An identity card is not a customer card

You probably have barely any cash left in your wallet, but all the more customer cards. With some cards you get an immediate discount. Other cards give you an overview of your purchases, so you no longer receive a paper receipt at the cash register. And finally there are the cards with which you can collect points. Why not have everything put on one card: your identity card?

The local liquor store

A drinks retailer offered its customers a discount based on the purchases made – in other words, a points system. But instead of offering the customers yet another plastic card, the retailer asked them to put their identity card in the card reader.

A customer with principles, however, refused to hand over his identity card but still demanded the discount. And so the case came to the Data Protection Authority (DPA). The DPA is an independent body that monitors compliance with the basic principles of the protection of personal data. Those basic principles are contained in a European Regulation of 2016, known as the GDPR: the General Data Protection Regulation. You can therefore contact the DPA if you believe that your privacy has been violated.

DPA and Marktenhof

The DPA was particularly strict on the liquor trader.
An identity card contains a lot of information that is not relevant for a discount on drinks. In addition to your full name, it contains your date and place of birth, your gender… and also your National Register Number.

The GDPR is strict with regard to the use of all kinds of personal data, but the National Register Number falls under a different regulation and that is even stricter.

Although it is very tempting to use the National Register Number as a unique identification number for your customers, its use for commercial purposes is also very strictly prohibited.

The DPA decided to impose a fine of 10.000 on the drinks trader:

for violation of the minimum data collection rules. That is: you may not collect more data than is strictly necessary; and

due to a lack of consent to the processing of that data.

The Marktenhof, an appeal body under which the DPA also falls, thought this was exaggerated. After all, the liquor dealer hadn't been given the data... So how could he have committed an offence?

Moreover, the customer had a choice, according to the court. If he did not want the data to be processed, he did not have to insert the card into the card reader. The fact that he then missed the discount was indeed a consequence of that refusal, but it was not in itself sufficient to say that the customer had no choice.

Ultimately, the case was brought before the Court of Cassation. And that supreme judicial body of our country aligns itself with the view of... the DPA.

Nothing has happened...

Initially, there was the question of whether you can file a complaint with the DPA if no violation has occurred. After all, the drinks merchant had not received the identity card.

The Court of Cassation answers in the affirmative: any person who believes that his rights under the GDPR have been infringed has the right to file a complaint, after which the inspection service of the DPA can take action or not.
The fact that the personal data have not actually been processed is irrelevant.

If the inspection service determines that the principles of the GDPR have not been respected, it can take action. In this case the inspection established that the drinks merchant kept all the details of the identity cards. Most of the data collected in this way was not necessary for the discount.


But if a customer inserts his identity card into a card reader, does he not grant permission for the processing of that data?

The Court of Cassation needs a detour to get there, but the conclusion is that the customers do not grant permission for the processing of all data with this action. The reasoning behind this is that by only granting a discount when the identity card is inserted into the card reader, the customers do not actually have a choice. And if there is no choice, there is no free consent either.

The Marktenhof's reasoning that the customer suffered no real disadvantage, only that he could not get the discount, is rejected by the Court of Cassation: missing out on an advantage also leads to a restriction of free choice.

Minimal data collection and alternative

Using the identity card as a customer card is not prohibited in itself. But the data retrieved must meet the minimum data collection requirements.
The customer’s name seems to be about the maximum information that you can obtain from the card. You may add some other information yourself, such as a telephone number or e-mail address.

If you wish to download additional data, such as date of birth or place of residence, you must ask for permission.

It's also not a bad idea to offer an alternative: apps where customers have to fill in their own data, an old-fashioned stamp card or just another plastic card... Plenty of choice.