Executive summary

On September 17, 2019, the Belgian Data Protection Authority (DPA) issued a fine of EUR 10,000 for a breach of the General Data Protection Regulation’s (GDPR). The case related to a merchant who required the use of an electronic identity card as the sole means for the issuance of loyalty cards.

The DPA found that this practice did not comply with GDPR’s standards on (a) data minimization, as the electronic identity card contains much more information about the holder than is necessary for the purposes of creating a loyalty card; and (b) consent, because customers were not offered a real choice on whether they should provide access to the data on their electronic identity card in exchange for a loyalty card. As a result, the customers’ consent was not considered as freely given and therefore invalid.

The DPA also found that the merchant had not done enough to inform customer about its data processing activities, and thereby violated its information duties under the GDPR.

The facts

On August 28, 2018, a customer filed a complaint with the DPA concerning the merchant’s procedure for issuing loyalty cards. The merchant requires that customers first provide their electronic identity card before they can receive a loyalty card. The merchant provided no alternative means for acquiring the loyalty card.

The DPA’s Inspection Service Finalized its investigation was on May 10, 2019, and the Dispute Chamber held proceedings on the matter from the end of May until the end of July. The Dispute Chamber issed its final decision on September 17, 2019, and the parties have 30 days to appeal.

The assessment of the Belgian DPA

The Dispute Chamber first held that the merchant’s practice for the creation of loyalty cards violates the principle of data minimization, as it entails the processing of personal data that is not relevant for the creation of a loyalty card. By reading the barcode on the electronic identity card, the merchant processed the card holder’s national registry number, gender, and date of birth, all of which the Dispute Chamber found were not necessary for the creation of a loyalty card.

The Dispute Chamber further held that the merchant violated the principle of lawfulness of processing. The Belgian law regarding the use of the electronic identification card[1] specifically states that, unless a legal exception applies, an electronic identity card can only be read or used following the freely given, specific and informed consent of the card holder. The law further states that, where a benefit or service is offered to a citizen via his electronic identity card as part of an IT application, an alternative that does not require the use of the electronic identity card must be offered.

Because the merchant did not provide an alternative to the provision of the electronic identity card for the creation of a loyalty card, the Dispute Chamber found that the merchant has failed to obtain a valid consent for the collection of the personal data. The Dispute Chamber therefore found that the customers’ consent was not “freely given” as required under the GDPR.

Although not raised by the parties, the Dispute Chamber further investigated whether such processing could have been based on the legitimate interest of the controller. Here, it concluded that the interests of the data subject would prevail and that the balance of interests tilts in the favor of the customer. As a result, the legitimate interest of the controller could also not have been invoked as lawful basis for the processing.

Because the Dispute Chamber considers the violation of these obligations gross negligence with far-reaching impact on the rights of the customers, it punished the merchant with an administrative fine of EUR 10,000.

In addition, the Dispute Chamber found that the merchant had also not sufficiently informed the customer regarding the transfer of data to third parties, the lawful basis of the collection of the personal data, and the retention period of the personal data. Here, however, the Dispute Chamber simply took note of these violations as well with the mitigating measures the merchant has promised to undertake.

Important take-aways / Relevance for businesses

First, the decision illustrates the DPA’s complaint handling procedure. In a fairly straightforward case, it takes the DPA just over a year to go from complaint to final decision.

Second, the decision is an insightful application of the GDPR principles in a niche area of personal data processing. More specifically, to what extent and under what conditions companies can make use of electronic identity cards of individuals.

In general, companies can use, read or record the data on the electronic identity card, both those visible to the naked eye and those that can be read with a card reader, as long as they respect the basic principles of data protection law. There are, however, three important considerations that companies must keep in mind when using electronic identity cards:

  1. If a company wishes to read the identity card of an individual, it can rely only on the consent of the individual concerned as a lawful basis. As this case illustrates, companies must provide an alternative procedure in which the electronic identity of the data subject is not processed. Without such a valid alternative for individuals, consent cannot be considered freely given.
  2. Not all data on the identity card is free for companies to use. Specifically, the photograph of the holder of the identity card, the National Registry Number, and the digital image of the fingerprints that is on the ID (or at least will be, in the case of the digital fingerprints) may only be used if authorised to do so, or by virtue of a law, a decree or an ordinance.
  3. The DPA applies a very strict interpretation on the principle of data minimization. Even if companies have acquired a valid – and freely given – consent in accordance with the GDPR, they must also consider whether the data gathered through a read-out of the identity card is relevant for the processing purposes pursued. Remarkably, the DPA not only scrutinized the use of the national registry number, but also the use of gender and birthdate, two commonly used data categories in client relationship management. This decision should urge companies to be extra vigilant when determining relevant data categories for a certain data processing purpose.