Unlawful declaration of consent – data protection supervisory authority imposes a fine of 2 million euros

by Jan

The General Data Protection Regulation sets out a whole series of conditions that an effective declaration of consent under Art. 6(1)(a) and Art. 7 GDPR must meet. That these requirements must also be observed in practice is now shown by the fine of 2 million euros imposed by the Austrian data protection supervisory authority.

What happened?

The fine affected jö Bonus Club GmbH. jö Bonus Club GmbH operates a loyalty card program for REWE customers. In order to be able to provide customers with discounts and offers as precisely as possible, jö Bonus Club GmbH evaluates information from the customers’ purchasing behavior as part of a profiling process.

What is jö Bonus Club GmbH accused of?

The jö Bonus Club bases this profiling on the data protection consent of its members pursuant to Art. 6(1)(a) GDPR. Due to the particularly high risk that profiling poses to data subjects, this is also the correct legal basis in principle.

The supervisory authority found that the design of the declaration of consent violated the requirements of the GDPR. For example, in the online declaration of consent, the required information was not directly visible to the data subjects, but was only accessible after scrolling on the homepage. The paper form of the declaration of consent was likewise designed in such a way that it was not apparent to the data subjects that they had given their consent to profiling.

According to the data protection supervisory authority, these objectionable consent forms were in use in the period between May 2019 and March 2020.

Lessons for practice

The requirements of the General Data Protection Regulation do not end with the selection of the correct legal basis. Rather, the highest attention must be paid to transparent design, especially in the case of consent under data protection law. Even small details in the layout can prevent data subjects from being comprehensively informed and result in a fine from the data protection supervisory authorities.



Since successfully completing his training, Jan has worked as a Business Development Manager at aigner business solutions. Jan applies his creativity, talent for image editing and passion for video editing in our marketing department and also supports the sales process with its day-to-day tasks. Last but not least, our customers and followers can always look forward to new, interesting content on our social media channels and in our newsletters.