures in the company that resulted from it. With regard to sentencing, the penalty range of up to EUR 20,000,000 should be used due to the complainant's annual turnover and Article 83, paragraph 3, GDPR also applies, according to which in the event of a violation of several provisions of the GDPR, the total amount of the fine may not exceed the amount for the most serious violation. An aggravating factor was that the complainant had obtained invalid consent from around 2,285,021 natural persons in Austria and had to date processed the personal data of these data subjects for the purpose of personalized communication based on invalid consent. The processing was therefore unlawful throughout the entire period of the offense (since May 2, 2019). The mitigating factors taken into account were that the authority concerned did not assume that the violations punished in the ruling were committed intentionally but negligently, that the authority concerned had no relevant previous violations of the GDPR against the complainant, that the complainant had cooperated in the investigation proceedings before the authority concerned and had thereby contributed to finding the truth, that the complainant had incurred a balance sheet loss, that the complainant and its managing director had decided in February and March 2020, respectively, in response to the decision of the authority concerned in the official review procedure, to a) no longer use the paper form "Flyer" to obtain declarations of consent and b) to adapt the digital registration process for obtaining the declaration of consent via the website, as well as the current COVID-19 pandemic and all the resulting necessary restructuring measures in the company.

The specific penalty imposed in the amount of EUR 2,000,000.00 therefore appears to be appropriate to the crime and the guilt in view of the actual value of the crime, measured against the available penalty range under Article 83, Paragraph 5 of the GDPR (in this case up to EUR 20,000,000), and is at the lowest end of the available penalty range due to the mitigating circumstances. The specific penalty imposed in the amount of EUR 2,000,000.00 therefore appears to be appropriate to the crime and the guilt in view of the actual value of the crime, measured against the available penalty range under Article 83, Paragraph 5 of the GDPR (in this case up to EUR 20,000,000), and is at the lowest end of the available penalty range due to the mitigating circumstances.

This complaint is directed against this. After describing the course of the proceedings, including in relation to the official (preliminary) proceedings, for which the acquisition of the underlying file W256 2227693-1 was requested as evidence, it was argued in summary that with regard to point I of the judgment, the criminal judgment should be set aside and the proceedings discontinued. According to Art. 83 GDPR, only the person responsible for the unlawful processing of personal data can be punished. The mere use of the forms which the authority concerned considers unlawful is a non-punishable predicate offense. This follows in particular from the wording of Art. 83 (2) and (3) GDPR and, most recently, from the subject matter and aim of the GDPR, which relates to the protection of natural persons when personal data is processed. Apart from that, the authority concerned had first specifically accused the complainant of the violation of Art. 7 (2) GDPR alleged in point I of the judgment in the criminal judgment and the statute of limitations had already expired at that time. Contrary to the opinion of the data protection authority, the requirements for effective consent are met and the processing is carried out in accordance with the GDPR and the managing directors cannot be blamed in any way for neglecting the required care or for a lack of control and monitoring in this context. On the objective side of the case, it should be noted that there is no violation of the GDPR. The requests for consent used by the complainant each comply with the relevant requirements; in particular, the intended design ensures unambiguously for users that they are giving a declaration of consent in accordance with data protection law when signing or pressing a button. The online registration processes are essentially structured in the same way. The purposes of data processing - including profiling - are already highlighted in bold in the terms and conditions. In particular, the word "profiling" is highlighted several times in bold. In the data protection declaration, the purposes of data processing - such as profiling - are also highlighted in bold. With regard to granting consent to the terms and conditions and confirming the data protection declaration, the person concerned must actively click on a checkbox that is not preselected. In all three forms of registration, he has the opportunity to read the General Terms and Conditions and the Privacy Policy in full before submitting his declaration in this regard.When declaring profiling, the data subject has two alternative, non-preselected checkboxes available to them. The declaration of consent to profiling begins with a reference to specific provisions in the General Terms and Conditions (points 5.5. and 5.6.) and the data protection declaration (points 4.4. and 4.5.) and explicitly contains the word "profiling". As explained, the General Terms and Conditions and the data protection declaration also contain this word explicitly and in bold in the referenced provisions. The text placed directly next to the checkbox for consent to profiling reads: "YES, I consent to the processing of my data in accordance with the consent declaration below and would therefore like to benefit from exclusive advantages and promotions." The text placed directly next to the checkbox for rejecting profiling reads: "NO, I do not consent to the processing of my data in accordance with the consent declaration below and would therefore not like to benefit from exclusive advantages and promotions." When registering via the website, the declarations described above are not obtained screen by screen, but are obtained one after the other on one screen. The person concerned can determine the order in which the declarations are submitted themselves. The declaration of consent to profiling is in a scroll box, but at the end of the screen immediately above the "Register now" button there is an overview of the personal information entered and a reference to the declarations submitted. The last line reads in bold "Profiling: Consent granted" or "Profiling: Consent not granted", provided that a corresponding declaration has been submitted. If no declaration has been submitted, the text "Profiling: Please select an answer for profiling to continue with registration" is found there. Next to this is a pencil symbol. If the person concerned clicks on this, they are automatically scrolled directly to the declaration of consent. Registration can only be completed (with the "Register now" button) after (among other things) a declaration ("yes" or "no") regarding profiling has been submitted. The person concerned can see the following information in connection with the declaration of consent at first glance (without having to scroll): "I declare in accordance with point 5.5. and 5.6. General Terms and Conditions (also points 4.4. and 4.5. of the Privacy Policy) I agree that XXXX GmbH and the XXXX partners with whom I used my XXXX card (l) merge and analyse my participation data and purchase data in order to show me relevant offers and offers tailored to my interests (…)”. This information makes it clear to the person concerned at first glance that their participation data and purchase data are being merged and analysed on the basis of their consent to profiling. It should also be emphasised that registration via the website is optimised for display on mobile phones compared to display on a conventional computer (web version). In the mobile version, which is predominantly used by those affected, the "Register now" button is placed even closer to the last line "Profiling: Consent granted" or "Profiling: Consent not granted", so that the attention of the person affected is drawn even more intensively to the consent given or not given to profiling. Furthermore, the authority concerned overlooked the fact that directly next to the options to be checked ("Yes", "No") for profiling there is an explicit reference to the "declaration of consent below", in which the purpose of the processing is expressly stated. This information is directly below the reference and is short and concise in content. It is also immediately clear to the person affected which data processing, namely the merging and analysis of the participation and purchase data, will take place on the basis of the consent. The opinion of the authority concerned that the text "Exclusive advantages and promotions" is highlighted and the information on "profiling" is dealt with as a side issue is therefore incorrect. Even in the context of physical registration using a “flyer”, the registration form contains several clear references to profiling, particularly in the terms and conditions printed in full therein. Consent is obtained on the last page of the registration brochure. There are three main sections: terms and conditions/privacy policy/declaration of consent. By filling out and submitting the registration form, the participant agrees to the terms and conditions. The declaration of consent consists of the clearly visible word “declaration of consent”, followed by the consent text. Below the declaration of consent there is a mandatory field for the date, marked with an asterisk, and to the right of it the optional field “signature”. Directly below this field is the consent text, according to which the signature only applies to the declaration of consent and is voluntary, and registration for XXXX is also valid without a signature. In view of this information alone, the statements by the authority concerned that the customer assumes that the signature is for registration cannot be followed. In addition, the signature field is not marked with an asterisk. This complaint is directed against this. After describing the course of the proceedings, including in relation to the ex officio (preliminary) proceedings, for which the acquisition of the underlying file W256 2227693-1 was requested as evidence, it was summarized that with regard to point Roman 1, the criminal judgment should be set aside and the proceedings discontinued. According to Article 83 of the GDPR, only the controller can be punished for unlawful processing of personal data. The mere use of forms which the authority concerned considers to be unlawful is a non-punishable predicate offense. This follows in particular from the wording of Article 83, paragraphs 2 and 3 of the GDPR and, most recently, from the subject matter and aim of the GDPR, which relates to the protection of natural persons with regard to the processing of personal data. Apart from that, the authority concerned had granted the complainant the protection set out in point Roman 1. The alleged violation of Article 7, Paragraph 2, GDPR was first specifically accused in the criminal judgment and the statute of limitations had already expired at that time. Contrary to the opinion of the data protection authority, the requirements for effective consent were met and the processing was carried out in accordance with the GDPR and the managing directors could not be blamed in any way for neglecting the required care or for a lack of control and monitoring in this context. With regard to the objective side of the offense, it should be noted that there was no violation of the GDPR. The requests for consent used by the complainant each correspond to the relevant requirements; in particular, the intended design ensures unambiguously for users that they are giving a declaration of consent in accordance with data protection law when signing or pressing a button. The online registration processes are essentially structured in the same way. The purposes of data processing - including profiling - are already highlighted in bold in the general terms and conditions. In particular, the word "profiling" is highlighted in bold several times. In the data protection declaration, the purposes of data processing - such as profiling - are also highlighted in bold. In order to give consent to the General Terms and Conditions and to confirm the data protection declaration, the data subject must actively click on a non-preselected checkbox. In all three registration forms, the data subject has the option of reading the General Terms and Conditions and the data protection declaration in full before making his declaration in this regard. When making the declaration regarding profiling, the data subject has two alternative, non-preselected checkboxes available to him. The declaration of consent to profiling begins with a reference to specific provisions in the General Terms and Conditions (points 5.5. and 5.6.) and the data protection declaration (points 4.4. and 4.5.) and explicitly contains the word "profiling". As stated, the General Terms and Conditions and the data protection declaration also explicitly contain this word in bold in the referenced provisions. The text placed directly next to the checkbox for consent to profiling reads: "YES, I agree to the processing of my data in accordance with the consent declaration below and would therefore like to benefit from exclusive advantages and promotions." The text placed directly next to the checkbox for rejecting profiling reads: "NO, I do not agree to the processing of my data in accordance with the consent declaration below and would therefore not like to benefit from exclusive advantages and promotions." When registering via the website, the declarations described above are not obtained screen by screen, but rather they are obtained one after the other on one screen. The person concerned can determine the order in which the declarations are submitted themselves. The declaration of consent to profiling is in a scroll box here, but at the end of the screen immediately above the "Register now" button there is an overview of the personal information entered and a reference to the declarations made. The last line reads in bold "Profiling: Consent granted" or "Profiling: Consent not granted", provided a corresponding declaration has been made. If no declaration has been made, the text will appear: “Profiling: Please select an answer for profiling to continue with registration.” Next to it is a pencil symbol.If the person concerned clicks on it, they are automatically scrolled directly to the declaration of consent. Registration can only be completed (with the "Register now" button) after (among other things) a declaration ("yes" or "no") regarding profiling has been made. The following information is already apparent to the person concerned at first glance (without having to scroll) in connection with the declaration of consent: "I declare my consent in accordance with points 5.5. and 5.6. of the General Terms and Conditions (also points 4.4. and 4.5. of the Data Protection Declaration) that roman 40 GmbH and the roman 40 partners with whom I have used my roman 40 card (l) combine and analyze my participation data and purchase data in order to send me relevant and tailored (...) offers". This information makes it clear to the person concerned at first glance that their participation data and purchase data are being combined and analyzed on the basis of their consent to profiling. Furthermore, it should be emphasized that registration via the website is optimized for display on mobile phones compared to display on a conventional computer (web version). In the mobile version, which is predominantly used by those affected, the "Register now" button is placed even closer to the last line "Profiling: Consent granted" or "Profiling: Consent not granted", so that the attention of the person affected is drawn even more intensively to the consent given or not given to profiling. Furthermore, the authority concerned overlooked the fact that directly next to the options to be checked ("Yes", "No") for profiling there is an explicit reference to the "declaration of consent below", in which the purpose of the processing is expressly stated. This information is directly below the reference and is short and concise in content. It is also immediately clear to the person affected which data processing, namely the merging and analysis of the participation and purchase data, will take place on the basis of the consent. The opinion of the authority concerned that the text "Exclusive advantages and promotions" is highlighted and the information on "profiling" is dealt with as a side issue is therefore incorrect. Even in the context of physical registration using a "flyer", the registration form contains several clear references to profiling, particularly in the terms and conditions printed in full. Consent is obtained on the last page of the registration brochure. There are three main sections: terms and conditions/privacy policy/declaration of consent. By filling out and submitting the registration form, the participant agrees to the terms and conditions. The declaration of consent consists of the clearly visible word "declaration of consent" followed by the consent text. Below the declaration of consent there is a mandatory field for the date, marked with an asterisk, and to the right of it the optional field "signature". Directly below this field is the consent text, according to which the signature only applies to the declaration of consent and is voluntary, and registration for the Roman 40 is also valid without a signature. In view of this information alone, the statements of the authority concerned that the customer assumes that the signature is for registration cannot be followed. In addition, the signature field is not marked with an asterisk.

There was no fault on the subjective side of the crime. The authority concerned assumed that there was fault, but had not carried out any appropriate investigations. In general, the authority concerned failed to recognise that the authority had to prove fault. The complainant had provided sufficient information as part of its duty to cooperate and had described the steps taken in detail; the authority concerned had therefore wrongly confirmed fault and assumed negligence - without making any findings on this. The fact that the authority concerned accused the complainant of the fact that the managing directors followed the findings of the lawyers who were called in and specialized in data protection law and did not deviate from them is illogical: Managing directors cannot be required, on the one hand, to call in lawyers who have a proven focus of activity in the respective legal field and, on the other hand, to deviate from their findings without having the relevant specialist knowledge themselves, unless there are obvious contradictions that are obvious to everyone. The complainant stated that the documents were created with the involvement of the law firm, which in the process had shown the legal framework, and thus the options from a legal point of view. This was an intensive process between the lawyers consulted and the complainant, with the direct involvement of the named managing directors themselves, which extended over a longer period of time. The lawyers also examined the final documents and coordinated them with the named managing directors. There had also been an intensive internal debate on this topic since 2016. There had therefore been an intensive debate lasting several years both internally and externally. The allegation that the design of the declarations of consent clearly contradicted the wording of Art. 7 Para. 2 GDPR and that the managing directors could have recognized that the declarations of consent would most likely not meet the requirements of the GDPR was also incorrect. This is already evident from the fact that when the declarations were first used on May 2, 2019, there was hardly any reliable case law on the GDPR. Precisely because Article 7(2) GDPR contains vague legal terms, there is considerable scope for interpretation in this area, which is only specified in a way that creates legal certainty through (supreme court) case law. The question of whether there is unlawful consent to the processing of personal data for the purpose of profiling is, in any case in the present case, clearly a question of interpretation of vague legal terms. This is clearly shown by the results of the examination procedure described. While the authority concerned was of the opinion in the initial decision that the consent obtained in the context of all types of registration was not legally effective, it restricted this in the preliminary decision on the appeal to the two types of registration that are also the subject of this case. It is clear from the reasoning in the preliminary decision on the appeal that the placement of the word "profiling" in the registration process was the deciding factor as to whether - from the point of view of the authority concerned - effective or ineffective consent for the purposes of profiling had been given. But even if an administrative offence were to be assumed and reprehensible conduct in the sense of fault on the part of the complainant could be considered to have occurred, punishment should still have been dispensed with, since a warning in accordance with Art. 58 Para. 2 lit. b GDPR or Section 11 DSG or a warning in accordance with Section 45 Para. 1 No. 4 VStG would have been sufficient. Apart from that, the penalty imposed was also too high and would have been significantly lower if all circumstances had been fully and legally taken into account. In addition, the authority concerned considered the large number of people to be the only aggravating circumstance; it offset this with numerous mitigating circumstances of considerable weight. For this reason alone, the amount of the fine imposed contradicts Art. 83 Para. 5 GDPR. In addition, the complainant is to be accused, if at all, of an error of prohibition that is not reprehensible. The authority concerned did not take this mitigating factor into account, although Article 83(2) of the GDPR also requires the degree of responsibility to be taken into account. The imposition of a contribution to procedural costs is also contrary to EU law. The Administrative Penalty Act is only applicable to the extent that the GDPR does not contain any specific provisions. The GDPR (Article 83f) conclusively regulates possible sanctions, including fines, for violations of the GDPR. Even if the administrative penalty is not considered a sanction under national law, this term is to be interpreted autonomously within the scope of the GDPR. Since the administrative penalty has the same material effect as an additional fine, it is to be seen as a sanction within the meaning of the GDPR. However, Article 84 of the GDPR does not leave any domestic regulatory authority for such an additional fine; rather, the fines are conclusively regulated under Article 83 of the GDPR. Section 64 of the Administrative Penalty Act must therefore remain inapplicable in administrative penal proceedings pursuant to Article 83 of the GDPR. This also follows from the principle of proportionality according to Art. 49 GRC and Art. 83 Para. 1 GDPR. Ultimately, it was noted that the authority concerned had wrongly used the results of the investigation of the official review procedure for GZ DSB-D213.895/0003-DSB/2019 in the administrative penal proceedings. There was no fault on the subjective side of the offense. The authority concerned assumed fault, but had not carried out any corresponding investigations. In general, the authority concerned had failed to recognize that fault had to be proven by the authority. The complainant had provided sufficient information as part of its duty to cooperate and had described the steps taken in detail; the authority concerned had therefore wrongly confirmed fault and - without making any findings on this - assumed negligence. The fact that the authority concerned accuses the complainant of having followed the results of the lawyers specialising in data protection law who had been consulted and not deviating from them is completely illogical: Managing directors cannot be required, on the one hand, to consult lawyers with a proven focus of activity in the respective legal field and, on the other hand, to deviate from their results without having the relevant specialist knowledge themselves, unless there are obvious contradictions that are apparent to everyone.The complainant stated that the documents were created with the involvement of the law firm, which in the process had shown the legal framework, and thus the options from a legal point of view. This was an intensive process between the lawyers consulted and the complainant, with the direct involvement of the named managing directors themselves, which extended over a longer period of time. The lawyers also examined the final documents and coordinated them with the named managing directors. There had also been an intensive internal debate on this topic since 2016. There had therefore been an intensive debate lasting several years both internally and externally. The allegation that the design of the declarations of consent clearly contradicted the wording of Article 7, Paragraph 2, GDPR and that the managing directors could have recognized that the declarations of consent would most likely not meet the requirements of the GDPR was also incorrect. This is already evident from the fact that when the declarations were first used on May 2, 2019, there was hardly any reliable case law on the GDPR. Precisely because Article 7, Paragraph 2, GDPR contains vague legal terms, there is considerable scope for interpretation in this area, which is only made more specific by (supreme court) case law in a way that creates legal certainty. The question of whether there is unlawful consent to the processing of personal data for the purpose of profiling is, in any case in the present case, clearly a question of interpretation of vague legal terms. This is clearly shown by the results of the examination procedure described. While the authority concerned was of the opinion in the initial decision that the consent obtained in the context of all types of registration was not legally effective, it restricted this in the preliminary decision on the appeal to the two types of registration that are also the subject of this case. From the reasoning in the preliminary decision on the appeal, it is clear that the placement of the word "profiling" in the registration process was the deciding factor as to whether - from the point of view of the authority concerned - effective or ineffective consent for the purposes of profiling had been given. But even if an administrative offence were to be assumed and reprehensible conduct in the sense of fault on the part of the complainant could be considered to have occurred, punishment should nevertheless have been dispensed with, since a warning in accordance with Article 58, Paragraph 2, Letter b, GDPR or Paragraph 11, DSG or a reprimand in accordance with Paragraph 45, Paragraph 1, Item 4, VStG would have been sufficient. Apart from that, the penalty imposed was also too high and would have been significantly lower had all circumstances been fully and legally taken into account. In addition, the authority concerned considered the large number of people to be the only aggravating circumstance; it offset this with numerous mitigating circumstances of considerable weight. For this reason alone, the amount of the fine imposed contradicts Article 83, Paragraph 5, GDPR. Furthermore, if at all, the complainant is to be accused of an error of prohibition that is not reprehensible. The authority concerned did not take this mitigating factor into account, although Article 83, Paragraph 2, GDPR also requires the degree of responsibility to be taken into account. The imposition of a contribution to procedural costs is also contrary to EU law. The Administrative Penalty Act is only applicable to the extent that the GDPR does not contain any specific provisions. The GDPR (Article 83 f) conclusively regulates possible sanctions, including fines, for violations of the GDPR. Even if the administrative penalty is not considered a sanction under national law, this term is to be interpreted autonomously within the scope of the GDPR. Since the administrative penalty has the same material effect as an additional fine, it is to be seen as a sanction within the meaning of the GDPR. However, Article 84, GDPR does not leave any domestic regulatory authority for such an additional fine; rather, the fines are conclusively regulated under Article 83, GDPR. Paragraph 64, VStG must therefore remain inapplicable in administrative penal proceedings under Article 83, GDPR. This also follows from the principle of proportionality according to Article 49, Charter of Fundamental Rights and Article 83, paragraph one, GDPR. Ultimately, it was noted that the authority concerned had wrongly used the results of the investigation of the official review procedure for GZ DSB-D213.895/0003-DSB/2019 in the administrative penal proceedings.

