Introduction
In a significant ruling that highlights the stringent requirements of the General Data Protection Regulation (GDPR), the Belgian Data Protection Authority (DPA) has found Freedelity—a company using electronic ID cards (eIDs) for data collection—in violation of several key GDPR provisions. The decision requires compliance within four months, and emphasizes key GDPR principles such as transparency, consent, and data minimization.
Overview of the Ruling
The Belgian DPA's investigation revealed that Freedelity's practices around collecting and processing personal data through eIDs did not meet GDPR standards. The authority stressed the importance of obtaining valid consent, ensuring transparency in data processing activities, and adhering to the principles of data minimization and accountability.
The Key Violations
1. Consent Issues
- Lack of Valid Consent: Freedelity failed to demonstrate that it had obtained explicit, informed, and freely given consent from users for its data processing activities, violating Articles 4(11), 6(1)(a), and 7 of the GDPR.
- Withdrawal of Consent: There were no mechanisms in place to allow users to withdraw their consent easily, breaching Article 7(3).
2. Accountability and Transparency Failures
- Inadequate Documentation: Freedelity did not maintain sufficient records to demonstrate compliance with GDPR requirements, contravening Articles 5(2), 24, and 25.
- Lack of User Information: Users were not adequately informed about how their personal data was being processed, violating the transparency principle (Article 5(1)(a)).
3. Principle of Data Minimization
- Excessive Data Collection: The company collected more personal data than necessary for its stated purposes, infringing Article 5(1)(c).
4. Retention Period Violations
- Unjustified Data Retention: Freedelity could not justify the length of time it retained personal data, breaching Article 5(1)(e).
5. Lack of Adequate Safeguards for Data Processing
- Insufficient Security Measures: The company did not implement appropriate measures to ensure the validity and security of its data collection practices, violating Article 32.
Required Compliance Steps
To rectify these violations, the DPA has instructed Freedelity to undertake the following actions:
1. Consent Practices
- Implement Valid Consent Mechanisms: Ensure that user consent is explicit, specific, informed, and freely given.
- Facilitate Withdrawal of Consent: Provide clear and accessible processes for users to withdraw their consent at any time.
2. Transparency and Documentation
- Revise Privacy Policies: Update privacy notices to clearly explain data collection methods, purposes, usage, and retention practices.
- Maintain Detailed Records: Keep comprehensive records of all data processing activities, including the legal basis for processing, to demonstrate compliance.
3. Data Minimization
- Review Data Collection Practices: Conduct an audit to ensure data collection aligns with the principle of proportionality.
- Limit Data Collection: Collect only the data that is strictly necessary for the intended purposes.
4. Retention Policies
- Define Retention Periods: Establish clear retention periods for all categories of personal data.
- Regular Data Deletion: Implement procedures to regularly review and delete data that are no longer necessary.
5. Technical and Organizational Measures
- Enhance Data Security: Implement appropriate technical and organizational measures to protect personal data against unauthorized access or disclosure.
- Adopt Privacy by Design by Default: Integrate data protection principles into the development of new products and services.
6. Periodic Audits
- Conduct Regular Audits: Perform ongoing internal and external audits to ensure continuous compliance with GDPR requirements.
- Address Compliance Gaps: Promptly rectify any issues identified during audits.
Lessons from the Ruling
This case serves as a critical reminder for organizations processing personal data. By addressing these issues comprehensively, Freedelity can not only achieve compliance but also set a strong precedent for responsible data handling practices.
⮕ Consent Is Paramount: Organizations must obtain valid consent and ensure users are fully informed about data processing activities.
⮕ Transparency Builds Trust: Clear communication about data practices is essential for compliance and fostering user confidence.
⮕ Accountability Is Continuous: Compliance requires ongoing effort and adaptation to evolving regulatory standards.
⮕ Minimization Reduces Risk: Limiting data collection to what is necessary reduces compliance risks and potential penalties.
⮕ Retention Must Be Justified: Data retention practices must align with the purposes for which data are collected and processed.
Analysis of the Data Controller vs. Data Processor Debate and Joint Roles
The Belgian DPA's ruling also clarifies the distinctions and responsibilities associated with Freedelity's role as a data controller, data processor, and potential joint controller. Understanding these roles is crucial under the GDPR framework, as they determine the specific obligations and liabilities of entities involved in data processing.
Key Findings on Roles
1. Freedelity as a Data Controller
Determination of Purposes and Means: Freedelity was deemed a data controller for its "Freedelity file," as it determined the purposes (e.g., creating a centralized customer database) and means (e.g., using eID technology) of processing personal data.
