The Court of Cassation recently issued an important ruling on one of the first and longest-running procedures for breaches of the GDPR, following a fine imposed at the time by the GBA. The result of this will probably be that a lot of entrepreneurs will have to adjust the way they create loyalty cards for their customers. The use of eID card readers for that purpose appears to be very difficult.
However, the same decision also puts some basic principles of the GDPR back in the spotlight. Below we take a brief look at what exactly is going on and what you, as a retailer or online shop, should pay attention to.
eID card readers for loyalty cards?
In 2019, the then newly appointed Data Protection Authority imposed one of its first fines, and it was immediately a controversial one: a fine of 10,000 euros for a beverage company that, without the slightest suspicion of wrongdoing and out of convenience to its customers, had decided to use an eID card reader to create customer cards (read our blog post from that time here). Easy, right: just insert your identity card in the reader and your loyalty card is ready for use?
This was not just the opinion of this beverage company, but rather the opinion of all merchants and large retail chains in this country, who have all automated the creation of loyalty cards in one way or another. So there was great consternation when the GBA decided that this admittedly convenient way of creating loyalty cards was in violation of the GDPR. The beverage company in question did not sit back and has fought tooth and nail against this fine in recent years, and this struggle brings us to the aforementioned ruling of the Court of Cassation.
So what is the problem with eID card readers according to the GBA?
The fine imposed on the beverage company in question in 2018 was the result of a complaint from a customer. The customer was of the opinion that her privacy was violated because when the eID card was read, much more information was collected by the liquor store than is actually needed to create a loyalty card. An eID card also contains a person’s social security number, gender and date of birth and that is quite a lot of information just to save some points and earn a discount…
The reasoning of the GBA in imposing the fine was actually quite logical: the GDPR provides some basic principles that everyone should take into account when collecting and processing personal data. One of these principles concerns data minimization: you may only collect the data that you really need and of which you can demonstrate that you need it. In other words, “less is more” is not an empty slogan under GDPR and anyone processing personal data should constantly ask themselves whether the same processing is possible with less data.
In the case of the liquor trade: to maintain a loyalty card, you don’t necessarily need more than the name and first name of your customer, a contact method (e-mail or telephone or postal address) and possibly also his or her gender or title so that you can address him or her in the right way. Anyone who systematically collects more data is in violation, simple as that.
Moreover, according to the GBA there was a second problem because the customer was not “free” to give his or her consent to the processing of data. European case law is very clear on this point: if you ask someone’s permission to process their data (e.g. for a loyalty card), then you have to make sure that they give that permission beforehand, through an active act (so no pre-checked checkboxes) and that they are correctly informed (i.e. communicate a copy of the privacy policy), but above all they must be free to refuse consent without suffering any disadvantage as a result.
Mandatory or coerced consent is therefore out of the question and rewarding customers who do give consent is also prohibited. After all, this would mean buying off the consent and influencing the choice of the person concerned, which is certainly not allowed. Our beverage company, however, only gave discounts to customers who had created a loyalty card and the only way to get a loyalty card was to give permission for your… eID card to be read.
Start of a legal saga
So, a logical decision by the GBA, which merely applied the basic principles of the GDPR and the case law of the European Court of Justice in a consistent manner. Nevertheless, this ruling was followed by a legal saga that has already lasted three years, with no end in sight. The beverage company first appealed the fine to the Markets Court and was proven right, not because the fine was unjustified, but because the procedure had been carelessly conducted by the GBA. The latter then went to the Court of Cassation, which handed down its judgment, after which it is once again the turn of the Court of Appeal to make a final judgement.
What can we learn from the judgment of the Court of Cassation today?
The Court of Cassation actually confirms that the GBA was right at the time. Incidentally, this also means that our advice at the time (as we naturally expected) remains unshaken. Be careful before you use eID card readers. Preferably don’t do it to create loyalty cards or other commercial customer promotions, and if you do want to use electronic loyalty cards, choose a software vendor who can guarantee you that the general principles of data minimization and privacy by design have been observed when creating the software.
For you as an offline or online merchant, this decision also means the following in a broader perspective:
- During every data processing activity, ask yourself whether you are respecting the basic principles of the GDPR. Are you using only the strictly necessary data? Do you keep them no longer than really necessary? Do you use them only for the specific purpose for which the data subject has shared them with you?
- Also, ask yourself for each processing step whether or not you need consent. After all, the GDPR has 6 legal grounds that can allow you to process data and consent is merely one of them. But not all legal grounds work in all circumstances. So make the right choices at the right time.
- If you do ask permission from your (future) customers, make sure they can read your privacy policy beforehand (and make sure it is clear and well-detailed), that they actively “choose” to give permission (no preselected choices, no “by continuing, you agree”, no implicit or assumed consents) and above all make sure that people are free to choose whether or not to give consent (any context where such free consent is impossible, e.g. because you absolutely need the data, is a context in which consent may not be the right legal basis. Seek timely legal advice before making wrong choices…).
- If you want to use personal data of your existing customers for direct marketing purposes (newsletters) you may not need explicit consent, but for non-customers and for any other marketing use (profile building, data sharing with partners, …) you definitely do need consent and you should ask for it separately (“yes, I agree that my data can be used for marketing purposes as described in the privacy policy”).
- Document your choices and your decisions. The GDPR revolves entirely around your “accountability”, which is your obligation to be able to provide an accurate and cogent justification or explanation for the above questions at any time.
- That accountability starts with a well-founded and detailed data register. It surprises us every day how many entrepreneurs have created no or poor data registers while this constitutes a basic obligation that the GDPR imposes on (almost) every entrepreneur.
- Get advice in time. As you can see, the fines can amount to thousands of euros and the costs for legal assistance in case things go wrong will increase exponentially, while prior advice does not have to cost that much at all…
Questions about privacy, consumer law or e-commerce?
Are you not sure that your customer files, loyalty card or website comply with the required legal obligations? Choose an efficient and pragmatic audit of your website via our Website Certifier or ask for our help via a GDPR audit, tailored to your marketing department. This way you can manage your online business with peace of mind.
Questions about this article? Feel free to call or email Bart Van den Brande at +32 486 901 931 or at bart@siriuslegal.be or schedule a meeting directly here.