On September 17, 2019, the Belgian Data Protection Authority (the “Belgian DPA”) imposed a fine of EUR 10,000 on a shop for the disproportionate use of customers’ electronic identity cards (the “eIDs ”) – a national identification card.
The Belgian DPA received a complaint from a customer who was denied a store loyalty card for refusing to provide his eID, despite the fact that he offered to provide his personal data separately to benefit from the loyalty card. The Litigation Chamber of the Belgian DPA found that this practice was not in line with the EU General Data Protection Regulation (the “GDPR”).
The reasons for the decision of the Litigation Chamber of the Belgian DPA are summarized below:
- Non-compliance with the GDPR data minimization principle: The Belgian DPA considers this practice to go against the data minimization principle, which requires data controllers to limit the processing of personal data to what is strictly necessary in relation to the purpose for which personal data are processed. In the case at hand, the shop required reading all the data stored on customers’ eIDs – including their names, addresses, ID photos, and barcodes linked to national register numbers – before issuing loyalty cards. In its decision, the Litigation Chamber insists on the sensitive nature of the national register number, the consultation and use of which is subject to strict rules. Accordingly, the Belgian DPA considers that the consultation and use of all personal data stored on customers’ eID cards for commercial purposes is disproportionate to the purpose of creating a customer loyalty card.
- Invalid consent: The Belgian DPA considers that the consent collected by the shop for the use of customers’ eID cards is invalid as it is not freely given, i.e., consent cannot be freely given if there are no alternatives for the data subjects but to consent to the processing of their personal data to obtain a customer loyalty card.
According to the Director of the Litigation Chamber, Dr. Hielke Hijmans, the use of eID cards as loyalty cards is a common practice. However, the GDPR does not allow companies to gain access to all the data stored on eID cards if it is not necessary for offering the service and there is no valid legal basis for such access. Therefore, the Belgian DPA considers this a serious infringement and imposed a fine of EUR 10,000.
For more information, read the decision, in Dutch.