The jö Bonus Club bases this profiling on the data protection consent of the members pursuant to Art. 6 (1) a DSGVO. Due to the particularly high risk that profiling poses to data subjects, this is also the correct legal basis in principle.
The supervisory authority saw the violation of the requirements of the GDPR in the design of the declaration of consent. For example, in the online declaration of consent, the required information was not directly visible to the data subjects, but was only accessible after scrolling on the homepage. The design of the declaration of consent in paper form also ensured that it was not apparent to the data subjects that they had given their consent to profiling.
According to the data protection supervisory authority, these objectionable consent forms were in use in the period between May 2019 and March 2020.