Privacy Talk

Pdf version Archive Subscribe
Your business • October 2021

Violation of free consent, even without data processing

What you need to know.

Both the Belgian Data Protection Authority (“DPA”) and the Belgian Markets Court (in Dutch only) have previously ruled on the use of electronic identity cards (“eID”) to create a loyalty card that entitles customers to discounts. The Belgian Supreme Court has now also addressed this issue in a recent judgment (in Dutch only). The case in question contains interesting insights into the rights of data subjects, the principle of data minimisation and free consent that may also be relevant outside of Belgium.

As such, the Supreme Court states that data subjects can exercise their rights (e.g. the right to data minimisation) even if their personal data have not been processed. If a data subject refuses his or her consent (and therefore refuses the processing) precisely because of an alleged infringement, and as a result thereof has not obtained an advantage or service, there may still be a breach of the GDPR if the supervisory authority were to determine after investigation that the practice actually does constitute an infringement. According to the Court, there is indeed an infringement of the GDPR when the data subjects are obliged to have their personal data processed according to an infringing practice so that they can enjoy an advantage or service. Based on a recent decision (in Dutch only), the Belgian DPA does not seem to apply this case-law if there is indeed another possibility to make use of such service that does not infringe the GDPR. In that case, the DPA ruled that the data subject did not have any interest that justified filing a complaint, and therefore dismissed it.  

Furthermore, the Supreme Court further nuances the Markets Court's position on the concept of 'free' consent. The Markets Court seemed to have concluded that missing out on a possible extra advantage (i.e. the discounts) could never be regarded as a negative consequence. According to the Markets Court, this would be different if the consent is linked to the acquisition or retention of a legal or contractual right (e.g. the right to a guarantee). The Supreme Court however states that the loss of an advantage or service in the event of refusal of consent can lead to consent that has not been freely given. The Markets Court has been instructed to review this matter once again in concreto.

What you need to do.

If a data subject believes that he or she cannot freely consent to the processing, for example because your company does not respect the principles of data minimisation or integrity and confidentiality, he or she has the right to lodge a complaint with the competent data protection authority. Actual processing of his or her personal data is not required to demonstrate a genuine interest in filing the complaint, but the refusal of the processing must relate to his or her personal data and must result in him or her being unable to enjoy the service or advantage.   

If your company wishes to use the eID as a loyalty card, you must observe the principle of data minimisation. Only the personal data that are actually necessary for the creation and management of the loyalty card may be read. Special attention must be paid to reading out the national register number, the image and the fingerprints. The processing of these data is subject to strict conditions.

In order to exercise their rights under the data minimisation principle, it is necessary for data subjects to know exactly what personal data are being used for which purposes, for how long they are retained, and to whom they may be transferred. Properly including this information in your privacy statement and making this document accessible prior to processing is extremely important. 

In Belgium, for the purpose of a loyalty card the eID may only be read or used with the free, specific and informed consent of its holder. In addition, it is also mandatory to provide an alternative. For example, for the creation of your loyalty cards you can also offer a procedure for the manual registration of customer data, about which you must also inform the data subject with sufficient clarity.    

Finally, if you attach discounts to the use of a loyalty card (and the associated processing of personal data), it is appropriate to examine whether (and document that) the loss of such discounts if a data subject does not wish to share personal data does not entail any “detriment”. The EDPB also confirms that the GDPR does not preclude all incentives to obtain consent, but that it is up to your company to demonstrate that consent has been freely given in all the circumstances.

We are looking forward to the judgment of the Markets Court, which now has to replace the one annulled by the Supreme Court. We will be sure to keep you informed on further developments.

Please consult our website or contact one of our team members if you have questions or require more information:

Have a look at our 'GDPR toolkit'

GDPR toolkit

Receive our ‘Privacy Talk’ directly in your inbox

Subscribe

Discover the previous issues in our Archive

Archive
In the Picture - November 2024

Nuts and bolts: the new EU repair rules
Books

Burgerlijk wetboek / Code civil
Articles

FIFA moet transferregels aanpassen na uitspraak Hof van Justitie in zaak-Diarra
More Newsletter

Log into your account

Forgot password? Not a member yet?

Forgot password?

Request a new password by providing your email address.

Log into your account

Password reset

Enter your new password.

Password registration

Enter a password to protect you personal pages.

Activate your account

Activate your account by providing your email address.

Thanks

You will receive an email with a link to enter a new password.

Close

Thanks

Your new password is successfully saved.

Close
Close

Cookies

This website uses cookies to improve your browsing experience and to better tailor the website to your preferences. For more information about cookies and the list of cookies used on this website, see our Cookie Statement.

Below you can indicate your cookie preferences:

ON

Essential cookies are cookies that are necessary for the correct functioning of the website (e.g., to avoid overload on the website, keeping it functional and accessible). These cookies can be placed without your consent.

ON

Functional cookies are cookies that are necessary to improve your browsing experience or to provide a functionality explicitly requested by you (e.g. remembering your settings). These cookies can also be placed without your consent.

Analytical cookies are cookies that collect information about how you use the website to improve search engine hits and the functioning of the website (e.g. we see how visitors move around the website when they are using it to ensure that visitors find what they are looking for easily). These cookies are only placed if you have given your consent.

Advertising cookies are cookies that collect information about your surf and search behaviour in order to offer you personalised advertising in ad spaces on websites based on your personal interests. These cookies are only placed if you have given your consent.

Social media cookies are cookies that make it possible to share certain features from the website on social media networks (e.g. Facebook). Furthermore, these cookies collect information about your surf and search behaviour on the website in order to offer you personalised promotions and advertising about our products on these social media networks. These cookies are only placed if you have given your consent. It is possible that these social media networks also use the information they collect through these cookies for their own purposes. You can find more information about this in the privacy statements of the respective social media networks.

   

You can always change these preferences via your Cookie preferences.