The authority concerned submitted the complaint to the Federal Administrative Court along with the administrative files and submitted a counter-statement. In it, it pointed out, among other things, with regard to the asserted statute of limitations for prosecution under point I, that the wording of the prosecution clearly shows that the declarations of consent in question did not meet all the requirements stipulated by the GDPR. The request for justification of July 17, 2021, clearly states that the declarations of consent did not meet the "requirements for consent in accordance with Art. 4 Z 11 GDPR and Art. 7 GDPR." Both the definition of Art. 4 Z 11 and Art. 7 GDPR give rise to far-reaching requirements with regard to the requirements for an effective declaration of consent. The wording of the request for justification of July 17, 2021, specifically the reference to the requirements of Art. 4 Z 11 in conjunction with Art. 7 GDPR, shows that the alleged act includes non-compliance with all the requirements of the GDPR with regard to a legally effective declaration of consent. The authority concerned submitted the complaint to the Federal Administrative Court, including the administrative files, and submitted a counter-statement. In it, it referred, among other things, to point Roman 1 with regard to the asserted statute of limitations. that the wording of the prosecution clearly shows that the declarations of consent in question did not meet all the requirements stipulated by the GDPR. The request for justification dated July 17, 2021 clearly states that the declarations of consent did not meet the "requirements for consent in accordance with Article 4, paragraph 11, GDPR and Article 7, GDPR." Both the definition of the term in Article 4, paragraph 11, and Article 7, GDPR provide far-reaching requirements with regard to the requirements for an effective declaration of consent. The wording of the request for justification dated July 17, 2021, specifically by referring to the requirements of Article 4, paragraph 11, in conjunction with Article 7, GDPR, shows that the alleged act includes non-compliance with all the requirements of the GDPR with regard to a legally effective declaration of consent.

In a supplementary statement dated January 4, 2022, the authority concerned requested that the ECJ, pursuant to Article 267 TFEU, address the question of the direct criminal liability of a legal person pursuant to Article 83 GDPR and the question of the compatibility of Section 30 DSG with Article 83 GDPR; in the event, the proceedings be suspended until the ECJ decides in case C-807/21 pursuant to Section 38 AVG in conjunction with Sections 17 and 38 VwGVG. In a supplementary statement dated January 4, 2022, the authority concerned requested that the ECJ be referred to the Court of Justice pursuant to Article 267, TFEU, with the question of the direct criminal liability of a legal person pursuant to Article 83, GDPR and with the question of the compatibility of Paragraph 30, DSG with Article 83, GDPR; in the event, the proceedings be suspended until the ECJ has decided in case C-807/21 pursuant to Paragraph 38, AVG in conjunction with Paragraphs 17 and 38 VwGVG.

In this regard, the respondent authority argued that the Berlin Higher Regional Court, by decision of 6 December 2021, GZ 2 Ws 250/21, had referred the following questions to the ECJ on the interpretation of Article 83 GDPR for a preliminary ruling under Article 267 TFEU: In this regard, the respondent authority argued that the Berlin Higher Regional Court, by decision of 6 December 2021, GZ 2 Ws 250/21, had referred the following questions to the ECJ on the interpretation of Article 83 GDPR for a preliminary ruling under Article 267 TFEU:

“1. Is Article 83(4) to (6) GDPR to be interpreted as incorporating the functional concept of an undertaking as defined in Articles 101 and 102 TFEU and the functionary principle into domestic law, with the result that, by extending the legal entity principle underlying Section 30 of the OWiG, administrative fine proceedings can be conducted directly against an undertaking and the fine does not require the determination of an administrative offence committed by a natural and identified person, possibly in a fully criminal manner? "1. Is Article 83, paragraphs 4 to 6 of the GDPR to be interpreted as incorporating the functional concept of a company and the functionary principle assigned to Articles 101 and 102 TFEU into domestic law, with the result that, by extending the legal entity principle underlying paragraph 30 of the OWiG, a fine procedure can be conducted directly against a company and the fine does not require the determination of an administrative offence committed by a natural and identified person, possibly a full criminal offence? 2. If the answer to question 1 is in the affirmative: Is Article 83, paragraphs 4 to 6 of the GDPR to be interpreted as meaning that the company must have committed the infringement mediated by an employee through negligence (cf. Article 23 of Council Regulation (EC) No. 1/2003 of 16 December 2002 on the implementation of the competition rules laid down in Articles 81 and 82 of the Treaty), or is an objective breach of duty attributable to the company in principle sufficient for a fine to be imposed on it (“strict liability”)?” 2. If the answer to question 1 is in the affirmative: Is Article 83, paragraphs 4 to 6 of the GDPR to be interpreted as meaning that the company must have committed the infringement mediated by an employee through negligence (cf. Article 23 of Council Regulation (EC) No. 1/2003 of 16 December 2002 on the implementation of the competition rules laid down in Articles 81 and 82 of the Treaty)? Treaty), or is an objective breach of duty attributable to the company sufficient in principle for it to be fined (“strict liability”)?”

By order of the Federal Administrative Court of March 31, 2022, W256 2246230-1/12E, the proceedings pursuant to Section 17 VwGVG in conjunction with Section 38 AVG were suspended until the ECJ has given a preliminary ruling on the questions submitted by the Berlin Higher Regional Court of December 6, 2021, No. 3 Ws 250/21 (pending before the ECJ under C-807/21). By order of the Federal Administrative Court of March 31, 2022, W256 2246230-1/12E, the proceedings were suspended pursuant to paragraph 17, VwGVG in conjunction with paragraph 38, AVG, pending a preliminary ruling by the ECJ on the questions submitted by order of the Berlin Higher Regional Court of December 6, 2021, no. 3 Ws 250/21 (pending before the ECJ under C-807/21).

In its judgment of December 5, 2023, No. C-807/21, the ECJ ruled on the questions reproduced above as follows:

"1. Article 58(2)(i) and Article 83(1) to (6) of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) are to be interpreted as precluding a national provision according to which a fine for an infringement referred to in Article 83(4) to (6) GDPR can only be imposed on a legal person in its capacity as controller if that infringement was previously attributed to an identified natural person. "1. Article 58, paragraph 2, letter i and Article 83, paragraphs one to six of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) must be interpreted as precluding a national provision according to which a fine for an infringement referred to in Article 83, paragraphs 4 to 6 of the GDPR can only be imposed on a legal person in its capacity as controller if that infringement was previously attributed to an identified natural person.

2. Article 83 of Regulation 2016/679 is to be interpreted as meaning that, under this provision, a fine may only be imposed if it is proven that the controller, which is a legal person and at the same time an undertaking, has intentionally or negligently committed an infringement referred to in Article 83(4) to (6) of the GDPR."2. Article 83 of Regulation 2016/679 is to be interpreted as meaning that, under this provision, a fine may only be imposed if it is proven that the controller, which is a legal person and at the same time an undertaking, has intentionally or negligently committed an infringement referred to in Article 83(4) to (6) of the GDPR."

The complainant submitted a statement on 23 January 2024. In it, the latter stated that, due to the ECJ ruling of December 5, 2023, it is now clear for the present proceedings that the imposition of a fine under Art. 83 GDPR on the complainant depends on - at least - the following conditions, which must be met cumulatively: the determination of the acts charged in the contested criminal judgment, the legal classification of these acts under one of the offenses listed in Art. 83 (2) GDPR, the determination of the attributability of these acts to the complainant and the determination of culpable commission of these acts. It should be emphasized that, according to the aforementioned ECJ ruling, culpability is not only a condition for the assessment of a fine, but is already a condition for criminal liability. The complainant is requesting that the proceedings be suspended until the ECJ has decided in case GZ: C-383/23, because the ECJ may clarify the concept of an undertaking in its judgment of 5 December 2023, despite its comments on the relevant annual turnover. The complainant submitted a statement on 23 January 2024. In it, the latter stated that, due to the ECJ ruling of December 5, 2023, it is now clear for the present proceedings that the imposition of a fine under Article 83, GDPR on the complainant depends on - at least - the following conditions, which must be met cumulatively: the determination of the acts charged in the contested criminal judgment, the legal classification of these acts under one of the offenses listed in Article 83, paragraph 2, GDPR, the determination of the attributability of these acts to the complainant and the determination of culpable commission of these acts. It should be emphasized that, according to the aforementioned ECJ ruling, culpability is not only a condition for the assessment of a fine, but is already a condition for criminal liability. The complainant is requesting that the proceedings be suspended until the ECJ has decided in the case GZ: C-383/23, because the ECJ may clarify the concept of an undertaking in its judgment of December 5, 2023, despite its comments on the relevant annual turnover.

In its statement of January 30, 2024, the authority concerned essentially stated that in the contested penalty notice, the authority concerned had expressly examined and justified the subjective aspect of the offense in more detail in the light of the facts assumed to be proven. Due to the ECJ's judgment, it must now be taken into account that the requirement of fault for the imposition of a fine under Art. 83 GDPR must be interpreted autonomously within the Union and assessed in particular in the light of the ECJ's case law. The error of prohibition relied on by the complainant is not permitted by the ECJ's case law. For example, in the “Schenker” case, the ECJ made unambiguous statements with regard to the error of prohibition and the ECJ expressly referred to this in its judgment “Deutsche Wohnen SE (C-807/21)”. When determining the penalty for a fine in each individual case, the supervisory authority must ensure that the respective fine complies with the criteria of Art. 83 GDPR. In order for a fine to be deterrent and effective, the actual performance of the accused must always be taken into account. In the present case, too, the court must review the amount of the fine imposed on the basis of the criteria of Art. 83 (1) and (2) GDPR as part of its legal assessment and, in this context, must first determine the actual performance of the complainant. If the complainant belongs to an undertaking within the meaning of Art. 101 and 102 AUEV, the entire annual turnover of the undertaking must be used for the assessment. On the question of whether and under what conditions the turnover of the economic unit should be used, the ECJ refers to its established case law in competition law. The question of whether several persons form an economic unit depends essentially on whether the individual unit (the unit concerned in the proceedings) is free in its decision or whether the parent company exercises a decisive influence on the subsidiary. A decisive influence exists "if the subsidiary, despite having its own legal personality, does not determine its market conduct autonomously, but essentially follows instructions from the parent company, primarily because of the economic, organizational and legal ties that link the two legal entities." In such a case, the companies are part of the same economic unit. According to the extract from the commercial register dated January 30, 2024, XXXX m.b.H. is the sole shareholder of the complainant (100% shareholding). In turn, XXXX AG is the sole shareholder of this company (100% shareholding). In turn, XXXX Gesellschaft mit beschränkter Haftung is the sole shareholder of this company (100% shareholding). Therefore, the so-called "Akzo presumption" can be applied to the specific case based on the ECJ's case law cited above and it can thus be assumed that the parent companies exert a decisive influence on the complainant. It is incumbent on the complainant to refute this presumption by means of appropriate evidence or to prove that its subsidiary operates independently on the market. In the opinion of the data protection authority, the legal entities mentioned would therefore form an economic unit. In its statement of January 30, 2024, the authority concerned essentially stated that in the contested penalty notice, the authority concerned had expressly examined and justified the subjective aspect of the offense in more detail in the light of the facts assumed to be proven. Due to the ECJ's ruling, it must now be taken into account that the requirement of fault for the imposition of a fine under Article 83, GDPR, is to be interpreted autonomously within the Union and, in particular, to be assessed in the light of the ECJ's case law. The error of prohibition relied on by the complainant is not permitted by the case law of the ECJ. For example, in the "Schenker" case, the ECJ made unambiguous statements regarding the error of prohibition and the ECJ expressly referred to this in its judgment "Deutsche Wohnen SE (C-807/21)". Whenever a fine is imposed on an individual basis, the supervisory authority must ensure that the fine in question complies with the criteria of Article 83 of the GDPR. In order for a fine to be deterrent and effective, the actual ability of the accused to pay must always be taken into account. In the present case, too, the court must review the amount of the fine imposed on the basis of the criteria of Article 83, paragraphs one and two of the GDPR as part of its legal assessment and, in this context, must first determine the actual ability of the complainant to pay. If the complainant belongs to an undertaking within the meaning of Articles 101 and 102 of the TFEU, the company's entire annual turnover must be used for the examination. On the question of whether and under what conditions the turnover of the economic unit should be used, the ECJ refers to its established case law in competition law. The question of whether several persons form an economic unit depends essentially on whether the individual unit (affected in the proceedings) is free in its decision or whether the parent company exercises decisive influence on the subsidiary. A decisive influence exists "if the subsidiary, despite having its own legal personality, does not determine its market conduct autonomously, but essentially follows instructions from the parent company, primarily because of the economic, organizational and legal ties that link the two legal entities." In such a case, the companies are part of the same economic unit. According to the extract from the commercial register dated January 30, 2024, Römische 40 m.b.H. Sole shareholder of the complainant (100% shareholding). Of this, in turn, roman 40 AG is the sole shareholder (100% shareholding). Of this, in turn, roman 40 Gesellschaft mit beschränkter Haftung is the sole shareholder (100% shareholding). Therefore, the so-called "Akzo presumption" can be applied to the specific case based on the above-mentioned case law of the ECJ and it can thus be presumed that the parent companies exercise a decisive influence on the complainant. It is the complainant's responsibility to refute this presumption by means of appropriate evidence or to prove that its subsidiary operates independently on the market. In the opinion of the data protection authority, the legal entities mentioned therefore form an economic unit.

In this regard, the complainant stated in her statement of February 23, 2024, during the hearing of the parties that the ECJ had indeed stated in its judgment that the Member States may not provide for any substantive requirements that go beyond these procedural requirements in addition to those regulated in Art. 83 (1) to (6) GDPR. However, Section 5 VStG also has a procedural component. The prima facie evidence required under paragraph 1 sentence 2 leg. cit. that the complainant was not at fault for violating the administrative regulation (here: the GDPR) does not apply due to the penalty range under Art. 83 (5) GDPR (Section 5 (1a) VStG). Furthermore, the authority concerned had made findings in the penal decision (the specific natural persons, the organizational fault) that should not have been made in the light of the ECJ case law. Specifically, it had (summarized) formulated the ruling in such a way that the complainant was responsible for two violations of the GDPR due to the failure to exercise due diligence and due to a lack of control and monitoring of its managing directors appointed at the time of the offense. It is irrelevant whether the authority concerned could have described the accusation differently due to the primacy of Union law. Since it did not do so, the offense specifically described in the contested penal judgment is the one on which the assessment by the administrative court is to be based. However, if the offense is incorrectly described in the contested penal judgment due to the primacy of Union law because no natural person could have been named as the perpetrator, then according to the case law of the Administrative Court, this inevitably leads to the annulment of the penal judgment and the discontinuance of the administrative penal proceedings by the administrative court (VwGH 13.12.2019, Ra 2019/02/0184). The principle of personal responsibility under EU law also means that the administrative court must examine whether the alleged infringement (if it is established) 1) was committed by the actions of a person authorised to work for the complainant's company and 2) was committed intentionally or negligently. As Advocate General Campos Sánchez-Bordona correctly stated in his Opinion in the Deutsche Wohnen case, "the assessment of whether [the obligations laid down in the GDPR] have been complied with requires a complex evaluation and assessment process that goes beyond the mere establishment of a formal infringement". The complexity of this evaluation and assessment process must therefore be taken into account when assessing whether an objectively criminal conduct attributable to the legal person was committed intentionally or negligently. If this standard of fault is applied when interpreting Art. 83 GDPR, the assessment of the subjective side of the offense depends on whether the persons acting on behalf of the complainant "a) knew that the declarations of consent on the website and the registration form flyer did not meet the data protection requirements for effective consent pursuant to Art. 4 Z 11 in conjunction with Art. 5 Para. 1 lit. a and Art. 7 GDPR; or b) could not have been unaware of this or should have known this." Only if such a degree of fault can be established can a sanction be imposed under Art. 83 GDPR. The ECJ's statements in its Schenker ruling should also be viewed against the background of this standard of fault. Since the ECJ had already confirmed fault in the Schenker ruling because the companies concerned "could not have been unaware of the anti-competitive nature of their conduct," there was naturally no protection of legitimate expectations as a result of legal advice. Only if the administrative court comes to the conclusion that the complainant "could not have been in the dark" that the forms of the declaration of consent sanctioned by the authority concerned violate the GDPR is there any scope for a sanction under Art. 83 GDPR. However, this means, conversely, that even according to the ECJ's competition law case law, a legal error excluding guilt is not absolutely excluded; rather, this only applies if the person concerned could not have been in the dark about the anti-competitive nature of his conduct.In this regard, the complainant stated in her statement of February 23, 2024, during the hearing of the parties that the ECJ had indeed stated in its judgment that the Member States may not provide for any substantive requirements that go beyond these procedural requirements in addition to those regulated in Article 83, paragraphs one to six of the GDPR. However, Paragraph 5 of the VStG also has a procedural component. The prima facie evidence required under paragraph one, sentence 2 leg. cit. that the complainant was not at fault for violating the administrative regulation (here: the GDPR) does not apply due to the penalty range under Article 83, paragraph 5, GDPR (paragraph 5, paragraph one a, VStG). Furthermore, the authority concerned made findings in the penal decision (the specific natural persons, the organizational fault) that should not have been made in the light of the ECJ case law. Specifically, it formulated the ruling (in summary) in such a way that the complainant was responsible for two violations of the GDPR due to the failure to exercise due care and due to a lack of control and supervision of its managing directors appointed at the time of the offense. It is irrelevant whether the authority concerned could have described the accusation differently due to the primacy of Union law. Since she did not do so, the act specifically described in the contested penal decision is the one on which the administrative court's assessment is to be based. However, if the act in the contested penal decision is incorrectly described due to the priority of application of EU law because no natural person could have been named as the perpetrator, then according to the case law of the VwGH this inevitably leads to the annulment of the penal decision and the discontinuance of the administrative penal proceedings by the administrative court (VwGH 13.12.2019, Ra 2019/02/0184). The principle of personal responsibility under EU law also means that the administrative court must examine whether the alleged violation (if it is established) 1.) was committed by actions of a person authorized to work for the complainant's company and 2.) was committed intentionally or negligently. As Advocate General Campos Sánchez-Bordona correctly stated in his opinion in the case of Deutsche Wohnen, "the assessment of whether [the obligations provided for in the GDPR] have been complied with requires a complex evaluation and assessment process that goes beyond the mere finding of a formal violation." The complexity of this evaluation and assessment process must therefore be taken into account when assessing whether an objectively criminal conduct attributable to the legal person was committed intentionally or negligently. If this standard of fault is applied when interpreting Article 83 of the GDPR, the assessment of the subjective aspect of the offense depends on whether the persons acting on behalf of the complainant "a) knew that the declarations of consent on the website and the registration form flyer did not meet the data protection requirements for effective consent pursuant to Article 4, paragraph 11, in conjunction with Article 5, paragraph one, letter a, and Article 7 of the GDPR; or b) could not have been unaware of it or should have known it." Only if such a degree of fault can be established can a sanction under Article 83 of the GDPR be imposed at all. The statements of the ECJ in its judgment in Schenker should also be seen against the background of this standard of fault. Since the ECJ had already affirmed fault in the Schenker judgment because the companies concerned "could not have been unaware of the anti-competitive nature of their conduct", there was naturally no protection of legitimate expectations as a result of legal advice. Only if the administrative court comes to the conclusion that the complainant "could not have been unaware" that the forms of the declaration of consent sanctioned by the authority concerned violated the GDPR is there any scope for a sanction under Article 83 of the GDPR. However, this means, conversely, that even according to the ECJ's competition law case law, a legal error excluding guilt is not absolutely excluded; rather, this only applies if the person concerned could not have been unaware of the anti-competitive nature of his conduct.

When requested by the Federal Administrative Court to provide concrete evidence (e.g. notes, emails, consultation results, etc.) that a well-founded legal dispute had taken place on the basis of complete factual information to ensure the legal conformity of the data processing in question ("profiling") with the involvement of lawyers with a proven focus of activity in this area of law, the complainant again submitted a letter from the law firm XXXX dated March 5, 2024. In response to the Federal Administrative Court's request to provide concrete evidence (e.g. notes, emails, consultation results, etc.) that a well-founded legal dispute had taken place on the basis of complete factual information to ensure the legal conformity of the data processing in question ("profiling") with the involvement of lawyers with a proven focus of activity in this area of law, the complainant again submitted a letter from the law firm roman 40 dated March 5, 2024.

The complainant also announced the annual turnover of the complainant (EUR 27,239,998.36), XXXX m.b.H. (EUR 196,862,538.14) and XXXX AG (EUR 41,261,501.20) for the year 2020 at the request of the Federal Administrative Court. The complainant also announced the annual turnover of the complainant (EUR 27,239,998.36), roman 40 m.b.H. (EUR 196,862,538.14) and roman 40 AG (EUR 41,261,501.20) for the year 2020 at the request of the Federal Administrative Court.

On March 20, 2024, an oral hearing was held before the Federal Administrative Court, in which the complainant and the two managing directors appointed at the time of the offense as well as their legal representatives participated. Furthermore, the complainant's data protection officer, XXXX , was heard as a witness. On March 20, 2024, an oral hearing was held before the Federal Administrative Court, in which the complainant and the two managing directors appointed at the time of the offense as well as their legal representatives participated. Furthermore, the complainant's data protection officer, Roman 40 , was heard as a witness.

By letters dated 3 April 2024 and 27 May 2024, the complainant submitted various documents (including fee notes for legal advice from the law firms XXXX and XXXX GmbH as well as a written order to the law firm XXXX ) as well as, among other things, the complainant's balance sheet for the year 2020 as well as the balance sheet and profit and loss statement for the year 2020 of the XXXX limited liability company.By letters dated 3 April 2024 and 27 May 2024, the complainant submitted various documents (including fee notes for legal advice from the law firms roman 40 and roman 40 GmbH as well as a written order to the law firm roman 40 ) as well as, among other things, the complainant's balance sheet for the year 2020 as well as the balance sheet and profit and loss statement for the year 2020 of the roman 40 limited liability company. Liability submitted.

The authority concerned was granted the right to be heard.

II. The Federal Administrative Court considered: Roman II. The Federal Administrative Court considered:

1. Findings:

The complainant has been operating a cross-company and cross-industry customer loyalty program under the name " XXXX " since May 2019. Customers of the participating retail stores can register as members, collect points based on their purchases and then redeem them to receive various "exclusive" benefits or discounts. The complainant has been operating a cross-company and cross-industry customer loyalty program under the name " Roman 40 " since May 2019. Customers of the participating retail stores can register as members, collect points based on their purchases and then redeem them to receive various "exclusive" benefits or discounts.

As the operator of XXXX, the complainant is responsible for managing membership and the customer loyalty program, as well as advertising products, goods and services and providing the XXXX service.As the operator of roman 40, the complainant is responsible for managing membership and the customer loyalty program, as well as advertising products, goods and services and providing the roman 40 service.

The sole shareholder of the complainant is XXXX m.b.H., the sole shareholder of which is XXXX AG, the sole shareholder of which is in turn the XXXX limited liability company. The sole shareholder of the complainant is roman 40 m.b.H., the sole shareholder of which is roman 40 AG, the sole shareholder of which is in turn the roman 40 limited liability company.

The complainant achieved an annual turnover of EUR 27,239,998.36 in 2020. In the 2020 financial year, the complainant incurred a balance sheet loss of EUR 21,907,118.11.

XXXX m.b.H. achieved an annual turnover of EUR 196,862,538.14 in 2020. XXXX AG achieved an annual turnover of EUR 41,261,501.20 in 2020. XXXX Gesellschaft mit beschränkter Haftung did not generate any sales revenue in 2020. Römische 40 m.b.H. achieved an annual turnover of EUR 196,862,538.14 in 2020. Römische 40 AG achieved an annual turnover of EUR 41,261,501.20 in 2020. Römische 40 Gesellschaft mit beschränkter Haftung did not generate any sales revenue in 2020.

At the time of the offence, the situation was as follows:

For participation in XXXX and accordingly for the administration of membership, the complainant recorded participation data of the respective member, in particular via the registration forms filled out by the member. This was (according to the data protection declaration) the following data: For participation in Roman 40 and accordingly for the administration of membership, the complainant recorded participation data of the respective member, in particular via the registration forms filled out by the member. This was (according to the privacy policy) the following data:

"Member master data":

Personal data (customer number, title, gender, first name/last name, date of birth; optional: title before/after)

- Address and contact details (address; optional: telephone number, email address) with geolocation (X coordinate, Y coordinate, meter district number of the address, quality of geocoding)

- Permitted contact type (telephone, email, post)

- Permissibility of profiling (yes/no) and change date profiling

- Data on the available XXXX (total, previous month, current month)

"Participation data": - Data on the available Roman 40 (total, previous month, current month)

"Participation data":

- Member master data [see above]

- Analytical customer number

- Customer status and customer status information

- Access number

- Creation and Registration date

- Registration channel

- Point of sale and cash register of registration

- IP address at registration (for online registration)

- Partner at registration (ID of XXXX partner) - Partner at registration (ID of roman 40 partner)

- Number of XXXX cards - Number of roman 40 cards

- Date of change of permission for postal mail, email and telephone contact

- IP address permission for email

- Geolocation status and date of address verification

- Agreement to the terms and conditions

- Date of last change to the terms and conditions

- Permission for master data access of the respective XXXX partner - Permission for master data access of the respective roman 40 partner

- Form ID when registering using a paper form and date of digitization

- Available card types (plastic card, iOS, Android, Print@Home)

In addition, the complainant was provided with the data (so-called purchase data) generated using the XXXX card during a transaction by the member with an XXXX partner for the purpose of processing of the program by this partner and recorded by the complainant, namely (according to the privacy policy):In addition, the data generated when the member used the Roman 40 card to make a transaction with a Roman 40 partner (so-called purchasing data) was transmitted to the complainant by this partner for the purpose of processing the program and recorded by the complainant, namely (according to the privacy policy):

- Data generated when making purchases in sales outlets and within the framework of other sales channels (e.g. B. Webshop) (place/time of purchase, cash register, goods/services purchased, purchase frequency, product category, discounts and promotions used, voucher ID, granted and redeemed XXXX and price paid) - Data generated during purchases in sales outlets and within other sales channels (e.g. Webshop) (place/time of purchase, cash register, goods/services purchased, purchase frequency, product category, discounts and promotions used, voucher ID, granted and redeemed Roman 40 and price paid)

- Transaction ID, date, partner, point of sale, cash register number, collected/redeemed XXXX , sales, non-discountable sales, POS ID, promotion, ID, VAT - Transaction ID, date, partner, point of sale, cash register number, collected/redeemed Roman 40 , sales, non-discountable sales, POS ID, promotion, ID, VAT

- Payment method (cash or card type).

Only if the respective member gave their consent to this during registration, these participation and purchase data were automatically combined and analyzed by the complainant, thereby creating profiles of the members on their purchasing behavior for the purpose of personalized advertising (so-called marketing profiling data). This consent could be revoked at any time and was not (was) mandatory for the conclusion of the contract.

Registration for the program was possible for any natural person who had reached the age of 16 and had their main residence in the EEA/Switzerland and was possible (as far as relevant to the proceedings) using a physical registration form ("flyer") or online on the website.

Obtaining consent using "flyers" was carried out in such a way that a registration brochure ("flyer") was displayed in branches of the XXXX partners. When paying at the checkout in such branches, this registration brochure was given to customers who were not yet registered with XXXX but were interested in participating. This registration brochure contained general information on the complainant's business model described above, followed by the complainant's general terms and conditions. It also referred to the privacy policy and how to find it. Consent was obtained using a "flyer" in such a way that a registration brochure ("flyer") was displayed in branches of the roman 40 partners. When paying at the checkout in such branches, this registration brochure was given to customers who were not yet registered with roman 40 but were interested in participating. This registration brochure contained general information on the complainant's business model described above, followed by the complainant's general terms and conditions. It also referred to the privacy policy and how to find it.

In point 4 of the General Terms and Conditions, the customer was informed about the scope of services provided by the complainant. Among other things, the customer was informed that when using the XXXX, he collects XXXX points when purchasing a product or service from an XXXX partner, which he can redeem with the XXXX partner and receive various special offers in return (4.4.1.). In point 4.3.1, it was explained in more detail that the member receives information about the respective benefits from the respective XXXX partners, but that the complainant will also inform the customer about this at regular intervals by post or email - by email if the member has opted for this option. In point 5.4 of the General Terms and Conditions, the customer was made aware that his personal data will be used for the purposes of managing the membership, handling the customer loyalty program, advertising (without profiling) and personalized advertising with profiling. Point 5.5. of the General Terms and Conditions (identical to point 4.4 of the data protection declaration) read in part as follows: “[..] 5.5.1. Only if the member consents will the operator, as the sole controller, continue to use and analyze the member’s member master data and purchasing data processed by the operator and the XXXX partners for the automated personalization of advertising and marketing measures [..] and thus obtain new marketing profiling data. The member’s consent to the processing of his or her data in accordance with this sub-point is not mandatory for the conclusion or implementation of the contract. [..] 5.5.3. This type of data processing is profiling in accordance with Art. 4 Z 4 GDPR. Profiles are created about the member which allow conclusions to be drawn about the likelihood of future purchases, target group selections and aggregated evaluations for product ranges, shelf and branch optimization are carried out, and individualized advertising and marketing measures are developed. The member receives messages from the operator by post, email, SMS, MMS, push messages, messages via the app or messenger that are tailored to his or her shopping behavior about special offers and to promote products and competitions from the operator and also from XXXX partners. [..] 5.5.5. The legal basis for the processing of personal data in accordance with this sub-section is Art. 6 Paragraph 1 Letter a of GDPR (consent). Consent is given on the participation form in the stores of the XXXX partners, the website XXXX at or in the XXXX app. 5.5.6. Consent is voluntary and the member also has the right to revoke consent at any time. If the member does not give consent or revokes it, his or her personal data will no longer be processed and analyzed using automated means (no profiling [..]) and the member will no longer receive (profiled) newsletters and advertising from the operator. The member can still participate in XXXX and collect and redeem XXXX. The legality of the data processing carried out on the basis of the consent up to the time of revocation is not affected by the revocation.” In point 4 of the T&Cs, the customer was informed of the scope of services provided by the complainant. Among other things, the customer was informed that when using the roman 40 when purchasing a product or service from a roman 40 partner, he collects roman 40 which he can redeem with the roman 40 partners and receive various special offers in return (4.4.1). In point 4.3.1, it was explained in more detail that the member receives information about the respective advantages from the respective roman 40 partners, but that the complainant will also inform customers about this at regular intervals by post or email - by email if the member has opted for this option. In point 5.4 of the T&Cs, the customer was made aware that his personal data will be used for the purposes of managing membership, running the customer loyalty program, advertising (without profiling) and personalized advertising with profiling. Point 5.5. of the General Terms and Conditions (identical to point 4.4 of the data protection declaration) read in part as follows: “[..] 5.5.1. Only if the member consents will the operator, as the sole controller, continue to use and analyze the member’s member master data and purchasing data processed by the operator and the Roman 40 partners for the automated personalization of advertising and marketing measures [..] and thus obtain new marketing profiling data. The member’s consent to the processing of his or her data in accordance with this sub-point is not mandatory for the conclusion or implementation of the contract. [..] 5.5.3. This type of data processing is profiling in accordance with Article 4, Section 4, GDPR. Profiles are created about the member which indicate the likelihood of future purchases, target group selections and aggregated evaluations for product ranges, shelf and branch optimization are carried out, and individualized advertising and marketing measures are developed. The member receives messages from the operator by post, email, SMS, MMS, push messages, messages via the app or messenger that are tailored to his or her shopping behavior about special offers and to promote products and competitions from the operator and also from the roman 40 partners. [..] 5.5.5. The legal basis for the processing of personal data in accordance with this subsection is Article 6, paragraph one, letter a, GDPR (consent). Consent is given on the participation form in the shops of the roman 40 partners, on the roman 40 at website or in the roman 40 app. 5.5.6. Consent is voluntary and the member also has the right to revoke consent at any time. If the member does not give consent or revokes it, his or her personal data will no longer be processed and analyzed using automated means (no profiling [..]) and the member will no longer receive (profiled) newsletters and advertising from the operator. The member can still participate in the roman 40 and collect and redeem roman 40. The legality of the data processing carried out on the basis of the consent until the revocation is not affected by the revocation."

Points 3 and 4 of the data protection declaration contained a precise list of the categories of data processed by the complainant and an explanation of the purposes for which such processing takes place. In particular, point 4.3.1 explained that for the purposes of advertising (without profiling) the member's more detailed participant data (including name, address) will be used on the basis of Art. 6 paragraph 1 letter a of the GDPR. Points 3 and 4 of the data protection declaration contained a precise list of the categories of data processed by the complainant and an explanation of the purposes for which such processing takes place. In particular, point 4.3.1 explained that for the purposes of advertising (without profiling) the member's more detailed participant data (including name, address) will be used on the basis of Article 6, paragraph one, letter a of the GDPR.

At the end of the registration brochure there was a detachable registration form, which – in the event of registration – had to be handed in at the cash desk.

The registration form again contained a reference to the general terms and conditions and the data protection declaration, as well as the fact that the customer agrees to the general terms and conditions by submitting the registration.

The customer's personal data was then collected (title, first name, last name, date of birth, street including house number/staircase/door number, postcode, city and country). If available, a title could be given. A mobile phone number and an email address (“for personal benefits and communication”) could also be given – if desired.

Below this, the customer agreed that legally significant declarations could be sent to the email address provided. Specifically, this notice was placed below the field for the email address in such a way that the word “Email” printed in red and bold and the subsequent note about it in black and not bold were preceded by a white circle for ticking. Below this was the declaration of consent shown in point 5.5 of the General Terms and Conditions and 4.4 of the Privacy Policy.

The word “Declaration of Consent” was printed in bold and black. The subsequent text of the declaration of consent was printed in black and not bold. There was no preceding tick option as with the email, but the customer could provide a signature.

The field for the signature was right-aligned at the end of the registration form, slightly separated from the declaration of consent. To the left of this, at the same height, was the mandatory field “Date”, which is required for registration. The field for the signature was not marked with an asterisk (“mandatory field”).

Below these two fields was the following text: “This signature only applies to the declaration of consent and is voluntary. Your registration for XXXX is valid even without a signature.” This text was not printed in bold. Below these two fields was the following text: “This signature is only valid for the declaration of consent and is voluntary. Your registration for Roman 40 is valid even without a signature.” This text was not printed in bold.

Essentially, it looked like this:

“[Circle] Email [in red]: [..]

Declaration of consent: I declare in accordance with points 5.5. and 5.6.T&Cs (also points 4.4. and 4.5. of the privacy policy) agree that XXXX GmbH and the XXXX partners with whom I have used my XXXX card (1) combine and analyze my participation data and purchase data in order to provide me with individualized information about the XXXX program that is relevant to me and tailored to my interests and to adapt offers for collecting and redeeming XXXX to my needs (so-called “profiling” [..]), in order to (2) send me advertising with personalized offers about products and services of the operator and the XXXX partners by post, e-mail, SMS, MMS, push messages, messages via apps and messengers, and (3) that my personal data obtained in this way will be deleted upon revocation of my consent, at the latest after the end of my membership. My consent is not mandatory for the conclusion of the contract and I can revoke it at any time with future effect by sending a letter to XXXX GmbH XXXX, an email to XXXX or a telephone call to XXXX.” Declaration of consent: I hereby declare my consent in accordance with points 5.5 and 5.6. T&Cs (also points 4.4. and 4.5. of the privacy policy) agree that roman 40 GmbH and the roman 40 partners with whom I have used my roman 40 card (1) combine and analyze my participation data and purchase data in order to provide me with individualized information about the roman 40 program that is relevant to me and tailored to my interests and to adapt offers for collecting and redeeming roman 40 to my needs (so-called “profiling” [..]), in order to (2) send me advertising with personalized offers about products and services of the operator and the roman 40 partners by post, e-mail, SMS, MMS, push messages, messages via apps and messengers, and (3) that my personal data obtained in this way will be deleted upon revocation of my consent, at the latest after the end of my membership. My consent is not mandatory for the conclusion of the contract and I can revoke it at any time with future effect to roman 40 GmbH roman 40 by post, by email to roman 40 or by telephone to roman 40."

Date*     Signature

[][][][][][] [ ] [][][][][][]

Day Month Year

This signature is only valid for the declaration of consent and is voluntary. Your registration for XXXX is also valid without a signature. "This signature is only valid for the declaration of consent and is voluntary. Your registration for roman 40 is also valid without a signature."

The consent was obtained online on the website in such a way that in a first step ("Register now") the person had to tick whether they had a card or not ("Yes" or "No"). In a second step, the person's personal data was requested, namely title, first name, last name, date of birth, street including house number/staircase/door number, postcode, city and country as well as email address. In a third step, the person was first provided with the General Terms and Conditions in a field to scroll down and was asked to confirm the General Terms and Conditions by clicking on a box (marked as a mandatory field). Then, under the heading “Data protection is important to us,” the privacy policy was made available in a field to scroll down and was also asked to confirm this by clicking on a box (marked as a mandatory field). In a fourth step, under the heading “Enjoy your very own personal benefits,” the person was given the option of pressing a white button in front of the box to tick either “Yes, I agree to the processing of my data in accordance with the consent declaration below and would therefore like to benefit from exclusive benefits and promotions” or “No, I do not agree to the processing of my data in accordance with the consent declaration below and would therefore not like to benefit from exclusive benefits and promotions.” The person was then provided with the consent declaration (identical and already reproduced in the flyer) in a field to scroll down. At first glance, the following text was visible: "I declare that in accordance with points 5.5. and 5.6. of the General Terms and Conditions (as well as points 4.4. and 4.5. of the Privacy Policy), I agree that XXXX GmbH and the XXXX partners with whom I have used my XXXX card (l) may combine and analyze my participation data and purchase data in order to provide me with relevant offers tailored to my interests." In a final step, the person was shown a table of headings under the heading "Check your entry" to see whether the entry was complete. The items salutation, date of birth, address, telephone, access number, General Terms and Conditions, Privacy Policy and profiling were displayed one below the other and each provided with notes. There was a pencil symbol at the end of each line. If, for example, the date of birth was incomplete, the note "Your date of birth is incomplete" was displayed to the right of the Date of Birth item. If the General Terms and Conditions were not accepted, the note "Please accept the General Terms and Conditions" was displayed to the right of it. If no answer was clicked during profiling, the note "Please select an answer during profiling to continue with registration" was displayed to the right of it. By clicking on the respective pencil symbol at the end of the line, the person was automatically (re)directed to the corresponding input field on the website. Obtaining consent online on the website was carried out in such a way that the person had to tick in a first step ("Register now") whether or not they had a card ("Yes" or "No"). In a second step, the person's personal data was requested, namely title, first name, last name, date of birth, street including house number/staircase/door number, postcode, town and country, and email address. In a third step, the person was first made available to the terms and conditions in a field to scroll down and was asked to confirm the terms and conditions by clicking on a box (marked as a mandatory field). Subsequently, under the heading “Data protection is important to us”, the data protection declaration was made available in a field to scroll down and confirmation was also requested by clicking on a box (marked as a mandatory field). In a fourth step, under the heading “Enjoy your very own personal benefits”, the person was given the opportunity to press a white button in front of the box to tick either “Yes, I agree to the processing of my data in accordance with the declaration of consent below and would therefore like to benefit from exclusive benefits and promotions” or “No, I do not agree to the processing of my data in accordance with the declaration of consent below and would therefore not like to benefit from exclusive benefits and promotions.” The person was then provided with the declaration of consent (already reproduced in the flyer and identical) in a field to scroll down. At first glance, the following text was visible: “I declare in accordance with points 5.5 and 5.6. T&Cs (also points 4.4. and 4.5. of the privacy policy) I agree that roman 40 GmbH and the roman 40 partners with whom I used my roman 40 card (l) may combine and analyse my participation data and purchase data in order to provide me with relevant offers and offers tailored to my interests”. In a final step, the person was shown in a heading table under the heading “Check your entry” whether the entry was complete. For this purpose, the items salutation, date of birth, address, telephone, access number, T&Cs, data protection declaration, profiling were displayed one below the other and each one was provided with notes. There was a pencil symbol at the end of each line. If, for example, the date of birth was incomplete, the note “Your date of birth is incomplete” was displayed to the right of the date of birth item. If the T&Cs were not accepted, the note “Please accept the T&Cs” was displayed to the right of it. If no answer was clicked during profiling, the message "Please select an answer during profiling to continue with registration" was displayed to the right of it. By clicking on the respective pencil symbol at the end of the line, the person was automatically (re)directed to the corresponding input field on the website.

The registration process could be completed by pressing a gray button "Register now" located below on the right. The display of this final registration process depended on the version used (web version (PC)/mobile version (mobile phone)). In the mobile version, the last line "Register now" was closer to the last line "Profiling: consent granted or consent not granted".

Essentially, the collection of consent declarations in the PC version was as follows:

"Data protection is important to us

Here you can find the data protection declaration of XXXX Here you can find the data protection declaration of roman 40

[Field with the data protection declaration to scroll down]

[Field to click on] Yes, I have read and acknowledged the data protection declaration*

Enjoy your very own personal benefits

O YES, I agree to the processing of my data in accordance with the consent declaration below and would therefore like to benefit from exclusive advantages and promotions.

O NO, I do not agree to the processing of my data in accordance with the consent declaration below and would therefore not like to benefit from exclusive advantages and promotions.

[Field with the following text to scroll down]:

I declare in accordance with points 5.5. and 5.6. General Terms and Conditions (also points 4.4.and 4.5. of the privacy policy) that XXXX GmbH and XXXX, with whom I used my XXXX card, I declare my consent in accordance with points 5.5. and 5.6. T&Cs (also points 4.4. and 4.5. of the privacy policy) agree that roman 40 GmbH and roman 40, where I used my roman 40 card,

(1) combine and analyze my participation data and purchase data in order to provide me with relevant, individualized information on the XXXX program tailored to my interests and to adapt offers for collecting and redeeming XXXX to my needs (so-called “profiling” [..]), in order to (1) combine and analyze my participation data and purchase data in order to provide me with relevant, individualized information on the roman 40 program tailored to my interests and to adapt offers for collecting and redeeming roman 40 to my needs (so-called “profiling” [..]), in order to

(2) send me advertising with personalized offers about products and services of the operator and the XXXX partners by post, email, SMS, MMS, push messages, messages via apps and messengers and (2) to send me advertising with personalized offers about products and services of the operator and the roman 40 partners by post, email, SMS, MMS, push messages, messages via apps and messengers, and

(3) that my personal data obtained in this way will be deleted upon revocation of my consent, at the latest upon termination of my membership. My consent is not mandatory for the conclusion of the contract and I can revoke it at any time with effect for the future to XXXX GmbH ( XXXX by post, by email to XXXX at or by telephone ( XXXX ). (3) that my personal data obtained in this way will be deleted if I revoke my consent, at the latest after the end of my membership. My consent is not mandatory for the conclusion of the contract and I can revoke it at any time with effect for the future to roman 40 GmbH ( roman 40 by post, by email to roman 40 at or by telephone ( roman 40 ).

*Mandatory field"

The "Flyer" registration form has not been in use since March 3, 2020. The registration option on the website in the version shown above has also not been in use since March 5, 2020 or has been adapted.

