An identity card is not a customer card
You probably have barely any cash left in your wallet, but all the more customer
cards. With some cards you get an immediate discount. Other cards give you an
overview of your purchases and you will no longer receive a paper ticket at the
cash register. And finally there are the cards with which you can collect
points. Why not have everything put on one card: your identity card?
The local liquor store
A drinks retailer offered its customers a discount based on the purchases made:
in other words, a points system. But instead of offering the customers yet
another plastic card, he asked them to put their identity card in the card
reader.
However, a customer with principles refused to hand over his identity card but
still demanded the discount. And so the case came to the Data Protection Authority
(DPA). The DPA is an independent body that monitors compliance with the basic
principles of the protection of personal data. Those basic principles are
contained in a European Regulation of 2016, known as the GDPR: the General Data
Protection Regulation. You can therefore contact the DPA if you believe that
your privacy has been violated.
DPA and Marktenhof
The DPA was particularly strict on the liquor trader. An identity card contains
a lot of information that is not relevant for a discount on drinks. In addition
to your full name, it contains your date and place of birth, your gender and
also your National Register Number.
The GDPR is strict with regard to the use of all kinds of personal data, but the
National Register Number falls under a different regulation and that is even
stricter.
Although it is very tempting to use the National Register Number as a unique
identification number for your customers, its use for commercial purposes is
also very strictly prohibited.
The DPA decided to impose a fine of 10.000€ on the drinks trader:
for violation of the minimum data collection rules, that is: you may not collect
more data than is strictly necessary; and
due to a lack of consent to the processing of that data.
The Marktenhof, an appeal body under which the DPA also falls, thought this was
exaggerated. After all, the liquor dealer hadn't been given the data... So how
could he have committed an offence?
Moreover, the customer had a choice, according to the court. If he did not want
the data to be processed, he did not have to insert the card into the card
reader. The fact that he then missed the discount was indeed a consequence of
that refusal, but it was not in itself sufficient to say that the customer had
no choice.
Ultimately, the case was brought before the Court of Cassation. And that supreme
judicial body of our country aligns itself with the view of ... the DPA.
Nothing has happened...
Initially, there was the question of whether you can file a complaint with the
DPA if no violation has occurred. After all, the drinks merchant had not
received the identity card.
The Court of Cassation answers in the affirmative: any person who believes that
his rights under the GDPR have been infringed has the right to file a complaint,
after which the inspection service of the DPA can take action or not. The fact
that the personal data have not been effectively processed is irrelevant.
If the inspection service determines that the principles of the GDPR have not
been respected, it can take action. In this case the inspection established that
the drinks merchant kept all the details of the identity cards. Most of the data
collected in this way was not necessary for the discount.
Permission
But if a customer inserts his identity card into a card reader, does he not
grant permission for the processing of that data?
The Court of Cassation needs a detour to get there, but the conclusion is that the
customers do not grant permission for the processing of all data with this
action. The reasoning behind this is that by only granting a discount when the
identity card is inserted into the card reader, the customers do not actually
have a choice. And if there is no choice, there is no free consent either.
The reasoning of the Marktenhof that the customer suffered no actual disadvantage,
only that he could not get the discount, is rejected by the Court of Cassation:
missing out on an advantage also leads to a restriction of free choice.
Minimal data collection and alternative
Using the identity card as a customer card is not prohibited in itself. But the
data retrieved must meet the minimum data collection requirements.
The customer's name seems to be about the maximum information that you can obtain
from the card. You may add some other information yourself, such as a telephone
number or e-mail address.
If you wish to download additional data, such as date of birth or place of
residence, you must ask for permission.
It's also not a bad idea to offer an alternative: apps where customers have to
fill in their own data, an old-fashioned stamp card or just another plastic
card... Plenty of choice.