The Freedelity app has been sanctioned for the way it uses data from Belgian consumers. The company offers loyalty cards that are linked to your ID card.

The Belgian Data Protection Authority (GBA) publicly reprimanded Freedelity in a press release. The company behind the MyFreedelity app is said to be “intrusive and non-transparent” when collecting data from Belgian consumers, thereby violating GDPR legislation. Freedelity is obliged to comply with this within four months under penalty of fines.

Identity card as a customer card

Freedelity’s business model is based on offering loyalty cards based on ID cards. Anyone who creates an account generally agrees to share their ID with Freedelity and companies that have subscribed to the company’s services. Your card will be read at participating stores. Big brands like MediaMarkt use myFreedelity.

The GBA has found that the consent that Freedelity and its partners obtain from consumers does not comply with the requirements of the GDPR. For example, consent is sometimes implied when a consumer scans their ID card, which does not meet the conditions of clarity and specificity. The mechanisms for withdrawing consent are also not sufficiently user-friendly. In addition, Freedelity collects redundant data such as the national registration number and stores it for eight years, which the GBA says is an excessively long time.

Freedomlity is urged to adapt the way it works. For example, the company must provide clear and specific consent mechanisms, including easy options to withdraw consent. The collection of unnecessary data must also be stopped and unnecessary data deleted. Finally, the data retention period should be limited to three years after a consumer’s last activity.

Penalties

Freedelity has up to 30 days from the decision to appeal and four months to make the requested adjustments. In the event of a payment default, the company faces fines of up to 5,000 euros per day.

The company will appeal what it calls a “witch hunt.” “We have been processing data from more than seven million Belgians for fifteen years and no valid complaint has ever been filed,” CEO Sebastian Buyse told Gazet van Antwerpen. The CEO also criticizes the timing of the statement shortly before Black Friday, the high volume of online retail.

GDPR fines are rare in Belgium. Since the Data Protection Act came into force, the GBA has imposed around forty fines. Due to the high workload of the data protection officer, not all complaints can be processed promptly. Freedom didn’t miss the dance.