GDPR Fine for merchant
An unnamed Belgian merchant wanted to introduce a loyalty system using electronic identity card technology. While this is a common practice among merchants and retailers, it is forbidden to collect data that is not directly required to provide the loyalty service. In response to a consumer complaint, the Data Protection Authority issued a GDPR fine. The consumer complained that he was forced to present an ID to receive a loyalty card. The Data Protection Authority found this practice not to be GDPR compliant. Therefore, the Authority issued a 10.000€ GDPR fine.
The merchant violated the GDPR principle of data minimization. Businesses are not allowed to collect data that they do not need for the purpose for which the data was collected. As the ID data collected was unnecessary for providing the loyalty services, the Data Protection Authority considered this a serious offence.
Sources: sudinfo.be (French)
Type of Issue:
Illegal data collection
Number of involved data records:
Special category of data involved:
Violation of GDPR Paragraph:
5. Principles relating to personal data processing