The app Freedelity is being sanctioned for the way it handles data from Belgian consumers. The company offers loyalty cards linked to your identity card.
The Belgian Data Protection Authority (GBA) is giving Freedelity a public slap on the wrist in a press release. The company behind the MyFreedelity app is said to be “intrusive and non-transparent” in its collection of data from Belgian consumers, thus violating GDPR legislation. Freedelity is being ordered to comply within a four-month period, under penalty of fines.
Identity card as a loyalty card
Freedelity’s business model is based on offering loyalty cards based on identity cards. Anyone who creates an account basically agrees to share their identity card with Freedelity and companies that have subscribed to the company’s services. In participating stores, your card will be read. Major brands such as MediaMarkt use myFreedelity.
The GBA finds that the consent that Freedelity and its partners obtain from consumers does not meet the requirements of the GDPR. For example, consent is sometimes implied when a consumer scans their ID card, which does not meet the requirements of unambiguity and specificity. Mechanisms to withdraw consent are also insufficiently user-friendly. In addition, Freedelity collects redundant data such as the national registry number and stores it for eight years, which is excessively long, according to the GBA.
Freedelity is urged to adjust its practices. For example, the company must ensure clear and specific consent mechanisms, including simple options to revoke consent. Also, the collection of non-essential data should stop and unnecessary data should be deleted. Finally, data retention periods should be limited to three years after a consumer’s last activity.
Penalty payments
Freedelity has until 30 days after the decision to appeal and four months to make the requested changes. If the company remains in default, it risks penalties of up to 5,000 euros per day.
The company will appeal what it describes as a “witch hunt. “We have been processing data on more than seven million Belgians for 15 years and there has never been an admissible complaint,” CEO Sebastian Buyse told Gazet van Antwerpen. The CEO also denounces the timing of the ruling just before Black Friday, the high mass of online retail.
GDPR fines are rather scarce in Belgium. Since the privacy law went into effect, the GBA has issued some 40 fines. High workload at the privacy watchdog means that not all complaints can be dealt with in time. Freedelity did not escape the dance.