Austrian Data Protection Authority Fines Loyalty Program Operator €2,000,000
‘Unser Ö-Bonus Club GmbH,’ a Vienna-based company that operates a multi-partner loyalty program, has been fined 2,000,000 EUR by the Austrian Data Protection Authority (Datenschutzbehörde) over multiple violations of the GDPR. In summary, the company served users with inadequate consent declarations, engaged in unlawful processing of personal customer data for profiling purposes, and continued these practices even after admitting its wrongdoing. The violations pertain to Articles 6, 7, 12, and 13 of the GDPR.
When a user registers for the bonus club program, the firm collects and analyzes their shopping behavior and all data derived from it, and uses this to create a unique customer profile. The profile is then passed to advertising partners for profit, but users are unaware of both the data processing and the selling of their profiles to numerous other entities.