Belgium: Belgian DPA orders €5,000 daily fine and corrective measures to Freedelity for GDPR violations
On November 28, 2024, the Belgian Data Protection Authority (Belgian DPA) issued its decision no. 146/2024, in which it imposed corrective measures on Freedelity S.A. and a fine of €5,000 for each day of non-compliance due to violations of the General Data Protection Regulation (GDPR).
Background to the decision
The Belgian DPA initiated an investigation into Freedelity following a request from the Belgian DPA's management committee in 2019. The Belgian DPA noted that Freedelity collects, directly or via partners, information about consumers, which is provided, among other things, via the electronic reading of their identity card (eID). This data is made available to retailers who use Freedelity's services to store and use their customers' data for marketing and customer relationship management purposes.
Findings of the Belgian DPA
Following its investigations, the Belgian DPA found that Freedelity failed to comply with its obligations under the GDPR, particularly:
- not obtaining valid consumer consent: the Belgian DPA concluded that Freedelity's consent mechanisms did not meet all the conditions of the GDPR;
- breach of the principles of data minimization and Privacy by Default: Freedelity was found to collect excessive personal data beyond the stated purpose of its data processing. Additionally, the Belgian DPA found that the centralization of data directly from the chip of the eID card poses a major risk to the privacy of millions of consumers concerned; and
- breach of the principle of storage limitation: Freedelity had an eight-year retention period for the data it collected, which was considered excessive and unjustified by the Belgian DPA.
Thus, the Belgian DPA concluded that Freedelity violated Articles 4(11), 5(2), 7(3), 24, and 25 of the GDPR.
Outcomes
In light of the above, the corrective measures imposed by the Belgian DPA on Freedelity include:
- establishing mechanisms for collecting consent that meet legal requirements, in particular by:
  - ensuring that access to commercial benefits is not dependent on the acceptance of additional processing or non-essential conditions;
  - informing consumers clearly and comprehensibly about the purposes of any processing in order to clarify their consent; and
  - implementing mechanisms enabling individuals to express their consent unambiguously and specifically for the different purposes of processing;
- establishing direct and accessible mechanisms for withdrawing consent;
- stopping the collection and processing of consumer identity card data that is not essential for the purposes pursued, as well as deleting unnecessary data collected in the past; and
- limiting the retention period of the data to a maximum of three years from the last activity carried out by the consumer, and deleting data retained for longer than three years.
Additionally, the Belgian DPA imposed a fine of €5,000 for each day of non-compliance with the above, up to a maximum of €100,000.
You can read the press release in French here and in Dutch here, and the decision, only available in French, here.