The Belgian Data Protection Authority, known as the GBA, has issued a directive to Freedelity, a Belgian firm specializing in managing consumer identity and contact data, to align its operations with the General Data Protection Regulation (GDPR) mandates. This move comes after the GBA found that Freedelity’s data processing consent practices and its application of data minimization principles fall short of GDPR requirements.
Key Findings from the Investigation:
– Inadequate Consent Practices: The investigation revealed that the consent obtained by Freedelity did not meet GDPR standards. Consent must be freely given, informed, specific, unambiguous, and revocable. However, Freedelity and its retail partners often fail to ensure that these conditions are met. For instance, consumers are pressed to accept Freedelity’s terms to gain commercial advantages, and information about data sharing among partners is often not explicitly disclosed.
– Data Minimization and Protection Defaults: Freedelity was found to be collecting excessive information, including data not necessary for its specified purposes. The GBA identified the retention of information such as identity card numbers and issuance municipalities, pointing out the lack of necessity for these data points in customer-retailer relationships.
– Excessive Data Retention: The company’s practice of retaining consumer data for eight years was deemed excessive. The oversight body noted that this duration far exceeds what is necessary for the intended marketing purposes, violating GDPR’s storage limitation principle.
Corrective Measures Enforced:
The GBA has demanded several remedial actions from Freedelity, including:
– Instituting mechanisms to gather consent that meet GDPR criteria, ensuring that no commercial services are contingent upon unnecessary data processing consents.
– Providing clear information to consumers about each data processing purpose prior to consent collection.
– Implementing systems that allow clear, specific consent for various data processing purposes and enable easy consent withdrawal.
– Ceasing the collection and processing of non-essential consumer identity data and erasing previously gathered unnecessary information.
– Reducing the data retention period to a maximum of three years post-consumer activity, with a mandate to remove data exceeding this timeframe.
Fulfilling these measures demands a significant overhaul of Freedelity’s business model, with compliance to be achieved within four months. The company also faces potential fines of up to 5,000 euros per day if compliance is not achieved. Furthermore, Freedelity has a 30-day window to appeal the decision.
The steps initiated by the GBA underscore the importance of rigorous adherence to data protection laws, particularly where consumer identity information is utilized extensively for customer relationship and marketing strategies.
Original source link: [https://www.gegevensbeschermingsautoriteit.be/burger/identiteitskaart-als-klantenkaart-de-gba-beveelt-freedelity-te-voldoen-aan-de-avg]