Prohibition of bundling

The prohibition of bundling (Koppelungsverbot) is a core element of freely given consent under the General Data Protection Regulation. It prohibits making the performance of a contract or the provision of a service conditional on the data subject consenting to the processing of personal data that is not in fact necessary for performing that contract. The legal basis is Art. 7(4) GDPR, which requires that, when assessing whether consent is freely given, "utmost account" be taken of whether such bundling exists. Where consent is not freely given, it is invalid and any processing based on it is unlawful.

The decisive line is drawn between data strictly required to perform the contract and data the controller wishes to process for additional purposes, such as advertising, profiling or disclosure to third parties. Processing necessary for the contract does not require consent at all; it relies on Art. 6(1)(b) GDPR. If, beyond this, consent is demanded and effectively coerced because the contract will not be concluded without it, a prohibited bundling occurs. The European Data Protection Board interprets the rule strictly: the data subject must be able to refuse or withdraw consent without suffering any detriment.

The prohibition of bundling is not, however, an absolute ban but a strong presumption against the consent being freely given. In exceptional cases bundling may be permissible where the data subject is offered a genuine, equivalent alternative without consent, for example an equivalent paid offer alongside an ad-funded one ("pay or consent" models). The controller bears the burden of proving that consent is freely given. In practice, separate and granular consent declarations, clear information about optionality and an easy withdrawal mechanism are decisive for complying with the prohibition and avoiding fines and civil liability.