Freedelity – Violation Found (Belgium, 2024)

After a Belgian journal published an article on the data sharing from Freedelity to other brands, the Belgian DPA started an investigation. Freedelity, the controller, is a company offering technological means to simplify the shopping experience of consumers, by collecting and storing the personal data present in Belgian electronic ID cards. This allows to centralise the commercial information and offers from different brands to consumers, such as loyalty cards and background log information of previous purchases. The data processed is stored in a central filing system, accessible to other brands other than only the controller. Three main points were raised in the investigation. First, the collection of personal data, more specifically identification data and contact data. Second, the sharing of such personal data. Third, the transfer of personal data stored in the central filing system to third parties. The DPA started its decision by explaining which type of data processing happened. First, there was a collection of personal data, not only directly from the clients through the scanning of their electronic ID, but also by the controller, both through its application and website, including its cookies, and by subscriptions to the central filing system. Second, there has been sharing of personal data between the controller and other companies, where the controller shared and updated all personal data of customers subscribed to the controller´s service, in exchange for advertisement of the controller´s website. The court found that the data collection and sharing are two inextricably linked practices as the purpose of data collection from electronic IDs is to allow the constant growth of the central filing system. Therefore, the DPA considered it appropriate to examine whether or not the controller and the companies providing the other brands acted as joint controllers in the context of this decision. The DPA considered the determination of, first, the purposes o