jö Bonus Club is supposed to pay a data protection fine of €2 million

The jö Bonus club, which was set up by Rewe Austria with partners and now has more than four million members, is set to pay a fine of two million euros according to a decision by the Austrian data protection authority. This is what the “standard” says.. The reason is presumably because customers were not properly informed of the use of profiling. The decision is not final yet.

Since users were not adequately informed about profiling in the jö Bonus Club consent declaration from May 2019 to March 2020, there is a violation of the General Data Protection Regulation (GDPR), according to the report.

Agree to “profiling” in the terms and conditions

The club gave the impression that customers only participate in discounts and coupons. If they scroll down, they would have discovered that they are willing to do what is called profiling, i.e. to increase the use of personal data to make future predictions. Profiling is the use of collected personal data, for example to start targeted advertising campaigns or to adapt a range of products based on knowledge about the buying behavior of a large number of customers.

Specifically, the data protection authority objects to the format on the club’s website and on registration forms. Consent to profiling doesn’t always have to be obvious. The club also saw this and changed it after initial action – but data from 2.3 million people is still in use.

The data protection authority sees profiling as a particular risk because certain aspects of a person can be assessed and their future behavior can be predicted. If this data is passed to third parties, it can cause problems for those affected. With jö Bonus Club, broad consent is given, whereby all partners – in addition to the brands Rewe Billa, Penny and Bipa, for example, as well as Libro – can use the information collected.

According to the report, users who registered from May 2019 to March 2020 via the club’s website or flyer were not adequately informed. The General Data Protection Regulation (GDPR) presupposes information in an “accessible”, clear and simple language. However, personal data processing was only indicated after users ticked a “yes” or “no” box and scrolled down rather than being notified before giving their consent.