Unlawful declaration of consent – data protection supervisory authority imposes a fine of 2 million euros

The fine affected jö Bonus Club GmbH. jö Bonus Club GmbH operates a loyalty card program for REWE customers. In order to be able to provide customers with discounts and offers as precisely as possible, jö Bonus Club GmbH evaluates information from the customers’ purchasing behavior as part of a profiling process.

The jö Bonus Club bases this profiling on the data protection consent of the members pursuant to Art. 6 (1) a DSGVO. Due to the particularly high risk that profiling poses to data subjects, this is also the correct legal basis in principle.

The supervisory authority saw the violation of the requirements of the GDPR in the design of the declaration of consent. For example, in the online declaration of consent, the required information was not directly visible to the data subjects, but was only accessible after scrolling on the homepage. The design of the declaration of consent in paper form also ensured that it was not apparent to the data subjects that they had given their consent to profiling.

According to the data protection supervisory authority, these objectionable consent forms were in use in the period between May 2019 and March 2020.

The requirements of the General Data Protection Regulation do not end with the selection of the correct legal basis. Rather, the highest attention must be paid to transparent design, especially in the case of consent under data protection law. Even small details in the layout can prevent comprehensive information of the data subjects and result in a fine by the data protection supervisory authorities.

We will be happy to support you in all matters relating to data protection in your company. Simply contact us via our contact form.

Want to learn more about the GDPR fine? Use our GDPR fine calculator, read more interesting blog articles and watch our videos.