A Vienna based company incurred a GDPR fine of €2 million for the unlawful collection and processing of user data.
A GDPR fine of €2 million was recently imposed on the Vienna based loyalty program operator, Unser Ö-Bonus Club GmbH, for unlawfully processing user data. The company was accused of collecting user data without making the users sufficiently informed of the intended use of their data. Data subjects whose personal data is processed, must be specifically informed of the intended use of their data and be allowed to opt out of the arrangement if they choose to do so. However, businesses that allow users to accept their privacy policy without giving them adequate opportunity to fully read and understand the terms are liable to be fined, according to this latest decision by the Austrian Data Protection Authority. It should also be noted that data subjects should be asked whether they have read and understood the Privacy Policy rather than prompting them to ‘accept’ it, as the latter should be applicable only where the lawful basis for processing is consent.
While the company provided users with a privacy policy, it was considered improperly placed, and therefore unable to adequately inform users.
Unser Ö-Bonus Club GmbH was found to have provided a form for registration for their service which collected user data, and created profiles for users using this data. The data was then passed on to advertising partners for marketing purposes. While the company provided new users with a privacy policy, it was found to have been improperly placed, at the point where a user is issuing consent when signing up for their service. Users who were signing up would have had to scroll past the option for clicking yes or no to give their consent, down to the privacy policy. Their format was therefore not seen as appropriately able to inform users of the terms of usage of their data.
The Vienna based company was found to have violated several GDPR guidelines.
Unser Ö-Bonus Club GmbH was found to have violated a number of guidelines, including unlawful user data collection, insufficient acquisition of consent, unlawfully processing personal data for profiling consumers, and continuation of violation after admission. The violations concern Articles 6, 7, 12, and 13 of the GDPR. According to the GDPR, businesses processing personal data can do so only if the processing and its purposes are legal. Also, companies collecting personal data after consent should be able to demonstrate – whenever required – that they have obtained consent for the specific purposes for which the data was collected. GDPR further requires that notice of collection should be given at the data collection point and that nothing should be hidden from the users with regards to their data.
The company incurred a heavier fine because it continued to use unlawfully collected data after admittance to the violations.
After the company admitted to the violations during the investigation, they continued to handle the data which was unlawfully collected. Although the company amended the form, it continued to unlawfully use the collected personal data, from the previous form, which was deemed inadequate. The company blamed the Austrian Data Protection Authority for not informing them that their continued use of that data was deemed unethical and unlawful. However, the Authority concluded that an additional fine would be applied for that violation as well, bringing the total fine to €2 million.
