Menu Close

IAB Europe fined 250,000 euros after GDPR breach

In this week’s issue of In Perspective, Samad Miah, Data Protection Consultant at Xcina Consulting, looks at recent cases in Europe relating to the lawfulness of processing, a decision by the Belgian Data Protection Authority relating to the Transparency and Consent Framework used by much of the advertising industry in the EU and findings from an audit completed by the UK’s Information Commissioner’s Office on Greater Manchester Police.

Learn the details of these and other key emerging themes as events unfold. Follow our round-up of latest stories and find out what the latest developments mean for you.  Our weekly review below helps you decide.

What happened

  • IAB Europe was fined €250,000 by the Belgian Data Protection Authority (DPA). It found that its Transparency and Consent Framework (TCF), which is widely used in the advertising industry in the EU, does not comply with the EU GDPR.

  • The DPA found that by processing data under the TCF, which facilitates the management of users’ preferences for online advertising, IAB Europe acts as a data controller and is liable for potential violations of the GDPR.

  • In addition, IAB Europe was found to lack a legal basis for processing and failed to appoint a data protection officer, conduct a data protection impact assessment, or maintain a register of processing activities.

Why it matters

  • IAB Europe has also been ordered to permanently delete personal data already recorded in the TCF system from all its IT systems, files, and data carriers, as well as from those of processors contracted by IAB Europe.

  • IAB Europe rejects the Belgian DPA’s finding that it is a data controller in the context of TCF, noting that it is wrong in law and will have major negative consequences far beyond the digital advertising industry.

  • In addition to considering all options for a legal challenge, the organisation anticipates working with the authority on an action plan going forward.

What happened

  • A data subject in Austria gave their phone number to a data controller, Austrian Post Plc, and stated that they did not wish for it to be shared with a third party.

  • However, the data subject was later contacted by a market research institute on two occasions. The market research institute was acting as a data processor on behalf of the data controller.

  • In a complaint filed with the Austrian Data Protection Authority, the data subject argued that the transfer of his data (name and phone number) to the processor was illegitimate because they had already refused consent for any form of data sharing.

  • The Austrian Data Protection Authority dismissed the complaint.

Why it matters

  • The Federal Administrative Court in Austria upheld the decision of the Austrian Data Protection Authority.

  • According to the court, the processor is to be regarded as an extension of the controller.

  • The controller is therefore free to assign a processor to the processing of data if it is in compliance with Article 6 of the EU GDPR.

  • As a result, the transmission of data from the controller to the processor itself does not need to be justified under Article 6 of the EU GDPR

What happened

  • Coolblue is a company that sells electronic products. The data subject in this case was employed at Coolblue between 2017 and 2020. During that time, and with data the subject’s permission, Coolblue took photographs of the data subject in the context of promotion and marketing. Pictures of the data subject were displayed on Coolblue vans and the company’s YouTube channel.

  • After the termination of their contract with Coolblue, the data subject claimed that the business should have requested for the their consent for the use of the promotional material, since it contained their personal data.

  • According to the data subject, Coolblue had no legal basis to process their personal data, since their data subject revoked their consent pursuant to Article 7(3) EU GDPR.

Why it matters

  • The Rotterdam Court of First Instance considered that Coolblue could process a data subject’s personal data pursuant to Article 6(1)(f) EU GDPR, because their legitimate interest overrides the fundamental rights and freedoms of the data subject.

  • The Court stated that although Coolblue could not rely on the data subject’s consent, it could rely on Article 6(1)(f) GDPR.

  • The Court noted that Coolblue had a commercial interest, that this interest is legitimate, and that the costs for Coolblue would be unreasonably high, and the impact on their business significant, if the photograph of the data subject could no longer be used.

One more thing…

The Information Commissioner’s Office in the UK has published its audit report of the Greater Manchester Police. The summary of its findings can be found here. Key takeaways include the need for the organisation to improve its compliance in training and awareness, information security and governance and accountability.


Stay in control of your inbox

Register your details to receive our featured insights,
news and analysis covered ‘In Perspective’ from our
Data Protection team.

Stay up to date and discover how the requirements impact your business. 



Samad Miah

Data Protection Consultant

Speak to me directly by Email, or
Telephone:+44 (0)20 3745 7843 


Samad has a strong track record in data protection, both as an industry practitioner and as a consultant, helping organisations successfully address their obligations towards the Information Commissioner’s Office and other regulatory bodies.

To discuss how the above or other data protection requirements impact your business, feel free to get in touch with our team. We provide our clients with pragmatic advice and support to help them achieve a robust and defensible position.