On 28 August 2018 the Belgian Data Protection Authority (DPA) received a complaint from a data subject regarding the use of his eID for the creation of a loyalty card. In order for the merchant to create such loyalty card the customer had to provide his eID (along with the personal data contained in it).
After the inspection service of the DPA finalized its investigation report the dispute chamber issued its judgement on 17 September 2019 stating that the merchant had violated the provisions of the General Data Protection Regulation 2016/679 (GDPR) and imposed a fine of 10.000 EUR.
In its judgment, the Belgian DPA decided that the actions of the merchant were in clear violation of the principles of data minimization and lawfulness.
The DPA ruled that for the creation of a loyalty card it is not relevant, and certainly not necessary, that the merchant also processed the data subject’s national registry number, gender, date of birth, etc. (all contained in the eID).
Furthermore, the DPA concluded that the principle of “lawfulness” was also breached by the merchant. The Belgian law regarding the use of identity cards clearly states that the national security number and photo of the holder of the eID can only be used in case the law (i.e. decree, ordonnance, legal act) has explicitly stipulated this.
Moreover, the eID can only be used and read if the data subject has given their free, specific and informed consent as holder of the eID. Since no alternative procedure was developed by the merchant for the creation of a loyalty card the DPA considered that consent was not freely given (as is required under the GDPR).
As a result, the DPA considered these violations by the merchant to be of gross negligence and punished the merchant with a fine of 10.000 EUR. Finally, the merchant is instructed to take additional actions with respect to informing the data subject of any personal data being transferred.
 The Act of 19 July 1991 on population registers, identity cards, aliens’ cards and residence documents, as applicable with effect from 23 December 2018.