On the situation after receiving the criminal conviction

The complainant has the profiles created on the basis of the automated processing of the participation and purchase data about the purchasing behavior of on " XXXX “ using the “website” method www. XXXX at (in the version valid until March 5, 2020) and the “Flyer” registration brochure were deleted in response to the criminal judgment in August 2021. In relation to persons registered in this way, no such profiles will be created using automated profiling (any more). The complainant has deleted the profiles created on the basis of the automated processing of the participation and purchasing data on the purchasing behavior of persons registered at “ roman 40 ” using the “website” method www. roman 40 at (in the version valid until March 5, 2020) and the “Flyer” registration brochure in response to the criminal judgment in August 2021. In relation to persons registered in this way, no such profiles will be created using automated profiling (any more).

on the situation before May 2019:

In the past, XXXX AG considered setting up a cross-company customer loyalty program and in 2016 made the strategic decision not to join the XXXX multi-partner customer loyalty program, but to set up such a multi-partner customer loyalty program within the XXXX Group itself. For this purpose, a project team was set up under the leadership of the responsible board member of XXXX AG, which developed the essential principles of the design of this customer loyalty program. This project team included the data protection officer of the XXXX Group, XXXX , and the two managing directors of the complainant appointed at the time of the offense. During this conception phase, 14-day project steering committees were held with the board member. In the past, roman 40 AG considered setting up a cross-company customer loyalty program and in 2016 made the strategic decision not to join the roman 40 multi-partner customer loyalty program, but to set up such a multi-partner customer loyalty program within the roman 40 Group itself. For this purpose, a project team was set up under the leadership of the responsible board member of roman 40 AG, which developed the essential principles of the design of this customer loyalty program. This project team included the data protection officer of the roman 40 Group, roman 40, and the two managing directors of the complainant who were appointed at the time of the offense. During this conception phase, 14-day project steering committees were held with the board member.

In January 2017, the official XXXX project was launched by order of the board of XXXX AG and the project team was formed to establish this customer loyalty program. During the conception phase, data protection considerations for the implementation of such a program were also made. For this purpose, an information network system was registered with the DSB on the basis of the legal situation before the GDPR came into force.In January 2017, the official roman 40 project was launched by order of the board of roman 40 AG and the project team was formed to establish this customer loyalty program. During the conception phase, data protection considerations were already being considered for the implementation of such a program. For this purpose, an information network system was registered with the DSB on the basis of the legal situation before the GDPR came into force.

Towards the end of 2017, the conception phase was terminated because the key points of the program had been determined by this time. This also ended the project steering committee meetings with the board member. The implementation of the program was placed in the hands of the complainant and thus in those of its managing directors. This included, among other things, the preparation of the necessary documents and the establishment of the necessary processes to meet the data protection requirements.

The XXXX Group has data protection guidelines that are made available to each individual company. The complainant has drawn up its own data protection guidelines based on the XXXX Group's guidelines. The guidelines of the XXXX Group are a framework that defines a minimum standard, which is then adapted and specified by individual companies and ultimately put into effect. The Roman 40 Group has data protection guidelines that are made available to each individual company. The complainant has drawn up its own data protection guidelines on the basis of the Roman 40 Group guidelines. The guidelines of the Roman 40 Group are a framework that defines a minimum standard, which is then adapted and specified by individual companies and ultimately put into effect.

To meet the data protection requirements, the complainant used external and internal consultants, i.e. consultants who are employed by companies in the XXXX Group and those who are not, in particular lawyers. The key internal consultants included the data protection officer of the complainant and XXXX AG, XXXX, who works for XXXX m.b.H. is employed. The complainant used external and internal consultants to meet the data protection requirements, i.e. consultants who are employed by companies in the roman 40 group and those for whom this is not the case, in particular lawyers. The main internal consultants included the data protection officer of the complainant and roman 40 AG, roman 40, who is employed by roman 40 m.b.H.

The external consultants initially included the XXXX law firm and, from the beginning of 2018, the XXXX GmbH law firm, which in a first step prepared the declarations of consent for profiling and presented them to the complainant's management. The complainant's management then decided, together with the data protection officer, to obtain a second opinion and, as of August 2019, the law firm XXXX was commissioned to carry out an overall audit of XXXX, also from a data protection perspective, in particular to draw up the declarations of consent in question, which are to be used in the various channels (including website and flyers). In a further step, the law firm revised the drafts of the declarations of consent used in the aforementioned channels in cooperation with the complainant, in particular the two managing directors and the data protection officer. This resulted in regular telephone conferences and numerous physical meetings in which the drafts were discussed in detail with the management and the data protection officer. In total, the XXXX law firm spent over 100 working hours on these declarations of consent alone and ultimately the declarations of consent in the various usage methods were deemed to be GDPR compliant by the law firm. The external consultants initially included the roman 40 law firm and, from the beginning of 2018, the law firm roman 40 GmbH, which in a first step drew up the declarations of consent for profiling and presented them to the complainant's management. The complainant's management then decided together with the data protection officer to obtain a second opinion and subsequently, from August 2019, the law firm roman 40 was also commissioned to carry out an overall audit of roman 40, also from a data protection perspective, in particular the drafting of the declarations of consent in question, which are to be used in the various channels (including website and flyers). In a further step, the law firm revised the drafts of the declarations of consent used in the aforementioned channels in cooperation with the complainant, in particular the two managing directors and the data protection officer. There were regular telephone conferences as well as numerous physical meetings in which the drafts were discussed in detail with the management and the data protection officer. In total, the Roman 40 law firm spent over 100 working hours on these consent declarations alone and ultimately the consent declarations in the various usage methods were deemed by the law firm to be GDPR compliant.The managing directors had no legal concerns with regard to the final design of the consent forms and approved them. The managing directors trusted in particular that the declarations of consent drawn up jointly with the law firm were designed in accordance with the requirements of the GDPR and that the data processing based on them was GDPR compliant. II. The Federal Administrative Court considered: Roman II. The Federal Administrative Court considered: 1. Assessment of evidence: The procedure and facts reproduced above are derived from the administrative and court file, in particular from the record of the oral hearing before the Federal Administrative Court. The procedure for the ex officio review procedure is derived from the administrative act on W256 2227693-1, which was introduced into the procedure at the request of the complainant. The fact that the complainant based the data processing in question on the declarations of consent drawn up jointly with the law firm is already apparent from the note in the data protection declaration and the general terms and conditions, according to which the data processing will only be carried out if the member consents. This also corresponds to the complainant's own statements throughout the proceedings in accordance with the information provided by the data protection officer during the oral hearing (narrative, page 30ff: "VR: Was it clear from the outset that the profiling would be based on the declarations of consent or were other legal bases also discussed? Z: Good question. The other legal bases came a little later. My favorite is always declarations of consent. VR: Who decided that data processing should be based on obtaining declarations of consent? Z: The management together with me. VR: Was legal advice sought on this? Z: Yes. VR: Were other legal bases also discussed with the law firms? Z: Pretty sure, yes. I'm having a hard time not confusing anything. As I said: I always ask for a declaration of consent. That is also a recommendation I made to the management, which was followed and it was fine. [..])".

The fact that the complainant had previously dealt intensively with the requirements of the GDPR in relation to the design of the consent declarations in question, both internally and externally, is evident from the complainant's submissions in conjunction with the documents submitted by her, in particular the letters from the law firm XXXX . The fact that the complainant had previously dealt intensively with the requirements of the GDPR in relation to the design of the consent declarations in question, both internally and externally, is evident from the complainant's submissions in conjunction with the documents submitted by her, in particular the letters from the law firm roman 40 .

The annual turnover and the balance sheet loss of the complainant mentioned in the findings were announced or presented by the complainant.

3. Legal assessment:

The relevant provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) OJ L 119 of 4 May 2016, hereinafter: GDPR, are as follows:

"Article 4 Definitions

For the purposes of this Regulation, the following terms shall apply:

[..]

4. "Profiling" means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;

[..]

Article 5 Principles for the processing of personal dataArticle 5, Principles for the processing of personal data

(1) Personal data must

a) be processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);

[..]

Article 6 Lawfulness of processingArticle 6, Lawfulness of processing

(1) Processing shall only be lawful if at least one of the following conditions is met:

a) the data subject has given consent to the processing of personal data concerning him or her for one or more specific purposes;

[..]

f) the processing is necessary to protect the legitimate interests of the controller or of a third party, unless the interests or fundamental rights and freedoms of the data subject which require protection of personal data prevail, in particular where the data subject is a child.

[..]

(4) Where processing for a purpose other than that for which the personal data were collected is not based on the consent of the data subject or on a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to protect the objectives referred to in Article 23(1), the controller shall, in order to determine whether processing for another purpose is compatible with that for which the personal data were initially collected, take into account, inter alia:

a)

any link between the purposes for which the personal data were collected and the purposes of the intended further processing;

b)

the context in which the personal data were collected, in particular as regards the relationship between the data subjects and the controller;

c)

the nature of the personal data, in particular whether special categories of personal data are processed pursuant to Article 9 or whether personal data concerning criminal convictions and offences are processed pursuant to Article 10;

d)

the possible consequences the intended further processing for the data subjects,

e)

the existence of appropriate safeguards, which may include encryption or pseudonymisation.

[..]

Article 7 Conditions for consentArticle 7, Conditions for consent

(1) Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to the processing of his or her personal data.

(2) Where the consent of the data subject is given by a written statement which also covers other matters, the request for consent shall be made in an intelligible and easily accessible form, using clear and plain language, in such a way that it can be clearly distinguished from the other matters. Parts of the statement shall not be binding if they constitute an infringement of this Regulation.

(3) The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing carried out on the basis of the consent until its withdrawal. The data subject shall be informed of this before consent is given. Withdrawing consent must be as easy as giving consent.

(4) In assessing whether consent is freely given, utmost account must be taken of whether, inter alia, the performance of a contract, including the provision of a service, depends on consent to processing of personal data which are not necessary for the performance of the contract.

Article 13 Obligation to provide information when personal data are collected from the data subjectArticle 13, Obligation to provide information when personal data are collected from the data subject

(1) Where personal data are collected from the data subject, the controller shall communicate to the data subject at the time of collecting those data:

a)

the name and contact details of the controller and, where applicable, of his representative;

b)

where applicable, the contact details of the data protection officer;

c)

the purposes for which the personal data are to be processed and the legal basis for the processing;

d)

where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;

(2) In addition to the information referred to in paragraph 1, the controller shall provide the data subject with the following further information at the time of collecting the data, which is necessary to ensure fair and transparent processing:

[..]

f) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for the data subject.

[..]

Article 17 Right to erasure [..]Article 17, Right to erasure [..]

The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller shall be obliged to erase personal data without undue delay where one of the following grounds applies:

a)

The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.

b)

The data subject withdraws consent on which the processing is based according to Article 6(1)(a) or Article 9(2)(a), and there is no other legal ground for the processing.

[..]

Article 21 Right of objectionArticle 21, Right of objection

(1) The data subject shall have the right to object at any time to processing of personal data concerning him or her based on Article 6(1)(e) or (f), for reasons related to his or her particular situation; this also applies to profiling based on these provisions. The controller shall no longer process the personal data unless he or she can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or the processing serves to assert, exercise or defend legal claims.

(2) If personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to the processing of personal data concerning him or her for the purposes of such advertising; this also applies to profiling insofar as it is related to such direct marketing.

[..]

Article 22 Automated decisions in individual cases, including profilingArticle 22, Automated decisions in individual cases, including profiling

(1) The data subject shall have the right not to be subjected to a decision based exclusively on automated processing - including profiling - which produces legal effects concerning him or her or significantly affects him or her in a similar way.

(2) Paragraph 1 shall not apply where the decision

(a) is necessary for entering into, or the performance of, a contract between the data subject and the controller,

(b) is authorized by Union or Member State law to which the controller is subject and that law lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, or

(c) is based on the data subject's explicit consent.

[..]

Art. 83 Article 83,

General conditions for the imposition of administrative fines

(1) Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article for infringements of this Regulation referred to in paragraphs 4, 5 and 6 is effective, proportionate and dissuasive in each individual case.

(2) Administrative fines shall be imposed in addition to, or instead of, measures referred to in points (a) to (h) and (j) of Article 58(2), depending on the circumstances of the individual case. In deciding on the imposition of a fine and on the amount thereof, due account shall be taken in each individual case of:

a) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected by the processing and the extent of the damage suffered by them;

b) the intentional or negligent nature of the infringement;

c) any measures taken by the controller or processor to mitigate the damage caused to data subjects;

d) the degree of responsibility of the controller or processor, taking into account the technical and organisational measures implemented by them in accordance with Articles 25 and 32;

e) any relevant previous infringements by the controller or processor;

f) the level of cooperation with the supervisory authority to remedy the infringement and mitigate its possible adverse effects;

g) the categories of personal data affected by the infringement;

(h) how the infringement came to the knowledge of the supervisory authority, in particular whether and, if so, to what extent the controller or processor communicated the infringement;

(i) compliance with measures previously ordered pursuant to Article 58(2) against the controller or processor concerned in relation to the same subject matter, where such measures have been ordered;

(j) compliance with approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and

(k) any other aggravating or mitigating circumstances specific to the case, such as financial advantages gained or losses avoided directly or indirectly as a result of the infringement.

(3) Where a controller or processor intentionally or negligently infringes several provisions of this Regulation in the case of the same or related processing operations, the total amount of the fine shall not exceed the amount for the most serious infringement.

[..]

(5) Infringements of the following provisions shall be subject to administrative fines of up to EUR 20 000 000 or, in the case of an undertaking, up to 4% of its total worldwide annual turnover of the preceding financial year, whichever is higher, in accordance with paragraph 2:

(a) the principles for processing, including the conditions for consent, set out in Articles 5, 6, 7 and 9;

[..]”

Recital 148 of the GDPR reads as follows:

“In the interests of more consistent enforcement of the provisions of this Regulation, infringements of this Regulation should be subject to sanctions, including fines, in addition to or instead of appropriate measures imposed by the supervisory authority under this Regulation. In the case of a minor infringement or where a fine is likely to impose a disproportionate burden on a natural person, a warning may be issued instead of a fine. However, due account should be taken of the nature, gravity and duration of the infringement, the intentional nature of the infringement, the measures taken to mitigate the damage caused, the degree of responsibility or of any previous infringement, the manner in which the infringement came to the knowledge of the supervisory authority, compliance with the measures ordered against the controller or processor, compliance with codes of conduct and any other aggravating or mitigating circumstances. There should be appropriate procedural safeguards for the imposition of sanctions, including fines, which are consistent with the general principles of Union law and the Charter, including the right to effective legal protection and a fair trial.”

From a legal perspective, this leads to the following:

First of all, it should be noted that the Federal Administrative Court does not share the complainant’s argument that the results of the proceedings concerning the ex officio decision should not have been used by the authority concerned:

It is correct that the Constitutional Court and – following this – part of the doctrine (Öhlinger, Thienel; see also Berka/Binder/Kneihs para. 1611 ff) derive from Article 90 para. 2 B-VG a constitutionally guaranteed, subjective right, which consists in the fact that no one may be required to accuse themselves of a criminal offence in criminal proceedings or at a stage prior to the initiation of such proceedings. (constitutional prohibition of coercion to self-incrimination). This should apply not only to judicial criminal proceedings, but also to administrative criminal proceedings (“substantive principle of prosecution”; Mayer, ecolex 2014, 745; VfSlg 9950, 11.829, 11.923, 12.454, 14.988, 15.858). It is correct that the Constitutional Court and – following this – part of the doctrine (Öhlinger, Thienel; see also Berka/Binder/Kneihs Rn. 1611 ff) derive a constitutionally guaranteed, subjective right from Article 90, Paragraph 2, B-VG, which consists in the fact that no one may be forced, under penalty of punishment, to accuse themselves of a criminal act in criminal proceedings or at a stage before such proceedings are initiated (constitutional prohibition of coercion to self-incriminate). This should apply not only to judicial criminal proceedings, but also to administrative criminal proceedings (“substantive principle of prosecution”; Mayer, ecolex 2014, 745; VfSlg 9950, 11.829, 11.923, 12.454, 14.988, 15.858).

The right not to incriminate oneself belongs personally to the person obliged to provide information, but not to a legal person such as the complainant, which means that the appeal to this right is ruled out in the present case (Zavadil in Knyrim, DatKomm Art 58 GDPR Rn. 12 [as of 1.3.2021, rdb.at] with reference to Nguyen in Gola, DS-GVO2 Art 58 Rn. 5). The right not to incriminate oneself belongs personally to the person obliged to provide information, but not to a legal person such as the complainant, which means that the appeal to this right is ruled out in the present case (Zavadil in Knyrim, DatKomm Article 58, GDPR Rn. 12 [as of 1.3.2021, rdb.at] with reference to Nguyen in Gola, DS-GVO2 Article 58, Rn. 5).

Even if the constitutional prohibition of coercion to incriminate oneself were also to be applied to legal persons, statutory obligations to provide information are only unconstitutional if they serve to provide an authority with information about the criminal conduct of the person obliged to provide information (VfSlg 14.987 - restrictive interpretation of a reporting obligation; VfSlg 15.600; VwGH 29.11.2000, 98/09/0242; 27.6.2001, 98/09/0363). However, reporting or information obligations that are not intentionally aimed at obtaining information for the purpose of criminal prosecution of the person obliged to provide information are permissible (VfSlg 5235, 5295, 11.549) (see Muzak, B-VG6 Art 90 [as of 1.10.2020, rdb.at]). Even if the constitutional prohibition of coercion to self-incrimination were also to be applied to legal persons, statutory obligations to provide information are only unconstitutional if they serve to provide an authority with information about criminal conduct of the person obliged to provide information (VfSlg 14.987 – restrictive interpretation of a reporting obligation; VfSlg 15.600; VwGH 29.11.2000, 98/09/0242; 27.6.2001, 98/09/0363). However, reporting or information obligations that are not intentionally aimed at obtaining information for the purpose of criminal prosecution of the obligated party are permissible (VfSlg 5235, 5295, 11.549) (see Muzak, B-VG6 Article 90, [as of 1 October 2020, rdb.at]).

Such a case exists here, especially since in the present case the cooperation of the complainant in the administrative procedure demanded by the authority concerned did not reach a level that can no longer be described as a "fair procedure" within the meaning of Article 6 of the ECHR. The Administrative Court also assumes that Article 90 paragraph 2 of the Federal Constitutional Court Act does not exclude the accused's duty to cooperate in administrative penal proceedings (VwSlgNF 5007 A; VwGH 18.5.1988, 88/02/0050; 11.5.1990, 90/18/0022). Such a case exists here, especially since in the present case the cooperation of the complainant in the administrative procedure demanded by the authority concerned did not reach a level that can no longer be described as a "fair procedure" within the meaning of Article 6 of the ECHR. The Administrative Court also assumes that Article 90, paragraph 2, B-VG does not exclude the accused's obligation to cooperate in administrative criminal proceedings (VwSlgNF 5007 A; VwGH 18.5.1988, 88/02/0050; 11.5.1990, 90/18/0022).

The submission of investigation results from the official review procedure by the authority concerned cannot therefore be objected to in this case (see BVwG, 27.03.2024, W214 2243436-1/39E).

For the sake of completeness, it should be noted that in her complaint to the Federal Administrative Court, the complainant herself requested the provision of the procedural file W256 2227693-1 on which the official investigation procedure was based and also referred to the results of the investigation there during the oral hearing.

Regarding the allegations:

In the present case, the authority concerned accused the complainant of two violations of the GDPR in the contested penal decision.

On the one hand, in point I of the judgment, she was accused of using and (also) obtaining declarations of consent for the processing of personal data from data subjects registered on “XXXX” for the purpose of profiling on the website from May 2, 2019 to March 5, 2020 and in the context of the registration brochure “Flyer” from May 2, 2019 to February 3, 2020, in their form not meeting the requirements of an effective declaration of consent, thereby violating Art. 5 (1) (a) in conjunction with Art. 7 (2) in conjunction with Art. 83 (5) (a) GDPR (alleged offense I).On the one hand, in point I of the judgment, she was given a fine of one thousand five hundred and fifty euros. accused that the declarations of consent used and (also) obtained by it on the website from May 2, 2019 to March 5, 2020 and in the context of the registration brochure "Flyer" from May 2, 2019 to February 3, 2020 for the processing of personal data from the data subjects registered at "Roman 40" for the purpose of profiling did not meet the requirements for an effective declaration of consent, thereby violating Article 5, paragraph one, letter a, in conjunction with Article 7, paragraph 2, in conjunction with Article 83, paragraph 5, letter a, GDPR (allegation Roman one).

