September 23, 2019

Belgian DPA: Requiring Customers to Allow Their ID Cards To Be Scanned To Receive Loyalty Cards Violates GDPR

Fox Rothschild LLP

+ Follow Contact

Send

Embed

Fox Rothschild LLP Asking to read an electronic ID card as a condition for the provision of a service (issuing a rewards/loyalty card) is disproportionate and in violation of GDPR, says the Belgian data protection authority. The company was fined €10,000.

Key takeaways also relevant to authentication/collection under GDPR and CCPA:

Information you collect to identify an individual needs to be proportionate to the purpose for which it is used.
Reading and use of all data from the electronic identity card which contains name, first name, address, etc., but also the photo and the barcode that is linked to the National Register number – is excessive and disproportionate for the purpose of a commercial service (like issuing a loyalty card).
To be valid as a legal basis, consent needs to be freely given. If no other option is provided – this is not freely given.
In this case if the customer refused to allow his electronic id card to be used, he/she would be penalized and will not be able to enjoy the benefits and discounts because he/she would not be offered an alternative.

Read the full decision.

[View source.]

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.