DSB (Austria) - D130.1170: Difference between revisions

From GDPRhub
No edit summary
No edit summary
Line 70: Line 70:


=== Facts ===
=== Facts ===
On 22 October 2021, the complainant, represented in the proceedings by ''noyb'' – European Centre for Digital Rights, visited a website operated by the American company Briggs & Stratton LLC (the controller).  
On 22 October 2021, a data subject visited a website operated by the American company Briggs & Stratton LLC (the controller) and accepted cookies via a cookie banner showing only the options “cookie settings” or “accept all cookies”. As a consequence, unique IDs that allow for identification of the data subject had been saved on the controller’s server and were then transmitted to the servers of third party providers, including Amazon, Google and Microsoft. The complainant held the cookie banner to be unlawful and requested the controller to stop processing and delete all his personal data and to inform the third party providers thereof. However, the controller never provided information regarding the erasure of the personal data apart from stating that it does not save any data on its own servers, but it makes use of Adobe Analytics. The controller also failed to provide an answer on whether third party providers had been informed about the complainant's request for erasure of his personal data.  


Upon opening the website, a cookie banner popped up showing only the options “cookie settings” or “accept all cookies”. The complainant held the cookie banner to be unlawful and requested the controller to stop processing and delete all his personal data. The controller never provided information regarding the erasure of the personal data apart from stating that it does not save any data on its own servers, but it makes use of Adobe Analytics. The controller never answered to the question whether third party providers had been informed about the complainant's request for erasure of his personal data either.
The data subject, represented in the proceedings by ''noyb'' – European Centre for Digital Rights, thus filed a complaint with the Austrian DPA to have his right to erasure according to [[Article 17 GDPR]] enforced, as well as to order the controller to suspend all processing activities of his personal data and to inform third party providers of the erasure of the personal data transmitted to them by virtue of [[Article 19 GDPR]].   
 
The data subject thus filed a complaint with the Austrian DPA to have his right to erasure according to [[Article 17 GDPR]] enforced, as well as to order the controller to suspend all processing activities of his personal data and informing the third party providers of the erasure of the personal data transmitted to them by virtue of [[Article 19 GDPR]].   


In the meantime, the controller adjusted the cookie banner displayed on its website, however, the complainant claimed that it still failed to meet GDPR requirements as it proved more burdensome to withdraw one’s consent than to grant it.
In the meantime, the controller adjusted the cookie banner displayed on its website, however, the complainant claimed that it still failed to meet GDPR requirements as it proved more burdensome to withdraw one’s consent than to grant it.
Line 83: Line 81:
On this basis, the DPA declared the processing of personal data of the complainant by the controller to be unlawful and it ordered the controller to delete his personal data (id and id-number) by virtue of [[Article 17 GDPR]] and to communicate this to the third party providers to whom this data had been disclosed upon visiting the controller’s website (in particular Amazon, Google, Microsoft and Adobe), according to [[Article 19 GDPR]], within 4 weeks from adoption of this decision. In this, the DPA held that it is irrelevant whether the controller saves the personal data relating to the complainant on its own servers or on an external server such as Adobe Analytics.  
On this basis, the DPA declared the processing of personal data of the complainant by the controller to be unlawful and it ordered the controller to delete his personal data (id and id-number) by virtue of [[Article 17 GDPR]] and to communicate this to the third party providers to whom this data had been disclosed upon visiting the controller’s website (in particular Amazon, Google, Microsoft and Adobe), according to [[Article 19 GDPR]], within 4 weeks from adoption of this decision. In this, the DPA held that it is irrelevant whether the controller saves the personal data relating to the complainant on its own servers or on an external server such as Adobe Analytics.  