On the other hand, in point II of the judgment, it was alleged that, as a result of the legally ineffective declarations of consent, the processing of personal data of the data subjects registered at “XXXX” for the purpose of profiling by the complainant from 2 May 2019 to 31 January 2021 could not be based on a legally effective declaration of consent or on one of the otherwise conclusively regulated permissions provided for in Art. 6 Para. 1 GDPR, thereby violating Art. 5 Para. 1 lit. a in conjunction with Art. 6 Para. 1 in conjunction with Art. 83 Para. 5 lit. a GDPR (alleged offense II). On the other hand, in Roman II, it was alleged that, as a result of the legally ineffective declarations of consent, the processing of personal data of the data subjects registered at "Roman 40" for the purpose of profiling by the complainant from May 2, 2019 to January 31, 2021 could not be based on a legally effective declaration of consent or on one of the otherwise conclusively regulated permissions provided for in Article 6, paragraph one, GDPR, whereby it violated Article 5, paragraph one, letter a, in conjunction with Article 6, paragraph one, in conjunction with Article 83, paragraph 5, letter a, GDPR (Roman II allegation).

on allegation I. (Roman II allegation).: on allegation Roman one. (Roman II allegation).:

Article 83, paragraphs 4 to 6 of the GDPR contains an extensive catalogue of offenses that are subject to sanctions in the event of violations. According to paragraph 5(a) of the GDPR, which is relevant here, a violation of the principles for processing, including the conditions for consent, is punishable under Articles 5, 6, 7 and 9. This makes it sufficiently clear that a violation of each of these provisions, and explicitly also (“including”) the provision of Art. 7 of the GDPR and the conditions for consent set out therein, can justify the imposition of a fine. Article 83, paragraphs 4 to 6 of the GDPR contains an extensive catalogue of offenses that are punishable by sanctions in the event of violations. According to paragraph 5(a) of the GDPR, which is relevant here, a violation of the principles for processing, including the conditions for consent, is punishable under Articles 5, 6, 7 and 9. This makes it sufficiently clear that a violation of each of these provisions, and explicitly also (“including”) the provision of Article 7 of the GDPR and the conditions for consent set out therein, can justify the imposition of a fine.

If, on the other hand, the complainant states in her complaint that the sanction standard of Article 83 GDPR only punishes the unlawful processing of personal data, but not a violation of the conditions for consent set out in Article 7 GDPR, this cannot be reconciled with the clear wording of paragraph 5(a) GDPR. If, on the other hand, the complainant states in her complaint that the sanction standard of Article 83 GDPR only punishes the unlawful processing of personal data, but not a violation of the conditions for consent set out in Article 7 GDPR, this cannot be reconciled with the clear wording of paragraph 5(a) GDPR.

The complainant's reference to Article 83, paragraph 2, letter a, GDPR does not change this, because the provision of Article 83, paragraph 2, GDPR merely sets out the criteria for determining a penalty in the event of an infringement, but does not - as in paragraphs 4 to 6 - make a statement about the existence of a criminal offense per se. The complainant's reference to Article 83, paragraph 2, letter a, GDPR does not change this, because the provision of Article 83, paragraph 2, GDPR merely sets out the criteria for determining a penalty in the event of an infringement, but does not - as in paragraphs 4 to 6 - make a statement about the existence of a criminal offense per se.

According to Article 83(2) GDPR, when deciding on the imposition of a fine and on its amount, the following shall be taken into account in each individual case, including under letter a, the nature, severity and duration of the infringement, taking into account the nature, scope or purpose of the processing in question, as well as the number of persons affected by the processing and the extent of the damage suffered by them. According to Article 83(2) GDPR, when deciding on the imposition of a fine and on its amount, the following shall be taken into account in each individual case, including under letter a, the nature, severity and duration of the infringement, taking into account the nature, scope or purpose of the processing in question, as well as the number of persons affected by the processing and the extent of the damage suffered by them.

This makes it clear, in line with the protective purpose of the GDPR, that (when determining the penalty) a violation of the GDPR cannot be considered in isolation from data processing (“the processing in question”), but not that the violation must be based on the (unlawful) data processing itself. This view also clearly follows from Article 83, Paragraph 3 of the GDPR, which the complainant itself cited in this context, according to which several provisions of the GDPR can be violated in the case of one (“identical”) processing operation. This makes it clear, in line with the protective purpose of the GDPR, that (when determining the penalty) a violation of the GDPR cannot be considered in isolation from data processing (“the processing in question”), but not that the violation must be based on the (unlawful) data processing itself. This view also clearly follows from Article 83, Paragraph 3 of the GDPR, which the complainant itself cited in this context, according to which several provisions of the GDPR can be violated in the case of one (“identical”) processing operation.

The significance of Article 7 of the GDPR should also be noted. Article 7 of the GDPR, in its paragraphs 1 to 4, sets out – as the authority concerned itself has acknowledged – a series of conditions which, on the one hand, apply to consent so that this can legitimize the processing of personal data in accordance with Article 6, paragraph 1, letter a of the GDPR. On the other hand, it also contains the controller’s comprehensive obligations due to the requirement of fairness and transparency inherent in the GDPR, which the controller must fulfill and, moreover, demonstrate in accordance with paragraph 1. The significance of Article 7 of the GDPR should also be noted. Article 7 of the GDPR, in its paragraphs 1 to 4, sets out – as the authority concerned itself has acknowledged – a series of conditions which, on the one hand, apply to consent so that this can legitimize the processing of personal data in accordance with Article 6, paragraph one, letter a of the GDPR. On the other hand, it also contains comprehensive obligations of the controller due to the fairness and transparency requirements inherent in the GDPR, which he must fulfil and, moreover, prove in accordance with paragraph 1.

While Article 7 (1) GDPR states that the controller is obliged to be able to prove consent, Article 7 (2) GDPR requires the controller to provide a transparent visual and linguistic design of a written declaration of consent in the sense of the data subject's being informed in the event that the declaration also concerns other matters. Article 7 (3) GDPR again contains the requirement that consent can be freely revoked and the associated obligation of the controller to inform the data subject transparently about such a revocation. Art. 7, paragraph 4 of the GDPR ultimately contains the condition that consent must be given voluntarily, which – as in the case of Art. 7, paragraph 3 of the GDPR – highlights the self-determination of the person concerned. While Article 7, paragraph 1 of the GDPR states that the person responsible must be able to prove consent, Article 7, paragraph 2 of the GDPR requires the person responsible to provide a transparent visual and linguistic design of a written declaration of consent in the sense of the person concerned being informed in the event that the declaration also concerns other matters. Article 7, paragraph 3 of the GDPR again contains the requirement that consent can be freely revoked and the associated obligation of the person responsible to inform the person concerned transparently about such a revocation. Article 7, paragraph 4 of the GDPR ultimately contains the condition that consent must be given voluntarily, which – as in the case of Article 7, paragraph 3 of the GDPR – highlights the self-determination of the person concerned.

Paragraphs 1 to 4 of Article 7 of the GDPR accordingly concern different facts (“conditions”) aimed at different objectives, each of which can be implemented in different ways and thus can each be violated on its own (cf. Klement in Simitis et al. [ed.], Data Protection Law [2019] Art. 7, marginal no. 97, according to which Art. 83 para. 5 lit. a of the GDPR refers to the official title of Art. 7, and therefore to all the legal obligations listed there).Paragraphs 1 to 4 of Article 7 of the GDPR accordingly concern different facts (“conditions”) aimed at different objectives, each of which can be implemented in different ways and thus can each be violated on its own (cf. Klement in Simitis et al. [ed.], Data Protection Law [2019] Article 7, marginal no. 97, according to which Article 83, paragraph 5, letter a, GDPR refers to the official title of Article 7, and thus to all legal obligations listed therein).

Finally, not every violation of the conditions stipulated in Article 7 GDPR necessarily results in unlawful data processing and thus a violation of Article 6 paragraph 1 GDPR. Cases in which a controller could already base data processing on a permission under Article 6 paragraph 1 GDPR are conceivable, for example, but which, as a precautionary measure, also obtains consent from the data subject. As is clear from Article 17 paragraph 1 letter b GDPR, the legal permission does not cease to apply just because consent was also obtained. This is all the more true if the consent turns out to be ineffective (see Klement in Simitis et al. [ed.], Datenschutzrecht [2019] Art. 7, para. 34; also ECJ 4.7.2023, C-252/21, ECLI:EU:C:2023:537 para. 92). Likewise, a violation of the obligation to provide evidence of a declaration of consent as stipulated in Art. 7 para. 1 GDPR does not necessarily have to be accompanied by unlawful data processing (see again Klement, op. cit., para. 45, according to which the legal basis of Art. 6 para. 1 lit. a only refers to the existence of effective consent, but not to the fulfillment of the obligation to provide evidence). It is precisely those cases in which the controller does not fulfill the obligations imposed on him in Art. 7 GDPR, but there is nevertheless legally valid data processing, that clearly demonstrate the independent significance of Art. 7 GDPR. Finally, not every violation of the conditions set out in Article 7 of the GDPR necessarily results in unlawful data processing and thus a violation of Article 6, paragraph one of the GDPR. Cases in which a controller could already base data processing on a legal basis under Article 6, paragraph one of the GDPR, but which, as a precautionary measure, obtains consent from the data subject, are conceivable. As is clear from Article 17, paragraph one, letter b of the GDPR, the legal legal basis does not cease to apply simply because consent was also obtained. This is all the more true if the consent turns out to be ineffective (see Klement in Simitis et al. [ed.], Data Protection Law [2019] Article 7,, para. 34; also ECJ 4.7.2023, C-252/21, ECLI:EU:C:2023:537 para. 92). Likewise, a violation of the obligation to provide evidence of a consent declaration as stipulated in Article 7, paragraph 1, GDPR does not necessarily have to be accompanied by unlawful data processing (see again Klement, op. cit., para. 45, according to which the permission requirement in Article 6, paragraph 1, letter a, only refers to the existence of effective consent, but not to the fulfillment of the obligation to provide evidence). It is precisely those cases in which the controller does not fulfill the obligations imposed on him in Article 7, GDPR, but there is nevertheless legally valid data processing, that clearly show the independent significance of Article 7, GDPR.

In the present case, the authority concerned was therefore right to assume that the mere obtaining of a consent declaration for data processing that does not meet the requirements of Article 7, GDPR can be punishable under Article 83, paragraph 5, letter a, GDPR. In the present case, the authority concerned was therefore right to assume that the fact that a declaration of consent was obtained for data processing that did not meet the requirements of Article 7, GDPR, could be punishable under Article 83, Paragraph 5, Letter a, GDPR.

Specifically, the complainant was accused of violating Article 7, Paragraph 2, GDPR in the present penal decision in judgment point I. In her complaint, the complainant objects that this accusation had not been raised against her by the authority concerned so far and that it had now also already expired. Specifically, the complainant was accused of violating Article 7, Paragraph 2, GDPR in the present penal decision in judgment point Roman one. In her complaint, the complainant objects that this accusation had not been raised against her by the authority concerned so far and that it had now also already expired.

According to Section 31 Paragraph 1 of the Criminal Prosecution Act, the prosecution of a person is inadmissible if no prosecution action (Section 32 Paragraph 2) has been taken against them within a period of one year. This period is to be calculated from the time at which the criminal activity was completed or the criminal conduct ceased; if the result of the offence only occurred later, the period only begins to run from this time.According to Section 31, Paragraph 1 of the Criminal Prosecution Act, the prosecution of a person is inadmissible if no prosecution action (Section 32 Paragraph 2) has been taken against them within a period of one year. This period is to be calculated from the time at which the criminal activity was completed or the criminal conduct ceased; if the result of the offence only occurred later, the period only begins to run from this time.

According to Section 32, Paragraph 2 of the Criminal Procedure Act, an act of prosecution is any official act directed by an authority against a specific person as the accused (summons, warrant for appearance, questioning, request for questioning, penal order, etc.), even if the authority was not competent to carry out this official act, the official act did not achieve its goal or the accused was not aware of it.According to Section 32, Paragraph 2 of the Criminal Procedure Act, an act of prosecution is any official act directed by an authority against a specific person as the accused (summons, warrant for appearance, questioning, request for questioning, penal order, etc.), even if the authority was not competent to carry out this official act, the official act did not achieve its goal or the accused was not aware of it.

According to the established case law of the Administrative Court, the same requirements apply to acts of persecution within the meaning of Section 32 Paragraph 2 of the Criminal Code with regard to the description of the offence charged as to the description of the offence in the verdict of the penal decision under Section 44a Item 1 of the Criminal Code. The description of the offence must be so precise that the accused can protect his rights of defence and is not exposed to the risk of double punishment. These legal protection considerations must also be taken into account when examining the question of whether a suitable act of persecution within the meaning of Section 32 Paragraph 2 of the Criminal Code has been committed. This means that the offence the accused person is accused of must (only) be specified in an unmistakable manner so that he or she is able to respond to the accusation accordingly and thus protect his or her interest in legal protection (cf. VwGH, April 30, 2021, Ra 2020/05/0043, mwN). According to the consistent case law of the Administrative Court, acts of persecution within the meaning of Section 32, Paragraph 2, VStG must meet the same requirements with regard to the description of the offence charged as the description of the offence in the verdict of the penal decision under Section 44a, Number 1, VStG. The description of the offence must be so precise that the accused can protect his or her rights of defence and is not exposed to the risk of double punishment. These legal protection considerations must also be taken into account when examining the question of whether a suitable act of persecution within the meaning of Section 32, Paragraph 2, VStG has been committed. This means that the offence with which the accused person is accused must (only) be specified in an unmistakable manner so that he or she is able to respond to the accusation accordingly and thus protect his or her interest in legal protection (cf. VwGH, 30.04.2021, Ra 2020/05/0043, mwN).

In the case at hand, the complainant was accused both in the summons of January 22, 2020, during the interrogation of February 26, 2020, and in the request for justification of July 17, 2020 with regard to the charge I contained in the criminal conviction of having used declarations of consent with a specific (verbatim) wording for data processing for the purpose of profiling, which did not meet the requirements of Art. 7 GDPR. This gives rise to the suspicion that the complainant violated the principles and the permissions of the GDPR and did not fulfill her duties as a controller. In the case at hand, the complainant was accused, both in the summons of January 22, 2020, during the hearing of February 26, 2020, and in the request for justification of July 17, 2020, with regard to the charge contained in the criminal conviction, of using declarations of consent with a specific (verbatim) wording for data processing for the purpose of profiling, which did not meet the requirements of Article 7 of the GDPR. This raises the suspicion that the complainant violated the principles and the permissions of the GDPR and did not fulfill her duties as a controller.

The authority concerned stated in its reply that its allegation of non-compliance with all the requirements of the GDPR with regard to a legally effective declaration of consent was sufficiently specified and, above all, the punishment in the penal decision under Article 7, Paragraph 2 of the GDPR was (was) included in this.The authority concerned stated in its reply that its allegation of non-compliance with all the requirements of the GDPR with regard to a legally effective declaration of consent was sufficiently specified and, above all, the punishment in the penal decision under Article 7, Paragraph 2 of the GDPR was (was) included in this.

However, this argument by the authority concerned cannot be accepted in light of the case law of the Administrative Court presented above.

Due to the diverse requirements for a declaration of consent already set out in Article 7 GDPR and set out separately in paragraphs 1 to 4, it would have been necessary to specifically and unambiguously accuse the complainant of a violation of Article 7 paragraph 2 GDPR, in particular of the elements of the offence contained therein. Due to the diverse requirements for a declaration of consent already set out in Article 7 GDPR and set out separately in paragraphs 1 to 4, it would have been necessary to specifically and unambiguously accuse the complainant of a violation of Article 7 paragraph 2 GDPR, in particular of the elements of the offence contained therein.

The merely general accusation that there was a violation of all the conditions of Article 7 GDPR could not in any case put the complainant in a position to recognise which of the conditions set out in paragraphs 1 to 4 had been violated in the present case on the basis of which conduct and to what extent she was accused of a violation in this respect. Without knowledge of the specific offense she is accused of, the complainant was therefore unable to respond accordingly. The merely general accusation that there was a violation of all the conditions of Article 7 of the GDPR could not in any case enable the complainant to identify which of the conditions set out in paragraphs 1 to 4 had been violated in the present case and on the basis of which conduct, and to what extent she was accused of a violation. Without knowledge of the specific offense she is accused of, the complainant was therefore unable to respond accordingly.

The reference to the official review procedure contained in the prosecution measures does not change this, because the authority concerned also only dealt with Art. 7 GDPR in general terms and, as a result, also considered several violations of data protection provisions based on different behaviors, such as the lack of a visible revocation option under Art. 7 Para. 3 GDPR, the lack of a distinction between the present data protection declaration and the registration process and the data protection declaration of other partners, each under Art. 7 Para. 2 GDPR and, according to the ruling, also under Art. 7 Para. 1 GDPR without further justification. However, it cannot be deduced from this which disregard of which provision by which behavior ultimately gave rise to the present administrative penal proceedings with regard to allegation I., and this was not made clear in any way by the general allegation in the prosecution measures mentioned. The reference to the official review procedure contained in the prosecution measures does not change this, because the authority concerned also only dealt with Article 7 of the GDPR in general terms and, as a result, also considered several violations of data protection provisions based on different behaviors, such as the lack of a visible revocation option under Article 7, paragraph 3, GDPR, the lack of a distinction between the present data protection declaration and the registration process and the data protection declaration of other partners, each under Article 7, paragraph 2, GDPR and, without further justification, according to the ruling, also under Article 7, paragraph 1, GDPR. However, it cannot be deduced from this which disregard of which provision and which behavior ultimately gave rise to the present administrative penal proceedings with regard to the Roman one offense, and this was not made clear in any way by the general allegation in the prosecution measures mentioned.

This not only limited the complainant's options for defense, but also meant that she was not protected from possible double punishment. It is true that it is not overlooked that these violations should be punished in connection with data processing (for the purpose of profiling) and thus in accordance with Art. 83 (3) GDPR. However, there are no indications that these offenses, which are aimed at different purposes and are otherwise not connected with each other, exclude each other in the sense of apparent competition and that punishment for one offense would therefore exclude punishment for the other offense (for a detailed discussion of apparent competition, see VwGH, March 29, 2021, Ra 2020/02/0298). This not only limited the complainant's options for defense, but also did not protect her from possible double punishment. It is true that it is not overlooked that these violations should be punished in connection with data processing (for the purpose of profiling) and thus in accordance with Article 83 (3) GDPR. However, there is no evidence that these offenses, which are aimed at different purposes and are otherwise not connected with each other, exclude each other in the sense of apparent competition and that punishment for one offense would therefore exclude punishment for the other offense (for more information on apparent competition, see VwGH, March 29, 2021, Ra 2020/02/0298).

The reference to Art. 7 (2) GDPR in the criminal judgment in the ruling on allegation I. was made for the first time on July 26, 2021. The reasoning stated in more detail that the visual design of the declaration of consent did not stand out sufficiently from the registration for XXXX and therefore did not meet the requirements of Art. 7 (2) GDPR. The reference to Art. 7 (2) GDPR in the criminal judgment in the ruling on allegation I. The reference to Article 7, Paragraph 2, GDPR was made for the first time on July 26, 2021. The reasoning stated in more detail that the visual design of the declaration of consent did not stand out sufficiently from the registration for Roman 40 and therefore did not meet the requirements of Article 7, Paragraph 2, GDPR.

In the court's opinion, this would have sufficiently specified the accusation (see VwGH, September 11, 2023, Ra 2023/09/0068, according to which the assessment of the suitability of an act of persecution in the form of a penal decision should not be based solely on the verdict, but the penal decision in its entirety must be viewed as an act of persecution). However, since at this point in time the statute of limitations for prosecution had already expired with regard to accusation I, which was concluded on March 5, 2020 and February 3, 2020, there is no longer any room for punishment. It was therefore, as in judgment point A.I. to decide. In the court's opinion, this would have sufficiently specified the charge (see VwGH, 11.09.2023, Ra 2023/09/0068, according to which, when assessing the suitability of an act of persecution in the form of a penal decision, one should not rely solely on the verdict, but rather the penal decision in its entirety must be considered as an act of persecution). However, since at this point in time the statute of limitations for prosecution had already expired in relation to the charge concluded on March 5, 2020 and February 3, 2020, there is no longer any room for punishment. It was therefore necessary to decide as in verdict point A.I.

on allegation II. (judgment point A.II).:on allegation Roman II. (judgment point A.II).:

In judgment point II., the complainant was accused of violating Art. 6 paragraph 1 GDPR because there was neither valid consent pursuant to Art. 6 paragraph 1 letter a GDPR nor any other legal basis under Art. 6 GDPR for the data processing for profiling in question. The court has no concerns that the complainant's allegation in question was sufficiently specified by the authority concerned and no submissions were made on this matter. In judgment point Roman II., the complainant was accused of violating Article 6, paragraph one, GDPR because there was neither valid consent pursuant to Article 6, paragraph one, letter a, GDPR nor any other legal basis under Article 6 GDPR for the data processing for profiling in question. The Court has no concerns as to whether the alleged offence in question was presented to the complainant by the authority concerned in a sufficiently specific manner and, moreover, no submissions were made in this regard.

It is undisputed that the complainant - if consent was given to do so - combined purchasing and participation data in the period from May 2, 2019 to January 31, 2021 and used this to create profiles of registered members that would allow conclusions to be drawn about their future purchasing behavior. To do this, it provided its members with pre-prepared declarations of consent as part of the registration process - where relevant here - by means of flyers and a website.

on the objective side of the offense:

In order for consent to be effective and to legitimize data processing in accordance with Art. 6 GDPR, various formal requirements must be met. In order for consent to be effective and to legitimize data processing in accordance with Article 6 GDPR, various formal requirements must be met.

