Freedelity – Violation Found (Belgium, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Freedelity was investigated for sharing personal data without clear consent. The Belgian data protection authority looked into how Freedelity collected and shared information from users' electronic ID cards. This case serves as a reminder for companies to be transparent about data sharing practices.
What happened
Freedelity was investigated for collecting and sharing personal data from users' electronic ID cards without proper transparency.
Who was affected
Consumers whose personal data was collected and shared by Freedelity with other brands.
What the authority found
The authority found no violations but highlighted concerns about how Freedelity handled personal data collection and sharing.
Why this matters
This case shows that companies must be clear about how they collect and share personal data. Website operators should ensure they communicate their data practices effectively to users.
Original data from scraper before AI verification against source document.
After a Belgian journal published an article on the data sharing from Freedelity to other brands, the Belgian DPA started an investigation. Freedelity, the controller, is a company offering technological means to simplify the shopping experience of consumers by collecting and storing the personal data present in Belgian electronic ID cards. This makes it possible to centralise the commercial information and offers from different brands to consumers, such as loyalty cards and background log information of previous purchases. The data processed is stored in a central filing system, accessible to other brands and not only to the controller.
Three main points were raised in the investigation. First, the collection of personal data, more specifically identification data and contact data. Second, the sharing of such personal data. Third, the transfer of personal data stored in the central filing system to third parties.
The DPA started its decision by explaining which type of data processing happened. First, there was a collection of personal data, not only directly from the clients through the scanning of their electronic ID, but also by the controller, both through its application and website, including its cookies, and by subscriptions to the central filing system. Second, there has been sharing of personal data between the controller and other companies, where the controller shared and updated all personal data of customers subscribed to the controller's service, in exchange for advertisement of the controller's website.
The court found that the data collection and sharing are two inextricably linked practices, as the purpose of data collection from electronic IDs is to allow the constant growth of the central filing system. Therefore, the DPA considered it appropriate to examine whether or not the controller and the companies providing the other brands acted as joint controllers in the context of this decision. The DPA considered the determination of, first, the purposes o
Outcome
Violation Found
The DPA found a violation but did not impose a fine.
Related Enforcement Actions (0)
No other enforcement actions found for Freedelity in BE
This is the only recorded action for this entity in this jurisdiction.
About this data
Cite as: Cookie Fines. Freedelity - Belgium (2024). Retrieved from cookiefines.eu