Gegevensbeschermingsautoriteit (Data Protection Authority) – Court Ruling (Belgium, 2021)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Belgian Supreme Court ruled on a case where a shop required customers to show their ID to join a loyalty program. The court found this practice might violate GDPR rules on data minimization and consent. This case matters because it emphasizes that consent must be freely given and not tied to unnecessary data collection.
What happened
A shop required customers to present their electronic ID to access a loyalty scheme, which was challenged as excessive data processing.
Who was affected
Customers who were asked to provide their electronic ID to participate in the shop's loyalty program.
What the authority found
The Supreme Court found the shop's practice potentially violated GDPR by not adhering to data minimization and consent requirements.
Why this matters
This ruling reinforces the principle that businesses should not require excessive personal data for services like loyalty programs. It also stresses that consent must be freely given, without penalizing those who refuse to provide unnecessary data.
GDPR Articles Cited
A shop owner tied admission to a loyalty scheme to the presentation of an eID (i.e. a Belgian electronic identity card). A data subject refused to provide his eID, considering that such data processing was excessive and not proportionate when taking into account the purpose of the processing. The data subject further filed a complaint before the Belgian DPA (APD/GBA) for being deprived of the advantages conferred by the loyalty scheme. On 17 September 2019, the Belgian DPA fined the shop owner for requiring customers to present their eID in order to obtain a loyalty card and imposed a fine of €10,000. The shop owner appealed that decision. The imposed fine of €10,000 was later annulled by the Court of Appeal of Brussels, because (i) the new eID legislation could not be applied retroactively ; (ii) the fine was not sufficiently justified and (iii) the data linked to the eID of the Complainant had actually not been processed by the shop owner, since the data subject had refused to provide such eID. The Belgian DPA contested the legality of such a decision before the Supreme Court of Belgium. The Supreme Court annulled the decision of the Court of Appeal of Brussels because it considered that the Court of Appeal did not correctly apply the law. The Supreme Court considered in particular that the Court of Appeal of Brussels erred in law by not properly considering whether the compulsory reading of an identity card as the only mean of creating a customer loyalty card is contrary to the principle of data minimisation under Article 5(1)(c) GDPR, and contrary to the obligation to obtain the freely given consent of the data subject under Article 6(1)(a) GDPR, when refusal to provide such data results into a disadvantage for the data subject (such as not being able to obtain discounts). The Supreme Court stated that the Court of Appeal should have considered the loss of an advantage in assessing whether consent is freely given under GDPR. It also confirmed that the Belgi
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Gegevensbeschermingsautoriteit (Data Protection Authority) in BE
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Gegevensbeschermingsautoriteit (Data Protection Authority) - Belgium (2021). Retrieved from cookiefines.eu
Last updated: