The Belgian Supreme Court ruled on the processing of personal data on the eID for the creation of a loyalty card. Only this card gave access to special discounts. The data subjects could not receive these or similar deals otherwise.
It started with a retailer that only gave discounts to loyalty card holders. This card could only be obtained after an electronic read-out of the customer’s eID. Customer A, who preferred not to provide his eID, complained because the loyalty card, and the discounts that came with it, were denied to him.
As a result, the Belgian Data Protection Authority (DPA) decided that barcode, gender, and date of birth, all data on the eID, were not strictly necessary information. The processing was thus not in line with the principle of data minimization. Furthermore, customers weren’t offered any way to obtain discounts other than by providing their eID for the loyalty card.
On appeal, the Markets Court examined the case. The court annulled the earlier decision of the DPA, considering that there had been no actual processing of personal data and therefore no GDPR violation.
PRINCIPLES OF DATA MINIMIZATION AND FREE CONSENT
In 2021 the Supreme Court followed the rationale of the DPA. Firstly, the Court confirmed that a data subject can lodge a complaint based on genuine interest. Moreover, the data subject can do so even if no personal data was actually processed. In this case, the refusal of consent, in light of an allegedly infringing practice, prevented the processing from taking place. The refusal explicitly related to the personal data of the data subject and resulted in him not being able to enjoy a service or advantage.
This led to a second conclusion of the Court. It considered that free consent was not sufficiently guaranteed, because refusing consent implied the immediate and irreparable loss of an advantage (e.g. discount) or service.
TAKEAWAYS FOR RETAILERS
When using loyalty cards, retailers should consider the following points:
- Only process data that is relevant and necessary to create a loyalty card.
Data on an eID, such as national registration number, sex, place of birth, etc., can hardly be considered “strictly necessary” to award commercial benefits.
- Always offer an alternative to the eID card read-out.
For example, filling in a paper form. This is needed to guarantee free and lawful consent.
- Inform customers how their data is processed and which rights they have.
Laura Van Gompel
Lawyer – Managing Partner