Violation of free consent, even without data processing
What you need to know.
Both the Belgian Data Protection Authority (“DPA”) and the Belgian Markets Court (in Dutch only) have previously ruled on the use of electronic identity cards (“eID”) to create a loyalty card that entitles customers to discounts. The Belgian Supreme Court has now also addressed this issue in a recent judgment (in Dutch only). The case in question contains interesting insights into the rights of data subjects, the principle of data minimisation and free consent that may also be relevant outside of Belgium.
As such, the Supreme Court states that data subjects can exercise their rights (e.g. the right to data minimisation) even if their personal data have not been processed. If a data subject refuses his or her consent (and therefore refuses the processing) precisely because of an alleged infringement, and as a result thereof has not obtained an advantage or service, there may still be a breach of the GDPR if the supervisory authority were to determine after investigation that the practice actually does constitute an infringement. According to the Court, there is indeed an infringement of the GDPR when the data subjects are obliged to have their personal data processed according to an infringing practice so that they can enjoy an advantage or service. Based on a recent decision (in Dutch only), the Belgian DPA does not seem to apply this case-law if there is indeed another possibility to make use of such service that does not infringe the GDPR. In that case, the DPA ruled that the data subject did not have any interest that justified filing a complaint, and therefore dismissed it.
Furthermore, the Supreme Court further nuances the Markets Court's position on the concept of 'free' consent. The Markets Court seemed to have concluded that missing out on a possible extra advantage (i.e. the discounts) could never be regarded as a negative consequence. According to the Markets Court, this would be different if the consent is linked to the acquisition or retention of a legal or contractual right (e.g. the right to a guarantee). The Supreme Court however states that the loss of an advantage or service in the event of refusal of consent can lead to consent that has not been freely given. The Markets Court has been instructed to review this matter once again in concreto.
What you need to do.
If a data subject believes that he or she cannot freely consent to the processing, for example because your company does not respect the principles of data minimisation or integrity and confidentiality, he or she has the right to lodge a complaint with the competent data protection authority. Actual processing of his or her personal data is not required to demonstrate a genuine interest in filing the complaint, but the refusal of the processing must relate to his or her personal data and must result in him or her being unable to enjoy the service or advantage.
If your company wishes to use the eID as a loyalty card, you must observe the principle of data minimisation. Only the personal data that are actually necessary for the creation and management of the loyalty card may be read. Special attention must be paid to reading out the national register number, the image and the fingerprints. The processing of these data is subject to strict conditions.
In order to exercise their rights under the data minimisation principle, it is necessary for data subjects to know exactly what personal data are being used for which purposes, for how long they are retained, and to whom they may be transferred. Properly including this information in your privacy statement and making this document accessible prior to processing is extremely important.
In Belgium, for the purpose of a loyalty card the eID may only be read or used with the free, specific and informed consent of its holder. In addition, it is also mandatory to provide an alternative. For example, for the creation of your loyalty cards you can also offer a procedure for the manual registration of customer data, about which you must also inform the data subject with sufficient clarity.
Finally, if you attach discounts to the use of a loyalty card (and the associated processing of personal data), it is appropriate to examine whether (and document that) the loss of such discounts if a data subject does not wish to share personal data does not entail any “detriment”. The EDPB also confirms that the GDPR does not preclude all incentives to obtain consent, but that it is up to your company to demonstrate that consent has been freely given in all the circumstances.
We are looking forward to the judgment of the Markets Court, which now has to replace the one annulled by the Supreme Court. We will be sure to keep you informed on further developments.
Please consult our website or contact one of our team members if you have questions or require more information: