Loyalty cards and schemes: can the eID be used in Belgium?

On 17 September 2019, the Belgian Data Protection Authority fined a merchant for requiring the electronic identity card (eID) to create a loyalty card. However, the imposed fine of € 10,000 was later annulled by the Market Court because the new eID legislation could not be applied retroactively. Under the new eID legislation, can an organization read the eID for a loyalty card or other loyalty schemes electronically?

1. Rules on the use of the eID 

1.1. What personal data may be used?

The eID contains various personal data. It follows from the eID legislation (Article 6 of the Act of 19 July 1991) that a distinction must be made between certain more sensitive personal data and other personal data on the eID.

1.1.1. More sensitive personal data

The national register number and the photograph of the eID holder are considered to be more sensitive data and should therefore not be processed arbitrarily. Processing them is only allowed to the extent that it is permitted by a law, a decree or an ordinance. The digital image of a fingerprint on the new eID is only accessible to competent public authorities.

An example of such a regime is the Act of 8 August 1983. This law stipulates that, in principle, the use of the national register number requires authorisation from the FPS Home Affairs (General Directorate for Institutions and Population). However, this authorisation is not required for the simple identification and authentication of a natural person in the context of an IT application, provided that the national register number is only read and not stored.

1.1.2. Other personal data

Other, less sensitive, personal data on the eID, such as the name or gender of the holder, may be processed as long as such processing is in accordance with the GDPR and other applicable data protection legislation.

It makes little difference whether these personal data are collected with the naked eye or by reading the eID, but the eID will have to be read electronically in order to collect certain personal data. For example, the holder's address can only be found on the chip of the eID.

1.2. Consent

The eID legislation also provides that the freely given, specific and informed consent of the holder is required for reading or using the eID. It goes without saying that the police or an authorised private actor identifying a person by means of the identity card are not subject to the same consent requirement.

For consent to be freely given, the holder must be able to refuse without being put at a disadvantage. In the context of a loyalty card, an alternative must be provided (see below). The law does not, however, require explicit or written consent, which means that consent could be deduced from the voluntary handing over of the eID.

In addition, the holder must always be informed in accordance with the GDPR, for example about the purpose of processing.

2. Using the eID for a loyalty card?

2.1. Provide an alternative

The eID legislation stipulates that there has to be an alternative to the use of the eID if an advantage or service is offered via the eID in the context of an IT application. Parliamentary documents mention that it is irrelevant that this alternative is more annoying to the service provider or the citizen.

It follows from this that the creation of a loyalty card in order to obtain certain discounts must also be possible without having the eID read in electronically. The alternative could be that the customer shows his or her eID without having it read electronically.

2.2. Points of attention

When offering a loyalty card or a loyalty scheme, the following points of attention are important.

  • Valid consent: ensure that consent is freely given, specific and informed when reading the eID. Inform the client by means of a transparent privacy statement that complies with the GDPR.
  • Alternative offer: provide an alternative if the customer does not wish to have his or her eID read electronically.
  • Data minimisation: in the context of a loyalty card or loyalty scheme, it is important that the principle of data minimisation is observed. This means that only the relevant personal data may be processed. For example, for the granting of an advantage by means of a loyalty card, the gender of the customer does not matter. However, the analysis may be different in the context of a loyalty scheme. The context is very important here.
  • Other applicable legislation: take into account any other applicable legislation, such as consumer legislation, advertising legislation or anti-discrimination legislation.
  • Verify validity of the identity card: the validity of an eID can be checked by using www.checkdoc.be. This website of the Federal Public Service for Home Affairs makes it possible to check whether an eID has been reported as lost, stolen, invalid, expired or not issued.

Do you still have questions about the electronic identity card (eID) or about your loyalty card or loyalty scheme and the associated processing of personal data? Please contact Timelex.