The Belgian Data Protection Authority imposes fine for misuse of customer’s eID

Misuse of eID fined by Belgian DPA


On 28 August 2018 the Belgian Data Protection Authority (DPA) received a complaint from a data subject regarding the use of his eID for the creation of a loyalty card. In order for the merchant to create such a loyalty card, the customer had to provide his eID (along with the personal data contained in it).

After the inspection service of the DPA finalized its investigation report, the dispute chamber issued its judgment on 17 September 2019, stating that the merchant had violated the provisions of the General Data Protection Regulation 2016/679 (GDPR), and imposed a fine of 10.000 EUR.

In its judgment, the Belgian DPA decided that the actions of the merchant were in clear violation of the principles of data minimization and lawfulness.

a. Data minimization principle

The DPA ruled that for the creation of a loyalty card it is not relevant, and certainly not necessary, that the merchant also processed the data subject’s national registry number, gender, date of birth, etc. (all contained in the eID). 

b. Lawfulness principle

Furthermore, the DPA concluded that the principle of “lawfulness” was also breached by the merchant. The Belgian law regarding the use of identity cards[1] clearly states that the national security number and photo of the holder of the eID can only be used where the law (i.e. decree, ordonnance, legal act) has explicitly stipulated this.

Moreover, the eID can only be used and read if the data subject has given their free, specific and informed consent as holder of the eID. Since no alternative procedure was developed by the merchant for the creation of a loyalty card, the DPA considered that consent was not freely given (as is required under the GDPR).

As a result, the DPA considered these violations by the merchant to amount to gross negligence and punished the merchant with a fine of 10.000 EUR. Finally, the merchant is instructed to take additional actions with respect to informing the data subject of any personal data being transferred.

[1] The Act of 19 July 1991 on population registers, identity cards, aliens’ cards and residence documents, as applicable with effect from 23 December 2018.
