APD/GBA - 06/2019
|APD/GBA - DOS-2018-04470|
|Relevant Law:||Article 5(1)(c) GDPR|
|Decided:||17. 9. 2019|
|National Case Number:||06/2019|
|European Case Law Identifier:||n/a|
|Appeal:||Court of Appeals of Brussels - 2019/AR/1600|
French and Dutch
|Original Sources:||APD (in FR)and GBA (in NL)|
The Belgian DPA (APD/GBA) fined € 10000 for requiring an ID to issue a new loyalty card, which violated the principle of data minimisation.
The controller asked to a costumer to provide their electronic ID card for the creation of a loyalty card. The costumer did not want the data controller to use their electronic ID card, but only wanted to provide the data in written form. The controller refused to issue the loyalty card. Following the refusal, the costumer filed a complaint with the APD.
Is the processing of the electronic ID card necessary to issue a loyalty card?
First, the APD/GBA found that the request of the electronic ID card for the constitution of a loyalty card violated the principle of data minimisation in Article 5(1)(c) GDPR. In addition, no alternative system was offered to the data subject, thus the consent to the use of the ID forced. Therefore, the processing of the ID lacked a legal basis and was unlawful.
Secondly, the APD/GBA found that the controller provided contradictory information related to the sharing of personal data within the EEA and no information regarding the retention period.
As a consequence, the APD/GBA found that the controller violated Articles 13(1)(c), (e) and 13(2)(a) GDPR. Thus, it ordered the controller to comply with the GDPR. In addition it fined € 10,000 under Article 58(2)(i) GDPR for the violation of 5(1)(c) and 6(1) GDPR.
This decision has been appealed and overturned by the Court of Appeal on 19 February 2020, in the judgement Hof van beroep Brussels - 2019/AR/1600.
IAPP talked about the DPA decision and the Court of Appeal judgement here.
Share other blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the original. Please refer to the French or Dutch original for more details.
Subject: Complaint about the use of the identity card to create a loyalty cardLa Chambre Contentieuse de l'Autorité de protection des données, composed of Mr H. Hijmans, President, and Mr Y. Chicken and F. De Smet, Members ;Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter the "DGPS");Considering the law of 3 December 2017 establishing the Data Protection Authority, hereinafter referred to as the LCA; Considering the internal regulations as approved by the House of Representatives on 20 December 2018 and published in the Belgian Official Gazette on 15 January 2019; Considering the documents in the file;...... 2/91.Facts and Procedure-On 28 August 2018, the complainant filed a complaint with the Data Protection Authority against the defendant concerning the loyalty card offered by the defendant to his customers. According to the complainant, the creation of the loyalty card is carried out by reading the electronic identity card and using its data. The defendant refuses to issue the loyalty card if the customer does not want his electronic identity card to be used but only his written data. According to the complainant, the facts are dated June 8 and 30, 2018. -On 26 September 2018, the complaint was declared admissible on the basis of Articles 58 and 60 of the ICA, the complainant was informed thereof pursuant to Article 61 of the ICA and the complaint was forwarded to the Disputes Chamber pursuant to Article 62 § 1 of the ICA.On 23 October 2018, the Litigation Chamber decided to request an investigation from the Inspection Service, pursuant to Articles 63, 2° and 94, 1° of the VVG, and on 29 October 2018, pursuant to Article 96, § 1 of the VVG, the Litigation Chamber's request to conduct an investigation was forwarded to the Inspection Service, together with the complaint and the minutes of that decision.On May 10, 2019, the investigation of the Inspection Service is closed, the report is attached to the file and it is transmitted by the Inspector General to the President of the Litigation Chamber (Article 91, § 1 and § 2 of the LCA).- On May 28, 2019, the Litigation Chamber decides, pursuant to Article 95, § 1, 1° and Article 98 of the LCA, that the file may be dealt with on its merits.-On 3 June 2019, the parties concerned shall be informed by registered mail of the provisions as set out in Article 95 § 2 and Article 98 of the ICA. The deadline for receipt of submissions in response from the plaintiff was set at 28 June 2019, and for submissions in response from the defendant at 29 July 2019. 3/9-On 18 June 2019, the defendant requested a copy of the file (Article 95, § 2, 3° of the ICA). The defendant further declares that he accepts to receive electronically any communication relating to the case (Article 98, 1° of the ICA) - On 24 June, a copy of the file is sent to the defendant - The plaintiff does not submit any conclusion in response to the Complaint Chamber. However, the Complainant still transmits additional information to the Litigation Chamber, albeit after the deadline for submissions, so that the documents received from the Complainant on 8 and 29 July 2019 were excluded from the proceedings. on 30 July 2019, the Litigation Chamber receives the submissions in reply from the Respondent. 2. Legal basis - Article 5.1.c) of the GDR1. The personal data are: (c) adequate, relevant and limited to what is necessary in view of the purposes for which they are processed (data minimisation);[...]-Article 6.1 of the DGPS1. Processing is lawful only if, and to the extent that, at least one of the following conditions is met: (a) the data subject has consented to the processing of his or her personal data for one or more specific purposes; (b) the processing is necessary for the performance of a contract to which the data subject is a party or for the performance of pre-contractual measures taken at the data subject's request; (c) the processing is necessary for compliance with a legal obligation to which the controller is subject; (d) the processing is necessary to safeguard the vital interests of the data subject or of another natural person; (e) the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; (f) processing is necessary for the legitimate interests pursued by the controller or by a third party, unless the interests or fundamental rights and freedoms of the data subject which require the protection of personal data prevail, in particular where the data subject is a child. Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.Section 13.1 of the DGMP1.Where personal data relating to a data subject are obtained from that data subject, the controller shall provide him/her, at the time the data in question are obtained, with all the following information: (a) the identity and contact details of the controller and, where applicable, the representative of the controller; (b) where applicable, the contact details of the Data Protection Officer; (c) the purposes of the processing operation for which the personal data are intended and the legal basis of the processing operation; (d) where the processing operation is based on Article 6(1)(f), the legitimate interests pursued by the controller or by a third party; (e) the recipients or categories of recipients of the personal data, if they exist; (f) where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation, and the existence or absence of an adequacy decision by the Commission or, in the case of transfers referred to in Article 46 or 47, or in the second subparagraph of Article 49(1), the reference to appropriate or adapted safeguards and the means of obtaining a copy or the place where they have been made available.-Article 13.2.a) of the DSMP2. In addition to the information referred to in paragraph 1, the controller shall provide the data subject, at the time the personal data are obtained, with the following additional information necessary to ensure fair and transparent processing: (a) the storage period of the personal data or, where this is not possible, the criteria used to determine this period;[...] 5/9. 3, Statement of reasonsThe Litigation Chamber bases its opinion mainly on the findings made by the Inspection Service. The Inspection Service notes that the defendant bases the processing of personal data for the creation of a loyalty card solely on the data available via the electronic identity card. The Inspection Service therefore confirms the complaint in the sense that no alternative is offered to customers who actually want a loyalty card but do not want the defendant to use their electronic identity card for this purpose, whereas according to the Inspection Service, obtaining consent and proposing an alternative is indeed required. In this respect, the Inspection Service also refers to Article 6, § 4 of the Law of 19 July 1991 on population registers, identity cards, foreigners' cards and residence documents, as applicable from 23 December 2018, which provides that the electronic identity card may only be read or used with the free, specific and informed consent of its holder. When an advantage or service is offered to a citizen by means of his identity card as part of a computer application, an alternative that does not require the use of the electronic identity card must also be offered. The Inspection Service also refers in this respect to Recommendation No. 03/20111 in order to support the requirement of consent and the proposal of an alternative. the Litigation Chamber considers that in this case, the offences in question are violations of Articles 5.1.c) (data minimisation), 6 (basis of processing) and 13 (information to the data subject) of the DGPS: Data minimisationThe Litigation Chamber emphasises that data minimisation must be considered as an essential principle with which data processing must comply and which is reflected as such in Article 5 of the DGPS, reflecting the essence of this Regulation. This is not only the case in the context of the application of the DGMP, but also in the context of the law of 8 December 1992 on the protection of privacy with regard to the processing of personal data. The reference of the Inspection Service to Recommendation 1Recommendation of initiative n° 03/2011 of 25 May 2011 on the copying of identity cards as well as their use and electronic reading, issued by the Commission for the Protection of Privacy. Substantive decision 06/2019-6/9n°03/2011 is therefore justified and must be understood in this light, namely that minimisation of data must always take precedence. The amendment of Article 6 of the Law of 19 July 1991 as mentioned above also constitutes an application of the general principle of data minimisation, as enshrined in Article 5.1.c) of the DGPS. The defendant's argument that the facts on which the complaint is based date back to before the entry into force of the amendment to Article 6 of the Law of 19 July 1991 is therefore irrelevant. The inspection report also indicates that the customer data processed are as follows: surname, first names, address, date of birth, sex, time from which the person concerned is a customer and amount of purchases. The bar code of the electronic identity card containing the national register number is linked by the defendant to the customer's data. For the Chamber of Litigation, the following is essential. The data processing involves the use of the National Register number, which is included in the barcode of the electronic identity card, which is not relevant. In this respect, the Litigation Division considers it important that special rules apply to the use of the national register number (already applicable before 23 December 2018), which prescribe a very prudent use of this national register number. Since, according to the findings of the Inspection Service, the bar code is used to find the customer in the customer file, the Litigation Chamber assumes that the national register number - or at least part of the identity card number - is used in violation of the principle of minimisation. The Chamber also points out that the processing