Art. 7 Para. 2 1st sentence GDPR requires the responsible body in particular to provide a transparent written declaration of consent in the event that the declaration also concerns other matters. In this case, the request must be made "in an intelligible and easily accessible form" and "in clear and simple language" so that it can be clearly distinguished from other facts. The regulation therefore contains the requirement that consent, if it is to be given in writing together with other declarations, must be particularly highlighted. In addition, Art. 7 Paragraph 2, Sentence 1 of the GDPR requires transparency not only in terms of design, but also in terms of content. In order to comply with the regulation, a written consent clause must not only be placed in such a way that the person concerned cannot overlook it, for example by placing it at a particular distance from the rest of the text, by framing it or highlighting it in bold. In addition, it must also make the "whether" and "how" of a declaration of consent clear and simple language to the data subject (cf. Kühling/Buchner in Kühling/Buchner, General Data Protection Regulation, BDSG4 [2020], Art. 7, marginal no. 25).Article 7, paragraph 2, first sentence of the GDPR requires the responsible body in particular to design a written declaration of consent transparently in the event that the declaration also concerns other matters. In this case, the request must be made "in an understandable and easily accessible form" and "in clear and simple language" so that it can be clearly distinguished from other matters. The regulation therefore contains the requirement that consent, if it is to be given in writing together with other declarations, must be particularly highlighted. In addition, Article 7, paragraph 2, first sentence of the GDPR requires not only transparency in terms of design, but also in terms of content. In order to comply with the regulation, a written consent clause must not only be placed in such a way that the person concerned cannot overlook it, for example by placing it at a certain distance from the rest of the text, by framing it or highlighting it in bold. In addition, it must also make the content of the consent declaration clear to the person concerned in clear and simple language about the "if" and "how" of a declaration of consent (cf. Kühling/Buchner in Kühling/Buchner, General Data Protection Regulation, BDSG4 [2020], Article 7, para. 25).

A document has a different factual situation if it contains representations that go beyond the pure consent text and are therefore likely to push the consent into the background. This creates the risk that the person concerned does not actively perceive the consent to the processing of his or her data and that this is lost, for example, when confirming the general terms and conditions. The consent text must be formatted in such a way that it is clearly legible and recognizable and is set apart from the rest of the declaration (cf. Heckmann/Paschke in Ehmann/Selmayr, General Data Protection Regulation3 [2018] Art. 7, marginal no. 83). A document has a different situation if it contains representations that go beyond the pure consent text and are therefore likely to push the consent into the background. This creates the risk that the person concerned does not actively perceive the consent to the processing of their data and that this is lost, for example, when confirming the general terms and conditions. The consent text must be formatted in such a way that it is clearly legible and recognizable and is set apart from the rest of the declaration (cf. Heckmann/Paschke in Ehmann/Selmayr, General Data Protection Regulation3 [2018] Article 7, marginal no. 83).

In close connection with the transparency of the content, it must also be noted that consent according to the definition in Art. 4 Z 11 GDPR must also be given with knowledge of the facts (“informed and unambiguous expression of will”). The data subject must be able to estimate what effects the granting of consent will have on them, in particular they must be able to clearly and unambiguously recognize the circumstances of the data processing and the scope of the consent. The information must therefore be prepared in such a way that it is also understandable for an average consumer without any special legal training (Buchner, Art. 7 para. 59f). This is intended to prevent those affected from being overwhelmed by language or seduced by pleasant-sounding formulations that miss the point (cf. Heckmann/Paschke in Ehmann/Selmayr, General Data Protection Regulation3 [2018] Art. 7, para. 87). In close connection with transparency of content, it must also be noted that consent according to the definition in Article 4, paragraph 11, GDPR must also be given with knowledge of the facts ("informed and unambiguous expression of will"). The data subject must be able to estimate what effects the granting of consent will have on them, in particular they must be able to clearly and unambiguously recognize the circumstances of the data processing and the scope of the consent. The information must therefore be prepared in such a way that it is also understandable for an average consumer without special legal training (Buchner, Article 7, para. 59f). This is intended to prevent those affected from being overwhelmed by language or seduced by pleasant-sounding formulations that miss the point (cf. Heckmann/Paschke in Ehmann/Selmayr, General Data Protection Regulation3 [2018] Article 7,, para. 87).

As already explained, the data protection consent declaration in question was not obtained separately by the complainant for both the flyer and the website, but together with the registration for XXXX and the necessary confirmation of its general terms and conditions and its data protection declaration.As already explained, the data protection consent declaration in question was not obtained separately by the complainant for both the flyer and the website, but together with the registration for Roman 40 and the necessary confirmation of its general terms and conditions and its data protection declaration.

In both cases, the complainant did not comply with the transparent design of the written consent declaration required under Art. 7 Para. 2 1st sentence GDPR. In both cases, the complainant did not comply with the transparent design of the written declaration of consent required under Article 7, paragraph 2, first sentence of the GDPR.

The authority concerned correctly stated with regard to the flyer that the complainant placed the signature field at the end of the form and thus gave the overall impression that it was actually a signature for participation in the customer program. This is also due to the fact that the field is placed directly next to the date field, which is a mandatory field for registration. As far as the (greater) distance from the consent text is concerned, the authority concerned agrees that the impression that this could be a signature for the program is reinforced. The note placed below that this signature only applies to the declaration of consent does not change this, because it is not highlighted in any way from the rest of the text and is therefore particularly visible. In addition, it is also offset to the left and thus below the mandatory "date" field and not directly below the signature field. The fact that the "Signature" field is not a mandatory field marked with an asterisk does not invalidate this impression because - as the authority concerned correctly stated - an average consumer will not assume that a signature field - which is placed at the end of a registration form - is a mandatory field, but rather that the signature serves to confirm registration for XXXX. The authority concerned correctly stated in relation to the flyer that the complainant placed the signature field at the end of the form and thus gave the overall impression that it was actually a signature for participation in the customer program. This is also helped by the fact that the field is placed directly next to the date field, which is marked as a mandatory field for registration. With regard to the (greater) distance from the consent text, the authority concerned is also correct in that the impression that this could be a signature for the program is reinforced. The note underneath that this signature only applies to the declaration of consent does not change this because it is not highlighted in any way from the rest of the text and is therefore particularly visible. In addition, it is also offset to the left and thus below the mandatory "Date" field and not directly below the signature field. Even the fact that the "Signature" field is not a mandatory field marked with an asterisk does not invalidate this impression because - as the authority in question correctly stated - the average consumer will not assume that a signature field - which is placed at the end of a registration form - is a mandatory field, but rather that the signature serves to confirm registration for Roman 40.

Overall, the authority concerned is correct in its view that a customer will not have actively perceived that he has actually signed a declaration of consent to data profiling due to the visual design of the declaration of consent during the physical registration process. The consent obtained by means of a flyer therefore does not meet the criteria of Article 7, Paragraph 2, 1st sentence of the GDPR, according to the statements of the authority concerned. Overall, the authority concerned is correct in its view that a customer will not have actively perceived that he has actually signed a declaration of consent to data profiling due to the visual design of the declaration of consent during the physical registration process. The consent obtained by means of a flyer therefore does not meet the criteria of Article 7, Paragraph 2, 1st sentence of the GDPR, according to the statements of the authority concerned.

Nothing else applies with regard to the website. Here too, the authority concerned correctly stated that an average consumer would not assume that the bold heading for the declaration of consent "Enjoy your very own personal benefits" actually involves obtaining consent to carry out profiling. There is no indication of this in the consent text that follows ("Yes", "No") either, but the receipt or non-receipt of "exclusive" benefits is made dependent on the submission or non-submission of data processing in accordance with the "declaration of consent below". This wording (also suggested in the heading) is not only misleading because, ultimately, according to the complainant's own business model, even people who do not consent to the data comparison should receive "exclusive" benefits when registering. Rather, it also has the consequence that those affected are tricked into submitting a declaration of consent without knowing the actual consequences. The fact that the person concerned is ultimately informed of the data comparison in question in accordance with the "declaration of consent below" does not change this, because he or she must first scroll down the text and the reference to profiling is only then visible and, moreover, is not highlighted in bold compared to the heading. Finally, the authority concerned must also be followed here in that it must already be clear "at a first level" (based on the heading) what the consent actually refers to. In this respect, the complainant's statements that the person concerned is informed about the profiling in bold in the general terms and conditions and in the data protection declaration cannot apply.

If the complainant points out in this context that the person concerned is expressly informed in the overview table that they must give their consent to profiling before completing their registration and is also redirected to this by clicking on a pencil symbol, it should be noted that this again draws the person concerned's attention primarily to the receipt of benefits and thus creates the (misleading) impression that the receipt of "exclusive" benefits depends on the provision of consent. This impression is also reinforced by the note in the overview table that the registration process can only be completed after a declaration of profiling has been submitted (which is actually not otherwise indicated as a mandatory field).

Overall, the authority concerned must therefore agree here too that the consent obtained via the website does not meet the criteria of Art. 7, Paragraph 2, 1st sentence of the GDPR. Overall, the authority concerned must therefore agree here too that the consent obtained via the website does not meet the criteria of Art. 7, Paragraph 2, 1st sentence of the GDPR.

According to the express wording of Article 7, Paragraph 2, last sentence of the GDPR, parts of a declaration of consent are not binding if they constitute a violation of this regulation. According to the express wording of Article 7, Paragraph 2, last sentence of the GDPR, parts of a declaration of consent are not binding if they constitute a violation of this regulation.

Since the requests for consent under review using the "flyer" and "website" methods - as explained above - do not meet the requirements of Article 4, Paragraph 11 of the GDPR and Article 7, Paragraph 2 of the GDPR, these are invalid declarations of consent. Since the requests for consent under review using the "flyer" and "website" methods - as explained above - do not meet the requirements of Article 4, Paragraph 11 of the GDPR and Article 7, Paragraph 2 of the GDPR, these are invalid declarations of consent.

The requirements of Article 6, paragraph 1, letter a, GDPR (consent) were therefore not met. The requirements of Article 6, paragraph one, letter a, GDPR (consent) were therefore not met.

The complainant argued in the proceedings that for the data processing in question, Art. 6, paragraph 1, letter f, GDPR or Art. 6, paragraph 4, GDPR could also be used (alternatively). The complainant argued in the proceedings that for the data processing in question, Art. 6, paragraph one, letter f, GDPR or Article 6, paragraph 4, GDPR could also be used (alternatively).

The view of the authority concerned that an invalid declaration of consent in any case results in unlawful data processing and makes a review of other legal bases unnecessary cannot be followed (see also ECJ 4.7.2023, C-252/21, ECLI:EU:C:2023:537 para. 92; and VwGH, 08.02.2022, Ro 2021/04/0033-8).

Since the GDPR does not stipulate any specific admissibility requirements with regard to the data processing of "profiling" in question here, no restriction of the scope of application of Art. 6 GDPR can be seen in this respect either. Art. 22 GDPR does not regulate the admissibility of profiling per se, but the use of certain results of such data processing. Whether and how personal data may be processed automatically for the purposes of personality assessment is therefore not determined by Art. 22 GDPR, but - as can be seen from Recital 72 of the GDPR - by the general rules of the GDPR on the principles and legality of data processing (see Buchner in Kühling/Buchner, General Data Protection Regulation, BDSG4 [2020], Art. 22 para. 11a). Since the GDPR does not specify any specific admissibility requirements with regard to the data processing of "profiling" in question here, no restriction of the scope of application of Article 6 GDPR can be seen in this respect either. Article 22 GDPR does not regulate the admissibility of profiling per se, but the use of certain results of such data processing. Whether and how personal data may be processed automatically for the purposes of personality assessment is therefore not determined by Article 22 of the GDPR, but - as can be seen from Recital 72 of the GDPR - by the general rules of the GDPR on the principles and legality of data processing (see Buchner in Kühling/Buchner, General Data Protection Regulation, BDSG4 [2020], Article 22, para. 11a).

Furthermore, it is clear from Article 21 paragraphs 1 and 2 of the GDPR that the European legislator wanted to consider other legal bases for profiling, in particular the legal basis of Article 6 paragraph 1 letter f of the GDPR. Furthermore, it is clear from Article 21 paragraphs 1 and 2 of the GDPR that the European legislator wanted to consider other legal bases for profiling, in particular the legal basis of Article 6 paragraph 1 letter f of the GDPR.

According to Article 6, paragraph 1, letter f, GDPR, the processing of personal data is only permitted if the processing is necessary to safeguard the legitimate interests of the controller or a third party, unless the interests or fundamental rights and freedoms of the data subject which require the protection of personal data prevail, in particular if the data subject is a child.According to Article 6, paragraph 1, letter f, GDPR, the processing of personal data is only permitted if the processing is necessary to safeguard the legitimate interests of the controller or a third party, unless the interests or fundamental rights and freedoms of the data subject which require the protection of personal data prevail, in particular if the data subject is a child.

Thus, according to this provision, the processing of personal data is permitted under three cumulative conditions: first, a legitimate interest must be pursued by the controller or by a third party, second, the processing of the personal data must be necessary to achieve the legitimate interest, and third, the interests or fundamental rights and freedoms of the person whose data is to be protected must not prevail (see, among others, VwGH Ro 2020/04/0037, para. 52; ECJ 4.7.2023, C-252/21, ECLI:EU:C:2023:537, para. 106).Thus ... Person whose data is to be protected do not outweigh the interests of the controller (see, among others, VwGH Ro 2020/04/0037, para. 52; ECJ 4.7.2023, C-252/21, ECLI:EU:C:2023:537, para. 106).

The ECJ most recently expressly stated in its judgment of July 4, 2023 that such processing can only be considered necessary to safeguard the legitimate interests of the controller or a third party if the operator in question has communicated a legitimate interest pursued by the data processing to the users from whom the data was collected, if this processing is carried out within the limits of what is strictly necessary to achieve this legitimate interest and if a balancing of the opposing interests, taking into account all relevant circumstances, shows that the interests or fundamental rights and freedoms of these users do not outweigh the legitimate interest of the controller or a third party (ECJ July 4, 2023, C-252/21, ECLI:EU:C:2023:537, para. 126).

Furthermore, Recital 47 of the GDPR states that the interests and fundamental rights of the data subject may outweigh the interests of the controller, in particular when personal data are processed in situations where a data subject would not reasonably expect such processing.

The data processing in question serves - as the investigation has shown - the purpose of personalized advertising. According to Recital 47, the processing of personal data for the purpose of direct marketing can in principle be regarded as processing that serves a legitimate interest of the controller (cf. ECJ 4.7.2023, C-252/21, ECLI:EU:C:2023:537, para. 115). In the present case, it is also important that the person affected by the data processing in question is already a customer of the complainant as a result of registering for XXXX. An existing customer relationship also gives rise to a legitimate interest in approaching the customer with direct advertising (cf. Ehmann in Simitis/Hornung/Spiecker [ed.], Data Protection Law [2019], Appendix 3 to Art. 6, para. 26). The data processing in question serves - as the investigation has shown - the purpose of personalized advertising. According to Recital 47, the processing of personal data for the purpose of direct advertising can in principle be regarded as processing that serves a legitimate interest of the controller (cf. ECJ 4.7.2023, C-252/21, ECLI:EU:C:2023:537, para. 115). In the present case, it is also important that the person affected by the data processing in question is already a customer of the complainant as a result of his or her registration for the Roman 40. An existing customer relationship also gives rise to a legitimate interest in approaching the customer with direct advertising (see Ehmann in Simitis/Hornung/Spiecker [ed.], Data Protection Law [2019], Appendix 3 to Article 6,, para. 26).

Regarding the requirement of necessity, it should be noted that the data required for addressing (name and physical or electronic address) are to be regarded as necessary for the purpose of direct advertising. In the area of existing customers or members, the necessity can also extend to certain basic characteristics (age, gender) as well as to past transactions and to derivable preferences and interests, especially if this data is used as a selection criterion for more interest-based advertising (see Ehmann in Simitis/Hornung/Spiecker [ed.], Data Protection Law [2019], Appendix 3 to Art.6, para. 29 and para. 40). With regard to the requirement of necessity, it should be noted that the data required for addressing (name and physical or electronic address) are to be regarded as necessary for the purpose of direct advertising. In the area of existing customers or members, the necessity can also extend to certain basic characteristics (age, gender) as well as to past transactions and to inferable preferences and interests, in particular if these data are used as a selection criterion for more interest-based advertising (cf. Ehmann in Simitis/Hornung/Spiecker [ed.], Data Protection Law [2019], Appendix 3 to Article ,, para. 29 and para. 40).

In the present case, as established, the participation data (name, address, etc.) were automatically linked to the member's purchasing data (place of purchase, product, etc.) in such a way that a preference in relation to the member's purchasing behavior could be derived from them and targeted advertising could thus be addressed to them. On the one hand, this (participation) data was made known to the complainant during registration, among other things by the member himself, and on the other hand, this (purchase) data was transmitted to the complainant by the respective partner, among other things for the purpose of managing the customer loyalty program. In the present case, there are no reasons to doubt the legality of their processing by the complainant per se. Likewise, as stated above, there are no concerns that such data is necessary and appropriate for the realization of the present purpose of personalized advertising.

Furthermore, the complainant also informed the person concerned during registration that this data would be used, among other things, for the purpose of carrying out personalized advertising and thus, among other things, in the complainant's interest in this regard by means of profiling.

However, the complainant based this exclusively on Art. 6 Para. 1 lit. a GDPR and, among other things, stated in its general terms and conditions that such data processing would only be carried out "if the member consents." In doing so, the complainant expressed to the person concerned that the person concerned is in control of the implementation of such data processing. Since in the present case the persons concerned did not perceive consent to the profiling in question either in the flyer or on the website - as already explained - they had to assume, in view of the wording "only if the member consents", that such data processing would not be carried out. However, the complainant relied exclusively on Article 6, paragraph one, letter a, GDPR and in addition stated in its terms and conditions, among other things, that such data processing would be carried out "only if the member consents". In doing so, the complainant expressed to the person concerned that the person concerned is in control of the implementation of such data processing. Since in the present case the persons concerned did not perceive consent to the profiling in question either in the flyer or on the website - as already explained - they had to assume, in view of the wording "only if the member consents", that such data processing would not be carried out.

It is not overlooked that people participating in the XXXX in particular are explicitly interested in needs-oriented benefits and therefore also generally expect to receive information about them. However, the fact that their data is automatically linked by the complainant and a profile of their personal shopping preferences is created cannot be covered by such an expectation. Rather, this would have required a corresponding notification from the complainant (cf. Art. 13 para. 2 lit. f GDPR and Dix in Simitis/Hornung/Spiecker [ed.], Data Protection Law [2019], Art. 13, para. 16; Bäcker in Kühling/Buchner, Data Protection Basic Regulation, BDSG4 [2020], Art. 13, para. 52a with reference to the wording “at least”). It is not overlooked that people participating in the Roman 40 in particular are explicitly interested in needs-oriented benefits and therefore also generally expect to receive information about them. However, the fact that her data is automatically linked by the complainant and a profile of her personal shopping preferences is created cannot be covered by such an expectation. Rather, this would have required a corresponding notification from the complainant (see Article 13, paragraph 2, letter f, GDPR and Dix in Simitis/Hornung/Spiecker [ed.], Data Protection Law [2019], Article 13,, para. 16; Bäcker in Kühling/Buchner, Data Protection Basic Regulation, BDSG4 [2020], Article 13,, para. 52a with reference to the wording “at least”).

In the present case, such a notification did not take place due to the complainant's information to the contrary, that the data processing in question would only be carried out “if the member consents”.

However, since the data subjects not only did not expect data processing in this form of profiling, but in view of the complainant's statements in their terms and conditions they even explicitly ruled it out, the data subjects' interests in confidentiality outweigh the complainant's legitimate interests. For this reason, Article 6, paragraph 1, letter f, GDPR cannot be applied. However, since the data subjects not only did not expect data processing in this form of profiling, but in view of the complainant's statements in their terms and conditions they even explicitly ruled it out, the data subjects' interests in confidentiality outweigh the complainant's legitimate interests. For this reason, Article 6, paragraph 1, letter f, GDPR cannot be applied.

However, nothing else can apply to the provision of Article 6, paragraph 4 GDPR also asserted by the complainant and the possibility of a change of purpose granted therein. However, nothing else can apply to the provision of Article 6, paragraph 4, GDPR, which the complainant also invokes, and the possibility of a change of purpose granted therein.

According to this provision, the controller can check, according to the second part of paragraph 4, whether a change of purpose is compatible with the purpose for which the personal data was originally collected. In doing so, the controller must take into account various criteria set out in letters a to e, including, according to letter b, the context in which the personal data was collected, in particular with regard to the relationship between the data subjects and the controller. According to Recital 50, the important factor here is "the context in which the data was collected, in particular the reasonable expectations of the data subject, based on their relationship with the controller, with regard to the further use of those data [...]".According to this provision, the controller can check, according to the second part of paragraph 4, whether a change of purpose is compatible with the purpose for which the personal data was originally collected. In doing so, the controller must take into account various criteria standardized in letters a to e, including, according to letter b, the context in which the personal data were collected, in particular with regard to the relationship between the data subjects and the controller. According to Recital 50, the important factor is “the context in which the data were collected, in particular the reasonable expectations of the data subject, based on their relationship with the controller, with regard to the further use of these data […]”.

The decisive factors for this criterion are, among other things, the actions of the controller and the expectations of the data subject derived from them. Compatibility of purpose cannot be assumed if the data subject could not have expected that the controller would further process their personal data for another purpose. The controller must at least inform the data subject of the purposes and the change of purpose before further processing. Such information also includes profiling measures. They can only be considered compatible if they were foreseeable for the data subject at the time the data was collected. The data subject need not expect profiles to be created that were not previously known; they do not correspond to their reasonable expectations (cf. Albrecht in Simitis/Hornung/Spiecker [ed.], Data Protection Law [2019], Art. 6 para. 4, marginal no. 43ff, in particular marginal no. 47 and 51). Accordingly, the decisive factors for this criterion include, among others, the actions of the controller and the expectations of the data subject derived from them. Compatibility of purpose cannot be assumed if the data subject did not have to expect that the controller would further process their personal data for another purpose. In this case, the controller must at least inform the data subject of the purposes and the change of purpose before further processing. Such information also includes profiling measures. They can only be considered compatible if they were foreseeable for the data subject at the time the data was collected. The data subject need not expect profiles to be created that were not previously known; they do not meet their reasonable expectations (see Albrecht in Simitis/Hornung/Spiecker [ed.], Data Protection Law [2019], Article 6, Paragraph 4,, No. 43ff, in particular No. 47 and 51).