Violations Noted:
- Lack of Compliance Mechanisms: Failure to implement appropriate measures to ensure compliance with GDPR principles such as consent and transparency.
- Insufficient Safeguards: Inadequate measures to demonstrate the lawfulness of processing, violating Article 24.
2. Freedelity as a Data Processor
Processing on Behalf of Clients: In scenarios where Freedelity processed data on behalf of third-party retailers using its platform, it acted as a data processor.
Issues Identified:
- Lack of Contractual Clarity: Absence of sufficient Data Processing Agreements (DPAs) with clients, as required under Article 28.
- Undefined Responsibilities: Failure to specify roles, security measures, and processing instructions.
3. Joint Controllership
Shared Decision-Making: The DPA identified instances of joint controllership where Freedelity and its clients jointly determined the purposes and means of processing.
- Example: Retailers using Freedelity's platform to access and utilize customer data collected via eIDs.
GDPR Requirements:
- Written Arrangements: Under Article 26, joint controllers must establish clear agreements outlining their respective responsibilities.
- Transparency to Data Subjects: The arrangement must be transparent, and information must be provided to data subjects via privacy notices.
Responsibilities and Violations Under GDPR
A. Data Controller Obligations
- Consent and Transparency: Implement robust mechanisms for obtaining consent and providing transparent information to data subjects (Articles 6, 7, and 5(1)(a)).
- Accountability: Maintain documentation to demonstrate compliance (Article 5(2)).
- Data Minimization and Retention: Collect only necessary data and define clear retention periods (Articles 5(1)(c) and 5(1)(e)).
B. Data Processor Obligations
- Act on Instructions: Process data only on documented instructions from the controller (Article 28).
- Security Measures: Implement appropriate technical and organizational measures (Article 32).
- Data Processing Agreements: Ensure agreements are in place outlining processing activities and responsibilities.
C. Joint Controller Obligations
- Define Roles and Responsibilities: Establish clear arrangements regarding their respective GDPR obligations (Article 26).
- Inform Data Subjects: Provide transparent information about the joint controllership arrangement.
Compliance Recommendations
Freedelity can address these challenges and strengthen compliance by focusing on the following actions:
1. Clarify and Document Roles
- Define Roles: Clearly delineate whether it acts as a controller, processor, or joint controller in each processing activity.
- Document Agreements: Formalize these roles in contracts and agreements with clients.
2. Establish Robust Agreements
- Data Processing Agreements: For processor roles, create DPAs that comply with Article 28 requirements.
- Joint Controller Arrangements: For joint controllership scenarios, establish written agreements outlining responsibilities.
3. Enhance Transparency and Communication
- Update Privacy Notices: Ensure that data subjects are informed about the roles of Freedelity and its partners, as well as the purposes and legal bases of processing.
- Clear Communication with Clients: Ensure clients understand their obligations under GDPR.
4. Implement Staff Training
- Educate Employees: Provide training on GDPR roles and responsibilities to ensure staff are aware of compliance requirements.
Lessons Learned
This ruling highlights the importance of accurately identifying and documenting roles under the GDPR. Clear agreements and transparency are essential not only for compliance but also for mitigating risks associated with regulatory scrutiny and potential legal disputes. Organizations must proactively manage their data protection obligations to maintain trust and uphold the rights of data subjects.
In Summary
The Belgian DPA's decision against Freedelity serves as a compelling case study on the importance of GDPR compliance in data processing activities. Organizations must prioritize obtaining valid consent, maintaining transparency, and adhering to principles such as data minimization and accountability. Moreover, accurately identifying and documenting roles—as data controllers, processors, or joint controllers—is essential for fulfilling legal obligations and protecting the rights of data subjects. By implementing the recommended compliance steps, organizations can navigate the complexities of the GDPR and foster trust with users through responsible data handling practices.
Ronni K. Gothard Christiansen // VikingTechGuy
Creator, AesirX.io
Concerned about your website’s compliance?
Does your site collect data or share it with third parties before obtaining valid user consent?
The AesirX Privacy Scanner is a free privacy tool that identifies potential GDPR and ePrivacy
Directive violations, enabling you to address them proactively.
Unsure about the results? Ask the AesirX Privacy AI Advisor to interpret the scan and receive
actionable steps to move toward compliance.
Check your compliance now: https://privacyscanner.aesirx.io