
Beverage company fined for using eID cards to create customer loyalty cards

Summary

A customer lodged a complaint regarding the use of loyalty cards by a beverage company. The loyalty cards were issued by reading the eID cards, which are the official national identification cards in Belgium for individuals. The complainant argued that the company collected more information than necessary when creating the loyalty cards, including clients' social security numbers, gender, and date of birth. The complainant also argued that valid consent for processing this data was not obtained.

Decision by the Belgian DPA

The Belgian Data Protection Authority (DPA) found that the company had violated both the principle of data minimization and that the consent of their customers could not be considered 'freely given' in accordance with the GDPR. The DPA imposed a fine of 10,000 EUR on the company.

Court of Appeal

The decision was appealed to the Court of Appeal of Brussels. They annulled the fine as they found that (i) the new eID legislation could not retroactively apply, (ii) the fine lacked adequate justification, and (iii) the shop owner did not process the data associated with the complainant's eID as the data subject had declined to provide it.

The DPA then appealed the decision from the Court of Appeal to the Belgian Supreme Court.

The Supreme Court found that the Court of Appeal of Brussels failed to consider potential violations of data minimization and freely given consent under the GDPR. The Supreme Court also highlighted that the loss of benefits, like discounts, should be considered in evaluating freely given consent. They also affirmed the authority of the Belgian DPA to handle complaints even when no personal data has been processed.

The decision of the Belgian Supreme Court

The Supreme Court annulled the decision of the Court of Appeal and referred it back to the Court of Appeal. The case is pending at the time of writing.

Our remarks

• When creating loyalty programs, one must observe the GDPR principles of data minimization by using only necessary data, limiting retention time, and using data for specific purposes shared by the data subject. For example, it is rarely necessary to process the social security numbers of customers for providing a loyalty program.
• If one wants to use consent for processing personal data one should consider the following:
  ° Consider whether consent is required for each processing step. If not, assess if one can use other legal bases such as contract (GDPR, article 6(1)(a)) or legitimate interest (GDPR, article 6(1)(f)).
  ° When seeking permission from (potential) customers, ensure they have access to and understand your clear and detailed privacy policy before making a choice. Active and voluntary consent is essential, avoiding preselected choices or implied consent. People should have the freedom to choose whether to provide consent, except in cases where data is absolutely necessary.
  ° To use the personal data of existing customers in direct marketing (newsletters), explicit consent may not be required. However, explicit consent is necessary for non-customers and other marketing purposes such as profile building or data sharing with partners. Obtain separate consent for these activities, clearly stating the scope in the privacy policy.

Published: 07-10-2021
Journal number: C.20.0323.N/1
Tags: 01 Legal basis and principles of processing

Complycloud EU GDPR Report - Page 94