Greetings from Brussels!

I was in discussion recently with a Belgian friend regarding the Belgian DPA and its enforcement of the GDPR. One comment I heard, which I think is a fair one, is that there’s notably less media attention given here to GDPR infringement and enforcement and to the DPA, in general, compared to other EU member states. That aside, I did find the details of one recent enforcement that may be of interest to you.

On 19 Sept., the dispute chamber of the Data Protection Authority imposed an administrative fine of 10,000 euros for a GDPR breach by a merchant retailer that required an electronic identity card to create a loyalty card as part of its commercial offering. Interestingly for the anglophones among you and to put into context, in Belgium as in other continental European countries, such as France, there is a national identity card that one is legally obligated to carry on their person at all times. Invariably, the ID card can and is used as a confirmation of identity in both public (administration) and commercial scenarios; the card also contains a readable chip with additional personal data.

In this particular investigation, the DPA found that the practice of requiring access to the ID card as conditional to the loyalty scheme did not comply with GDPR’s standards on the grounds of (a) data minimization, as the electronic identity card contains much more information about the data subject than is necessary for the purposes of creating a loyalty card; and (b) consent, because customers were not offered a real (alternative) choice on whether they should provide access to the data on their electronic identity card in exchange for a loyalty card. As a result, the customers’ consent was not considered as freely given and therefore invalid. Furthermore, the DPA also found that the merchant had not sufficiently informed the complainant customer about the extent of its data-processing activities and thereby violated its information duties under the GDPR. A decent summary of the case is summarized by IAPP member Maarten Stassen, partner (and a colleague) at Crowell & Moring law firm.

The Belgian DPA also released an explanatory statement at the time. Hielke Hijmans, the president of the dispute chamber, stated, "Companies or merchants need to take a more conscientious approach when they claim all kinds of personal data for a service, especially in the absence of valid customer consent. GDPR provides principles and obligations that must serve as a guideline for the proper processing of personal data." David Stevens, the DPA president, added, "This decision is an important new step in the road to better protecting the privacy of our citizens."

On another note, if you haven’t done so already, do take a look at the insightful and concise analysis of the ongoing EU member state review of the GDPR, by IAPP Senior Westin Fellow Müge Fazlioglu. I have to agree with Müge, it will be important and of great interest for privacy pros to follow the Article 97 process until 25 May 2020, as the European Commission prepares its first evaluation and review of the GDPR.