A recent decision by the Austrian Data Protection Authority (DPA) has underlined the fact parent companies are ultimately responsible for how their subsidiaries manage people’s data, even if the offshoot entity operates entirely on its own.

Austrian food retailer REWE International this month was fined 8 million euros (U.S. $9 million) under the General Data Protection Regulation (GDPR) after its customer loyalty and rewards program, jö Bonus Club, allegedly collected users’ data without their consent and used it for marketing purposes.

REWE, which aims to challenge the decision, said jö Bonus Club operates independently as a separate subsidiary, Unser Ö-Bonus Club, so it—rather than the parent—should have been fined. In addition, because jö has not passed on any customer data to the parent company, REWE should not be held liable for misusing customer data, the company contended.

In a statement, REWE said it “cannot understand this action” by the Austrian DPA, adding that “because REWE does not intervene in the operational business of jö, and has not done so to date, it therefore cannot bear any responsibility for [its] data processing activities.”

This is not the first time jö Bonus Club has run afoul of the GDPR. Last August, it was fined €2 million (then-U.S. $2.4 million) for profiling millions of bonus club members’ data without consent and selling it to third parties.

“The GDPR requires fines to be ‘effective, proportionate, and dissuasive,’ so to comply with this, the regulator needed to impose the fine on the parent company. The subsidiary had received a fine previously, but clearly it was not enough to stop the infringing activity, meaning wider action needed to be taken.”

Kim Walker, Partner and Data Protection Specialist, Shakespeare Martineau

Legal experts doubt REWE’s chances of a successful appeal regarding this month’s penalty. They say the size of the fine indicates the gravity of the data abuse and the lack of effort to ensure compliance.

Chris Stanton, partner and head of professional risks at law firm Keoghs, believes the key issue is whether REWE was, or became, a controller of data held by the subsidiary. He warned that under Article 4 of the GDPR, a controller is “widely defined” and will catch the parent company of most organizations and group structures.

James Castro-Edwards, data protection and cybersecurity lawyer at law firm Arnold & Porter, said under European case law, a parent company may be liable for the activities of a subsidiary if it exercises a “decisive influence”—for instance, if it holds a 100 percent stake.

“For REWE to be liable for the activities of Unser Ö-Bonus Club, a court would need to be satisfied it was actually able to influence its subsidiary to act in a particular way. Either way, group companies should be aware the parent may attract liability for a subsidiary’s failure to comply with the GDPR,” said Castro-Edwards.

Jowanna Conboye, data protection and intellectual property partner at law firm Spencer West, said the principles of this case are very pertinent to many U.K. and European businesses, particularly those with group structures where “it is not unusual for the right hand not to know what the left hand is doing.”

“When it comes to liability and fines, the GDPR looks at ‘undertakings’—an established principle enshrined in competition law that looks at finances and control—and often ignores the distinction between different group companies,” she said. “It will therefore be very hard for a parent company like REWE to argue it is not liable for GDPR breaches by a subsidiary company.”

Kim Walker, partner and data protection specialist at law firm Shakespeare Martineau, suggested the size of the penalty might be because the Austrian DPA “felt REWE turned a blind eye to what its subsidiary was doing or neglected to control the way it carried out its business.”

“The GDPR requires fines to be ‘effective, proportionate, and dissuasive,’ so to comply with this, the regulator needed to impose the fine on the parent company,” said Walker. “The subsidiary had received a fine previously, but clearly it was not enough to stop the infringing activity, meaning wider action needed to be taken.”

Added Walker: “Parent companies should be aware they cannot wash their hands of the unlawful activities of subsidiaries if the supervisory authority feels the parent has neglected to monitor and control their use of data. As a result, parent companies should ensure data protection compliance applies group-wide to avoid any nasty surprises.”