GDPR Fine for merchant

GDPR Fine for merchant

An unnamed Belgian merchant wanted to introduce a loyalty system using the electronic identity card technology. While this is a common practice among merchants and retailers, it is forbidden to collect data that is not directly required to provide the loyalty service. In response to a consumer complaint, the Data Protection Authority issued a GDPR fine. He complained that he was forced to present an ID to receive a loyalty card. The Data Protection Authority found this practice not to be GDPR compliant. Therefore, the Authority issued a 10.000€ GDPR fine.

The merchant violated the GDPR principle of data minimization. Businesses are not allowed to collect data that they do not need for the purpose the data was collected. As ID data was collected that unnecessary for providing the loyalty services, the Data Protection Authority considered this a serious offence.

Sources: sudinfo.be (French)

Decision data:
19.09.2019

Country:
Belgium

Type of Issue:
Illegal data collection

Number of involved data records:
unknown

Special category of data involved:
No

Fine:
€ 10,000,-

Reference: