Asking to read an electronic ID card as a condition for the provision of a service (issuing a rewards/loyalty card) is disproportionate and in violation of GDPR, says the Belgian data protection authority.  The company was fined €10,000.

Key takeaways also relevant to authentication/collection under GDPR and CCPA:
  • Information you collect to identify an individual needs to be proportionate to the purpose for which it is used.
  • Reading and use of all data from the electronic identity card which contains name, first name, address, etc., but also the photo and the barcode that is linked to the National Register number – is excessive and disproportionate for the purpose of a commercial service (like issuing a loyalty card).
  • To be valid as a legal basis, consent needs to be freely given. If no other option is provided – this is not freely given.
  • In this case if the customer refused to allow his electronic id card to be used, he/she would be penalized and will not be able to enjoy the benefits and discounts because he/she would not be offered an alternative.

Read the full decision.