Breaching the GDPR without data processing?

Vangompel-advocaten-GDPR breach without data processing

Laura Van Gompel14 May 2022 –The Belgian Supreme Court ruled on the processing of personal data on the eID for the creation of a loyalty card. This card – and this card only –  involved special discounts. The data subjects could not receive this or similar discounts otherwise. Citing the principles of data minimisation and free consent, the Supreme Court annulled the earlier judgement of the Markets Court.   

It started with a retailer who only gave discounts to loyalty card holders. This card could only be obtained after electronic read-out of the costumers’ eID. Customer A, who preferred not to provide his eID, complained because the loyalty card – and implied discounts- were denied to him.  

In 2019 the Belgian Data Protection Authority (DPA) decided that barcode, gender and date of birth – all data on the eID – were not strictly necessary information. The processing was thus not in line with the principle of data minimisation. Furthermore, customers weren’t offered the option to obtain the discounts otherwise than by providing eID for the loyalty card. 

In appeal, the Markets Court shed its light on the case. The court annulled the earlier decision of the DPA, considering there had been no actual processing of personal data and as such no GDPR violation.  

In 2021 the Supreme Court followed the rationale of the DPA.  

The Court first confirmed that a data subject can lodge a complaint based on a genuine interest, even if no personal data is/was actually processed. In this case, the refusal of consent – at the light of an allegedly infringing practice – avoided the processing of taking place. The refusal related specifically to the personal data of the data subject and resulted in him not being able to enjoy a service or advantage.  

This led to a second conclusion of the Court; it considered that free consent was not sufficiently guaranteed, as consent refusal implied the immediate and irremediable loss of an advantage (e.g. discount) or service.  

When using loyalty cards, retailers better consider the following points: 

  • Only process data that is relevant and necessary to create a loyalty card. 

Data on an eID, such as national registration number, sex, place of birth, etc. can hardly be considered “strictly necessary” to award commercial benefits. . 

  • Always offer an alternative for the eID card read out.  

For example, fill in of a paper form. This in order to guarantee free and lawful consent.  

  • Inform on how the data is processed and which rights costumers gave. 

Cover all your bases with a previously announced privacy policy. 

More news

Vangompel-advocaten-GDPR breach without data processing

Laura Van Gompel – 14 May 2022 –The Belgian Supreme Court ruled on the processing of personal data on …

Vangompel-advocaten-Think before you link. How your sports club also leaks data

Eric De Wilde – May 12 2022- In November 2021 the Belgian Data Protection Authority (DPA) admonished a fitness club for unlawfully transferring …

Laura Van Gompel  – October 2021 – Data protection (and processing) is not always part of the due diligence …

Subscribe to our newsletter