A recent decision by the Austrian Data Protection Authority (DPA) has underlined the fact parent companies are ultimately responsible for how their subsidiaries manage people’s data, even if the offshoot entity operates entirely on its own.
Austrian food retailer REWE International this month was fined 8 million euros (U.S. $9 million) under the General Data Protection Regulation (GDPR) after its customer loyalty and rewards program, jö Bonus Club, allegedly collected users’ data without their consent and used it for marketing purposes.
