DSB (Austria) - D130.1178 2023-0.631.894

From GDPRhub
DSB - D130.1178 2023-0.631.894 ; DSB-D130.1174
Authority: DSB (Austria)
Jurisdiction: Austria
Relevant Law: Article 7(3) GDPR
Article 17 GDPR
Article 19 GDPR
Type: Complaint
Outcome: Partly Upheld
Started: 09.08.2022
Decided: 19.09.2023
Fine: n/a
Parties: Hearst Magazine Media, Inc.
National Case Number/Name: D130.1178 2023-0.631.894 ; DSB-D130.1174
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): German
Original Source: DSB (in DE)
Initial Contributor: co

The Austrian DPA ordered a controller to bring its cookie banner into compliance with Article 7 GDPR and to inform third party providers of the deletion of personal data of the complainant pursuant to Article 19 GDPR.

English Summary


Upon visiting Hearst Magazine Media, Inc.’s (the controller) website https://www.elle.com/, on 24 September 2021, a complainant accepted cookies via a cookie banner showing only the options: “accept” or “learn more”. The complainant then found that unique random numbers allowing to identify him had been saved on the controller’s server and were then transmitted to the servers of third party providers as Google and TheTradeDesk.

On 9 August 2022, the complainant, represented by noyb - European Centre for Digital Rights, filed a complaint with the Austrian DPA against the controller. The complainant claimed that the cookie banner displayed on the controller’s website was not compliant with the GDPR, and sought to obtain deletion of his data from the operator’s website by virtue of Article 17 GDPR as well as from the servers of the third party providers. In relation to this, the complainant holds that the controller failed to inform the third party providers about his request of deletion of his data, in conformity with Article 19 GDPR.

In the meantime, the controller changed its cookie-banner so that a “decline” option was visible.


First, the Austrian DPA found the format of the cookie-banner shown on the website operated by the controller on 24 September 2021 to be in violation of the GDPR since there was no “decline” option, which infringes Article 7(3) GDPR. Accordingly, the DPA held that there was no unambiguous consent that fits the definition of Article 4(11) GDPR, which makes the processing activities unlawful. On this basis, the DPA held that the complainant rightfully requested the deletion of his personal data in accordance with Article 17(1)(d) GDPR, as the processing of his personal data was unlawful, which also obliges the controller to notify the erasure of personal data to the third party providers unless this proves impossible, in line with Article 19 GDPR. In relation to this, however, the Austrian DPA held that since the data of the complainant had already been deleted at the time of the decision, an order to delete the complainant’s personal data as per Article 17 GDPR could not be issued. Still, the DPA found that the controller did not comply with its obligation under Article 19 GDPR to inform the third party providers about the deletion of the complainant’s personal data, nor did it bring any reasons for not being able to do so. Accordingly, the DPA ordered the controller to inform the recipients of the complainant’s personal data (in particular Google and TheTradeDesk) about the deletion of the data relating to him pursuant to Article 19 GDPR.

Secondly, the complainant sought, in his complaint, to obtain an order from the DPA that the controller stop processing his personal data. In this regard, the DPA held that since there was, at the moment of the decision, no ongoing unlawful processing of personal data relating to him or her, the DPA could not order the controller to stop processing. In the DPA’s view, it can be inferred from the wording of Article 77(1) GDPR and from Article 58(2)(d) GDPR that national DPAs only have competence to take action with respect to GDPR violations that are ongoing and this may not extend to past nor to future unlawful processing activities. In this respect, the DPA partially dismissed the complaint.

Thirdly, with respect to the current version of the cookie banner displayed on the controller’s website, the DPA held that since the “decline” option is visually different from the “accept” option in colour and format, this does not constitute the basis for a lawful consent under Article 4(11) GDPR. Further the DPA held that there appears to be no clear indication on how to withdraw one’s consent as it is only to be found at the end of the webpage under “cookie choices”. Lastly, the controller wrongly categorised analytics cookies as strictly necessary ones. Accordingly, the DPA ordered the controller to adapt its cookie banner so that it complies with the GDPR within 8 weeks from the decision.


Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

File history
Click on a date/time to view the file as it appeared at that time.
current16:26, 26 September 2023 (878 KB)Co (talk | contribs)
You cannot overwrite this file.File usage
There are no pages that use this file.