of customer data (surname, first names, address, date of birth, sex, time from which the person concerned is a customer and amount of purchases) does not comply with the principle of minimisation, since the data "sex and date of birth" are also not relevant. In this respect, the Litigation Chamber assumes that the loyalty card is not used to control the minimum age for the purchase of alcohol, and since the method used by the defendant to create loyalty cards does not respect the principle of data minimisation, the Litigation Chamber therefore considers that the infringement of Article 5(1)(c) of the GDR is proven. -7/9Legality of the processing According to the Complaint Chamber, contrary to what the defendant claims, consent cannot be invoked as a legal basis for the processing operation since, in the defendant's current method, consent cannot in any way be considered as free consent within the meaning of Article 4(11) of the DGPS, in the absence of an alternative system allowing the creation of a loyalty card without the use of the electronic identity card, also giving the possibility in this case to the person concerned to benefit from reductions. The Litigation Chamber also refers in this respect to the Group 29 Guidelines on Consent within the meaning of Regulation 2016/6792, which stipulates that the adjective "free" implies real choice and control for the persons concerned. As a general rule, the DGMP provides that if the person concerned is not really able to exercise a choice, feels compelled to consent or will suffer significant negative consequences if he or she does not give consent, consent is not valid. If consent is presented as a non-negotiable part of the general conditions, it is considered that it has not been freely given. Consent will therefore not be considered as freely given if the person concerned is unable to refuse or withdraw his or her consent without prejudice. Given that in the present case, the complainant, and by extension all customers, can only benefit from discounts through their electronic identity card and that the defendant does not propose any alternative for the creation of a loyalty card in order to be able to enjoy this advantage, it is clear that there is no question of free consent.Although the Respondent does not invoke it, the Litigation Chamber examined to what extent the processing could be based on Article 6(1)(f) of the DGPS and to what extent the processing might prove necessary to defend its legitimate interests. The Litigation Chamber observes that, to this end, a weighting must be made with the interest of the person concerned in order to assess which interest is predominant. For this legal basis also, the Litigation Chamber declares that such a balancing of interests leads in this case to the conclusion that the interest of the plaintiff, and by extension of all customers, takes precedence, and the Litigation Chamber decides that the infringement of Article 6.1. of the GDR is proven.2 Guidelines on consent within the meaning of Regulation 2016/679, issued on 28 November 2017, revised and adopted on 10 April 2018. 8/9In view of the fact that the violation of Article 5(1)(c) of the DGPS concerns a fundamental principle in data processing and that the violation of Article 6(1) of the DGPS is of such a nature that there is therefore no valid legal basis on which to base the data processing, the Litigation Chamber imposes an administrative fine of €10,000. Under article 83.2. of the DGMP, in particular the nature and gravity of the two violations, the Litigation Chamber considers that this sanction is justified. Failure to comply with the relevant provisions of the DGPS must be considered as gross negligence having a considerable impact not only on the processing of the complainant's data, but also on the processing of all the defendant's customers, in the absence of an alternative for the creation of the customer file on the basis of the electronic identity card, in the absence of valid consent and in view of excessive data processing. Information to the data subject Regarding the other findings of the Inspection Service, namely: (a) the contradiction between the defendant's assertion that there is no communication of data to third parties whereas the privacy statement indicates that transfers are possible within the European Economic Area to affiliated companies.(b) the lack of clear information to the data subject, in particular as regards the legal basis and the storage period, the Litigation Chamber takes note of the fact that the defendant acknowledges that these can rightly be considered as breaches of the DGPS and declares that additional measures will be taken in the short term to bring the data processing into conformity with the DGPS.The Litigation Chamber declares on the basis of the foregoing that the violation of Articles 13.1.c), 13.1.e) and 13.2.a) of the DGPS must be considered as proven following the findings of the Inspection Service and that it is appropriate to order that the processing be brought into conformity with these Articles of the DGPS. 9/9 BY THESE REASONS, the Litigation Chamber of the Data Protection Authority decides, after deliberation, to impose sanctions concerning the violation of Articles 5.1. c); 6.1. ; 13.1. c); 13.1. e) and 13.2. a) of the GDR:- pursuant to Article 100, § 1, 9° of the ICA, to order the respondent to bring the processing into conformity with Article 5.1. c), Article 6.1., Article 13.1. c), Article 13.1. c), Article 13.1. e) and Article 13.2. a) of the DGPS pursuant to Article 101 of the ICA, to impose an administrative fine of 10,000 euros following the infringement of Article 5.1. c) and Article 6.1. of the DGPS. -to publish this decision on the website of the Data Protection Authority, pursuant to Article 100, § 1, 16° of the ICA, certainly after anonymisation, pursuant to Article 108, § 1 of the Law of 3 December 2017, this decision may be appealed within thirty days of notification to the Court of Contracts, with the Data Protection Authority as respondent