The Belgian Supreme Court issued, on 7 October 2021, its ruling in proceeding Nr. C.20.0323.N, upholding the Belgian Data Protection Authority's ('Belgian DPA') fine of €10,000 against Verreydt BV for violations of Articles 5(1)(c), 6(1), 13(1)(c), 13(1)(e), and 13(2)(a) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following the Market Court's decision which ruled in favour of Verreydt's appeal and which, consequently, led to the Belgian DPA's decision to appeal to the Supreme Court.

In particular, the Supreme Court determined that it is not required that a complainant has first had their own personal data unlawfully processed. Specifically, the Supreme Court ruled that if the claimant, whether or not on the basis of a complaint, establishes a practice that may lead to a breach of the fundamental principles of the protection of personal data, the Supreme Court permits that the Belgian DPA can investigate and impose sanctions against this practice, even if the complainant's own personal data has not been processed. 

Furthermore, the Supreme Court continues to state that the contested decision refers to the manner of Verreydt with regard to the production of loyalty cards, which included the processing of customer data such as first names, surnames, addresses, dates of birth, gender, from when the data subject had been a customer, the sum of the purchases, and, via the barcode, the national register number. Moreover, the Supreme Court disagreed with the appellant court's finding that this does not prove that a violation of the principle of data minimisation had taken place, on the grounds that processing of complainants' data is not a necessary requirement in order for the Belgian DPA to take action. Thus, the Supreme Court found that it is sufficient that this identified practice may give rise to a violation of the data minimisation principle under Article 5(1) of the GDPR. 

In addition, the Belgian DPA's original decision found that consent could not be used as the legal basis for processing personal data within the loyalty cards, as it cannot be regarded as free consent within the meaning of Article 4(11) of the GDPR, given the absence of an alternative system that allows the creation of a loyalty card without using the electronic identity card. In light of this, the Supreme Court noted that customers can only enjoy discounts when using their eID card, and as such this constitutes a violation of Article 6(1) of the GDPR. As a result, the Supreme Court found that the Market Court had failed to verify whether the legal analysis taken with regard to this violation of valid consent is correct and misunderstood the judicial obligation to state their reasoning. 

You can read the ruling, only available in Dutch, here.

UPDATE (2 November 2021)

DPA releases statement on ruling

The Belgian DPA released, on 28 October 2021, a statement on the ruling, reiterating the course of events.

You can read the statement in French here and in Dutch here.