Who is responsible if your loyalty card violates the GDPR?

Creating a loyalty card by simply inserting your electronic identity card (eID) into a reader is convenient. But what exactly happens to your data? And who is responsible if this process violates data protection law? A ruling of the Market Court of June 18, 2025 in a case against the data management company Freedelity provides clarity: responsibility is often shared.

The facts: an ecosystem of loyalty cards and shared data

Freedelity, a Belgian tech company, offers a service that makes it easy for consumers to manage loyalty cards and loyalty programs from different retail chains. At the heart of this model is the centralization and sharing of customer data in a central database, the Freedelity Database. In practice, data collection was often done in the store itself, via a terminal into which consumers could insert their eID cards.

Following a press article, the Data Protection Authority (DPA) launched an investigation. This investigation resulted in a conviction by the Litigation Chamber of the DPA, which ruled that Freedelity's practices violated the General Data Protection Regulation (GDPR).

The sanction: DPA strict, Market Court milder

The Litigation Chamber of the DPA imposed a series of severe measures on Freedelity. The company had to change its entire way of working within four months, under penalty of a fine of up to €5,000 per day. The main violations identified were:

  1. Invalid consent: The way consent was sought was not "free, specific, informed and unambiguous." Customers were pressured to agree to share their data with all of Freedelity's partners in order to enjoy the benefits of one store.
  2. Violation of data minimization: Too much data was collected from the eID card, such as nationality and place of birth, that was not strictly necessary for a loyalty program.
  3. Excessive retention period: An eight-year retention period for inactive customers was considered excessive.
  4. Shared responsibility: The crucial finding was that Freedelity was not the sole data controller. The DPA ruled that Freedelity and the affiliated retail chains are joint controllers because they jointly determine the purpose and means of the data collection.

Freedelity appealed to the Market Court. The Court largely followed the DPA on the merits and upheld the identified GDPR violations. However, the Court annulled the sanction imposed, in particular the short four-month implementation period and the associated penalty payments. The Court's reasoning was that the DPA had imposed an unreasonable and disproportionate burden on Freedelity, especially since the co-responsible retail chains were not parties to the proceedings. It was materially impossible for Freedelity to enter into new, GDPR-compliant agreements with hundreds of partners and adjust its technical systems at such short notice. On this point the case was referred back to the DPA to set a new, reasonable deadline.

Legal analysis and interpretation

This case offers some fundamental lessons on how to apply the GDPR in practice.

  • Joint controllership is a question of fact: According to Article 26 GDPR, parties are joint controllers if they jointly determine the "why" (purpose) and "how" (means) of data processing. The ruling confirms that contractual clauses placing all responsibility on one party are not sufficient if the actual situation shows otherwise. The stores that installed the Freedelity terminals in their establishments, and thus facilitated the data collection, were rightly considered joint controllers.
  • Consent is not an "all or nothing" story: The GDPR requires active and granular consent. Bundling different purposes (e.g., managing one loyalty card together with sharing data with an unknown number of other companies) is not permitted. Consumers must have a real choice and be able to specify precisely what they do and do not agree to, without being disadvantaged if they refuse part of it.
  • The principle of proportionality in sanctions: The intervention of the Market Court is an important signal. Although the violations were established, a supervisory authority must consider practical feasibility when imposing measures. A sanction intended to be corrective should not become punitive. Recognizing that implementation required complex adjustments and negotiations with third parties led to the conclusion that the deadline was unreasonable.

What this specifically means

  • For businesses and retailers: You cannot simply "outsource" your GDPR responsibility to your software or technology provider. Once you co-decide on the purpose (e.g., "I want a customer program") and means (e.g., "we'll put this terminal in the store"), you are likely to be a joint data controller. This means you are jointly liable for any breaches. Critically analyze your contracts and the actual operation of the systems you use.
  • For technology and service providers: Your platform must be built with privacy by design and privacy by default in mind. It is your duty to provide your customers (the merchants) with a system that allows them to properly collect valid consent. You cannot contractually shift the responsibility away from you when in practice you are in control of the core data processing.
  • For consumers: Be critical when sharing your data for commercial benefits. You have the right to know exactly what data is collected, for what specific purposes, and with whom it is shared. A company should not force you to agree to share your data with a host of partners in order to obtain one store's loyalty card. Moreover, an alternative to using the eID card should always be offered.
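The three design duties the analysis above places on a provider (data minimization, granular consent that defaults to "no" for optional purposes, and a justifiable retention period) can be made concrete in code. The following is an added example written for this article; it is not Freedelity's software, any retailer's terminal code, or a statement of what the ruling requires technically. The field names, the two purposes, the sample eID read-out and the retention figure used in the demo are assumptions chosen for illustration.

```python
"""Privacy-by-default enrolment for an eID-based loyalty card (added example).

Not Freedelity's or any retailer's code. Field names, purposes and the
retention figure are assumptions used to illustrate data minimisation,
per-purpose consent and a retention check.
"""
from dataclasses import dataclass, field
from datetime import date
from enum import Enum
from typing import Optional


class Purpose(Enum):
    LOYALTY_CARD = "loyalty_card"        # the service the customer asked for
    PARTNER_SHARING = "partner_sharing"  # optional; needs its own opt-in


# Only what a loyalty programme needs is kept (assumed set). Nationality, place
# of birth and the card validity date are the kind of eID data the ruling found
# excessive, so they are dropped whatever the reader hands over.
ALLOWED_FIELDS = frozenset({"surname", "given_name", "postal_code"})

# Constructed eID read-out for the demo; not real personal data.
SAMPLE_EID = {
    "surname": "Peeters", "given_name": "An", "postal_code": "9000",
    "nationality": "BE", "birth_place": "Gent", "card_valid_until": "2030-01-01",
}


@dataclass
class Enrolment:
    customer: dict
    consents: dict = field(default_factory=dict)   # Purpose -> bool
    last_activity: date = field(default_factory=date.today)


def minimise(record: dict) -> dict:
    """Data minimisation: keep only allow-listed fields, drop everything else."""
    return {k: v for k, v in record.items() if k in ALLOWED_FIELDS}


def enrol(record: dict, share_with_partners: Optional[bool], today: date) -> Enrolment:
    """Create a loyalty account from an eID read-out or a manually entered record.

    The source does not matter, which is what keeps a non-eID alternative
    possible. Partner sharing is off unless the customer explicitly opted in
    (privacy by default); refusing it never blocks the card itself.
    """
    opted_in = share_with_partners is True  # None (no answer) counts as "no"
    return Enrolment(
        customer=minimise(record),
        consents={Purpose.LOYALTY_CARD: True, Purpose.PARTNER_SHARING: opted_in},
        last_activity=today,
    )


def may_process(enrolment: Enrolment, purpose: Purpose) -> bool:
    """Gate every use of the data on consent for that specific purpose."""
    return enrolment.consents.get(purpose, False)


def withdraw(enrolment: Enrolment, purpose: Purpose) -> None:
    """Consent is withdrawn per purpose; the other purposes are untouched."""
    enrolment.consents[purpose] = False


def is_due_for_erasure(enrolment: Enrolment, today: date, retention_days: int) -> bool:
    """Retention check. The ruling only says eight years for inactive customers
    was excessive; it gives no approved figure, so retention_days is a value
    the operator must justify, not a recommendation."""
    return (today - enrolment.last_activity).days > retention_days


def demo_enrolment(share_with_partners: Optional[bool] = None) -> Enrolment:
    """Enrol the constructed sample record on a fixed date (the ruling's date)."""
    return enrol(SAMPLE_EID, share_with_partners, date(2025, 6, 18))


if __name__ == "__main__":
    acct = demo_enrolment()
    print(acct.customer)                               # only the three allowed fields
    print(may_process(acct, Purpose.PARTNER_SHARING))  # False: no explicit opt-in
```

The point of the split into `minimise`, `may_process` and `withdraw` is that each GDPR requirement has exactly one place where it is enforced: excess eID fields never reach storage, no purpose is served without its own consent flag, and a customer can refuse or withdraw partner sharing while keeping the card.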

Frequently asked questions (FAQ)

As a retailer, am I jointly responsible for GDPR violations by my software vendor?
Yes, in many cases you are. If you and your supplier jointly determine the purpose and means of the data processing, you are considered a joint controller under Article 26 GDPR and share responsibility.

Can my permission for a loyalty card be linked to sharing my data with other companies?
No. Consent must be "free" and "specific." This means that you should not be forced to agree to share data with third parties in order to receive a service or benefit not directly related to it. Each purpose requires a separate, specific consent.

What data may be read from my eID card for a loyalty card?
Only those data that are "adequate, relevant and limited to what is necessary" for the specific purpose (data minimization). Data such as your nationality, place of birth or card validity date are generally considered excessive for a standard loyalty program.

Conclusion

The Freedelity case highlights that GDPR compliance is a shared effort in a digital ecosystem. Both the technology provider and the retailer offering the service bear a crucial responsibility to ensure consumer rights. The Market Court ruling is also a reminder that enforcement, however necessary, must be reasonable and proportionate.


Joris Deene

Attorney-partner at Everest Attorneys