However, the information provided by the complainant does not meet these requirements - as already stated in relation to Article 6, Paragraph 1, Letter f, GDPR. Accordingly, the complainant could not rely on Article 6, Paragraph 4, GDPR. However, the information provided by the complainant does not meet these requirements - as already stated in relation to Article 6, Paragraph 1, Letter f, GDPR. Accordingly, the complainant could not rely on Article 6, Paragraph 4, GDPR.

There are no other legal bases that could be considered and, moreover, no such bases were put forward.

on the subjective side of the offense:

At this point, it should be noted that the substantive requirements that a supervisory authority must observe when imposing such a fine are set out precisely in Article 83 (1) to (6) GDPR and without any discretion for the Member States (cf. the judgments of the ECJ of December 5, 2023, C-807/21, para. 45; and also of December 5, 2023, C-683/21, para. 67). At this point, it should be noted that the substantive requirements that a supervisory authority must observe when imposing such a fine are set out precisely in Article 83 (1) to (6) GDPR and without any discretion for the Member States (cf. the judgments of the ECJ of December 5, 2023, C-807/21, para. 45; and also of December 5, 2023, C-683/21, para. 67).

In the contested penal decision, the authority concerned stated in summary on the subjective side of the offense that the managing directors of the complainant in the specific case are responsible for the processing of personal data of the data subjects registered at " XXXX " for the purpose of profiling by the accused due to disregard of the required care and due to a lack of control and monitoring. In the contested penal decision, the authority concerned stated in summary on the subjective side of the offense that the managing directors of the complainant in the specific case are responsible for the processing of personal data of the data subjects registered at " Roman 40 " for the purpose of profiling by the accused due to a disregard of the required care and due to a lack of control and monitoring.

In its decisions C-807/21 (paras. 76 and 77) and C-683/21 (paras. 79 and 80), the ECJ ruled that Article 83 of Regulation 2016/679 is to be interpreted as meaning that, under this provision, a fine may only be imposed if it is proven that the controller, who is both a legal person and an undertaking, committed an infringement referred to in Article 83(4) to (6) GDPR intentionally or negligently. In its decisions C-807/21 (paras. 76 and 77) and C-683/21 (paras. 79 and 80), the ECJ ruled that Article 83 of Regulation 2016/679 is to be interpreted as meaning that a fine may only be imposed under this provision if it is proven that the controller, who is both a legal person and an undertaking, has intentionally or negligently committed an infringement referred to in Article 83, paragraphs 4 to 6 of the GDPR.

Furthermore, the ECJ clarified that a controller can be sanctioned for conduct that falls within the scope of the GDPR if he could not have been unaware of the illegality of his conduct, regardless of whether he was aware that it violated the provisions of the GDPR, and that the application of Art. 83 GDPR does not require any action or even knowledge on the part of the management body of that legal person. Furthermore, the ECJ clarified that a controller can be sanctioned for conduct that falls within the scope of the GDPR if he could not have been unaware of the illegality of his conduct, regardless of whether he was aware that it violated the provisions of the GDPR, and that the application of Art. 83 GDPR does not require any action or even knowledge on the part of the management body of that legal person.

The ECJ also ruled in the “Meta Platforms Inc.” case that, according to Art. 5 GDPR, the controller bears the burden of proof that the data is collected, inter alia, for specified, explicit and legitimate purposes and is processed lawfully, fairly and in a manner that is understandable to the data subject (ECJ of July 4, 2023, No. C-252/21, para. 95). The principles, prohibitions and obligations provided for in the GDPR are aimed in particular at “controllers”. According to the statements in Recital 74 of the GDPR, their responsibility and liability extends to any processing of personal data carried out by them or on their behalf. In this context, they must not only take appropriate and effective measures, but they must also be able to demonstrate that their processing activities are in line with the GDPR and that the measures they have taken to ensure this compliance are also effective. It is this liability that forms the basis for imposing a fine on the controller under Art. 83 GDPR in the event of one of the violations listed in Art. 83 (4) to (6) GDPR (see again ECJ of December 5, 2023, No. C-807/21, para. 38). The ECJ also held in the "Meta Platforms Inc." case that under Article 5 of the GDPR, the controller bears the burden of proof that the data is collected for specified, explicit and legitimate purposes, among other things, and processed lawfully, in good faith and in a manner that is understandable to the data subject (ECJ of July 4, 2023, No. C-252/21, para. 95). The principles, prohibitions and obligations provided for in the GDPR are aimed in particular at "controllers". According to the statements in Recital 74 of the GDPR, their responsibility and liability extends to any processing of personal data carried out by them or on their behalf. In this context, they must not only take appropriate and effective measures, but they must also be able to demonstrate that their processing activities are in line with the GDPR and that the measures they have taken to ensure this compliance are also effective. It is this liability that forms the basis for imposing a fine on the controller under Article 83 of the GDPR in the event of one of the violations listed in Article 83, paragraphs 4 to 6 (see again ECJ of December 5, 2023, case no. C-807/21, para. 38).

The authority concerned must therefore first agree that the complainant was in any case obliged to inquire about the relevant provisions of the GDPR (here in connection with the declarations of consent used by it for the purpose of legitimizing the data processing in question) and that this was before the data processing in question began.

Furthermore, the authority concerned must agree that the complainant or the persons acting on its behalf, in particular the two managing directors of the complainant and the data protection officer, should at least have recognized that the ultimately chosen design of the declarations of consent used for this purpose and thus the data processing based on them was not in accordance with the GDPR.

This is for the following reasons:

As already stated above on the objective side of the offence, with regard to the visual design of the declarations of consent used in the physical registration form, it should be noted that the form for obtaining the declarations of consent was designed in a misleading way due to the chosen distance from the text and the fact that it is a common practice that a contract must be signed when it is concluded, because it gives the impression that the form is not valid without a signature, and with regard to the electronic registration process, that the inscription "Enjoy your very own personal advantages" was misleading and misleading without further and above all clearly visible references to profiling.

It is not overlooked that – as the complainant complained with reference to the Advocate General’s Opinion in Case C-807/21, para. 80 – the assessment of compliance with the obligations laid down in the GDPR, including those on which the processing of data (Article 5 GDPR) and its legality (Article 6 GDPR) depend, can sometimes require a complex evaluation and assessment process. It is not overlooked that – as the complainant complained with reference to the Advocate General’s Opinion in Case C-807/21, para. 80 – the assessment of compliance with the obligations laid down in the GDPR, including those on which the processing of data (Article 5 GDPR) and its legality (Article 6 GDPR) depend, can sometimes require a complex evaluation and assessment process.

In the present case, however, according to the complainant's own statements, the processing in question was based primarily on the consent declarations it had obtained for the purpose and exclusively on the consent forms it had obtained for the purpose from the data subjects. The fact that the visual design of the consent declaration it had chosen did not correspond to the requirements of an "informed and unambiguous expression of intent" within the meaning of Art. 4(11) GDPR due to the misleading factors outlined above is clear from the mere wording of Art. 4(11) in conjunction with Art. 5(1)(a) in conjunction with Art. 7(2) GDPR. This should have been noticed by the complainant as the operator of a customer loyalty program. In the present case, however, according to the complainant's own statements, the processing in question was based primarily on the consent declarations it had obtained for the purpose and exclusively on the consent forms it had obtained for the purpose from the data subjects. The fact that the visual design of the declaration of consent chosen by the complainant does not correspond to the requirements of an "informed and unambiguous expression of intent" within the meaning of Article 4, paragraph 11, GDPR due to the misleading factors described above is already clear from the pure wording of Article 4, paragraph 11, in conjunction with Article 5, paragraph one, letter a, in conjunction with Article 7, paragraph 2, GDPR. This should have been noticed by the complainant as the operator of a customer loyalty program.

This is not changed by the fact that - as complained by the complainant - the authority concerned assumed in the initial decision that the declarations of consent for the methods "XXXX App" and "XXXX" were invalid, but in the preliminary decision on the appeal, in view of the screen-by-screen registration process, that the declaration of consent was sufficiently transparent and thus (still) valid, because this does not make any statement at all with regard to the declarations of consent in question here, which are not designed screen-by-screen. This is not changed by the fact that - as the complainant complained - the authority concerned assumed in the initial decision that the declarations of consent for the "Roman 40 App" and "Roman 40" methods were invalid, but in the preliminary decision on the appeal, in view of the screen-by-screen registration process, that the declaration of consent was sufficiently transparent and thus (still) valid, because this does not make any statement at all with regard to the declarations of consent in question here - which are not designed screen-by-screen.

At the time of the offence, there was also no supreme court case law or corresponding administrative practice on the provisions cited, on the basis of which the complainant could have trusted that the design complied with the GDPR, contrary to the misleading factors presented. In particular, it should be noted that even under the Data Protection Directive 95/46/EC, which was in force before the GDPR came into force, consent had to be given without any doubt and with full knowledge of the facts, which is why the legal uncertainty expressed by the complainant as a result of the GDPR coming into force undoubtedly did not exist in this respect. The fact that she based her design on a registration brochure for an existing customer loyalty program does not change the fact that she should have noticed the obviously misleading factors in the present case herself.

It can therefore be assumed that the complainant or the data protection officer who regularly deals with data protection issues, as well as the managing directors, should have noticed that the procedure chosen for the declarations of consent was misleading and that any data processing based on it was therefore unlawful.

It follows that on the subjective side of the offense, there is at least fault in the form of negligence on the part of the complainant. This was also examined by the authority concerned for the entire period. Against this background, a more detailed discussion of the complainant's arguments regarding the applicability of Section 5, Paragraph 1a of the Criminal Offenses Act could be omitted. This means that on the subjective side of the offence, there is at least fault in the form of negligence on the part of the complainant. This was also examined by the authority concerned for the entire period. Against this background, a more detailed discussion of the complainant's arguments regarding the applicability of Paragraph 5, Paragraph 1a of the Criminal Offenses Act could be omitted.

If the complainant in this context raises the existence of an excusable error of law, the following must be said against her:

In its judgment of 18 June 2013, Schenker & Co. and others, C-681/11, EU:C:2013:404, in European antitrust proceedings, the ECJ has already clarified that the fact that a company classifies its conduct, on which the finding of the infringement is based, as legally incorrect cannot lead to it not being fined if it cannot be uncertain about the anti-competitive nature of its conduct (ibid., para. 38), regardless of whether it relied on the legal advice of a lawyer or on a final decision of a Member State authority or court (ibid., para. 41). The ECJ thus did not follow the Advocate General's opinion in this case, which would have (still) permitted an error of law excluding liability based on legal advice, but not on internal advice, listing strict minimum requirements (para. 62 ff.).

The ECJ explicitly referred to this ECJ ruling in its "Deutsche Wohnen" decision on the GDPR in connection with its comments on liability (para. 76) and without any qualifying remarks. The applicability of this case law developed in the European antitrust proceedings on the irrelevance of an error of prohibition cannot therefore be denied in the context of data protection law (see Bergt in Kühling/Buchner, General Data Protection Regulation, BDSG4 [2020], Art. 83, para. 37). The ECJ explicitly referred to this judgment of the ECJ in its decision on the GDPR in the “Deutsche Wohnen” case, in connection with its comments on fault (para. 76), without any restrictive remarks. The applicability of this case law developed in the European antitrust proceedings on the irrelevance of an error of prohibition cannot therefore be denied in the context of data protection law (see Bergt in Kühling/Buchner, General Data Protection Regulation, BDSG4 [2020], Article 83, para. 37).

However, for the sake of order, it should not be overlooked that the complainant should have already noticed the illegality of the wording of the declarations of consent drawn up (with the advice of a lawyer and also internally) - as explained above - which is why the existence of an error of law should have been ruled out on the basis of these considerations anyway (see the minimum requirements for an error of law excluding liability set out by the Advocate General in Case C-681/11, in particular in paragraphs 64 and 68).

on the assessment of penalties:

According to Article 83, paragraph 5, letter a, GDPR, infringements of the principles for processing, including the conditions for consent, pursuant to Articles 5, 6, 7 and 9 in accordance with paragraph 2 shall be subject to fines of up to EUR 20,000,000 or, in the case of an undertaking, up to 4% of its total worldwide annual turnover of the preceding financial year, whichever is higher. According to Article 83, paragraph 5, letter a, GDPR, infringements of the principles for processing, including the conditions for consent, pursuant to Articles 5, 6, 7 and 9 in accordance with paragraph 2 shall be subject to fines of up to EUR 20,000,000 or, in the case of an undertaking, up to 4% of its total worldwide annual turnover of the preceding financial year, whichever is higher.

The term “undertaking” within the meaning of Articles 101 and 102 TFEU has no relevance to the question of whether and under what conditions a fine under Article 83 GDPR can be imposed on a responsible legal person, as it is only relevant for determining the amount of a fine imposed under Article 83(4) to (6) GDPR (cf. ECJ of 5 December 2023, C-807/21, paras. 53, 54). With regard to the concept of "undertaking" within the meaning of this provision, the ECJ further stated in Case C-807/21 (Deutsche Wohnen SE) that the reference in Recital 150 of the GDPR to the term "undertaking" within the meaning of Articles 101 and 102 TFEU is to be understood in this specific context of the calculation of fines imposed for infringements referred to in Article 83(4) to (6) GDPR (see paras. 55 et seq.). For the purposes of applying the competition rules laid down in Articles 101 and 102 TFEU, this concept of undertaking includes any entity carrying out an economic activity, regardless of its legal form and the way in which it is financed. It therefore refers to an economic unit, even if it legally consists of several natural or legal persons. This economic unit consists of a unified organization of personal, material and immaterial resources that permanently pursues a specific economic purpose (with reference to the judgment of 6 October 2021, Sumal, C-882/19, EU:C:2021:800, para. 41 and the case law cited therein). The term "undertaking" within the meaning of Articles 101 and 102 TFEU has no relevance to the question of whether and under what conditions a fine can be imposed on a responsible legal person under Article 83 GDPR, as it is only relevant for determining the amount of a fine imposed under Article 83, paragraphs 4 to 6 GDPR (see ECJ of 5 December 2023, C-807/21, paras. 53, 54). With regard to the concept of "undertaking" within the meaning of this provision, the ECJ further stated in Case C-807/21 (Deutsche Wohnen SE) that the reference in Recital 150 of the GDPR to the term "undertaking" within the meaning of Articles 101 and 102 TFEU is to be understood in this specific context of the calculation of fines imposed for infringements referred to in Article 83, paragraphs 4 to 6 of the GDPR (see paragraphs 55 et seq.). For the purposes of applying the competition rules laid down in Articles 101 and 102 TFEU, this concept of undertaking includes any entity carrying out an economic activity, regardless of its legal form and the way in which it is financed. It therefore refers to an economic unit, even if this unit legally consists of several natural or legal persons. This economic unit consists of a uniform organization of personal, material and intangible resources that permanently pursues a specific economic purpose (with reference to the judgment of 6 October 2021, Sumal, C-882/19, EU:C:2021:800, paragraph 41 and the case-law cited therein).

The criteria for assessing the existence of an economic unit are economic, legal and organizational links between the parent company and the subsidiary (e.g. level of participation, personal or organizational links as well as instructions and the existence of internal agreements). The ECJ has ruled that in the special case where a parent company holds 100% or almost 100% of the capital of its subsidiary which has infringed the Union's competition rules, firstly, that parent company can exercise a decisive influence on the conduct of that subsidiary and, secondly, there is a rebuttable presumption that that parent company actually exercises such an influence on the conduct of its subsidiary (see, for all of these statements, in particular, ECJ of 20 January 2011, C-90/09 P; 10 September 2009, C-97/08 P). The criteria for assessing the existence of an economic unit are economic, legal and organisational links between the parent company and subsidiary (e.g. level of participation, personal or organisational links, instructions and the existence of internal agreements). The ECJ has found that in the specific case where a parent company holds 100% or almost 100% of the capital of its subsidiary which has infringed the Union's competition rules, on the one hand, that parent company can exercise a decisive influence on the conduct of that subsidiary and, on the other hand, there is a rebuttable presumption that that parent company actually exercises such an influence on the conduct of its subsidiary (for all of these statements, see in particular ECJ of 20 January 2011, C-90/09 P; 10 September 2009, C-97/08 P).

In the present case, the complainant is a 100% subsidiary of XXXX m.b.H., which in turn is a 100% subsidiary of XXXX AG, which in turn is a 100% subsidiary of XXXX Gesellschaft mit beschränkter Haftung. It should be noted that in 2016, XXXX AG decided to set up a multi-partner customer loyalty program in the XXXX Group and the complainant was founded in 2017 for this purpose, namely to establish a customer loyalty program for the XXXX Group. The complainant's data protection officer, XXXX, is employed by both XXXX m.b.H and XXXX AG. The XXXX Group has (data protection) guidelines that are available to each individual company and can be adapted. There is therefore also a close organizational/personal connection between the companies mentioned and thus, according to the cited ECJ case law, the presumption that the parent companies mentioned exert a decisive influence on the complainant. It would have been up to the complainant to refute this presumption by means of appropriate evidence or to prove that the subsidiary operates independently on the market (so-called Akzo presumption, Case C-97/08 P, Akzo Nobel and others v Commission, paras. 59 and 60, and joined cases C-293/13 and 294/13 P, Fresh Del Monte Produce v Commission and Commission v Fresh del Monte Produce; see also ECJ of January 27, 2021, C-595/18 P, para. 32). The complainant has not commented on this. It has neither submitted any submissions on the statements made by the authority concerned in its opinion of January 30, 2024, according to which an economic unit exists between the companies mentioned, nor has it submitted any further submissions on this issue at the oral hearing before the Federal Administrative Court, despite the court's express request. The Federal Administrative Court therefore has no doubt that in this case the companies mentioned form an economic unit. In the present case, the complainant is a wholly owned subsidiary of roman 40 m.b.H., which in turn is a wholly owned subsidiary of roman 40 AG, which in turn is a wholly owned subsidiary of roman 40 Gesellschaft mit beschränkter Haftung. It should be noted that in 2016 roman 40 AG decided to set up a multi-partner customer loyalty program within the roman 40 Group and the complainant was founded in 2017 for this purpose, namely to establish a customer loyalty program for the roman 40 Group. The complainant’s data protection officer, roman 40, is employed by both roman 40 m.b.H and roman 40 AG. The roman 40 Group has (data protection) guidelines that are available to each individual company and can be adapted. There is therefore also a close organizational/personal link between the companies mentioned and thus, according to the ECJ case law cited, the presumption that the parent companies mentioned exert a decisive influence on the complainant. It would have been up to the complainant to refute this presumption by means of appropriate evidence or to prove that the subsidiary operates independently on the market (so-called Akzo presumption, case C-97/08 P, Akzo Nobel and others v Commission, paras. 59 and 60, and joined cases C-293/13 and 294/13 P, Fresh Del Monte Produce v Commission and Commission v Fresh del Monte Produce; see also ECJ of January 27, 2021, C-595/18 P, para. 32). The complainant has not commented on this. Neither did it submit any submissions on the statements made by the authority concerned in its statement of 30 January 2024 that an economic unit exists between the companies mentioned, nor did it submit any further submissions on this issue in the oral hearing before the Federal Administrative Court despite the court's express request. The Federal Administrative Court therefore has no doubt that in the given case there is an economic unit between the companies mentioned.

Against this background, it should be noted that the annual turnover of the entire economic unit, i.e. the complainant, XXXX m.b.H., XXXX AG and XXXX Gesellschaft mit beschränkter Haftung, must be taken into account. Against this background, it should be noted that the annual turnover of the entire economic unit, i.e. the complainant, roman 40 m.b.H., roman 40 AG and roman 40 Gesellschaft mit beschränkter Haftung, must be taken into account.

There was no longer any room for the complainant's request to suspend the proceedings until the ECJ's decision in Case C-383/23 (ILVA), as it had already been established from the judgment in Case C-807/21 (Deutsche Wohnen SE) that the economic unit's worldwide annual turnover in the previous financial year must be used to assess the penalty.

As to the question of which event the previous financial year is linked to, the turnover of which determines the upper limit of the possible fine, it should be noted that according to the case law of the ECJ in antitrust law on the almost identical Article 23 of Regulation No. 1/2003, the reference period is the financial year preceding the imposition of the sanction (ECJ, judgment of January 26, 2017 - C-637/13 P - Badezimmerkartell Laufen Austria, para. 49; ECJ, judgment of September 4, 2014 - C-408/12 P - YKK et al. para. 90). Since Article 83 of the GDPR is modeled on the antitrust law regulation, the amount of annual turnover in the last completed financial year before the fine/penalty decision is issued is decisive. The time of the court decision is just as irrelevant as the time of the relevant violation (see also the Guidelines 04/2022 of the European Data Protection Board on the calculation of fines within the meaning of the GDPR, version 2.1, adopted on 24 May 2023, para. 131 [hereinafter: Guidelines EDPB 04/2022]). As to the question of which event the previous financial year is linked to, the turnover of which determines the upper limit of the possible fine, it should be noted that according to the case law of the ECJ in antitrust law on the almost identical Article 23, Regulation No. 1 / 2003, the reference period is the financial year preceding the imposition of the sanction (ECJ, judgment of January 26, 2017 - C-637/13 P - Badezimmerkartell Laufen Austria, para. 49; ECJ, judgment of September 4, 2014 - C-408/12 P - YKK et al. para. 90). Since Article 83, GDPR is modeled on the antitrust regulation, the amount of annual turnover in the last completed financial year before the fine/penalty decision is issued is decisive. The time of the court decision is just as irrelevant as the time of the relevant violation (see also the Guidelines 04/2022 of the European Data Protection Board for the calculation of fines within the meaning of the GDPR, version 2.1, adopted on 24 May 2023, para. 131 [hereinafter: Guidelines EDSA 04/2022]).