With respect to the current cookie banner showing on the controller’s webpage, the DPA held that the fact it still takes more steps to withdraw than to give one’s consent to the cookie settings constitutes a violation of [[Article 7 GDPR#3|Article 7(3) GDPR]]. In light of this, the DPA ordered the controller to adapt the cookie banner displayed on its website so that it complies with the GDPR requirements within 8 weeks from the decision.
With respect to the current cookie banner showing on the controller’s webpage, the DPA held that the fact that it still takes more steps to withdraw than to give one’s consent to the cookie settings constitutes a violation of [[Article 7 GDPR#3|Article 7(3) GDPR]]. In light of this, the DPA ordered the controller to adapt the cookie banner displayed on its website so that it complies with GDPR requirements within 8 weeks from the decision.


== Comment ==
== Comment ==

Revision as of 08:55, 27 September 2023

DSB - D130.1170
LogoAT.png
Authority: DSB (Austria)
Jurisdiction: Austria
Relevant Law: Article 7(3) GDPR
Article 17 GDPR
Article 19 GDPR
Type: Complaint
Outcome: Partly Upheld
Started: 09.08.2022
Decided: 19.09.2023
Published:
Fine: n/a
Parties: Briggs & Stratton LLC
National Case Number/Name: D130.1170
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): German
Original Source: DSB (in DE)
Initial Contributor: co

The Austrian DPA ordered a controller to erase the personal data of a data subject processed upon accepting a cookie via a banner in violation of the GDPR and to inform third party providers of the erasure according to Article 17 GDPR and Article 19 GDPR.

English Summary

Facts

On 22 October 2021, a data subject visited a website operated by the American company Briggs & Stratton LLC (the controller) and accepted cookies via a cookie banner showing only the options “cookie settings” or “accept all cookies”. As a consequence, unique IDs that allow for identification of the data subject had been saved on the controller’s server and were then transmitted to the servers of third party providers, including Amazon, Google and Microsoft. The complainant held the cookie banner to be unlawful and requested the controller to stop processing and delete all his personal data and to inform the third party providers thereof. However, the controller never provided information regarding the erasure of the personal data apart from stating that it does not save any data on its own servers, but it makes use of Adobe Analytics. The controller also failed to provide an answer on whether third party providers had been informed about the complainant's request for erasure of his personal data.

The data subject, represented in the proceedings by noyb – European Centre for Digital Rights, thus filed a complaint with the Austrian DPA to have his right to erasure according to Article 17 GDPR enforced, as well as to order the controller to suspend all processing activities of his personal data and to inform third party providers of the erasure of the personal data transmitted to them by virtue of Article 19 GDPR.

In the meantime, the controller adjusted the cookie banner displayed on its website, however, the complainant claimed that it still failed to meet GDPR requirements as it proved more burdensome to withdraw one’s consent than to grant it.

Holding

As regards the cookie banner displayed on the controller’s website on 22 October 2021, the Austrian DPA held that given the absence of a “reject” option that cookie banner constituted a violation of Article 7(3) GDPR and it also failed to comply with the requirements set out in Article 5(1)(a) GDPR and Article 25(1) GDPR. Accordingly, the DPA held that there could be no valid consent according to Article 7 GDPR and Article 4(11) GDPR.

On this basis, the DPA declared the processing of personal data of the complainant by the controller to be unlawful and it ordered the controller to delete his personal data (id and id-number) by virtue of Article 17 GDPR and to communicate this to the third party providers to whom this data had been disclosed upon visiting the controller’s website (in particular Amazon, Google, Microsoft and Adobe), according to Article 19 GDPR, within 4 weeks from adoption of this decision. In this, the DPA held that it is irrelevant whether the controller saves the personal data relating to the complainant on its own servers or on an external server such as Adobe Analytics.

With respect to the current cookie banner showing on the controller’s webpage, the DPA held that the fact that it still takes more steps to withdraw than to give one’s consent to the cookie settings constitutes a violation of Article 7(3) GDPR. In light of this, the DPA ordered the controller to adapt the cookie banner displayed on its website so that it complies with GDPR requirements within 8 weeks from the decision.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

File history
Click on a date/time to view the file as it appeared at that time.
Date/TimeDimensionsUserComment
current15:28, 26 September 2023 (849 KB)Co (talk | contribs)
You cannot overwrite this file.File usage
There are no pages that use this file.