
Unser Ö-Bonus Club GmbH: Insufficient legal basis for data processing

€500,000 fine - Austrian Data Protection Authority (dsb)


Content

The Austrian DPA has imposed a fine of EUR 2,000,000 on Rewe affiliate Ö-Bonus Club GmbH. When signing up for the customer loyalty program jö Bonus Club, the controller is said to have failed to properly explain that customers' data and shopping behavior are used to create individual profiles, and that the information is also passed on to partner companies. According to the GDPR, the clarification must be easily accessible and in simple language.

The controller, however, had designed the online registration for the jö Bonus Club in such a way that the clarification about profiling could only be found after scrolling down. The consent was placed higher up, so in all cases the consents were obtained before the clarification. On the physical flyers, in turn, the signature box placed at the bottom of the form appeared as if it were a confirmation of enrollment in the club, even though it constituted consent to profiling as well.

The DPA concluded that the controller breached its duty to obtain consent in an understandable and easily accessible form, in clear and simple language. Accordingly, it deemed the consents to be invalid and the profiling carried out on their basis to be unlawful.

UPDATE: The controller appealed the decision to the Austrian Federal Administrative Court, which reduced the original fine of EUR 2,000,000 to a total sum of EUR 500,000.

GDPR Articles: Art. 6 GDPR, Art. 7 GDPR, Art. 12 GDPR
Industry: Industry and Commerce