Swiss hotel booking platform violates GDPR information obligation in Austria
In a decision dated 22nd August 2019, the Austrian data protection authority obliged an online hotel booking platform based in Switzerland to comply with the GDPR information obligation. The Swiss company had only incompletely fulfilled its information obligations and had also failed to appoint an EU representative. In this case, the Austrian data protection authority considered the GDPR to be applicable on the basis of a so-called offer orientation.
The complaint was submitted to the Austrian data protection authority by an Austrian lawyer. On the booking platform, the lawyer had initially requested an offer for a holiday trip using a contact form. He rejected the offer received, but the platform subsequently sent him an unsolicited e-mail inviting him to receive a newsletter, which drew the lawyer’s attention to the lack of compliance with the information duties. He then filed a complaint. On that basis, the Austrian data protection authority obliged the Swiss company to provide the information to the complainant after the fact and to complete the information in its data protection declaration within four weeks.
- Applicability of the GDPR and appointment of an EU representative
In its decision of August 2019, the Austrian data protection authority first commented on the territorial scope of the GDPR and on the obligation to appoint an EU representative.
The territorial scope of the GDPR is triggered in particular if there is a so-called offer orientation towards the EU. Accordingly, the GDPR is applicable if a company not established in the EU directs its range of goods or services at persons in the EU and processes their personal data (Art. 3 (2) GDPR). In the present case, the Austrian data protection authority affirmed the territorial applicability of the GDPR because it established, on the basis of various indications, that the Swiss hotel booking platform was orienting its offers towards persons in the EU. Decisive indications for this assessment were the use of an Austrian top-level domain (.at) and the language of the website (German), as well as the possibility for EU residents to receive offers in a newsletter.
If the GDPR applies territorially on the basis of an offer orientation, the provider concerned is obliged to appoint a representative in the EU (Art. 27 (1) and (3) GDPR). This representative serves as a contact point in the EU for the supervisory authorities and the persons concerned regarding questions relating to compliance with the GDPR or the exercise of the rights of data subjects. However, this does not imply a transfer of responsibility under data protection law. Because the respondent had failed to appoint a representative in the EU, the Austrian data protection authority asked the respondent to designate such a representative. The respondent complied with this request, albeit with a delay.
- Access to information
A controller who processes personal data has a duty to provide information before the processing activity begins (Art. 13 and 14 GDPR). He is therefore obliged to provide the comprehensive information required by the GDPR, such as the contact details of the controller, the processing purposes or the recipients of the data.
The respondent would therefore have been obliged to make available the information required under the GDPR. The Austrian data protection authority stated in this regard that “easy access” to the information is required. In the case of a website intended for the public, this prerequisite is fulfilled if the information is made available in electronic form. Proactively transmitting the information under Art. 13 GDPR by e-mail to a data subject at the time of the data collection is therefore not required (at least in an online context), provided that the condition of “easy accessibility” is fulfilled.
- Significance for Swiss companies
The present proceedings were the first (published) proceedings ever conducted against a Swiss company on the basis of the GDPR. They confirm that Swiss companies can relatively quickly fall within the scope of the GDPR and that a (broadly understood) offer orientation towards persons in the EU is sufficient: the decisive question is whether a company expresses its intention to offer goods and services also to persons located in the EU.