A recent decision by the Austrian Data Protection Authority (DPA) has underlined the fact parent companies are ultimately responsible for how their subsidiaries manage people’s data, even if the offshoot entity operates entirely on its own.
Austrian food retailer REWE International this month was fined 8 million euros (U.S. $9 million) under the General Data Protection Regulation (GDPR) after its customer loyalty and rewards program, jö Bonus Club, allegedly collected users’ data without their consent and used it for marketing purposes.
REWE, which aims to challenge the decision, said jö Bonus Club operates independently as a separate subsidiary, Unser Ö-Bonus Club, so it—rather than the parent—should have been fined. In addition, because jö has not passed on any customer data to the parent company, REWE should not be held liable for misusing customer data, the company contended.
In a statement, REWE said it “cannot understand this action” by the Austrian DPA, adding that “because REWE does not intervene in the operational business of jö, and has not done so to date, it therefore cannot bear any responsibility for [its] data processing activities.”
This is not the first time jö Bonus Club has run afoul of the GDPR. Last August, it was fined €2 million (then-U.S. $2.4 million) for profiling millions of bonus club members’ data without consent and selling it to third parties.
Legal experts doubt REWE’s chances of a successful appeal regarding this month’s penalty. They say the size of the fine indicates the gravity of the data abuse and the lack of effort to ensure compliance.
Chris Stanton, partner and head of professional risks at law firm Keoghs, believes the key issue is whether REWE was, or became, a controller of data held by the subsidiary. He warned that under Article 4 of the GDPR, a controller is “widely defined” and will catch the parent company of most organizations and group structures.
James Castro-Edwards, data protection and cybersecurity lawyer at law firm Arnold & Porter, said under European case law, a parent company may be liable for the activities of a subsidiary if it exercises a “decisive influence”—for instance, if it holds a 100 percent stake.
“For REWE to be liable…
