Austrian Data Protection Authority Fines ‘Unser Ö-Bonus Club GmbH’ €2,000,000

• An Austrian loyalty program operator was fined 2 million Euros for unlawful user data collection.
• The company obtained people’s consent improperly, failing to inform them about what that entails.
• The firm continued to use the illegally obtained user data even after they admitted their wrongdoing.

‘Unser Ö-Bonus Club GmbH,’ a Vienna-based company that operates a multi-partner loyalty program, got a fine of 2,000,000 EUR from the Austrian Data Protection Authority (Datenschutzbehörde) over multiple violations of the GDPR. In summary, the company served users with inadequate consent declarations, engaged in unlawful processing of personal customer data for profiling purposes, and actually continued all that even after they admitted their wrongdoing. The violations pertain to Articles 6, 7, 12, and 13 of the GDPR.

When a user registers onto the bonus club program, their shopping behavior and all data that derive from it are collected and analyzed by the firm, which creates a unique customer profile. This is then passed to advertising partners for profit, but the users are unaware of both the data processing and the selling of their profiles to numerous other entities.

The company did mention this procedure, found only by those who bother to scroll down, but the “Yes” or “No” consent prompt was offered on the top, so essentially, everyone accepted the terms without being informed about what this entails. Unser Ö-Bonus Club received an alert during the initial investigation about this problem and admitted that the form elements were wrongfully laid out.

Even after they fixed the form, though, the firm continued to use the data it had collected from 2.3 million Austrians, which they had gained through the inadequate form. This was an unethical move that the company could easily present as a mistake, and so they did. Also, they accuse the Austrian data protection authorities of not giving them advice and not warning them that if they didn’t purge the already collected info, a fine would be imposed.

Back in 2019, Rewe, the ‘Unser Ö-Bonus Club’ program operator, won the ‘Big Brother Award’ for “Communication and Marketing.” The jury openly supported this decision by saying that Rewe’s program results in the collection of valuable marketing data that many entities like supermarkets, petrol stations, and furniture stores are happy to buy and use.

Rewe has some reach outside Austria, operating businesses in Romania, Italy, Croatia, Bulgaria, the Czech Republic, and Hungary. Some of the brands that have or have had business relations and possibly data exchange relationships with Rewe include ‘Billa,’ ‘Penny,’ ‘BIPA,’ ‘Libro,’ and ‘Merkur.’