Updated: Apr 14, 2020
The Authority has sanctioned a merchant whose sole means of creating a loyalty card was to read the customer's electronic identity card. The administrative fine imposed amounts to €10,000.
The electronic identity card contains a great deal of information about the cardholder, and using this data without the customer's valid consent is considered disproportionate to the service offered.
The full press release is available in Dutch.
The Belgian Data Protection Authority (DPA) received a complaint about a merchant's use of the electronic identity card (eID) as part of a commercial service, namely the creation of a loyalty card. Because the complainant did not want to present his identity card, he was refused the loyalty card; the only alternative offered was to submit a written request for one. The DPA's Litigation Chamber found this practice to be in breach of the GDPR for several reasons.
Non-compliance with the data minimisation principle
Data minimisation is a core principle of the GDPR: it requires data controllers to limit both the amount of personal data collected and the period for which it is retained to what is strictly necessary for the purpose.
To create the loyalty card, the merchant reads data from the eID such as surname, first names and address, but also accesses the photo and the barcode, which is linked to the national registry number. The Litigation Chamber recalls that the national registry number is subject to strict rules governing its consultation and use.
The Litigation Chamber therefore considers that reading and using all of the data present on the electronic identity card in a commercial setting constitutes disproportionate data processing with regard to the objective of creating a loyalty card.
Absence of valid consent
To be lawful, the processing of personal data must rest on one of the six legal bases provided by the GDPR. The merchant invokes consent as the legal basis for processing the data taken from the customer's eID, but the Litigation Chamber disputes the validity of this legal basis.
To be valid, consent must be freely given, specific and informed. The Litigation Chamber considers that the consent obtained in this case cannot be regarded as freely given, because customers are offered no alternative: a customer who refuses to have the electronic identity card read for the creation of a loyalty card is penalised and cannot enjoy the associated benefits and discounts.
Hielke Hijmans, President of the Litigation Chamber, explains: "Companies or merchants need to take a more conscientious approach when they claim all kinds of personal data for a service, especially in the absence of valid customer consent. The GDPR provides principles and obligations that must serve as a guideline for the proper processing of personal data."
Given the failure to respect the principle of data minimisation and the absence of a valid legal basis, the Litigation Chamber decided to order the merchant to comply with the requirements of the GDPR and imposed an administrative fine of €10,000.
"The use of electronic identity cards as a loyalty card is a common practice, but the GDPR does not provide access to a large amount of personal data if it is not strictly necessary for the supply of a service and without a valid legal basis. The Litigation Chamber considers that this is a serious offence and therefore imposes a fine of €10,000," says Hielke Hijmans, President of the Litigation Chamber.
David Stevens, President of the DPA: "This decision is an important new step on the road to better protecting the privacy of our citizens."