Since the penal decision was issued on 26 July 2021, the annual turnover for 2020 is therefore decisive. Based on a turnover for 2020 of the complainant, XXXX m.b.H., XXXX AG and XXXX Gesellschaft mit beschränkter Haftung of EUR 265,364,038.00, this results in an upper limit for the fine of EUR 20 million. Since the penal decision was issued on 26 July 2021, the annual turnover for 2020 is therefore decisive. Based on a turnover for 2020 of the complainant, roman 40 m.b.H., roman 40 AG and roman 40 Gesellschaft mit beschränkter Haftung, of EUR 265,364,038.00, this results in an upper limit for the fine of EUR 20 million.

When determining the fine within this fine range, the Federal Administrative Court was guided by the following:

First of all, it should be noted that the authority concerned cited two violations in the ruling of the contested penal decision: the violation of the legally compliant design of the declaration of consent and the resulting unlawful data processing. Since, in the sense of the above statements, the statute of limitations has already expired with regard to the violation of the legally compliant design of the declaration of consent, the present punishment is only (any longer) based on an accusation.

According to Article 83 (1) GDPR, each supervisory authority ensures that the imposition of fines is effective, proportionate and dissuasive in each individual case. Article 83 (2) GDPR lists assessment criteria that must be "duly" taken into account when deciding on the imposition of a fine and its amount in each individual case. The relevant factors are in particular the nature, severity and duration of the violation, the number of persons affected by the processing, the extent of the damage, the category of personal data affected, the company's efforts to limit the damage, the nature and extent of cooperation with the data protection authorities and the degree of responsibility. According to Article 83, paragraph one, GDPR, each supervisory authority ensures that the imposition of fines is effective, proportionate and dissuasive in each individual case. Article 83, paragraph 2, GDPR lists assessment criteria that must be "duly" taken into account in each individual case when deciding on the imposition of a fine and its amount. The relevant factors are in particular the type, severity and duration of the violation, the number of people affected by the processing, the extent of the damage, the category of personal data affected, the company's efforts to limit the damage, the type and extent of cooperation with the data protection authorities and the degree of responsibility.

The company's turnover is not mentioned in Article 83, paragraph 2 of the GDPR as a criterion for determining the fine. However, this does not mean that the company's turnover is not important when determining the fine. "On the one hand, for companies with high turnover, turnover determines the upper limit of the fine and thus sets the framework into which the specific data protection violation is to be classified and fitted. The fine framework provides the necessary orientation for the specific assessment. On the other hand, fines against companies must be effective and deterrent in accordance with Art. 83 (1) GDPR. This also depends on the sensitivity of the respective company to punishment. The larger the company, the lower the sensitivity to punishment and the higher the fine must usually be so that it can develop its special preventive effect. The level of turnover is a suitable indicator for the size of the company and thus for the sensitivity to suspicion; the balance sheet profit and other key figures of the company's economic performance can also be taken into account" (see again BVwG, March 27, 2024, W214 2243436-1/39E m.w.H.). The EDPB guidelines on the calculation of fines also assume (with reference to a binding EDPB decision 1/2021 in this regard, paras. 411 and 412) that the size of the company must be taken into account when calculating the fine, which is why its turnover must be taken into account (see again the EDPB guidelines 04/2022, paras. 63ff.). The company's turnover is not mentioned in Article 83, paragraph 2, GDPR as a criterion for determining the fine. However, this does not mean that the company's turnover is of no importance when determining the fine. "On the one hand, for companies with high turnover, turnover determines the upper limit of the fine and thus sets the framework within which the specific data protection violation is to be classified and fitted. The fine framework provides the necessary orientation for the specific assessment. On the other hand, fines against companies must be effective and deterrent in accordance with Article 83, paragraph one, GDPR. This also depends on the sensitivity of the respective company to punishment. The larger the company, the lower the sensitivity to punishment and the higher the fine must be as a rule so that it can develop its special preventive effect. The level of turnover is a suitable indicator for the size of the company and thus for the sensitivity to suspicion; the balance sheet profit and other key figures of the company's economic performance can also be taken into account" (see again BVwG, March 27, 2024, W214 2243436-1/39E m.w.H.). The EDSA guidelines on the calculation of fines also assume (with reference to a binding EDSA decision 1/2021 in this regard, paras. 411 and 412) that the size of the company must be taken into account when calculating the fine, which is why its turnover must be taken into account (see again the EDSA guidelines 04/2022, paras. 63ff.)

Since the penalty range under Art. 83 GDPR is very high up to EUR 20,000,000, the importance of the protected legal interest cannot in any case be classified as low. Since the penalty range under Article 83 GDPR is very high up to EUR 20,000,000, the importance of the protected legal interest cannot in any case be classified as low.

Given that the complainant culpably and unlawfully processed the personal data of the data subjects for its business activities for the purpose of personalized communication, that the processing affected the entire federal territory of Austria, that the processing of personal data is a central activity of the complainant, that a large number of natural persons (approx. 2,285,021) were affected by the unlawful processing and that the processing took place over a period of almost two years, it must be noted that the violation, even if it was committed negligently, was in any case not minor, but rather, when assessed according to the criteria set out in Art. 83 (2)(a) GDPR, has a medium to high degree of severity. Taking into account the fact that the design of the registration form was more negligent than the design of the online consent (although in this case too the complainant should have clearly recognised the misunderstanding), the calculation basis for a medium violation must be used when considering the overall situation. Given that the complainant culpably and unlawfully processed the personal data of the data subjects for its business activities for the purpose of personalised communication, the processing affected the entire federal territory of Austria, the processing of personal data is a central activity of the complainant, a large number of natural persons (approx. 2,285,021) were affected by the unlawful processing and the processing took place over a period of almost two years, it must be stated that the violation, even if it was committed negligently, was in any case not minor, but rather, when assessed according to the criteria set out in Article 83, Paragraph 2, Letter a, GDPR, has a medium to high degree of severity. Taking into account the fact that the design of the registration form was more negligent than the design of the online consent (although even in this case the complainant should have clearly recognised the ambiguity), the basis for calculating a medium violation must be used in an overall assessment.If the complainant refers to the application of Section 11 DSG and a warning should therefore be given priority, it should be pointed out that the principle of proportionality provided for therein is already anchored in Article 83 GDPR. In any case, the system and priority of application of the GDPR do not indicate that the procedure under Section 11 DSG takes precedence; with regard to a possible attempt to bind the authority concerned (or the court) beyond the GDPR (cf. Bresich, Dopplinger, Dörnhöfer, Kunnert, Riedl, DSG (2018) p. 131, Section 11, Note 6), there is no corresponding opening clause or authorization in the GDPR. In the opinion of the Federal Administrative Court, however, due to the severity of the violation described above, a mere warning is not an option, nor is a discontinuance of the proceedings or a warning in accordance with Section 45 Paragraph 1 Item 4 of the Criminal Procedure Act, especially since the importance of the legal interest protected by criminal law (the fundamental right to prohibit the processing of personal data without a legal basis) is in any case not to be regarded as minor. In addition, reference should be made in this context to Recital 148 of the GDPR (see all this in a similar case: BVwG, March 27, 2024, W214 2243436-1/39E). If the complainant relies on the application of Paragraph 11 of the DSG and a warning is therefore to be given preference, it should be pointed out that the principle of proportionality provided for there is already anchored in Article 83 of the GDPR. In any case, the system and priority of application of the GDPR do not indicate that the procedure under paragraph 11 of the Data Protection Act takes precedence; with regard to a possible attempt to bind the authority concerned (or the court) beyond the GDPR (see Bresich, Dopplinger, Dörnhöfer, Kunnert, Riedl, DSG (2018) p. 131, paragraph 11, note 6), there is no corresponding opening clause or authorization in the GDPR. In the view of the Federal Administrative Court, however, due to the seriousness of the violation described above, a mere warning is not an option, nor is a discontinuance of the proceedings or a warning in accordance with paragraph 45, paragraph one, number 4 of the Administrative Offenses Act, especially since the importance of the legal interest protected by criminal law (the fundamental right to prohibit the processing of personal data without a legal basis) is in any case not to be regarded as minor. In addition, reference should be made in this context to Recital 148 of the GDPR (see all of this in a similar case: BVwG, March 27, 2024, W214 2243436-1/39E).

According to the EDSA 04/2022 guidelines, a starting amount of 10% to 20% of the statutory maximum (EUR 20,000,000.00) is to be assumed for a violation of medium severity. In view of the above, a provisional starting amount of EUR 2,000,000.00 (10% of the statutory maximum) therefore seems appropriate to the Federal Administrative Court.

Since the turnover of the complainant's group of companies is less than EUR 500,000,000.00, an adjustment must be made based on the size of the company according to the EDSA 04/2022 guidelines. Due to a company turnover such as that of the complainant of EUR 265,364,038.00, the EDSA recommends that the calculations be based on an amount between 40% and 100% of the determined starting amount. In particular, since the company turnover is closer to the lower limit of EUR 250,000,000.00 than to the upper limit of EUR 500,000,000.00, a final starting amount of 50% of the provisional starting amount, i.e. an amount of EUR 1,000,000, was to be assumed.

The authority concerned took into account the negligent commission, the absence of previous violations of the GDPR by the authority concerned, the participation of the complainant in the current investigation before the data protection authority, the loss of assets, the adaptation of the consent forms after the issuance of the decision of the data protection authority in the official review procedure, as well as the (current) COVID-19 pandemic and all the resulting necessary restructuring measures in the company. In addition, the Federal Administrative Court took into account the extensive efforts of the complainant to ensure that the declarations of consent and thus data processing were GDPR-compliant in advance through intensive internal and external consultations, as well as the fact that the complainant tried to mitigate damage even after receiving the criminal conviction and deleted or stopped the data processing in question in August 2021.

Due to the existing and newly added mitigating circumstances (where the negligent commission was already taken into account when classifying the severity of the violation), the starting amount had to be adjusted so that a fine of EUR 500,000.00 seems appropriate. The specific fine imposed by the authority concerned, EUR 2,000,000.00, is therefore higher than the fine set by the Federal Administrative Court, although it should not be overlooked that the fine imposed by the authority concerned (still) related to two charges.

It should be noted that the Federal Administrative Court also had to exercise discretion when setting the fine. For example, Wessely states the following in Raschauer/Wessely (ed.), Commentary on the Administrative Penal Code3 (2023) § 19, marginal note 26: It should be noted that the Federal Administrative Court also had to exercise discretion when setting the fine. For example, Wessely states the following in Raschauer/Wessely (ed.), Commentary on the Administrative Penal Code3 (2023) Paragraph 19, marginal note 26:

“When making its decision, the Administrative Court must not only examine the exercise of discretion by the administrative penal authority, but must exercise discretion itself and impose a new sentence (VwGH 31.1.2012, 2009/05/0123). This is particularly the case if the verdict is changed. In general, if the appeal is partially upheld (VwGH 27.5.2008, 2007/05/0235), for example by reducing the period of time during which the offence was committed (VwGH 22.4.2010, 2007/07/0015; 21.2.2012, 2010/11/0245), if the notices are removed because they have been cancelled in the meantime (VwGH 27.5.2008, 2007/05/0235) or if other mitigating circumstances arise (VwGH 22.4.1998, 97/03/0353), i.e. in cases of a qualitative or quantitative reduction in the offence, the sentence must also be reduced. However, this is not mandatory. For example, there is no need for a reduction if the Administrative Court estimates the negative value of the offense to be higher than the administrative authority or if the economic situation of the accused has improved in the meantime (VwGH 27.5.2008, 2007/05/0235; 23.2.2022, Ra 2020/17/0024; 29.3.2022, Ro 2020/02/0003); however, such a procedure requires appropriate justification (VwGH 22.4.1998, 97/03/0353)."

The fine calculated by the Federal Administrative Court appears to be appropriate to the offense and guilt and is at the lower end of the available penalty range. There is no scope for a further reduction in the sanction, particularly due to the large number of people affected and the duration of the violation. In the present case, an (even) lower amount would no longer meet the criteria for a fine set out in Article 83, paragraph 1 of the GDPR, according to which it must be effective, proportionate and deterrent in each individual case. The fine calculated by the Federal Administrative Court appears to be appropriate to the offence and guilt and is at the lower end of the available penalty range. There is no scope for a further reduction in the sanction, particularly due to the large number of people affected and the duration of the violation. In the present case, an (even) lower amount would no longer meet the criteria for a fine set out in Article 83, paragraph 1 of the GDPR, according to which it must be effective, proportionate and deterrent in each individual case.

The complaint was therefore upheld to the extent stated and the fine reduced to EUR 500,000.00.

Based on the cited case law of the ECJ C-807/21, according to which it is not necessary to identify a specific person in a management position who committed the culpable conduct, it can be assumed that paragraphs 1 and 2 of Section 30 DSG are no longer applicable and that the culpable conduct of the managing directors does not have to be mentioned in the verdict of the penal decision of the authority concerned (see also VwGH 01.02.2024, Ra 2020/04/0187-20, para. 28, according to which the "requirement derived from national law (the VStG) that in order to impose a fine on a legal person under the GDPR, all necessary elements for punishing the natural person must be included in the verdict of the penal decision should have remained unapplied [...]"). Based on the cited case law of the ECJ C-807/21, according to which it is not necessary to identify a specific person in a management position who committed the culpable conduct, it can be assumed that paragraphs one and two of Section 30, DSG are no longer applicable and that the culpable conduct of the managing directors does not have to be mentioned in the verdict of the penal decision of the authority concerned (see also VwGH 01.02.2024, Ra 2020/04/0187-20, para. 28, according to which the "requirement derived from national law (the VStG) that in order to impose a fine on a legal person under the GDPR, all necessary elements for punishing the natural person must be included in the verdict of the penal decision should have remained unapplied [...]").

The verdict of the contested penal decision therefore had to be amended accordingly in this respect and also with regard to the removal of verdict point I without replacement.The verdict of the contested penal decision therefore had to be amended accordingly in this respect and also with regard to the removal of verdict point Roman one without replacement.

The case law of the Administrative Court of Justice on Section 44a of the Criminal Procedure Act, which was cited by the complainant, according to which the deletion of a natural person from the verdict of a criminal decision in cases in which the responsibility of a legal person is inseparably linked to these natural persons results in an inadmissible change to the charge, was no longer relevant in view of the supreme court requirements set out.The case law of the Administrative Court of Justice on Section 44a of the Criminal Procedure Act, which was cited by the complainant, according to which the deletion of a natural person from the verdict of a criminal decision in cases in which the responsibility of a legal person is inseparably linked to these natural persons results in an inadmissible change to the charge, was no longer relevant in view of the supreme court requirements set out.

on the costs of the administrative penal proceedings and the appeal proceedings:

According to Section 64 Paragraph 1 of the Administrative Penalty Act, the penal decision must state that the person punished must make a contribution to the costs of the criminal proceedings. According to Section 64 Paragraph 2 of the Administrative Penalty Act, this contribution for the first instance proceedings is to be calculated at 10% of the penalty imposed, but at least 10 euros. The contribution to the costs had to be reduced to 50,000.00 euros due to the penalty now imposed.According to Paragraph 64, Paragraph 1 of the Administrative Penalty Act, the penal decision must state that the person punished must make a contribution to the costs of the criminal proceedings. According to Paragraph 64, Paragraph 2 of the Administrative Penalty Act, this contribution for the first instance proceedings is to be calculated at 10% of the penalty imposed, but at least 10 euros. The contribution to the costs had to be reduced to EUR 50,000.00 due to the penalty now imposed.

As the complaint was thus partially upheld, the complainant was not required to pay any costs of the appeal proceedings (Section 52, Paragraph 1 and Paragraph 2 of the Administrative Court Act). As the complaint was thus partially upheld, the complainant was not required to pay any costs of the appeal proceedings (Section 52, Paragraph 1 and Paragraph 2 of the Administrative Court Act).

Insofar as the complainant states in this context that the imposition of a fine is - as follows from Art. 84 GDPR - conclusively regulated in Art. 83 GDPR and that there is therefore no scope for Section 64 VStG, she fails to recognize that the costs imposed on the basis of Section 64 VStG are not to be understood as a sanction, but - as the ECJ has already stated in its judgment of 14 October 2021, case C-231/20, MT, et al. - as a contribution to the procedural costs. Specifically, in this judgment on Section 64 VStG, the ECJ stated that, according to the case-law of the Court of Justice, court fees generally contribute to the proper functioning of the judicial system, since they represent a source of funding for the judicial activities of the Member States (para. 56). The imposition of a contribution towards the costs of the proceedings amounting to 10% of the fine imposed does not ‘in itself infringe the principle of proportionality’ (paragraph 56), but it is for the national court ‘to ensure that such a contribution towards the costs, since it is imposed on the basis of a percentage of the amount of the fine imposed, is neither excessive in relation to the actual costs of such proceedings nor infringed the right of access to justice enshrined in Article 47 of the Charter’ (paragraph 57). Insofar as the complainant states in this context that the imposition of a fine is - as follows from Article 84, GDPR - conclusively regulated in Article 83, GDPR and that there is therefore no scope for Section 64, VStG, she fails to recognise that the costs imposed on the basis of Section 64, VStG are not to be understood as a sanction but - as the ECJ has already stated in its judgment of October 14, 2021, case C-231/20, MT, et al. - as a contribution to the costs of the proceedings. Specifically, in this judgment on Section 64, VStG, the ECJ stated that, according to the case-law of the Court of Justice, court fees generally contribute to the proper functioning of the judicial system, since they represent a source of financing for the judicial activities of the Member States (para. 56). The imposition of a contribution towards the costs of the proceedings of 10% of the fine imposed does not "in itself violate the principle of proportionality" (para. 56), but it is for the national court "to ensure that such a contribution towards the costs, since it is imposed on the basis of a percentage of the amount of the fine imposed, is neither excessive in relation to the actual costs of such proceedings nor infringed the right of access to justice enshrined in Article 47 of the Charter" (para. 57).

In this respect, the Administrative Court also ruled in its decision of December 10, 2021, Ra 2020/17/0013, based on the judgment of the ECJ of October 14, 2021, MT, C-231/20, that, among other things, the legal basis for the prescription of a contribution to the costs of criminal proceedings pursuant to Section 64 (2) of the Criminal Proceedings Act is fundamentally compatible with Union law. It is not apparent that there are circumstances in the present case that - as set out in the judgment of the ECJ - would have to lead to a different assessment, and this was not demonstrated by the complainant either. In this respect, the Administrative Court also ruled in its ruling of December 10, 2021, Ra 2020/17/0013, based on the ECJ ruling of October 14, 2021, MT, C-231/20, that, among other things, the legal basis for the imposition of a contribution to the costs of criminal proceedings pursuant to Section 64, Paragraph 2, VStG is fundamentally compatible with Union law. It is not apparent that there are circumstances in the present case that - as set out in the ECJ ruling - would have to lead to a different assessment, and this was not demonstrated by the complainant.

It was therefore necessary to decide in accordance with the ruling.

Payment information

You must pay the total amount of EUR 550,000.00 (fine, costs of the administrative procedure) within two weeks into the account of the Federal Administrative Court (BVwG) with the IBAN AT840100000005010167 (BIC BUNDATWW), stating the procedure number, free of charge for the recipient. In the event of default, it must be expected that the amount will be collected by force after a reminder has been issued.

Regarding B) Admissibility of the appeal:

According to Section 25a Paragraph 1 VwGG, the administrative court must state in its ruling or decision whether the appeal is admissible in accordance with Article 133 Paragraph 4 B-VG. The ruling must be briefly justified. The appeal is admissible in accordance with Article 133 Paragraph 4 B-VG because the decision depends on the solution of a legal question that is of fundamental importance. There is a lack of case law from the Administrative Court on Art. 7 GDPR, in particular on paragraph 2 thereof, also in light of the specification requirements of Sections 32 paragraph 2 and 44 a VStG. There is also a lack of case law from the Administrative Court on excusable errors of prohibition within the scope of application of the GDPR. According to Paragraph 25 a, Paragraph 1, VwGG, the administrative court must state in its ruling or order whether the appeal is admissible in accordance with Article 133, Paragraph 4, B-VG. The ruling must be briefly justified. The appeal is admissible in accordance with Article 133, Paragraph 4, B-VG because the decision depends on the solution of a legal question that is of fundamental importance. There is a lack of case law from the Administrative Court on Article 7 GDPR, in particular on paragraph 2 thereof, also in light of the specification requirements of Paragraphs 32 paragraph 2 and 44 a VStG. There is also a lack of case law from the Administrative Court on excusable errors of law within the scope of the GDPR.

It was therefore necessary to declare that the appeal was admissible in accordance with Article 133, Paragraph 4, B-VG.It was therefore necessary to declare that the appeal was admissible in accordance with Article 133, Paragraph 4, B-VG.