On 17 September 2019, the Belgian Data Protection Authority fined a merchant for requiring the electronic identity card (eID) to create a loyalty card. However, the imposed fine of € 10,000 was later annulled by the Market Court because the new eID legislation could not be applied retroactively. Under the new eID legislation, can an organization read the eID for a loyalty card or other loyalty schemes electronically?
The eID contains various personal data. It follows from the eID legislation (Article 6 of the Act of 19 July 1991) that a distinction must be made between certain more sensitive personal data and other personal data on the eID.
The national register number and the photograph of the eID holder are considered to be more sensitive data and should therefore not be processed arbitrarily. Their processing is only allowed to the extent that it is permitted by a law, a decree or an ordinance. The digital image of a fingerprint on the new eID is only accessible to competent public authorities.
An example of such a regime is the Act of 8 August 1983. This law stipulates that, in principle, the use of the national register number requires authorisation from the FPS Home Affairs (General Directorate for Institutions and Population). However, this authorisation is not required for the simple identification and authentication of a natural person in the context of an IT application, provided that the national register number is only read and not stored.
Other, less sensitive, personal data on the eID, such as the name or gender of the holder, may be processed as long as such processing is in accordance with the GDPR and other applicable data protection legislation.
It makes little difference whether these personal data are collected with the naked eye or by reading the eID, but the eID will have to be read electronically in order to collect certain personal data. For example, the holder's address can only be found on the chip of the eID.
The eID legislation also provides that the freely given, specific and informed consent of the holder is required for reading or using the eID. It goes without saying that the police or an authorised private actor identifying a person by means of the identity card are not subject to the same consent requirement.
In order to be able to speak of freely given consent, it has to be possible for the holder to refuse without being put at a disadvantage. In the context of a loyalty card, this means that an alternative must be provided (see below). The law does not, however, require explicit or written consent, which means that consent could be deduced from the voluntary handing over of the eID.
In addition, the holder must always be informed in accordance with the GDPR, for example about the purpose of processing.
The eID legislation stipulates that there has to be an alternative to the use of the eID if an advantage or service is offered via the eID in the context of an IT application. Parliamentary documents mention that it is irrelevant that this alternative is more annoying to the service provider or the citizen.
It follows from this that the creation of a loyalty card in order to obtain certain discounts must also be possible without having the eID read electronically. The alternative could be that the customer shows his or her eID without having it read electronically.
When offering a loyalty card or a loyalty scheme, the following points of attention are important.
Do you still have questions about the electronic identity card (eID) or about your loyalty card or loyalty scheme and the associated processing of personal data? Please contact Timelex.